There are plenty of resources that explain what Zero Trust should be in theory.
In the last article, we cover the three principles of Zero Trust, which do exactly that—they explain the “big idea” behind Zero Trust.
However, while the principles are helpful for understanding Zero Trust, they don’t give much of an indication of what controls an organization would need to put in place for a successful Zero Trust Architecture.
What Does Zero Trust Look Like in the Real World?
.jpg?width=1450&name=Zero%20Trust%20Security%20Model%20(cropped%202).jpg)
NIST SP 800-207 is the “guiding light” for Zero Trust. It includes seven core tenets that describe what it should look like in the real world:
- All data sources and computing services are considered resources. Users, devices, and services need access to these resources to complete their functions.
- All communication is secured regardless of network location. Since organizations must assume they are breached, all digital communications must be secured to the same standard regardless of their origin.
- Access to individual enterprise resources is granted on a per-session basis. Upon successful verification, users, devices, and services are granted the minimum necessary access—and only to a single resource. Accessing further resources requires additional verification.
- Access to resources is determined by dynamic policy. Access policy considers the broadest possible range of factors, and policies are updated continuously to reflect new information. Factors can include:
- Client or service identity, credentials, and behaviors.
- Device health, configuration, software versions, network location, analytics, etc.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets. All devices connected to the organization’s IT infrastructure should be continuously monitored to ensure they remain configured in a state that is known to be legitimate and secure.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed. Access to resources is never ‘inherited’ from a previous step. Policies are enforced every time a user, device, or service requests access to a resource.
- The enterprise collects as much information as possible on the current state of assets, network infrastructure, and communications and uses it to improve its security posture. Uses of this data include maintaining access policy, activity allowlists, etc.
Note these tenets don’t prescribe a specific solution-based approach to Zero Trust—this is intentional. There are many possible approaches to delivering a Zero Trust strategy. Each organization should develop a strategy and tool stack that matches its unique needs and existing infrastructure.
Stefan Lesaru, IDSA Zero Trust Technical Working Group Lead, and Big Data and Security Director at Atos, explains:
“One of the biggest misconceptions is that Zero Trust is a tool or set of tools. It’s not. Each organization must define its own concept based on an evaluation of the current network environment and any gaps that exist. They have to embrace the concept and culture and then move towards it. Zero Trust is a journey that may take several years to realize, and each organization’s journey and final implementation will look different.”
The Missing Components of Zero Trust
Our new report, ‘The Missing Components of Zero Trust,’ explains what Zero Trust really is, examines some significant gaps in existing guidance, and details the most important concepts and capabilities required for an effective Zero Trust Architecture.
Download the report to learn:
- The Core Principles and 7 Tenets of Zero Trust.
- How the Zero Trust strategy and architecture eliminate implicit trust.
- How to elevate your security posture and avoid making the most common Zero Trust mistakes.
- The answer to the question, "Does Zero Trust actually work?"
