The National Institute of Standards and Technology (NIST) has released new guidance on implementing zero trust architecture (ZTA) to help companies deal with the difficulties of adopting this new cybersecurity strategy.
Conventional security entails protecting a perimeter. Examples of perimeter defenses include firewalls to stop threat actors from accessing internal systems, intrusion detection systems (IDS), and antivirus programs. Other security options offer more protection in the event of a network perimeter breach. In most cases, this approach assumes that everything within the network perimeter is trustworthy.
Zero trust assumes that defenses have already been breached by a malicious actor; hence, trust is withheld from any user or device until it is verified through authentication steps. This applies even if the user or device was previously validated. The principle of least privilege is applied so that, in case of a security breach, the harm is limited, and all actions and behaviors are continuously monitored. Zero trust applies to both insider and external threat actors.
The conventional approach has served organizations well; however, it stops working whenever the network perimeter needs to be expanded to cover remote access, mobile devices, SaaS applications, and third-party access. The growing complexity of cyber threats makes network perimeter breaches more probable, and traditional methods make it more difficult to prevent lateral movement once a breach has occurred.
In 2020, NIST published a conceptual ZTA framework in NIST Special Publication 800-207, presenting the idea of zero trust. The most recent publication gives practical advice on applying ZTA using commercially available systems. It consists of 19 real-world setup models, together with specialized settings, guidelines, and critical starting points for creating your own ZTA. The guidance was created as part of a 4-year project by the NIST National Cybersecurity Center of Excellence (NCCoE) together with 24 industry collaborators.
Moving from conventional protection to zero trust entails many changes. Knowing who is accessing resources, and why, is important. Every network environment is different, so every ZTA is customized. Finding ZTA specialists who can do this is not easy.
The guidance was created with the real-world circumstances that big companies usually face in mind. It simulates the sophistication of modern system environments, with several internal systems, guest Wi-Fi networks, cloud solutions, SaaS applications, and several locations throughout the country. It provides various approaches to dealing with implementation problems and maps the options to cybersecurity infrastructure.
The cases in the guidance offer demonstrations so that companies become aware of some of the capabilities they need to have in place to use a ZTA. This information should be included in a company’s HIPAA training as well.