Zero Trust Architecture: the NIST Zero Trust Framework
The goal of a Zero Trust Architecture (ZTA) is to improve an enterprise's overall IT security posture by protecting resources rather than network segments.
What Is a Zero Trust Architecture (ZTA)?
The zero trust security model is a security approach that assumes that any device or user attempting to access a network or system may already be compromised and requires strict identity verification and continuous monitoring. It is a paradigm that shifts the focus of defenses from static, network-based perimeters to active protection of users, assets, and resources.
In a ZTA, authentication and authorization are performed before a session to an enterprise resource is established, regardless of the device's or user's physical or network location.
A ZTA extends security to encompass remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. This approach is in contrast to traditional security models, which often rely on network perimeter defenses and assume that devices and users inside the network can be trusted.
What Are the NIST Zero Trust Architecture Principles?
The concept of Zero Trust evolved from national security planners recognizing the need to secure networks from advanced persistent threats (APTs) and cyber espionage. Forrester analysts later popularized the term and described its principles in a 2010 report. Google also played a role in the development of Zero Trust by implementing it in their own networks and sharing their experiences with the public.
The National Institute of Standards and Technology (NIST) has outlined guidelines and principles for implementing Zero Trust in the form of the NIST Zero Trust Architecture (ZTA). These guidelines include:
- Classifying resources: Identifying and classifying the different types of resources (e.g., data, systems, users) that need to be protected and determining their specific security requirements.
- Secure communication: Establishing secure communication channels between systems and users, and between different parts of the network.
- Access policies based on user identity and system characteristics: Implementing access controls that are based on the identity of the user and the characteristics of the system, rather than simply the location of the user or system.
- System monitoring and user authentication: Continuously monitoring systems for signs of compromise and requiring multi-factor authentication for users.
What Are the Core Components of the NIST Zero Trust Architecture?
The National Institute of Standards and Technology (NIST) defines the following core ZTA components:
Policy Engine
The policy engine is the component that defines and manages the security policies for the network. It is responsible for creating and enforcing access policies based on user identity, system characteristics, and the level of risk associated with the request, and it uses a combination of access controls, authentication mechanisms, and threat intelligence to determine that level of risk.
Policy Administrator
The policy administrator is responsible for managing and maintaining the security policies defined by the policy engine. This includes updating policies as needed, monitoring policy compliance, and troubleshooting issues. For example, it regularly reviews and updates policies to reflect changes in the environment, such as new threats and vulnerabilities.
Policy Enforcement Point
The policy enforcement point is the component that enforces the security policies defined by the policy engine. This includes controlling access to resources based on the policies, monitoring network activity for signs of compromise, and enforcing multi-factor authentication for users. The policy enforcement point evaluates incoming traffic based on a variety of factors, including the identity of the user, the characteristics of the system, and any known threats or vulnerabilities, using this information to allow or deny access to the requested resource.
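The three components above interact per request: the engine scores and decides, the administrator relays the decision, and the enforcement point only forwards traffic on a session the administrator has opened. The following is an added illustration written for this article, not NIST reference code; the device inventory, threat-feed indicator, policy rule and risk weights are all constructed for the example.

```python
# Constructed inventory, threat feed and policy (not from NIST or the article).
REGISTERED_DEVICES = {"laptop-042": {"cert_valid": True, "patched": True}}
THREAT_FEED = {"203.0.113.7"}            # constructed indicator (TEST-NET-3)
POLICY = {"hr-payroll": {"roles": {"hr"}, "mfa": True, "max_risk": 30}}

class PolicyEngine:
    """Scores risk from device posture and threat intelligence, then decides."""
    def risk_score(self, req):
        dev = REGISTERED_DEVICES.get(req["device_id"])
        score = 0 if dev else 100            # unregistered device: max risk
        if dev and not dev["cert_valid"]:
            score += 50
        if dev and not dev["patched"]:
            score += 20
        if req["source_ip"] in THREAT_FEED:
            score += 50
        return score

    def decide(self, req):
        rule = POLICY.get(req["resource"])
        if rule is None:
            return "deny", "no policy for resource"
        if not rule["roles"] & req["roles"]:
            return "deny", "role not permitted"
        if rule["mfa"] and not req["mfa_done"]:
            return "deny", "mfa required"
        risk = self.risk_score(req)
        if risk > rule["max_risk"]:
            return "deny", f"risk {risk} exceeds {rule['max_risk']}"
        return "allow", f"risk {risk}"

class PolicyEnforcementPoint:
    """Gateway in front of the resource; forwards only on an open session."""
    def __init__(self):
        self.sessions = set()
    def forward(self, user, resource):
        return (user, resource) in self.sessions

class PolicyAdministrator:
    """Turns the engine's decision into a PEP session open/close command."""
    def __init__(self, engine, pep):
        self.engine, self.pep = engine, pep
    def handle(self, req):
        verdict, reason = self.engine.decide(req)
        key = (req["user"], req["resource"])
        if verdict == "allow":
            self.pep.sessions.add(key)
        else:
            self.pep.sessions.discard(key)   # a deny also revokes an open path
        return verdict, reason
```

A request is a plain dict with the keys user, roles, mfa_done, device_id, source_ip and resource; re-evaluating the same session with a changed source IP shows the administrator closing the path the engine previously opened.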
Building a Zero Trust Architecture Model: Best Practices You Should Know
Know Your Architecture Including Users, Devices, and Services
Zero Trust is a security concept that assumes that all network traffic is untrusted and requires authentication and authorization. To build a Zero Trust architecture, it is important to first understand the different components of your network and the access needs of your users, devices, and services.
This involves identifying and inventorying all the users, devices, and services that need access to your network. It will help you understand the scope of your ZTA implementation and ensure that all necessary components are included. You should also determine the access needs of each user, device, and service and define an appropriate level of access and controls.
By understanding your architecture and the access needs of your users, devices, and services, you can implement a ZTA that is tailored to your organization’s specific needs and can help you protect your network from threats.
Create a Strong Device Identity
Creating a strong device identity is an important step in building a ZTA. It involves uniquely identifying and authenticating devices that need access to your network. Here are some best practices for creating a strong device identity:
- Use unique device identifiers (UDIDs) to identify each device that connects to your network. This can include the device’s MAC address, serial number, or other unique identifier.
- Implement device registration and onboarding processes. This ensures that only authorized devices are allowed to connect to your network and that they are configured with the appropriate security settings and policies.
- Use device certificates or other forms of device-based authentication to verify the identity of each device. This can include Public Key Infrastructure (PKI) certificates, digital certificates, or other forms of authentication.
By creating a strong device identity, you can ensure that only authorized devices are able to connect to your network, and you can monitor and control their access to network resources. This is a crucial step in building a ZTA and defending against advanced threats.
Focus Your Monitoring on Devices and Services
A ZTA must monitor and analyze the activities of devices and services that are connected to the protected network to detect and respond to potential threats. Here are some best practices for monitoring devices and services in a ZTA:
- Implement network monitoring and logging tools to track and record all network activity. This includes monitoring the activity of devices, services, and users, as well as capturing information such as IP addresses, device types, and access times.
- Use security information and event management (SIEM) systems to aggregate and analyze log data from multiple sources. This helps to identify potential threats and anomalies in real-time.
- Implement behavioral analytics and machine learning algorithms to detect and respond to abnormal patterns of activity. This allows you to identify and respond to potential threats more quickly and effectively.
- Monitor for known vulnerabilities and misconfigurations in devices and services. This will help you identify and remediate potential vulnerabilities before they can be exploited by attackers.
- Regularly review and update your monitoring and response protocols. As your organization and the security landscape evolve, it is important to keep up with the latest threats and technologies.
By focusing monitoring on devices and services, you can gain a deeper understanding of the activity taking place on your network. This can help you detect and respond to potential threats more quickly and effectively, which is an essential aspect of a Zero Trust architecture.
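The device-focused monitoring described above, reduced to its simplest form as an added example (not code from the article): learn each device's usual source IPs and resources from a baseline period, then flag events from unregistered devices, new IPs, new resources or off-hours access. The log lines, device names and the key=value log format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed access-log lines in a simple key=value format (not a real product's format).
BASELINE_LOGS = """\
2024-05-01T09:12:03Z device=laptop-042 user=alice ip=198.51.100.5 resource=hr-payroll
2024-05-02T08:55:40Z device=laptop-042 user=alice ip=198.51.100.9 resource=hr-payroll
""".splitlines()

NEW_LOGS = """\
2024-05-03T09:30:00Z device=laptop-042 user=alice ip=198.51.100.5 resource=hr-payroll
2024-05-03T02:17:45Z device=laptop-042 user=alice ip=203.0.113.7 resource=hr-payroll
2024-05-03T11:00:00Z device=tablet-999 user=alice ip=198.51.100.5 resource=hr-payroll
2024-05-03T15:00:00Z device=laptop-042 user=alice ip=198.51.100.5 resource=finance-db
""".splitlines()

LINE_RE = re.compile(r"^(\S+) device=(\S+) user=(\S+) ip=(\S+) resource=(\S+)$")
def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")   # never guess at malformed input
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "device": m.group(2), "user": m.group(3), "ip": m.group(4), "resource": m.group(5)}

def build_baseline(lines):
    """Per device: the source IPs and resources seen during the learning period."""
    base = defaultdict(lambda: {"ips": set(), "resources": set()})
    for ev in map(parse, lines):
        base[ev["device"]]["ips"].add(ev["ip"])
        base[ev["device"]]["resources"].add(ev["resource"])
    return base

def findings(lines, base, work_hours=range(7, 20)):
    """Return (line, reasons) for every event that deviates from the device's baseline."""
    out = []
    for line in lines:
        ev, reasons = parse(line), []
        b = base.get(ev["device"])
        if b is None:
            reasons.append("unregistered device")
        else:
            if ev["ip"] not in b["ips"]:
                reasons.append("new source ip")
            if ev["resource"] not in b["resources"]:
                reasons.append("new resource")
        if ev["ts"].hour not in work_hours:
            reasons.append("off-hours access")
        if reasons:
            out.append((line, reasons))
    return out
```

In practice the baseline would be learned from a SIEM's historical data rather than a handful of lines, and each finding would feed back into the policy engine's risk score for the device.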
Don’t Trust the Network, Including the Local Network
In a ZTA, everything is considered untrustworthy, including the local network. This means that all network traffic should be treated as potentially malicious and requires authentication and authorization. Here are some ways to achieve this:
- Implement a “least privilege” approach to network access. This means that users, devices, and services are only given the minimum level of access necessary to perform their job function.
- Use network segmentation to create logical boundaries between different parts of your network. This helps to limit the spread of potential threats and limit the damage that can be done if a breach occurs.
- Use encryption to protect data in transit and at rest. This includes using secure protocols such as HTTPS and SSH, as well as using encryption technologies such as VPNs and disk encryption.
- Regularly monitor and assess your network for vulnerabilities and suspicious activity. This includes using vulnerability scanners, penetration testing tools, and threat intelligence feeds to identify potential vulnerabilities and threats.
- Continuously review and update your network security policies and procedures. This includes staying up-to-date on the latest threats and technologies, and regularly reviewing and updating your network security controls.