
NIST Shares Final Zero Trust Architecture Strategies, Guidance

Developed in collaboration with federal agencies, the final NIST Zero Trust Architecture publication details the enterprise security model and provides a roadmap for deploying the concept.


By Jessica Davis

NIST unveiled the final version of its Zero Trust Architecture publication, which sheds light on the enterprise security model and provides private sector organizations a road map for deploying the cybersecurity concept across the organization.

Overseen by the Federal CIO Council, the guidance was developed in collaboration between NIST and multiple federal agencies and is meant for cybersecurity leaders, administrators, and managers. The document is aimed at providing leadership with a better understanding of the zero trust environment. 

As cyberattacks grow more sophisticated and credential theft more frequent, perimeter defenses alone are no longer enough to keep an organization from falling victim. Human-operated ransomware intrusions in particular can leave attackers undetected inside a network for days, and sometimes months.

It’s important to note that zero trust is not a single deployment, as security researchers have previously explained to HealthITSecurity.com. Rather, it is an evolving set of cybersecurity paradigms that moves an organization’s defenses away from a static, network-perimeter model toward a plan that covers users, assets, resources, infrastructure, and workflows.

The model grants no “implicit trust” to users or assets based on their location, whether physical or on the network, or on whether the enterprise owns them. Instead, authentication and authorization of both the subject and the device are discrete functions performed before each session to an enterprise resource is established.

“Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary,” according to NIST.

“Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource,” it continued.  

The guide contains a full description of the architecture as well as deployment models and use cases that organizations can apply to their own networks to improve their overall IT security posture.

The deployment of a zero trust model begins with an understanding of workflows and assets. The guide breaks down various deployment scenarios and variations of the abstract architecture, including device agent/gateway-based, enclave-based, and resource portal-based deployments, as well as device application sandboxing.

The publication includes basics of zero trust tenets and an overall view of a zero trust network, as well as the logical components needed to develop a zero trust architecture and various approaches. Enterprise administrators can find insights into enhanced identity governance, micro-segmentation, and leveraging network infrastructure and software-defined perimeters. 

Administrators can also find guidance on trust algorithms and the network and environment requirements for deployment, along with threats to the zero trust model itself, such as subversion of its decision process and stolen credentials.
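To make the "no implicit trust" tenet and the trust-algorithm idea concrete, here is an added example of a small policy engine that makes a per-session access decision. It is illustrative code written for this page, not code from NIST or from SP 800-207; the scoring weights, thresholds, resource names (ehr-api, cafeteria-menu) and sample requests are constructed assumptions. Network location is recorded but deliberately contributes nothing to the score, so a request from the corporate LAN earns no more trust than one from a remote user; identity strength, device posture and contextual risk signals decide instead.

```python
"""Illustrative score-based, contextual trust algorithm for a zero trust
policy engine (added example; weights, thresholds, resource names and
sample requests are assumptions, not taken from NIST SP 800-207)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    mfa_verified: bool
    risk_flags: frozenset = frozenset()   # contextual signals, e.g. "impossible_travel"


@dataclass(frozen=True)
class Device:
    device_id: str
    enterprise_managed: bool
    os_patched: bool
    edr_healthy: bool


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    action: str
    network: str     # "corporate", "remote", ... : logged, never scored


@dataclass(frozen=True)
class ResourcePolicy:
    required_roles: frozenset          # empty set means any authenticated subject
    min_score: int                     # trust score the session must reach
    require_managed_device: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    score: int
    reasons: tuple                     # empty when allowed


# Assumed per-resource policies. Unknown resources fall through to default deny.
POLICIES = {
    "ehr-api": ResourcePolicy(frozenset({"clinician"}), min_score=80, require_managed_device=True),
    "cafeteria-menu": ResourcePolicy(frozenset(), min_score=20, require_managed_device=False),
}

# Assumed weights. There is no entry for network location on purpose.
WEIGHTS = {"mfa_verified": 40, "enterprise_managed": 25, "os_patched": 20, "edr_healthy": 15}
IMPOSSIBLE_TRAVEL_PENALTY = 50


def trust_score(req: AccessRequest) -> int:
    """Score identity and device posture, then apply contextual penalties."""
    score = 0
    if req.subject.mfa_verified:
        score += WEIGHTS["mfa_verified"]
    if req.device.enterprise_managed:
        score += WEIGHTS["enterprise_managed"]
    if req.device.os_patched:
        score += WEIGHTS["os_patched"]
    if req.device.edr_healthy:
        score += WEIGHTS["edr_healthy"]
    if "impossible_travel" in req.subject.risk_flags:
        score -= IMPOSSIBLE_TRAVEL_PENALTY   # lowers trust for this session only
    return max(score, 0)


def evaluate(req: AccessRequest) -> Decision:
    """Decide one session. Every check must pass; any failure is a deny with reasons."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return Decision(False, 0, ("unknown resource: default deny",))
    score = trust_score(req)
    reasons = []
    if policy.required_roles and not (policy.required_roles & req.subject.roles):
        reasons.append("subject lacks required role")
    if policy.require_managed_device and not req.device.enterprise_managed:
        reasons.append("unmanaged device")
    if score < policy.min_score:
        reasons.append(f"trust score {score} below threshold {policy.min_score}")
    return Decision(not reasons, score, tuple(reasons))


# Constructed sample requests (hypothetical users and devices).
CLINICIAN = Subject("dr.lee", frozenset({"clinician"}), mfa_verified=True)
MANAGED_LAPTOP = Device("lt-0042", enterprise_managed=True, os_patched=True, edr_healthy=True)
BYOD_LAPTOP = Device("byod-17", enterprise_managed=False, os_patched=True, edr_healthy=False)

REMOTE_MANAGED = AccessRequest(CLINICIAN, MANAGED_LAPTOP, "ehr-api", "read", network="remote")
LAN_BYOD = AccessRequest(CLINICIAN, BYOD_LAPTOP, "ehr-api", "read", network="corporate")
FLAGGED_SESSION = AccessRequest(
    Subject("dr.lee", frozenset({"clinician"}), True, frozenset({"impossible_travel"})),
    MANAGED_LAPTOP, "ehr-api", "read", network="corporate")
BYOD_MENU = AccessRequest(CLINICIAN, BYOD_LAPTOP, "cafeteria-menu", "read", network="corporate")

if __name__ == "__main__":
    for name, req in [("remote managed", REMOTE_MANAGED), ("LAN BYOD", LAN_BYOD),
                      ("flagged session", FLAGGED_SESSION), ("BYOD menu", BYOD_MENU)]:
        d = evaluate(req)
        print(f"{name:16} allowed={d.allowed} score={d.score} {d.reasons}")
```

Because the decision is computed per request, the same clinician is allowed into the clinical API from a healthy managed laptop off-site, refused from an unmanaged laptop on the corporate LAN, and refused again from the good laptop once an impossible-travel signal is attached to the session; the low-sensitivity resource still admits the BYOD device. A real policy engine would re-evaluate on a timer or on posture change rather than once at session start, and would feed its inputs from identity, device-management and threat-intelligence systems rather than from literals.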

Lastly, the publication breaks down how the zero trust architecture can be paired with existing federal guidance like the NIST Risk Management Framework and NIST Privacy Framework. 

“In particular, modern healthcare networks have seen explosions in the use of IT technology on clinical networks where care is delivered,” Chris Williams, Cyber Solution Architect, Capgemini North America, said in a recent interview with HealthITSecurity.com. 

“Healthcare organizations should have some segregation of clinical capabilities from IT and internet-connected capabilities, so that internet-based issues cannot interfere with patient care and safety,” he added. “Situations where devices and users are trusted simply because they are connected need to be identified, isolated, and locked down to the greatest extent possible.”