The need for Zero Trust has been primarily driven by two important factors. The first is the fact that users are no longer strictly working from an office and instead work from anywhere. The second relates to the applications, data and services that once were centralized and hosted within the office and are now scattered throughout the cloud. Both factors have resulted in the erosion of the fixed office perimeter and, in many cases, the physical boundaries that once protected users and resources have completely vanished. This new reality in technology and its delivery is challenging not only from a security perspective, but from a compliance perspective as well.
Zero Trust aims to solve the challenges related to protecting resources, users and assets in a world where users and resources have no perimeters. According to a CISA report that studied ransomware attacks in 2021, the top three initial infection vectors for breaches were phishing, credential theft and vulnerabilities, all of which share the common root cause of unauthorized resource access. The National Institute of Standards and Technology, or NIST, created the Zero Trust Architecture framework to address the root causes of breaches with the goal of preventing unauthorized access to systems and services. NIST defined this architecture in NIST Special Publication 800-207.
The NIST 800-207 definition of the Zero Trust Architecture is centered around resource access and the verifications needed to ensure that resources are secure while users and assets interact with them. The security objectives the framework aims to achieve are preventing data loss, preventing data destruction and ensuring reliable access to the data. These security objectives are under constant attack by prolific ransomware operators and other attackers because applications and data have become ubiquitous as they have moved to the cloud. Although the NIST 800-207 Zero Trust Architecture has gained much popularity due to its ability to significantly reduce risk, long-term compliance with and successful implementation of its tenets are the only way our way of life can continue without significant disruption.
On January 26th, 2022, the US government issued an Executive Order that mandates that government agencies move to Zero Trust by the year 2024. The Executive Order references the NIST 800-207 throughout, with requirements of implementing this model across all Federal Agencies. With this order in place, similar protective regulations will likely be mandated at the state and local levels of government in the coming weeks and months. References to the NIST 800-207 are being made internationally as well, and it’s very likely revisions to other standards like ISO will follow a very similar protection model. Looking at compliance standards, many requirements are related to access control. The foundations of Zero Trust are based on controlling access that fulfills these compliance requirements in a broad way by protecting resources.
Zero Trust is just as much about security as it is about connectivity. Applying security controls such as malware defense and data loss prevention is native to this design principle. NIST uses an airport analogy to illustrate this point. At the airport, the goal is to protect airplanes. One way to accomplish this is to determine who might want to harm a plane, but that approach is very challenging due to the number of people at the airport with the potential to cause harm. The inverted solution starts from the observation that only a few hundred people are going to board each plane, namely the passengers holding tickets to travel. All others, including anyone without a boarding pass, are denied. This reduces the scope of the challenge from treating all people as possible attackers to just a handful of potential threats. Putting a security checkpoint in front of the plane allows travelers to be authenticated and authorized once their identification has been verified and their bags have been checked.
Zero Trust uses the same concept as an airport security checkpoint, but instead of protecting airplanes it protects digital resources by placing a security service checkpoint in front of them. Whenever access is required, authentication and authorization are performed by identifying the user and checking the assets to ensure they are not infected. Other checks on the asset can also be performed such as having the firewall enabled and antimalware running.
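The checkpoint described in the two paragraphs above can be made concrete as a policy decision function. The following is an added example written for this page, not code from NIST or from any product; the field names (authenticated, mfa, managed, firewall_enabled, antimalware_running, malware_detected), the sample users and the resource-to-group mapping are all constructed assumptions. Every request is evaluated in the same way regardless of where it comes from: the user's identity is checked first, then the asset's health, then whether the user is entitled to the specific resource, and a denial records every failing check so the reasons can be logged together.

```python
"""Added example: a minimal Zero Trust policy decision point in the spirit
of the NIST SP 800-207 checkpoint. Illustrative code written for this page,
not a NIST or vendor implementation; all attribute names and sample data
are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    """Who is asking. In practice `authenticated` and `mfa` come from the
    identity provider that verified the user's credentials."""
    user: str
    authenticated: bool
    mfa: bool
    groups: frozenset = field(default_factory=frozenset)


@dataclass
class DevicePosture:
    """State of the asset making the request, as an endpoint agent would
    report it (constructed attribute names)."""
    managed: bool
    firewall_enabled: bool
    antimalware_running: bool
    malware_detected: bool


@dataclass
class Decision:
    allow: bool
    reasons: list


# Constructed entitlement table (assumption): which groups may reach each resource.
RESOURCE_ACCESS = {
    "payroll-db": {"finance"},
    "wiki": {"finance", "engineering"},
}


def decide(subject: Subject, device: DevicePosture, resource: str) -> Decision:
    """Evaluate one access request at the checkpoint.

    Identity is the "boarding pass", device posture is the "bag screening",
    and the entitlement table is the passenger list for this particular plane.
    The request is allowed only when every check passes; otherwise all failing
    checks are returned so the denial can be logged with full context."""
    reasons = []
    # Identity checks.
    if not subject.authenticated:
        reasons.append("subject not authenticated")
    if not subject.mfa:
        reasons.append("multi-factor authentication not satisfied")
    # Asset health checks: an infected or unmanaged device is denied even
    # when the user's identity is perfectly valid.
    if not device.managed:
        reasons.append("device is not managed")
    if device.malware_detected:
        reasons.append("device reports active malware")
    if not device.firewall_enabled:
        reasons.append("host firewall disabled")
    if not device.antimalware_running:
        reasons.append("antimalware not running")
    # Entitlement: is this subject on the list for this resource at all?
    allowed_groups = RESOURCE_ACCESS.get(resource)
    if allowed_groups is None:
        reasons.append(f"unknown resource {resource!r}")
    elif not (subject.groups & allowed_groups):
        reasons.append(f"no group grants access to {resource!r}")
    return Decision(allow=not reasons, reasons=reasons)


def healthy_device() -> DevicePosture:
    """A device that passes every posture check (constructed sample)."""
    return DevicePosture(managed=True, firewall_enabled=True,
                         antimalware_running=True, malware_detected=False)


if __name__ == "__main__":
    # Constructed sample principal: a finance user with a healthy laptop.
    alice = Subject("alice", authenticated=True, mfa=True,
                    groups=frozenset({"finance"}))
    for res in ("payroll-db", "wiki", "hr-portal"):
        d = decide(alice, healthy_device(), res)
        print(res, "ALLOW" if d.allow else "DENY", d.reasons)
```

Note that the function has no notion of "inside" or "outside" the network: a request from an office desktop and one from a home laptop go through exactly the same checks, which is the point of the checkpoint model. In a real deployment the posture values would be fetched fresh from the endpoint agent for each decision rather than trusted from an earlier session.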
The NIST 800-207 falls squarely under the NIST Risk Management Framework, or RMF, which is a framework designed to reduce cyber risk across organizations of all types and sizes. The RMF is a very popular and robust framework that includes categorizing the resources being protected, understanding their risk and impact levels to the organization and implementing controls around those resources. The NIST 800-207 Zero Trust architecture is a component of the RMF related to reducing risk by controlling access.
Implementing Zero Trust now can solve many immediate problems facing enterprises today. It can connect remote users to the resources they need while allowing them to work from anywhere. It can ensure security is applied whenever users interact with protected resources without requiring those users to connect from the office. It can protect resources that are scattered throughout offices, datacenters, cloud and SaaS providers by making those applications and data private. Most importantly, it can fulfill compliance requirements by meeting access control requirements mandated throughout most US Federal and EU compliance standards.