In the rapidly evolving cybersecurity landscape, a Zero Trust (ZT) model has emerged as a beacon of hope, promising enhanced security posture and protection against sophisticated cyber threats. Documented in NIST Special Publication 800-207, Zero Trust Architecture (ZTA) advocates abandoning the traditional perimeter-based security model in favor of a more dynamic approach where trust is never assumed and strict access controls are enforced.
However, while Zero Trust holds great promise, it is not without its challenges. In this article, we delve into the intricacies of Zero Trust 800-207 and highlight the problems associated with its implementation. Moreover, we argue for adopting prescriptive controls to complement Zero Trust frameworks, ensuring comprehensive security measures are in place.
To skip the justifications and rigors that went into the selection and basis of controls, click the link in the last paragraph of the article.
The Promise and Pitfalls of Zero Trust
At its core, Zero Trust embodies the principle of "never trust, always verify." This concept is applied utilizing micro-segmentation, continuous authentication (identity), strict authorization controls (access), encryption, and comprehensive visibility into network activity. By assuming that threats may exist both outside and inside the network perimeter, Zero Trust aims to minimize the impact of potential breaches and limit lateral movement by malicious actors.
The Zero Trust Architecture (ZTA) revolves around several fundamental principles or tenets. These principles guide the design and deployment of a ZTA, aiming to enhance security by minimizing trust assumptions within network environments. Here is a summary of these tenets:
Tenet #1 - All Resources Are Considered Equal
In a ZTA, all data and computing services, regardless of their nature or origin, are treated as resources. This includes devices, software as a service (SaaS), and even personally owned devices if they access enterprise resources.
Tenet #2 - Security Over Location
Communication is secured regardless of the network's location. Trust isn't automatically granted based on the device being within an enterprise-owned network infrastructure. Instead, all communication should be securely encrypted, maintaining confidentiality and integrity and providing source authentication.
Tenet #3 - Per-Session Access Control
Access to enterprise resources is granted on a per-session basis, with trust evaluated before access is granted. Access to resources is determined using the current state of identity, the application or service uses, and if the request aligns with the privileges needed to access the asset. These can also include behavioral and environmental attributes for additional scrutiny. In the same line of thought, access to one resource does not automatically permit access to an adjacent resource.
Tenet #4 - Dynamic Policy-Based Access Control
Access to resources is determined dynamically based on various factors, including client identity, application/service, and requesting asset's observable state. Policies are set based on business needs and risk levels, ensuring least privilege principles are applied.
Tenet #5 - Continuous Integrity Monitoring and Evaluation
The enterprise continuously monitors all assets' integrity and security posture, including associated devices. No asset is inherently trusted, and any subverted or vulnerable assets may be treated differently.
Tenet #6 - Dynamic Authentication and Authorization
All resource authentication and authorization are dynamically enforced before access is granted. This involves a constant cycle of obtaining access, assessing threats, and reevaluating trust, often utilizing Identity, Credential, and Access Management (ICAM) systems.
Tenet #7 - Data-Driven Improvement
The enterprise collects and utilizes as much information as possible about the state of its assets, network infrastructure, and communications to enhance its security posture. This data-driven approach aids in improving policy creation and enforcement by analyzing the behavior of assets and requests to identify anomalies.
These tenets aim to be technology-agnostic and apply to internal organizational processes, excluding anonymous public or consumer-facing processes. While an organization cannot impose internal policies on external actors, ZT-based policies may apply to non-enterprise users with special relationships with the organization, such as registered customers or employee dependents.
However, the implementation of Zero Trust poses several challenges:
1. Complexity
Zero Trust requires organizations to overhaul their existing security architectures, implementing a multitude of controls such as micro-segmentation, least privilege access, and continuous monitoring. Transitioning from legacy systems to a Zero Trust environment can be daunting, requiring significant time, resources, and expertise.
2. Resource Intensiveness
Maintaining a ZTA demands continuous monitoring and analysis of system/device statuses, user behaviors, and the ability to detect drift from an expected, known, and trusted state of operation. If the proper controls are implemented incorrectly, substantial human and technological resources would be required, which would strain organizations with limited budgets or understaffed security teams.
3. User Experience
Stricter access controls inherent in ZT may lead to friction in user experience. Employees accustomed to seamless access to resources may encounter authentication hurdles and additional verification steps, potentially impacting productivity and user satisfaction. Refining these controls to apply privileges based on job function will notably lessen this impact over time.
4. Integration Challenges
Integrating disparate security solutions and technologies to establish a cohesive ZT framework can be challenging. Compatibility issues, interoperability concerns, and the need for centralized management platforms add layers of complexity to the integration process.
The Imperative of Prescriptive Controls
While Zero Trust provides a robust foundation for modern cybersecurity, it is not a silver bullet. Organizations must complement their frameworks with prescriptive controls to address the limitations, gaps, and challenges associated with Zero Trust 800-207. These controls can offer clear guidelines and actionable measures to enhance security posture effectively. Here's why prescriptive controls are essential:
Clarity and Consistency:
Prescriptive controls provide organizations with clear, well-defined security measures tailored to their specific needs and risk profiles. By following established guidelines, organizations can ensure consistency in implementing security controls across their infrastructure.
Compliance and Assurance:
Prescriptive controls often align with regulatory requirements and industry standards, facilitating compliance efforts. By adopting and adhering to established best practices, organizations can demonstrate due diligence and enhance stakeholders' confidence in their security posture.
Risk Mitigation:
Traditional controls address “known” security vulnerabilities and threat vectors, which help organizations mitigate risks. However, by implementing the recommended security controls, organizations can proactively identify and remediate “unknown” vulnerabilities and potential weaknesses before they can exploited by malicious actors.
Scalability and Adaptability:
Prescriptive controls offer scalable solutions that can adapt to evolving threats and technological advancements. Organizations can leverage established frameworks and guidelines to future-proof their security architectures and stay ahead of emerging cyber threats.
However, defining the various controls that would align and support a ZTA would require adopting control definitions from a couple of frameworks, as 800-53, for example, is not designed for a modern digital reality.
Conclusion
While Zero Trust 800-207 represents a paradigm shift in cybersecurity, its implementation can be challenging. Organizations must navigate complexities, allocate resources effectively, and prioritize user experience to realize the full potential of Zero Trust frameworks. By embracing prescriptive controls alongside Zero Trust principles, organizations can establish robust security postures that effectively mitigate risks, ensure compliance, and safeguard critical assets in an increasingly hostile digital landscape.
The Controls
Cimcor an other industry experts, practitioners, and auditors have taken on the challenge to expedite the effort of creating prescriptive guidance that aligns with and supports Zero Trust.
The three core considerations for assembling the prescriptive controls are based on the following:
- The seven tenets defined in 800-207
- The Zero Trust Architecture, as defined in 800-207
- DoD's Zero Trust Capability Execution Roadmap (COA 1).
Get a copy of the Zero Trust Prescriptive Controls: 
Special thanks to Schellman, ComplianceForge, Zscaler, and Cimcor for their relentless efforts to help simplify the implementation of Zero Trust by defining the prescriptive controls that can be auditable and enforceable.
.png?width=50&height=50&name=Mark%20%20(3).png)
