NIST Releases Enterprise Zero Trust Architecture Draft Document

Growth In Cloud Services And Remote Workers Drives Need To Protect Resources

Jeff Orr


As information security matures, the need for common frameworks and industry standards emerges. In the U.S., the Department of Commerce’s National Institute of Standards and Technology (NIST) is a primary driver of the standards effort for both the private and public sectors.

NIST has developed a technology-neutral set of terms, definitions, and logical components of network infrastructure using a Zero Trust Architecture (ZTA) strategy. The draft document (SP 800-207) is currently under review and open for comment through November 22, 2019. The document is not intended to be a single deployment plan for ZTA, as an enterprise will have unique business use cases and data assets that require protection. Starting with a solid understanding of your organization's business and data will result in a strong approach to zero trust.

An Introduction To Zero Trust Architecture

Zero Trust is a network security concept that moves network defenses away from wide network perimeters toward a narrow focus on individual resources or small groups of resources. In a ZTA strategy, no implicit trust is granted to systems based on their physical or network location, such as the corporate LAN versus the internet. Access to a data resource is granted only when that resource is required, and authentication of both the user and the device is performed before the connection is established.
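To make the difference concrete, here is an added illustration (not code from NIST or from SP 800-207) of the decision a zero trust policy engine makes, set beside the legacy perimeter decision. The LAN range, resource names, roles and requests are all constructed examples; the point is that the zero trust path never consults the source address, and requires an authenticated user, a verified device, and a per-resource policy match before granting access to that one resource.

```python
"""Added example: perimeter-based vs zero-trust access decisions.
Not NIST code; all names, ranges and policies below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Tuple, Dict

# Hypothetical corporate LAN range. Only the legacy perimeter model looks at it.
CORPORATE_LAN = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    subject: str                # user identity asserted by the request
    user_authenticated: bool    # identity provider verified the user (e.g. MFA)
    device_id: str
    device_verified: bool       # device identity and posture were attested
    source_ip: str
    resource: str               # the single resource being requested
    roles: frozenset = field(default_factory=frozenset)


# Constructed per-resource policy: which roles may reach which resource.
# Anything not listed is denied by default.
RESOURCE_POLICY = {
    "hr-db": {"hr"},
    "wiki": {"hr", "engineering"},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: a request from inside the LAN is implicitly trusted."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """ZTA model: decide per request and per resource.

    Network location is deliberately never consulted; user authentication,
    device verification and the resource's own policy must all pass."""
    if not req.user_authenticated:
        return False, "user not authenticated"
    if not req.device_verified:
        return False, "device not verified"
    allowed_roles = RESOURCE_POLICY.get(req.resource)
    if allowed_roles is None:
        return False, "no policy for resource (default deny)"
    if not (req.roles & allowed_roles):
        return False, "subject role not permitted for resource"
    # Grant covers only the requested resource, not the whole network.
    return True, "access granted to %s only" % req.resource


def compare(req: AccessRequest) -> Dict[str, bool]:
    """Side-by-side result of both models for one request."""
    return {
        "perimeter": perimeter_decision(req),
        "zero_trust": zero_trust_decision(req)[0],
    }


# Constructed sample requests.
# 1. Inside the LAN, user logged in, but the device was never verified.
LAN_UNVERIFIED = AccessRequest(
    subject="alice", user_authenticated=True,
    device_id="laptop-unknown", device_verified=False,
    source_ip="10.20.30.40", resource="hr-db", roles=frozenset({"hr"}),
)
# 2. Remote worker on a verified device with the right role.
REMOTE_VERIFIED = AccessRequest(
    subject="bob", user_authenticated=True,
    device_id="laptop-0042", device_verified=True,
    source_ip="203.0.113.7", resource="hr-db", roles=frozenset({"hr"}),
)
# 3. Remote worker fully verified but requesting a resource outside their role.
REMOTE_WRONG_ROLE = AccessRequest(
    subject="carol", user_authenticated=True,
    device_id="laptop-0077", device_verified=True,
    source_ip="203.0.113.9", resource="hr-db", roles=frozenset({"engineering"}),
)

if __name__ == "__main__":
    for name, req in [("LAN, unverified device", LAN_UNVERIFIED),
                      ("remote, verified", REMOTE_VERIFIED),
                      ("remote, wrong role", REMOTE_WRONG_ROLE)]:
        print(name, compare(req), zero_trust_decision(req)[1])
```

The first request shows the gap the article describes: the perimeter model admits it because of where it comes from, while the zero trust engine refuses it because the device was never verified. The second request is the inverse, a remote worker the perimeter model would block but zero trust admits for that single resource. The third shows that location and verification alone are not enough; the per-resource policy still has to match.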

The growth in cloud applications and remote users is forcing organizations to expand their security perimeter. ZTA addresses this trend by focusing on protecting resources rather than network segments, since network location is no longer seen as the prime component of a resource’s security posture. The NIST document attempts to define ZTA and gives general deployment models and use cases where ZTA could improve an enterprise’s overall IT security posture.


ZTA strategies are already present in federal cybersecurity policies and programs, and the NIST ZTA document also includes a gap analysis of areas where more research and standardization are needed to help agencies develop and implement ZTA strategies. Alongside the deployment models and use cases, the document provides a high-level roadmap for implementing a ZTA approach in an enterprise.

NIST Survey Identifies ZTA Gaps

In developing the draft document, NIST surveyed the market to understand the maturity of zero trust components and solutions. The current state of the ZTA ecosystem is not mature enough for widespread adoption. Strategies built around ZTA exist for planning and deploying an enterprise network; however, no single solution delivers all of the necessary components. Finally, the survey found that few of the ZTA components available today can be used across all of the various workflows present in an enterprise.
