
Key Tenets of NIST Zero Trust Architecture



Before delving into the architecture itself, NIST (in SP 800-207) sets out a few fundamental tenets that should be considered to ensure the success of any zero trust implementation. These tenets are the foundation on which an architecture that adheres to zero trust principles is built.

  • Defining Resources: To implement zero trust fully, the enterprise must treat all data sources and computing services as resources. This includes devices that send data to aggregators, software as a service (SaaS) applications, and the various kinds of endpoints that connect to and communicate over the network.

  • Securing Communications: All communication must be secured regardless of network location. An access request is subject to the same security checks whether the requesting asset sits on enterprise-owned network infrastructure or on an external network; being inside the perimeter confers no implicit trust.

  • Session-Based Resource Access: Trust must be established before access to any enterprise resource is granted, and that trust is valid only for the duration of the session. Authorization to one resource does not extend to any other resource; each resource requires its own access decision.

  • Attribute-Based Policy Enforcement: A policy is the set of access rules an organization applies to a user, data asset, or application based on observable attributes, such as device characteristics (software version, location, time of request, and so on). Depending on the sensitivity of the resource, behavioural attributes derived from user and device analytics may also be taken into account.

  • Dynamic Authentication and Authorization: Granting access, assessing threats, and re-evaluating trust are ongoing processes rather than one-time gates at login. Asset management systems and multifactor authentication (MFA), together with continuous monitoring, are needed so that re-authentication and re-authorization happen according to defined policy throughout the session.

  • Policy Fine-Tuning: Enterprises should collect as much information as possible about the current state of assets, network infrastructure, and communications, and use that data to improve their security posture continuously. The insight gained feeds the creation of new policies and the refinement of existing ones, so that protection is proactive rather than reactive.

Core Components of NIST Zero Trust Architecture

Implementing zero trust, according to NIST, requires an architecture built from specific logical components. To ensure that trust is never implicit, this architecture monitors the flow of data into and within the network and controls access to resources.


As a result, verification is central to zero trust architecture: every access request is verified against defined security policies before it is authorized. Given the complexity of enterprise networks, solutions that enable context-based, dynamic policy enforcement across data centre and hybrid cloud environments can simplify zero trust implementation considerably.

  • Policy Engine: The policy engine is the core of the zero trust architecture: it is the component that decides whether to grant access to a given network resource. To establish context it relies on policies defined by the enterprise's security team, together with input from external sources such as security information and event management (SIEM) systems and threat intelligence feeds. Access is then granted, denied, or revoked based on the parameters the enterprise has defined. The engine passes its decision to the policy administrator, which is responsible for carrying it out.

  • Policy Administrator: The policy administrator executes the access decisions made by the policy engine. It is the component with the authority to establish or shut down the communication path between a subject and a resource. Once the engine has decided, the administrator signals a third logical component, the policy enforcement point, to establish or tear down the session, and it issues any session-specific credential or token the enforcement point needs to admit the subject.

  • Policy Enforcement Point: The policy enforcement point is responsible for connecting a subject to an enterprise resource and for enabling, monitoring, and terminating that connection. It is described as a single logical component, but in practice it usually has two sides: a client side, such as an agent on a laptop or server, and a resource side that acts as a gateway in front of the resource and controls access to it.
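
The three components above, and the per-session, attribute-based, continuously re-evaluated access that the tenets describe, can be seen working together in the following Python model. It is an added example, not code from NIST or from this page: the `POLICY` table, the subject "alice", the risk scores, the in-memory session store and the `clock` and `risk_feed` callables are all constructed stand-ins (the risk feed plays the role of the SIEM input the policy engine consumes). It shows a denial for missing MFA, a grant, a session token being refused by the enforcement point of a different resource, revocation after the risk score rises mid-session, and expiry when the session's lifetime ends.

```python
"""Toy NIST SP 800-207 control plane: policy engine (PE), policy administrator
(PA) and policy enforcement point (PEP). Added illustration, not NIST's code;
the policy, subject and risk feed are constructed sample data."""
import secrets
from dataclasses import dataclass

# Hypothetical per-resource policy: permitted roles, MFA requirement, minimum
# device OS version (posture) and the highest SIEM risk score tolerated.
POLICY = {
    "hr-db": {"roles": {"hr"}, "mfa": True, "min_os": (14, 2), "max_risk": 30},
    "wiki": {"roles": {"hr", "eng"}, "mfa": False, "min_os": (12, 0), "max_risk": 70},
}

@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    mfa_ok: bool
    device_os: tuple  # (major, minor) as reported by the client-side agent
    resource: str

class PolicyEngine:
    """Decides one request from static policy plus a live risk signal (SIEM/TI)."""
    def __init__(self, policy, risk_feed):
        self.policy, self.risk_feed = policy, risk_feed  # risk_feed(subject) -> 0..100

    def evaluate(self, req):
        rule = self.policy.get(req.resource)
        if rule is None:
            return False, "unknown resource: default deny"
        risk = self.risk_feed(req.subject)
        checks = [
            (req.role in rule["roles"], "role not permitted"),
            (req.mfa_ok or not rule["mfa"], "MFA required"),
            (req.device_os >= rule["min_os"], "device posture: OS below minimum"),
            (risk <= rule["max_risk"], f"risk score {risk} exceeds {rule['max_risk']}"),
        ]
        failed = [reason for ok, reason in checks if not ok]
        return not failed, (failed[0] if failed else "all checks passed")

class PolicyAdministrator:
    """Turns PE decisions into short-lived sessions, each bound to one resource."""
    def __init__(self, engine, clock, ttl=300):
        self.engine, self.clock, self.ttl, self.sessions = engine, clock, ttl, {}

    def request_access(self, req):
        allowed, reason = self.engine.evaluate(req)
        if not allowed:
            return None, reason
        token = secrets.token_hex(16)
        # The request is kept so continuous evaluation re-runs the PE on the same facts.
        self.sessions[token] = {"request": req, "expires_at": self.clock() + self.ttl, "revoked": False}
        return token, reason

    def reevaluate(self):
        """Continuous evaluation: re-run the PE on live sessions, revoke on deny."""
        stale = [s for s in self.sessions.values()
                 if not s["revoked"] and not self.engine.evaluate(s["request"])[0]]
        for s in stale:
            s["revoked"] = True
        return len(stale)

class PolicyEnforcementPoint:
    """Resource-side gateway: admits only a live session issued for this resource."""
    def __init__(self, pa, resource, clock):
        self.pa, self.resource, self.clock = pa, resource, clock

    def admit(self, token):
        s = self.pa.sessions.get(token)
        if s is None:
            return False, "no such session"
        for bad, reason in ((s["revoked"], "session revoked"),
                            (s["request"].resource != self.resource, "session bound to another resource"),
                            (self.clock() >= s["expires_at"], "session expired")):
            if bad:
                return False, reason
        return True, "admitted"

def run_demo():
    """One subject: denial, grant, blocked lateral move, mid-session revocation, TTL expiry."""
    risk, now = {"alice": 10}, [1000.0]   # mutable SIEM stand-in; controllable clock
    pe = PolicyEngine(POLICY, lambda subj: risk.get(subj, 100))
    pa = PolicyAdministrator(pe, clock=lambda: now[0])
    pep_hr = PolicyEnforcementPoint(pa, "hr-db", clock=lambda: now[0])
    pep_wiki = PolicyEnforcementPoint(pa, "wiki", clock=lambda: now[0])
    alice = Request("alice", "hr", True, (14, 4), "hr-db")
    out = {"no_mfa": pa.request_access(Request("alice", "hr", False, (14, 4), "hr-db"))[1]}
    token, _ = pa.request_access(alice)
    out["hr_admit"] = pep_hr.admit(token)[1]
    out["wiki_with_hr_token"] = pep_wiki.admit(token)[1]  # sessions are per resource
    risk["alice"] = 80                                     # SIEM raises the score mid-session
    out["revoked"] = pa.reevaluate()
    out["hr_after_revoke"] = pep_hr.admit(token)[1]
    risk["alice"] = 10
    fresh, _ = pa.request_access(alice)
    now[0] += 301                                          # clock passes the session TTL
    out["hr_after_ttl"] = pep_hr.admit(fresh)[1]
    return out
```

Two design choices carry the tenets. The session records the original request, so `reevaluate()` re-runs the engine on the same facts with fresh external signals rather than trusting the earlier decision; and the enforcement point checks that the token was issued for its own resource, so authorization to one resource never extends to another. A subject with an unknown risk score is treated as maximum risk (`risk.get(subj, 100)`), which keeps the default on the deny side.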

NIST's zero trust architecture is a detailed guide for enterprises and organizations embarking on their zero trust journey. There is, however, no single correct way to implement it. Existing identity and access management tools can be adapted to follow zero trust principles to some extent, but purpose-built security tooling can make the journey easier and more efficient. A good starting point is real-time visibility into all network communications. Once you have a complete view of the network, a robust policy engine that can enforce policy across dynamic network environments enables zero trust implementation without adding complexity.
