In May, The White House released an executive order on improving the nation’s cybersecurity. The order came with various directives for Federal Civilian Executive Branch agencies. Among other efforts, the order focused on the federal government’s advance toward zero trust architecture (ZTA). It framed this journey as one “which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) … has outlined in standards and guidance.”

This action item raises an important question. What standards and guidance has NIST outlined in reference to zero trust? Let’s take a look below.

Putting Zero Trust Into Perspective

In its Special Publication (SP) 800-207 ‘Zero Trust Architecture’ published in August 2020, NIST pointed to the reality that many conceptualizations of zero trust position themselves in terms of what to exclude. Many of those take umbrage with perimeter defenses like firewalls in particular. As I’ve written before, zero trust and firewalls can coexist.

But there’s an even larger issue here. In the words of NIST, “most of these definitions continue to define themselves in relation to perimeters in some way (such as microsegmentation or micro-perimeters) … as part of the functional capabilities of a ZTA.” Such definitions frame themselves in terms of perimeter-based models while at the same time attempting to move past them.

Seven Tenets of Zero Trust

NIST sought to define what to include in zero trust, not what to exclude. This led the agency to develop seven tenets of zero trust. They define the first principle this way: “All data sources and computing services are considered resources.”

A network may be composed of multiple classes of devices. A network may also have small footprint devices that send data to aggregators/storage, software as a service (SaaS), systems sending instructions to actuators and other functions. Also, an enterprise may decide to classify personally owned devices as resources if they can access enterprise-owned resources.

Let’s take a moment to unpack this. Elsewhere in SP 800-207, NIST clarified that resources consist of assets, workflows, accounts and services. Network segments aren’t resources, the agency noted, because “the network location is no longer seen as the prime component to the security posture of the resource.” In other words, while network segmentation still serves a role in a network security strategy, the part it plays is a supporting one. An external attacker can infiltrate a network segment by compromising a connected endpoint or authorized account, for instance. With this in mind, assume every potential connection attempt is suspicious unless proven otherwise.

The emphasis of that last sentence falls on the word every. Don’t assume that any network device or asset is automatically secure. You also can’t presume that a device will receive validation every time it submits a connection attempt. Compromises happen. Things change.

Visibility and Insight

This highlights the need for security teams to achieve and maintain visibility over their assets. What if they lack insight into their assets and how they interact? They won’t be able to implement an authentication and access control policy, one of the cornerstones of a zero trust architecture. Towards that end, security teams can extract metadata from network traffic to discover their apps and map their interactions. They can then use that map as a baseline to watch for potentially suspicious activity going forward.

Using network traffic is especially useful for asset mapping. After all, it can detect certain types of resources like legacy systems that other methods might fail to spot. This is important, as organizations’ networks are more complex than ever. After all, we’re fully within the rise of IoT, containers, cloud environments and the like. Anything with a network connection could provide attackers with a way in. Hence the need for an approach that considers all kinds of assets.

The Connection to Hybrid Work

The final sentence of the principle quoted above is particularly instructive for organizations in the age of hybrid work. Prior to 2020, the notion of allowing personal devices to connect to enterprise-owned resources operated in the context of Bring Your Own Device (BYOD) programs. Many organizations created those programs to support the demands of their employees for how they wanted to do their work. In doing so, they also saved money by removing the need for every employee to have a corporate-issued device.

That changed with the events of 2020. The world shifted to remote work, and the hybrid or flex work model followed. These events made personal devices essential for employees to do their work from their home offices. In doing so, they made the work of security teams harder, as traditional security approaches limited how much they could gain visibility over those remote devices — especially when they weren’t located in the same physical place.

That’s not an issue with zero trust. Indeed, zero trust can help because it treats each network connection as a resource to be validated. Every device, account and user is authorized on a case-by-case basis. That gives security teams a means to constantly validate remote connections.

More Zero Trust Principles to Come

This marks the beginning of a series looking at the basic tenets identified by NIST in SP 800-207. Stay tuned for the next blog post.

More from Zero Trust

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

What to Know About the Pentagon’s New Push for Zero Trust

The Pentagon is taking cybersecurity to the next level — and they’re helping organizations of all kinds do the same. Here’s how the U.S. Department of Defense is implementing zero trust and why this matters to all businesses and organizations. But first, let’s review this zero trust business. What is Zero Trust? Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer. It’s not about whether a person or…

Effectively Enforce a Least Privilege Strategy

Every security officer wants to minimize their attack surface. One of the best ways to do this is by implementing a least privilege strategy. One report revealed that data breaches from insiders could cost as much as 20% of annual revenue. Also, at least one in three reported data breaches involve an insider. Over 78% of insider data breaches involve unintentional data loss or exposure. Least privilege protocols can help prevent these kinds of blunders. Clearly, proper management of access…