NIST Seeks Industry Input on Zero Trust for Cybersecurity

Published: October 31, 2019


The federal tech agency wants industry feedback on how Zero Trust Architecture can be deployed to improve an enterprise’s overall IT security posture.

The National Institute of Standards and Technology (NIST), in collaboration with the Federal CIO Council’s architecture subgroup, recently released a draft special publication addressing Zero Trust Architecture (ZTA) and potential deployments in federal agencies and beyond.

Zero Trust refers to network security that shifts defenses from the network perimeter to the actual information resources being accessed, and only at the time they are accessed, requiring authentication before a connection is established. “ZTA assumes the network is hostile and that an enterprise-owned network infrastructure is no different—or no more secure—than any non-enterprise owned network,” NIST says in the publication’s introduction.

The draft publication provides a definition of ZTA, its logical components, possible deployment scenarios, and threats. It also presents a general roadmap for organizations wishing to migrate to a ZTA-centered network infrastructure and discusses relevant federal policies that may impact or influence a zero trust architecture.

ZTA Gap Analysis

NIST identified gaps that impede movement to ZTA and that present both challenges and opportunities for future research and solutions.

  • Definitions and Perceptions – There is a lack of common terms for ZTA design, planning and procurement as well as perceptions that ZTA is in conflict with existing federal cybersecurity policies.
  • Technical Issues – Systemic issues currently exist, such as standardization of interfaces between components and emerging standards that address overreliance on proprietary APIs.
  • Knowledge Gaps – Further understanding is needed to anticipate how attackers will respond to ZTA, how to address the user experience in a ZTA environment, and how to build resilience of ZTA to enterprise and network disruptions.

ZTA Deployment Opportunities

The DOD, DHS and other agencies are pursuing ZTA capabilities to harden their cybersecurity and improve their identity and access management.

NIST identifies several potential scenarios for ZTA deployment:

  • Agencies with satellite offices or facilities
  • Agencies using multiple cloud providers
  • Agencies with contracted services and/or non-employee access
  • Agencies that collaborate across enterprise boundaries

Implications

Since ZTA is heavily dependent on effective identity management, any ZTA efforts will need to integrate with an agency’s ICAM policy. Agencies will also need to rein in privileged access rights and the plethora of devices and applications accessing agency networks and data. Further, for ZTA to be effective, agencies will need to use it as part of an overall comprehensive cybersecurity and risk management approach. This includes modernizing their IT governance policies and processes as well as their IT architectures. Finally, agencies must keep working to transform their cultures to make cybersecurity a core value in the minds of their users, so that they recognize that anyone who touches any form of information technology is a cyber-actor in the contested space of cybersecurity and the enterprise information environment.

Note: Public comments on the NIST publication are due by November 22, 2019. See more details at the NIST website.