Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.

Today we are continuing the series on the National Institute of Standards and Technology, otherwise referred to as NIST. Yes, yes, another NIST publication. How many are there out there? Well, I could fill a few months’ worth of TomCasts doing NIST publications (and I just might do that). Today’s discussion centers on the hottest NIST publication on the minds of the federal government, NIST Special Publication 800-207. It covers the topic of Zero Trust Architecture, or ZTA for short.

Why is this such a hot topic right now? Well, the Executive Order on Improving the Nation’s Cybersecurity, number 14028, focuses on zero trust and references the attributes in that particular publication. So, government agencies are scrambling to read, learn, understand, and implement the various pieces and parts of this publication sooner rather than later. This is a much shorter publication than 800-53: it is a 50-page document that doesn’t rely on extensive appendices, although it does contain a couple. It gets relatively straight to the point.

Ok, so what does zero-trust mean, exactly? As explained in the publication, quoting the publication here, “zero trust security models assume that an attacker is present in the environment, and that an enterprise-owned environment is no different, or no more trustworthy, than a non-enterprise-owned environment.” Authenticate to everything, and no more implicit trust. This minimizes the chance of continued pivoting and lateral movement in the case of a compromised set of credentials.

Minimizes the chance, that is, if proper authentication and authorization mechanisms are in place, multifactor authentication for example. Also, even though the title is Zero Trust Architecture, believe it or not this isn’t an actual architecture to implement. Again, in the specific words of the publication, the zero-trust model is, and I quote here, “a set of guiding principles, workflow, system design, and operations”.

The interesting part about this publication is that the collaborators and composers understand that this is an ever-evolving landscape and that it will take time, routine auditing, and adjusting to accomplish and maintain. The model should decrease uncertainties. Nothing will truly eliminate them, but when correctly implemented, configured, and administered, the unknowns should be lessened significantly.

The zero trust model has seven tenets it is based upon, and those tenets also have some assumptions in place. Here are the seven tenets:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by a dynamic policy – including the observable state of client identity, application/service, and requesting asset – and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

At the end of the tenets on page 7, there is a line in the paragraph that follows that states “the above tenets are meant to be technology agnostic”, which is a very important statement when you consider just how stringent agencies tend to be with regard to the products used. Why do I think that is important? Well, think of a standard set of tools your organization may be using currently. While they may fit the bill right now and meet the need, a new set of tools may be released that better meets the need in a future state, and this provides the allowance to explore those other sets of tools to accomplish the mission.

Ok, on to the assumptions that follow the seven tenets. There are six, and they are as follows:

  1. The entire enterprise private network is not considered an implicit trust zone. (remember what we stated earlier about implicit trust?)
  2. Devices on the network may not be owned or configurable by the enterprise.
  3. No resource is inherently trusted.
  4. Not all enterprise resources are on enterprise-owned infrastructure.
  5. Remote enterprise subjects and assets cannot fully trust their local network connection.
  6. Assets and workflows moving between enterprise and nonenterprise infrastructure should have a consistent security policy and posture.
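To make the tenets and assumptions above concrete, here is a small added example (my own illustration, not code from NIST or from the publication) of a policy decision point that enforces several of them: access is granted per session and per resource (tenet 3), the decision is driven by identity, device posture, and behavioral attributes (tenets 4, 5 and 6), and the network the request came from is recorded but never used as a basis for trust (tenet 2, assumption 1). The resource names, policy thresholds, and request fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

@dataclass(frozen=True)
class AccessRequest:
    subject: str                  # authenticated identity of the requester
    mfa_verified: bool            # multifactor authentication completed (tenet 6)
    asset_managed: bool           # device is enterprise-owned/configurable (assumption 2)
    posture_score: int            # 0-100 from endpoint monitoring (tenet 5)
    network: str                  # "corp", "remote", ... logged but never trusted (tenet 2)
    failed_logins_last_hour: int  # behavioral attribute fed into the policy (tenet 4)
    resource: str                 # every data source/service is a resource (tenet 1)

# Constructed policy: each resource carries its own requirements.
POLICY = {
    "hr-db": {"min_posture": 80, "require_mfa": True, "require_managed": True},
    "wiki":  {"min_posture": 50, "require_mfa": True, "require_managed": False},
}

def evaluate(req: AccessRequest) -> list[str]:
    """Return the reasons to deny; an empty list means allow.
    req.network is intentionally never consulted: being on the corporate
    LAN grants nothing (assumption 1)."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return ["unknown resource: nothing is implicitly trusted"]
    reasons = []
    if rule["require_mfa"] and not req.mfa_verified:
        reasons.append("multifactor authentication required")
    if rule["require_managed"] and not req.asset_managed:
        reasons.append("resource requires an enterprise-managed asset")
    if req.posture_score < rule["min_posture"]:
        reasons.append(f"device posture {req.posture_score} below {rule['min_posture']}")
    if req.failed_logins_last_hour >= 5:
        reasons.append("anomalous authentication behavior")
    return reasons

@dataclass(frozen=True)
class Session:
    token: str
    subject: str
    resource: str      # the grant is scoped to exactly one resource (tenet 3)
    expires_at: float

def grant(req: AccessRequest, now: float, ttl: float = 900.0) -> Optional[Session]:
    """Per-session grant: one resource, short lifetime; None when policy denies."""
    if evaluate(req):
        return None
    return Session(secrets.token_hex(16), req.subject, req.resource, now + ttl)

def authorize(session: Session, resource: str, now: float) -> bool:
    """A session for one resource never carries over to another, nor past expiry."""
    return session.resource == resource and now < session.expires_at
```

A request for a second resource, or the same resource after the session expires, has to go back through `evaluate` with fresh posture and behavioral inputs; that re-evaluation is what makes the policy dynamic rather than a one-time login.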

These are some of the main areas to consider and focus upon when electing to guide your organization into a zero trust model. The publication goes on to define the trust algorithm, the core components, sandboxing, connection and computing models, and much, much more. There is a lot of very useful material packed into those 50 pages. The document wraps up with a couple of appendices that contain useful acronyms and “Identified Gaps in the Current State-of-the-Art in ZTA”. That particular appendix, Appendix B, might just be the answer key you or your organization could be looking for with regard to questions you may have about the implementation of ZTA.

Open up your preferred browser, utilize your preferred search engine, and look up NIST SP 800-207. Give it a cursory read and get a better understanding of the zero-trust model. It is definitely worth the time and the read.

We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!