NIST and Zero Trust Architecture: What You Need to Know
More commonly known as NIST, the National Institute of Standards and Technology gave zero trust a considerable boost recently, recognizing it as a standard for modern cybersecurity and publishing a framework for American organizations to use.
NIST is a non-regulatory agency within the federal government tasked with promoting technology, measurement science, and standards to keep American businesses competitive. One of its many jobs is developing and standardizing information technology security frameworks.
Up until recently, NIST recommended businesses give some level of trust to privileged users. This is no longer the case: NIST now recommends everyone transition to zero trust architecture.
NIST’s Zero Trust Tenets
NIST sees zero trust as a set of six separate concepts, all working together to secure company resources continuously:
- Every data source and computing service is a resource. This can include personally owned devices if they have access to internal resources.
- Network location doesn’t matter. All communication is secured, no matter its origin.
- Access to a resource is only granted for that session. The network must reauthorize subsequent access.
- Access to a resource is not a static concept. Missing security patches, a login that seems suspicious, and other factors may still block access even if the requesting client is authorized to view a particular resource.
- An organization must continuously monitor the security posture of both internal and external assets that have access to the organization’s network.
- Organizations should use the information collected from initial zero trust deployments to ease the transition and improve their security posture.
Zero trust has changed how information technology managers need to look at their security networks. This includes rooting out some long-held beliefs on how to keep their networks secure. The NIST publication summarizes a zero trust network as having the following attributes:
- The organization’s private network shouldn’t be implicitly “trusted.”
- No resource is trusted, either.
- Users may connect devices to the network that aren’t owned or configurable by the organization.
- Some resources are not within the private network, such as cloud-based assets.
- Remote subjects and assets must also assume their local network is hostile.
- Any asset or workflow that moves between internal and external infrastructure must have a consistent security posture.
Approaches for Deploying Zero Trust
The NIST’s publication details three different approaches to implementing zero trust in an organization: enhanced identity governance, logical micro-segmentation, and network-based segmentation. While all the tenets of zero trust discussed earlier are followed, organizations may only focus on one or two approaches rather than all three:
- Enhanced identity governance: User identity and assigned attributes play a primary part in granting access. Other factors, including the device used, asset status, and environmental factors, also factor into whether full, limited, or no access is given.
- Logical micro-segmentation: Additional firewalls are built around individuals or groups of resources using either hardware or software. This limits the movement of hackers by trapping them in a smaller portion of the network.
- Network-based segmentation: This method uses network infrastructure to protect resources. In this approach, the policy administrator acts as a network controller and reconfigures the network based on the decisions made by the policy engine.
Organizations might use a single asset to implement the approaches described above, or they may use several.
Zero Trust Deployment Scenarios
NIST envisions five common deployment scenarios for zero trust, each with its own unique considerations:
- One primary location and several satellite facilities: This is the most common zero trust scenario. An organization has one primary location and several satellite locations (and possibly remote employees) connected by a non-enterprise-owned network connection. Here, NIST recommends cloud-based hosting for the policy engine and policy administrator.
- Multi-cloud/cloud-to-cloud enterprise: Another scenario that is becoming increasingly common is where an organization’s application and data are hosted on one or several cloud-based assets. Here, cloud-based assets should be able to talk to each other without passing through the organization’s network with a cloud-based host for the policy engine and policy administrator.
- Enterprise with contracted services or nonemployee access: Another common scenario is where the organization must provide access to contractors or other non-employees. These individuals will not need access to company resources. An excellent example of this is a publicly-accessed Wi-Fi network. By denying access to the corporate intranet through its public Wi-Fi, organizations can offer the connectivity their contractors need without compromising security.
- Cross-organizational collaboration: Some situations might require an organization to collaborate with another, such as a joint product launch or a public/private partnership. Here, NIST recommends using a “federated ID management system,” or a standard method to sign on to the particular application across both companies. This way, user access is managed as a single entity.
- Public-facing organizations: Some organizations may need to factor in access to the general public. In most cases, zero trust doesn’t apply since the information is for public use. However, if an organization plans to use authentication to access specific sensitive resources, the tenets of zero trust apply. Enforce strong password rules, use MFA, and consider passwordless authentication. Ensure adequate monitoring and remediation strategies are in place, as these are a favorite target for hackers.
Migrating to a Zero Trust Architecture
The NIST report provides the following steps to migrate to a zero trust architecture successfully. In the migration recommendations they include:
- Identify what’s on your network. This doesn’t just include human users but automated accounts as well. In zero trust, these users should only have permission to access what they need to complete the task at hand.
- Identify assets that connect to your network. These should be appropriately cataloged and monitored. Zero trust networks also enforce security policies, requiring all devices to be up-to-date on security patches and software updates.
- Identify business processes and their risks. All mission-critical applications should be evaluated for potential security risks and the disruption that migrating zero trust may cause. It might be best to start with a less critical process or workflow to minimize disruptions.
- Set up policies. Once you have identified the process you’d like to migrate to zero trust, it’s time to formulate policies that align with zero trust best practices. It might also be worth it to consider zero trust-ready platforms, which make it easier to transition whole workflows to zero trust.
- Choose and deploy your candidate solutions. For example, you might want to do away with alphanumeric passwords. Beyond Identity’s zero trust-ready passwordless authentication platform could help you achieve that goal and offers a free demo.
- Monitor, monitor, monitor: After the initial hard work of the initial zero trust migration, an extended period of monitoring is necessary to ensure not only are resources protected, but the disruptions to workflows are minimal, and users still have access to what they need to do their jobs.
- Expand to other workflows. With a successful migration under your belt, take what you’ve learned and expand zero trust throughout the organization. Again, it’s helpful to focus on less critical processes first to make the transition as smooth as possible.
How Beyond Identity Can Help Achieve Zero Trust
Zero trust isn’t possible until you eliminate passwords, and Beyond Identity removes passwords entirely from your system. Beyond Identity’s platform replaces the password with secure credentials based on X.509 certificates and public-private key pairs. Beyond Identity can help you achieve zero trust and protect your organization while providing the most secure and frictionless authentication experience ever.
Beyond Identity’s workforce solutions include:
Learn more about our advanced authentication and get a demo.