On 11 August, the National Institute of Standards and Technology (NIST) released a 50-page guidance document on Zero Trust Architecture (ZTA), written specifically with the enterprise in mind. It is not intended to be a single deployment plan for ZTA, as every enterprise will have unique use cases and assets that need protection. We’ve pored over the guidance to provide a TL;DR; you can read the full publication here.

Enterprise infrastructure is becoming increasingly complex: a single enterprise may operate several internal networks and remote offices with their own local infrastructure, support a large contingent of remote and mobile users, and increasingly adopt cloud services. The lack of a clearly defined perimeter, together with distributed ownership of technologies, has made perimeter-based security techniques increasingly ineffective and given rise to ZTA.

ZTA Basics

NIST defines ZTA as:

“Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. ZTA is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”

ZT focuses on data and service protection but can be expanded to all enterprise assets including devices, infrastructure, applications and so forth. Under ZT, there is the assumption that an attacker is present in an environment; no implicit trust must be assumed based on user location or recognized device; risk must be continually analyzed and access to resources minimized.

ZT encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. To mitigate the implicit trust assumptions associated with traditional perimeter-based security techniques, the focus needs to be on authentication, authorization and shrinking implicit trust zones, while maintaining availability and minimizing temporal delays in authentication mechanisms. Access rules are made as granular as possible to enforce a least privilege access model.

Zero Trust Principles

A ZTA is designed and deployed with the following principles in mind:

  • All data sources and computing services are considered resources
  • All communication is secured regardless of network location
  • Access to individual enterprise resources is granted on a per-session basis
  • Access to resources is determined by dynamic policy including the observable state of client identity, application/service, and the requesting asset. This may include other behavioral and environmental attributes.
  • Enterprise monitors and measures the integrity and security posture of all owned and associated assets
  • All resource authentication and authorization are dynamically and strictly enforced before access is allowed
  • Enterprise collects as much info as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

ZTA Logical Components

There are numerous logical components that make up a ZTA deployment in an enterprise. These components may be operated as an on-premises service or through a cloud-based service. The core components include:

  • Policy engine: the component ultimately responsible for granting or denying access to a resource.
  • Policy administrator: responsible for establishing or shutting down the communication path between a subject and resource.
  • Policy enforcement point (PEP): the system responsible for enabling, monitoring and eventually terminating connections between a subject and enterprise resource.

NIST also lists a number of secondary components that can be used to input into policy rules when making access decisions:

  • Continuous diagnostics and mitigation (CDM) system
  • Industry compliance system
  • Threat intelligence feed
  • Network and system activity logs
  • Data access policies
  • Enterprise public key infrastructure (PKI)
  • ID management system
  • Security information and event management (SIEM) system

ZTA Approaches

There are several ways that an enterprise can enact a ZTA for its workflows. These approaches vary in the components used and in the main source of policy rules for the organization. Each approach implements all the tenets of ZT.

  • Enhanced identity governance: uses the identity of the actors involved as a core component in policy creation. The primary requirement for resource access is based on the access privileges granted to the given subject. Other factors such as the device used, asset status, and environmental factors may alter the final confidence level calculation (and ultimate access authorization) or tailor the result in some way.
  • Using microsegmentation: in this approach, the enterprise places infrastructure devices such as intelligent switches (or routers), next-generation firewalls (NGFWs) or special-purpose gateway devices to act as PEPs protecting each resource or small group of related resources.
  • Software-defined perimeter: The ZTA implementation is achieved by using an overlay network. In this approach, the policy administrator acts as the network controller that sets up and reconfigures the network based on the decisions made by the policy engine.

Amongst these approaches, there are a number of deployment options that enterprises can adopt including device agent/gateway-based, enclave-based, resource portal-based and device application sandboxing.

NIST emphasizes the importance of a trust algorithm and describes the different ways to implement it, concluding that a contextual trust algorithm is the better approach.
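To make the logical components and the trust algorithm concrete, here is an added toy model (not NIST’s or Wandera’s code) of the access-decision flow: a policy engine runs a score-based, contextual trust algorithm, the policy administrator sets up or tears down a per-subject, per-resource session, and the PEP only forwards requests that hold a current grant. The scoring weights, thresholds and subject/resource values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    user: str
    mfa: bool               # authenticated with MFA in this session
    device_compliant: bool  # posture result from the CDM system
    location: str
    known_locations: set = field(default_factory=set)  # subject history (context)

@dataclass
class Resource:
    name: str
    min_confidence: int     # threshold set per resource by data access policy

def contextual_trust_score(s: Subject) -> int:
    """Score-based, contextual trust algorithm. Weights are constructed
    for illustration and are not taken from NIST SP 800-207."""
    score = 40 if s.mfa else 15
    score += 30 if s.device_compliant else 0
    # Context: a location this subject has never used before lowers confidence.
    score += 30 if s.location in s.known_locations else 10
    return score

class PolicyEngine:
    """Ultimately grants or denies access to a resource."""
    def decide(self, s: Subject, r: Resource) -> bool:
        return contextual_trust_score(s) >= r.min_confidence

class PolicyAdministrator:
    """Establishes or shuts down the session that the PEP will enforce."""
    def __init__(self, engine: PolicyEngine):
        self.engine, self.sessions = engine, set()
    def request(self, s: Subject, r: Resource) -> bool:
        if self.engine.decide(s, r):
            self.sessions.add((s.user, r.name))   # grant is per subject and resource
            return True
        return False
    def terminate(self, s: Subject, r: Resource) -> None:
        self.sessions.discard((s.user, r.name))

class PolicyEnforcementPoint:
    """Data-plane check: only requests with a current session grant pass."""
    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa
    def allow(self, s: Subject, r: Resource) -> bool:
        return (s.user, r.name) in self.pa.sessions
```

A grant for one resource does not carry over to another, and terminating the session immediately closes the path at the PEP, which is the per-session, per-resource behaviour the tenets above call for.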

ZTA Use Cases

NIST lists a number of use cases for adopting ZTA, including:

  • Enterprise with satellite facilities
  • Multi-cloud environments
  • Contracted services and non-employee access
  • Inter-enterprise collaboration
  • Enterprises with public-facing services

Migrating to ZTA

Implementing ZTA is a journey and requires considerable planning and an incremental approach to achieve the desired architecture. How a company migrates to ZTA is largely dependent on existing security posture and operations. A thorough audit of an enterprise’s existing estate needs to be performed in order to effectively guide future processes and make sure that there is alignment. Acknowledging that several existing federal policies and guidance overlap with ZTA, NIST provides further guidance in the publication on how existing policies can shape ZTA strategies.

If you’re starting a Zero Trust project at your organization, Wandera Private Access provides simple, secure access to all your corporate applications, for any user, on any device. Get in touch to learn more about how Wandera can help you with your Zero Trust journey.