The National Institute of Standards and Technology (NIST) has released a new framework for organizations to consider as a cybersecurity model: the Zero Trust Architecture (ZTA). It was published as NIST Special Publication 800-207 in August 2020.
NIST, founded in 1901, is a non-regulatory federal agency within the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness “by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” One part of that mission is to design and promote cybersecurity frameworks for U.S. industry.
To date, most network security models used in U.S. companies, including those NIST has described, grant an authenticated user a certain level of implicit trust. For example, once a user authenticates through single sign-on (SSO), that single authentication carries over to every application federated with the SSO provider, with no further check at each one. One of today’s most important NIST frameworks, NIST SP 800-171, which protects Controlled Unclassified Information (CUI) in non-federal systems, accommodates this kind of trusted user in many of the network topologies it covers.
According to NIST, ZTA is built on an evolving set of cybersecurity paradigms that “move defenses from static, network-based perimeters to focus on users, assets, and resources.” ZTA therefore protects resources rather than network segments. Specifically, it refocuses network security on these concepts:
- ZTA applies zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is NO implicit trust granted to assets or user accounts based solely on physical location, network location, or asset ownership (enterprise-owned versus personally owned);
- Authentication and authorization, for both the user (the subject) and the device, are discrete functions performed before each session to an enterprise resource is established;
- ZTA is a response to enterprise network trends such as remote users, user-owned (“BYOD”) devices, and cloud-based assets that sit outside the enterprise-owned network boundary.
What does this mean for users of a Zero Trust Architecture network? It means that, by default, no one is trusted, whether inside or outside the network, and that verification is required continually to reach resources on that network. By removing the trust that a network configuration implicitly grants, ZTA should greatly reduce the opportunity for a data breach, because verification is required for every access, not just at the initial login. The mantra of ZTA advocates is “never trust, always verify.” According to Palo Alto Networks, this model, applied correctly, protects modern digital environments by leveraging network segmentation, preventing lateral movement, and providing Layer 7 threat prevention.
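To make the contrast concrete, here is an added example (not code from NIST or from this article) of a small per-request policy engine in Python. It compares a legacy perimeter rule, which trusts any existing SSO session arriving from an internal address, with a zero trust decision that evaluates identity, MFA freshness, device posture and the target resource's policy on every request and never consults the source address. The resource names, policy thresholds, device attributes and the four scenarios are all constructed for illustration.

```python
"""Per-request access decisions: perimeter trust versus zero trust (illustrative, not SP 800-207 code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the scenarios below are deterministic (assumption for the example).
NOW = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified_at: Optional[datetime]  # when the user last completed MFA; None if never


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool        # managed by the enterprise (hypothetical posture attribute)
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    source_ip: str
    now: datetime = NOW


# Hypothetical per-resource policy: permitted roles, how fresh the MFA proof must be,
# and whether an enterprise-managed device is required.
RESOURCE_POLICY = {
    "hr-payroll": {"roles": {"hr"}, "mfa_max_age": timedelta(hours=1), "require_enrolled": True},
    "wiki": {"roles": {"employee", "hr"}, "mfa_max_age": timedelta(hours=12), "require_enrolled": False},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: an internal source address plus an existing SSO session grants access."""
    return req.source_ip.startswith("10.") and req.subject.mfa_verified_at is not None


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Decide each request on identity, device posture and the resource's policy.
    The source address is deliberately never consulted: location grants no trust."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not (req.subject.roles & policy["roles"]):
        return False, "role not permitted for this resource"
    mfa_at = req.subject.mfa_verified_at
    if mfa_at is None or req.now - mfa_at > policy["mfa_max_age"]:
        return False, "MFA proof missing or stale: re-authenticate"
    if policy["require_enrolled"] and not req.device.enrolled:
        return False, "unmanaged device"
    if not req.device.disk_encrypted or req.device.patch_age_days > 30:
        return False, "device posture below baseline"
    return True, "allow"


def sample_requests() -> dict[str, AccessRequest]:
    """Constructed scenarios, not real data."""
    hr_user = Subject("alice", frozenset({"hr", "employee"}), NOW - timedelta(minutes=20))
    stale_user = Subject("alice", frozenset({"hr", "employee"}), NOW - timedelta(hours=5))
    managed = Device("lt-0042", enrolled=True, disk_encrypted=True, patch_age_days=7)
    unmanaged = Device("unknown", enrolled=False, disk_encrypted=False, patch_age_days=200)
    return {
        # a hijacked SSO session replayed from an unmanaged box inside the office network
        "stolen_session_internal": AccessRequest(hr_user, unmanaged, "hr-payroll", "10.20.4.17"),
        # the legitimate HR user on a managed laptop at a coffee shop
        "hr_remote_managed": AccessRequest(hr_user, managed, "hr-payroll", "198.51.100.23"),
        # same user and laptop, but the MFA proof is five hours old
        "hr_stale_mfa": AccessRequest(stale_user, managed, "hr-payroll", "198.51.100.23"),
        # a low-sensitivity resource whose policy tolerates an older MFA proof
        "wiki_stale_mfa": AccessRequest(stale_user, managed, "wiki", "198.51.100.23"),
    }


def evaluate_all() -> dict[str, tuple[bool, bool]]:
    """Return {scenario: (perimeter_allows, zero_trust_allows)} for every sample request."""
    return {name: (perimeter_decision(r), zero_trust_decision(r)[0])
            for name, r in sample_requests().items()}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        allowed, reason = zero_trust_decision(req)
        print(f"{name:26} perimeter={perimeter_decision(req)!s:5} zero_trust={allowed!s:5} ({reason})")
```

The first scenario is the one the perimeter model gets wrong: a stolen session on an internal address is allowed, while the zero trust check refuses it because the device is unmanaged. The second shows the reverse, a legitimate remote user on a healthy, enrolled device who the perimeter model would turn away. The last two show that "continuous verification" is a policy question per resource: the same five-hour-old MFA proof is stale for payroll but acceptable for the wiki.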
Fortunately, ZTA is designed to build on an existing network architecture rather than replace it; there is no need to rip and replace what you have. NIST frames the move to ZTA as an incremental migration, one workflow at a time, so the effort and cost can be spread out rather than paid all at once.
ZTA is not without critics. Some believe it is an unrealistic framework because it demands policy control over everything a user can reach; many consider it “impractical and unrealistic” to implement. The obstacles often considered too large to overcome include:
- Technical debt
- Legacy systems
- Peer-to-peer technologies
- Digital transformation
It may be too early to know whether Zero Trust Architecture will become a force in the future of cybersecurity frameworks. There are legitimate advantages and disadvantages to implementing it. There is little doubt that a platform requiring stronger, repeated authentication and authorization provides a higher level of security. The open question is whether it can, or should, be run cost-effectively while users go about accessing the resources of the business network.
Time will tell whether ZTA’s growth will continue. One rule of network security that will never change is as powerful today as it was when I learned it more than 22 years ago, when I started with the FBI: the only secure network is a user-free network. Otherwise, the conversation about the applicability of ZTA is just beginning.
ZTA deserves a place in the debate as a potential cybersecurity framework, and now that NIST has provided guidelines on its use, it may well get one.