The National Institute of Standards and Technology, commonly referred to as NIST, recently published a new computer framework for users to consider as a cyber-framework security model — the Zero Trust Architecture Model (ZTA). This new model was officially published in NIST SP 800-207 in late 2020.
NIST, founded in 1901, is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by “advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.” One of the main missions of NIST is designing and promoting secure cybersecurity framework models for use in American industry.
To date, most network informational technology NIST models used in American businesses have some level of user trust established for privileged users. For example, when a network user authenticates with single sign-on (SSO) access, the user has access to any of several independent software systems in the network based on his or her original authentication. One of the most important current NIST cybersecurity models, which is designed to help protect the security of controlled unclassified information, known as NIST 800-171, acknowledges the use of trusted users in many network topologies.
According to NIST, ZTA relies on a newly evolving set of security paradigms “that narrows defenses from wide network perimeters to individual or small groups of resources.” ZTA also focuses on protecting resources rather than protecting network segments. Specifically, ZTA refocuses network cybersecurity frameworks based on these new concepts:
- ZTA uses “zero trust” principles to plan industrial and enterprise workflows. Zero trust assumes that there are NO implicit internal trust privileges granted to assets or to user accounts based solely on physical location, network location, or even asset ownership;
- Authentication and authorization — both for a person or a device on a network — are now “discrete” functions that are performed before a session to establish an enterprise- or network-wide usable resource; and
- ZTA is designed in response to enterprise networks that use remote users, user-owned or “BYOD” devices, and cloud-based assets that are not located within the original enterprise-owned network boundary.
What does this mean to the users of a new Zero Trust Architecture network? ZTA means that by default no one person is trusted from inside or from outside a network, and verification is continuously required to gain access to resources on that network. By eliminating inherent trust in a network setting, this should greatly decrease the possibility of data breaches, since verification would be required at every aspect of network usage, as opposed to only the initial “logging in” stage for authentication purposes. The mantra for advocates of the ZTA model is “never trust, always verify.” According to Palo Alto Networks, this model, when used correctly, will protect modern digital environments by leveraging network segmentation, preventing user lateral movement and providing a “Layer 7” threat-protection model.
Fortunately, ZTA is designed to be built on your existing network architecture. You do not need to rip out and replace your existing network. ZTA is actually quite simple to deploy, implement and maintain and can be done with minimal cost.
ZTA is not without its critics. There are some individuals who believe that ZTA is an unrealistic cybersecurity framework since it demands full control of everything that a user would access. Specifically, many find ZTA to be “impractical and unrealistic” to implement. Some of the obstacles that are considered too great to overcome as they relate to the ZTA model include:
- Technical debt
- Legacy systems
- Peer-to-peer technologies
- Digital transformation
It may be too soon to tell whether Zero Trust Architecture will become a force in the future of cybersecurity frameworks. There are legitimate pros and cons to the implementation of such a system. There is little doubt that a platform requiring greater user authorization and authentication would provide a greater level of security. However, can or should such a platform be used at the expense of efficiency when users access enterprise network resources?
Time will tell whether the growth of ZTA will continue. One critical network security rule that will never change is as powerful today as when I learned it over 22 years ago, when I started with the FBI — the only safe network is a network with no users. Otherwise, this conversation on the applicability of ZTA is just starting.
ZTA deserves to be in the discussion as a potential cybersecurity framework. Now that NIST has provided some guidance on its potential use that may very well be the case.