Many current cybersecurity plans and models follow an older set of priorities that hinge upon the importance of strong perimeter defense. To use a physical analogy many cybersecurity architectures focus on building up the walls and moats protecting the very outside of your castle from attack. But inherent in these schemes is an implicit trust of everyone already inside.
And of course not every subject is a loyal one.
In today’s ever-more-remote landscape the usefulness of these perimeter-focused schemes is eroding. There are as many threats within as there are without, and the line dividing “inside” and “outside” is growing blurrier by the day. Cybersecurity schemes need to be built accordingly.
Enter zero trust architecture.
What is the NIST Zero Trust Architecture?
It’s a plan for building cyberdefenses that meet the challenges of our increasingly cloud-based and remote digital world. Nowadays, companies are expanding their networks and systems far beyond the confines of physical infrastructure, like offices and headquarters. Doing so increases flexibility, but it also diminishes the effectiveness of defenses tailored to those physical contexts.
Businesses need cybersecurity planning to respond to this new reality.
That’s why the National Institute of Standards and Technology (NIST) is currently drafting a detailed plan for Zero Trust Architecture in NIST Special Publication 800-207. This document lays out a comprehensive guide to zero trust architecture, justifying it in the face of evolving security threats, and explaining how to implement it in any company.
This blog will break down all the most important information from NIST SP 800-207, diving into what zero trust is and how it works.
But first, let’s get into why it’s important.
Why Zero Trust?
Because with great mobility comes great danger.
Even before the onset of the COVID-19 pandemic, prudent businesses have been optimizing workflows by mobilizing and extending workforces outside of their physical buildings. However, the height of the pandemic has necessitated social distancing and work from home (WFH) practices for workers across the world. Business continuity has required mobility.
Mobility challenges boundaries and security measures that rely on them.
As businesses rely more on remote digital access to their networks, they open themselves up to a host of concerns. These include:
- Vulnerabilities in employees’ home networks
- Suboptimal cybersecurity measures in employees’ devices
- Increased cybercriminal targeting of WFH endpoints and cloud services
In an office, control over hardware, software, and networks enables a sense of implicit trust for all users accessing them. That goes out the window when the office is someone’s home.
Regardless of individuals’ own actions and intentions, any system that operates remotely is simply not as “trustworthy,” cybersecurity wise, as a controlled environment.
In the face of accelerating mobility, it’s time to abandon that trust altogether.
What is Zero Trust?
It’s a paradigm shift—a new way to think about securing your company’s digital assets that focuses on the resources themselves rather than the networks they exist within.
Zero trust is based on assumptions, just like perimeter-focused cyberdefense is. However, the assumptions are the exact opposite of their counterparts:
- Perimeter-based architecture – assumes benevolence of actors who “belong” within a defined location, physical or virtual. It bases defenses on access to that location:
- Users authenticate themselves to gain access to the safe location.
- Once inside, users are permitted access to various assets and resources within.
- Zero trust architecture – assumes malevolence of any and all actors, irrespective of location. It bases defenses on direct access to resources:
- There is no location to “enter,” or entry into a location grants no specific access.
- Authentication is required at each access point of individual assets.
As its name implies, zero-trust is inherently more shrewd in terms of the trust and agency it grants to individuals. By assuming that there is no “outside” and anyone can be a threat, it significantly restricts access to all resources.
While this revolutionary paradigm is the future of cybersecurity, it’s also nothing new.
History and Legacy of Zero Trust
Zero trust as a concept long predates the distanced realities of 2020. Zero trust architecture is already in use throughout governmental bodies and in certain private sectors, including especially information technology. It’s also prevalent in higher education.
The driving ideology behind zero trust architecture predates the terminology of “zero trust” itself.
As early as 1994, the Jericho Forum (now the Open Group) was preaching the virtues of what it called “de-perimeterized” cybersecurity. Its Jericho Commandments, updated most recently in 2007, were devoted entirely to re-orienting cyberdefense away from the perimeter. They focus on assets, assume a “hostile world,” and warn against assumption of context.
In 2007, the Department of Defense incorporated a scheme called “black core” into its Global Information Grid Architectural Vision. Like the Jericho Forum’s plan, this DoD mandate shifted focus away from the perimeter and onto safety at the level of individual transactions.
These are foundational zero trust concepts, all of which are echoed in today’s architecture.
Basic Tenets of Zero Trust
The conceptual framework for zero trust architecture is composed of the tenets of zero trust. These tenets span all dimensions of what zero trust assumes and various conclusions emanating forth from those premises.
Here is the breakdown of the key elements of zero trust’s logic:
- Consider each computing service and data source a resource – Any and all devices, including personal devices used to access networks, are labeled resources.
- Secure all communication regardless of network location – All requests for access must meet the same stringent standards for authentication, irrespective of where the request originates (e.g., from within the office vs. from public Wi-Fi).
- Grant access to individual resources on a per-session basis – Access is contingent upon authentication and limited to a particular period of time. Also, access to one particular resource does not automatically imply access to any other resource.
- Determine access through dynamic policy – Authentication and access are multifaceted, incorporating some combination of:
- Client identity (including username, password, etc.)
- Asset status (IP address, networks accessed, updates installed)
- Other analytics-driven criteria (monitoring for disallowed behaviors)
- Ensure maximum security for all owned and associated devices – All devices are required to meet a certain threshold for security, including practices like up-to-date security patches. Even when devices meet this minimum, they’re still not “trusted.”
- Enforce dynamic authentication and authorization prior to access – The authentication and authorization process detailed above is not a one-time check but an ongoing one. Once granted, access can be revoked if a given authenticating factor is compromised.
- Maximize data collection on current state of infrastructure to improve security – All access requests should be tracked, recorded, and monitored. The resulting data can inform dynamic authentication criteria and processes.
Across these seven tenets, a robust framework of safety emerges from the complexity and dynamism of each practice prescribed. Abiding by these basic principles ensures the maximum security that a zero trust architecture can provide.
But how does it work?
How Zero Trust Architecture Works
Zero trust architecture is a realization of the tenets outlined above. It works by turning those theoretical concepts into practices. That includes naming entities, establishing relationships, and installing restrictions and control points where authentication is required.
A zero trust architecture depends upon the successful implementation of its components.
Key Components of Zero Trust Architecture
In order to successfully deploy a zero trust architecture, there are certain components that must be installed, with specific relationships between them, to enable the tenets outlined above. These components can exist on the premises of your business, in remote or cloud services, or in some combination of the two.
The foundational, core components are comprised of the following:
- Policy engine (PE) – The component with ultimate decision-making power with respect to granting access. The PE uses inputs from multiple components listed below to determine whether access ought to be granted, logging the decision.
- Policy administrator (PA) – The PA is paired with the PE. While the PE determines whether access is granted, the PA executes the decision and grants the access. In some cases, the PE and PA are unified into one single service.
- Policy enforcement point (PEP) – The system that contains the exact point of enforcement, or access grant/denial, of the decision made by the PE and administered by the PA. It may be broken into multiple sub-components working in concert.
In addition to these, there are also operational components and inputs that provide the information that the PE uses to make its decisions. These include:
- Data access policies – All relevant regulations and guidelines that govern access to a resource. These are either added to the system or generated by it; they serve as the starting point for the PE’s decision-making process.
- Identification management system – The system that is responsible for all creation, processing, and storage of identifying information for users, assets, and resources.
- Continuous diagnostics and mitigation system (CDM) – This system gathers all relevant information about the particular asset requesting access, verifying its safety with respect to software updates and all known vulnerabilities.
- Threat intelligence feed(s) – Various sources of information, internal and external, that provide insights into any and all existing and potential threats. Some examples include:
- Ransomware, viruses, and all malware
- Attacks on comparable systems
- Network and system activity logs – The system that logs all relevant information pertinent to any and all access requests, both granted and declined, as well as activity and behavior after the access request is processed.
- Security information and event management (SIEM) system – The system that collects all information related to any and all security matters, to be used in continuous analysis and correction of authentication policy.
- Enterprise public key infrastructure (PKI) – The system that generates and logs all certificates issued to resources, as well as subjects and applications. The global certificate authority ecosystem and the Federal PKI may or may not be integrated into the enterprise PKI.
- Industry compliance system – A system that scans for all requirements of all particular regulatory codes required to be followed by the organization (FISMA, HIPAA, etc.).
The components detailed above may be distributed in various different ways across any number of assets. They may even be optimized and unified into one single asset.
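The following is an added illustration (not code from NIST SP 800-207 or from any product) of how the tenets and the components above fit together: a toy policy engine decides from identity, asset status, and threat intelligence while ignoring network location, a policy administrator issues per-resource, time-limited sessions and revokes them when a factor is compromised, and a policy enforcement point only passes traffic for a live session. Every class, field name, threshold, and sample request is constructed for the example.

```python
# Added example: toy PE / PA / PEP loop in the spirit of NIST SP 800-207.
# All names, thresholds and sample inputs are constructed, not from the standard.
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    subject: str       # identity, as supplied by the identity management system
    mfa_passed: bool   # identity factor
    device_id: str     # the asset making the request
    patch_age: int     # CDM input: days since last security patch
    network: str       # request origin; deliberately NOT used in the decision
    resource: str      # the single resource being requested

@dataclass
class PolicyEngine:
    blocked_devices: set = field(default_factory=set)  # threat-intelligence feed
    max_patch_age: int = 30                            # constructed CDM threshold
    log: list = field(default_factory=list)            # activity log fed to the SIEM

    def decide(self, req):
        # Dynamic policy: identity + asset status + threat intel. Location is ignored.
        if not req.mfa_passed:
            verdict = (False, "identity: MFA not satisfied")
        elif req.device_id in self.blocked_devices:
            verdict = (False, "threat intel: device flagged")
        elif req.patch_age > self.max_patch_age:
            verdict = (False, "CDM: asset out of patch compliance")
        else:
            verdict = (True, "granted for this session only")
        self.log.append((req.subject, req.device_id, req.resource) + verdict)
        return verdict

class PolicyAdministrator:
    SESSION_TTL = 3600   # seconds; constructed per-session lifetime

    def __init__(self, pe):
        self.pe, self.sessions = pe, {}   # (subject, device, resource) -> expiry
    def request(self, req, now):
        ok, reason = self.pe.decide(req)
        if ok:   # a grant covers exactly one resource, for a limited time
            self.sessions[(req.subject, req.device_id, req.resource)] = now + self.SESSION_TTL
        return ok, reason
    def revoke_device(self, device_id):
        # Ongoing enforcement: a newly compromised factor cancels existing grants.
        self.pe.blocked_devices.add(device_id)
        self.sessions = {k: v for k, v in self.sessions.items() if k[1] != device_id}
    def pep_allows(self, subject, device_id, resource, now):
        # PEP: only a live session for this exact resource passes traffic.
        return self.sessions.get((subject, device_id, resource), 0) > now
```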
By installing all of these components you can integrate a zero trust architecture throughout every element of your company. However, this is not the only way to integrate zero trust architecture. There are also…
Alternative Methods for Zero Trust Architecture
Beyond the components detailed above enterprises may also take other approaches to implementing a system analogous or similar to a fully-fledged zero trust architecture.
Some of these approaches include:
- Enhanced identity governance – An intensive focus on individual identities of users and assets, prioritizing these above and at the expense of all other factors in any (perimeter or zero trust) system.
- Micro-segmentation – Creating specialized protocols for individuals and groups of particular assets, insulating them as zero trust irrespective of the broader architecture.
- Network infrastructure and software-defined perimeters – A secure channel is created within specific network or software dimensions; this perimeter is purely virtual and capable of being defined minutely.
Any of these methods can provide protection, just like the components above.
However you achieve it, zero trust architecture is one of the most effective ways to secure your business from the unique threats posed by our remote digital landscape. No cybersecurity scheme can ensure 100% safety and completely eliminate risks, but zero trust comes close.
Zero trust or not, professional cyberdefense is the best way to minimize your risks and maximize your security.
Zero Trust, Heroic Cyberdefense
At RSI Security our mission is helping businesses shore up their cybersecurity in all dimensions. Our qualified experts will work with you to implement the perfect zero trust architecture for your particular situation.
Our overall NIST advisory services include analysis, training, and support to help you meet and exceed the parameters of NIST SP 800-207 and all compliance needs.
But that’s not all.
We’re industry leaders with over a decade of experience providing cybersecurity solutions to companies of all sizes and types. Contact RSI today, and we’ll craft a cyberdefense profile that’s tailored specifically to your needs.