NIST Zero Trust Architecture

Modern-day enterprise infrastructures have become more complex and variable. An enterprise operates separate internal networks, remote offices, cloud services etc. Given the growing needs of modern infrastructure and the complexity of the underlying operations, legacy perimeter defenses are no longer effective because adversaries have found ways to breach perimeters with great ease.

Zero trust architecture is an initiative that helps prevent data breaches by introducing a concept of ‘zero trust’ in the organizational architecture. The primary focus of the zero trust approach is data and service protection. The zero trust approach is expandable to all enterprise assets such as devices, infrastructures, cloud services, applications, end-users etc.

Zero trust architecture is based on the assumption that the attacker is present on the enterprise network and the network is no longer trustworthy. In this case, the enterprise must continuously analyze the infrastructure for malicious activity and deploy appropriate countermeasures and attack prevention techniques. In zero trust, the protections involve minimizing access to data resources, computer resources, services and applications by implementing the principle of least privilege and constantly authenticating and authorizing the security posture of each connection or request.

Basics of Zero Trust

[Figure: a network that uses zero trust architecture. Image source: https://www.zubairalexander.com/blog/zero-trust-security-model/]

Zero trust is a concept that focuses on resource protection: trust is never granted implicitly but only through continuous evaluation and authentication.

NIST SP 800-207 defines zero trust and zero trust architecture as follows:

“Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero-trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero-trust architecture plan.”

The goal is to prevent unauthorized access to services and data and to make access control enforcement as tight as possible. 

Principles of Zero Trust

Zero trust architecture is designed based on the following principles:

  • Data sources and computing services are categorized as resources

A network infrastructure comprises various devices. Devices in the network may exchange data with different servers hosted on-premises or in a cloud setup. These devices need to be classified because they are linked to the enterprise architecture.

  • All types of communication are secured irrespective of the network location

Trust is not tied to a network location. Access requests arriving from enterprise-owned network infrastructure should meet the same security requirements as requests from untrusted or non-enterprise-owned infrastructure. Trust should not be granted merely because a device is present on the enterprise network. Communication should be carried out securely, protecting the confidentiality and integrity of data and verifying the source of the data.

  • Access authorization for enterprise resources is granted on a per-session basis

Before access to any particular resource is granted, trust in the requester has to be evaluated. Access should be granted on the principle of least privilege. It follows that access is granted to one resource only: authorizing one resource does not grant access to another resource on the network.

  • A dynamic policy is used to determine access to resources

The resources being protected by the organization are governed by different access controls and privileges. In the zero trust model, the client identity is defined by parameters such as the user account name or service identity, or any attributes defined and assigned by the enterprise. Asset state is determined from device characteristics like software version, network location, and time/date. Apart from these characteristics, environmental attributes are also considered, which may include the resource requester’s network location, the date/time etc.

  • The security posture of all organization assets needs to be monitored and measured by the organization

The organization evaluates the security posture of an asset when a specific request is received against that asset. An organization opting for zero trust and zero trust architecture must establish continuous monitoring and mitigation techniques and apply patches/fixes when needed.

  • Resource authentication and authorization are strictly enforced before access to the resource is granted

Scanning, monitoring and identifying threats and re-evaluating trust in communications is a continuous process. An organization planning to implement zero trust architecture must have identity, credentials, access management and asset management in place.

  • Network architecture, infrastructure, communication and assets need to be continuously monitored

Collecting and monitoring the current state of the network architecture, infrastructure, communication and assets is compulsory in order to assess and improve the security posture of the overall architecture.

Logical Components Involving Zero Trust Architecture

Multiple components make up the zero trust architecture deployment. On-premises or cloud-based services can both be used to make these components operable.

The logical components defined in zero trust architecture are as follows:

  • Policy Engine (PE)

This component is responsible for granting access to a requester for a given resource.

  • Policy Administrator (PA)

The policy administrator is responsible for the creation and termination of the communication channels between the resource requester and the resources.

  • Policy Enforcement Point (PEP)

The policy enforcement point is used to monitor, enable and finally terminate connections between a subject and the resource. 

Apart from these core components, the following are the data sources that provide the input and policy rules:

  • Continuous diagnostics and mitigation (CDM) systems
  • Industry compliance systems
  • Threat intelligence feeds
  • Network and system activity logs
  • Data access policies
  • Enterprise public key infrastructures (PKI)
  • ID management systems
  • Security information and event management (SIEM) systems

[Figure: how zero trust architecture uses the policy enforcement point to regulate the connection between the enterprise resource and the subject. Image source: https://csrc.nist.gov/publications/detail/sp/800-207/final]
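
The per-request flow through the PE, PA and PEP, combined with the dynamic-policy principle described earlier (identity, asset state and environmental attributes), is sketched below as an added Python example; it is not code from NIST SP 800-207 or from any product. The resource names, roles, patch thresholds, demo key and token format are all constructed assumptions.

```python
import hashlib
import hmac
from collections import namedtuple

# subject/role: identity; patch_level: asset state; network/hour: environment
Request = namedtuple("Request", "subject role patch_level network hour resource")

# Constructed policy table (hypothetical resources and thresholds).
POLICY = {
    "payroll-db": {"roles": {"hr"}, "min_patch": 42, "nets": {"corp", "vpn"}, "hours": range(7, 20)},
    "wiki": {"roles": {"hr", "eng"}, "min_patch": 30, "nets": {"corp", "vpn", "internet"}, "hours": range(24)},
}
PA_KEY = b"constructed-demo-key"  # known to the PA and PEP only (control plane)
SESSION_TTL = 300  # seconds a granted session stays valid

def policy_engine(req):
    """PE: default-deny decision; every condition must hold for this request."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if req.role not in rule["roles"]:
        return False, "role not permitted"
    if req.patch_level < rule["min_patch"]:
        return False, "asset below required patch level"
    if req.network not in rule["nets"]:
        return False, "network location not permitted"
    if req.hour not in rule["hours"]:
        return False, "outside permitted hours"
    return True, "ok"

def _tag(subject, resource, expires):
    msg = repr((subject, resource, expires)).encode()
    return hmac.new(PA_KEY, msg, hashlib.sha256).hexdigest()

def policy_administrator(req, now):
    """PA: on a PE grant, issue a short-lived token for one subject and one resource."""
    allowed, reason = policy_engine(req)
    if not allowed:
        return None, reason
    expires = int(now) + SESSION_TTL
    return (req.subject, req.resource, expires, _tag(req.subject, req.resource, expires)), reason

def pep_allows(token, subject, resource, now):
    """PEP: pass traffic only for a fresh, authentic token bound to this exact pair."""
    if token is None:
        return False
    t_subject, t_resource, expires, tag = token
    authentic = hmac.compare_digest(tag, _tag(t_subject, t_resource, expires))
    return authentic and (t_subject, t_resource) == (subject, resource) and now < expires
```

A token issued for one resource is rejected by the PEP for any other resource and after its lifetime ends, which is the per-session, per-resource behaviour the principles call for.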

Network Requirements for Zero Trust Architecture

The network requirements NIST lists for implementing a zero trust architecture are as follows:

  1. Organizations should have basic network connectivity.
  2. An enterprise should classify the assets in terms of ownership and management. Underlying asset security posture should be properly addressed.
  3. The enterprise should be able to monitor all inbound and outbound traffic flow.
  4. Resources in the enterprise should not accept incoming connections from unauthenticated sources.
  5. Organizations should ensure the logical separation of the data plane and control plane.
  6. The policy enforcement point (PEP) should be used by the resource requesters in order to access the services and resources of the enterprise.
  7. The link between the client and resource for communication is established only through the PEP accessing the policy administrator.
  8. Resource requests from remote users should not involve accessing the core/critical assets.
  9. Load should be managed and distributed appropriately when implementing the zero trust architecture.
  10. Users accessing resources remotely should be denied access when a certain policy or requirement is not met.

Deployment Scenarios

Enterprises can implement the zero trust architecture using the zero trust principle, which has been discussed in previous sections. NIST SP 800-207 presents some deployment scenarios that are commonly considered in enterprise infrastructures, some of which are mentioned below:

  • Enterprises with Satellite Facilities

A common scenario is an enterprise with a single headquarters and one or more offices located in different geographical locations (as seen in the diagram below). Remote workers may not be on a fully enterprise-owned network, but they do need to access resources from different locations. In some cases, the enterprise may not have the requisite bandwidth to support many remote workers accessing resources at the same time.

In this particular case, PE/PA(s) are hosted on a cloud service. This creates ease of access for users as they don’t need to access the enterprise network. The resources can be accessed via a resource portal that resides on the cloud.

[Figure: how multiple servers need simultaneous access to the same network in a remote work-from-home setup and how zero trust architecture can use the cloud to enable this. Image source: https://csrc.nist.gov/publications/detail/sp/800-207/final]

  • Multi-Cloud/Cloud-to-Cloud Enterprise

In some cases, enterprises might use multiple cloud providers. In the figure below, the enterprise owns its network and has two cloud providers to provide applications or services to customers.

[Figure: how zero trust architecture can be used with the cloud to provide easy, secure access to the enterprise network in a cloud-to-cloud or multi-cloud enterprise. Image source: https://csrc.nist.gov/publications/detail/sp/800-207/final]

This scenario uses the server–server implementation of the software-defined perimeter specification protocol outlined by the Cloud Security Alliance. The zero trust approach implies that PEP should be placed at the access points of each data source, service or application. The PE/PA may be placed in the cloud or with a third-party cloud provider.

  • Enterprise with Contracted Services and/or Non-employee Access

Another common scenario includes guest/on-site visitors and contract-based service providers that have limited access to the enterprise network. The zero trust model can help enterprises by allowing visitors and service contractors to use the internet without interacting with the organization’s critical resources.

[Figure: how zero trust architecture can be used in an enterprise campus network. Image source: https://csrc.nist.gov/publications/detail/sp/800-207/final]

In the above figure, the organization also has a conference room where outsiders, such as visitors, interact with employees. In the zero trust architecture approach, the visitors are allowed access to the internet but are denied access to enterprise resources.

  • Collaboration across Enterprise Boundaries 

One more scenario includes collaboration of different enterprises with each other. In this example, both enterprises may be federal agencies or private enterprises. Enterprise A needs to allow users from Enterprise B to access the database DB1 and deny access to DB2 for all users in Enterprise B. The management and access control over different databases for two or more enterprises connected for communication is a difficult task. 

[Figure: how zero trust architecture can be employed where systems from different enterprises can have access to the database without compromising security. Image source: https://csrc.nist.gov/publications/detail/sp/800-207/final]

A PE or PA can be hosted as a cloud service to provide cloud access to users of Enterprise B without having to install a separate VPN. The users of Enterprise A may need to install software or use a web console interface to access the resources of Enterprise B. 

  • Enterprise with Public- or Customer-Facing Services

Another very common scenario is an enterprise offering public services that either do not require an authenticator or give users a password to access a resource. In this case, the enterprise does not have strict control over the service because it is, by definition, public-facing. The tenets of zero trust architecture are not directly applicable in this case.

For securing public- or customer-facing services, the enterprise can categorize users in terms of business relationships with customers. They may employ multi-factor authentication (MFA) for users where they are provided with passwords to access a resource. If a certain web portal needs to be accessible for users over the internet, the enterprise may implement different checks such as the use of updated browsers, user access times etc.

Conclusion

Implementing a zero trust architecture requires extensive planning and it’s a continuous process. Organizations should consider classifying and identifying their critical assets and processes and implement zero trust architecture principles appropriately. You can learn more about zero trust architecture to understand how to go about implementing it.