Everyone seems to agree that organizations need to move to a zero trust architecture, but zero trust in action currently ranges from a single area that can be “zero trust-like” to a complete environment being considered a zero trust architecture… But there aren’t actually agreed upon standards as of yet. Which means almost every security vendor has their own approach to zero trust with very little consistency between.
The National Institute of Standards and Technology, NIST, recently closed the second round of its request for comments regarding its document “Zero Trust Architecture Special Publication 800-207.” This document was created to provide a guidance for a conceptual framework when applying zero trust principles in an organization.
Understanding Zero Trust in Action
This is the first step in wrangling the chaos of zero trust architectures (zero trust architecture) and creating a baseline of how things should be done. This leads to questions like:
“How does this ‘NIST standards approach’ help when I want to deploy a zero trust architecture in my organization?”
“Didn’t that vendor say they can do zero trust and how?”
The answers can be as varied as the technologies that say they do zero trust architecture. When we started creating ethernet technologies, there were many vendors that said they could provide ethernet better than everyone else because they had developed their own proprietary design of Ethernet and it was far superior to anyone else’s. This created a chaos of technologies and approaches. Once a design was created, agreed upon and ratified, the technology became a stable technology, and the proprietary designs faded into obscurity in favor of the more widely accepted architecture.
Establishing a Base Foundation for Zero Trust Architecture
Creating a design with standards and guidelines sets the technology down a path that enables vendors to enhance the design and users to understand how to deploy the technology efficiently. Having an official standard also means creating a minimum threshold for acceptable usage and protects the consumer of the technology from adopting something that is not able to be used universally.
So, what exactly is a zero trust architecture in general terms? The NIST SP 800-207 describes it efficiently:
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet). Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users and cloud-based assets that are not located within an enterprise owned network boundary. Zero trust focuses on protecting resources, not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
With NIST putting together a baseline document on what zero trust architecture is and what are the proper components, SP 800-207, we get the byproduct of a clear architecture roadmap with a very defined process and areas of concern. This will make zero trust architecture something that can be easily understood with a solid foundation for building your own environment. This will also keep the vendors on task and give the consumer some flexibility in the technology they can use to build their own zero trust architecture environment.
Implementing Zero Trust
While the framework for zero trust cybersecurity hasn’t been set officially, vendors are still selling their services as zero trust−without consistent groundwork. Some solutions will be similar to what NIST is already proposing, but many others will fall much short. And companies can’t afford to fall behind in cybersecurity.
That doesn’t mean that you can’t start building your way to zero trust, however. With the right technology partner that has a proven track record of upholding cybersecurity standards of excellence and following NIST and other security councils’ recommendations, companies can emerge from the chaos with a strong cybersecurity posture. As zero trust becomes more defined, businesses will be able to implement this architecture fully with confidence.
ADAPTURE brings decades of cybersecurity experience recognized by industry leaders such as CRN and Cisco. As companies look to implement zero trust practices, ADAPTURE has been keeping ahead of the curve to help our clients stay at the forefront of emerging technologies. You can’t afford to fall behind in your cybersecurity strategy. With a proven history of helping leading organizations develop incident response and remediation plans, business continuity roadmaps, and network security architecture, ADAPTURE has the expertise and channel relationships to help you find your way through the chaos to a solid zero trust architecture.
This post was contributed by CISSP and F5 Certified Technical Specialist Tim Cullen. Tim Cullen is an ADAPTURE Senior Security Solutions Architect specializing in information security and network architecture. Cullen has provided F5-focused consulting services for over 10 years and has participated in the creation of the F5 ASM Certified Technology Specialist 303 exam.