The National Institute of Standards and Technology (NIST) defines Zero Trust (ZT) as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” NIST further explains that the collection of concepts that comprise the zero trust principle are designed to “minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as contested.”
In practical terms, this entails:
As envisioned by NIST (SP 800-207), Zero Trust security models eliminate persistent trust and enforce continuous authentication, least privilege, and adaptive access control. This strategy also applies segmentation and microsegmentation for secure access. A zero trust approach is about constant visibility into who is doing what on your network. This ensures maximum control over network security and network access.
A zero trust security strategy reduces the threat surface and minimizes threat windows. Use zero trust to protect against everything from ransomware and malware to advanced persistent threats and insider threats.
NIST Special Publication (SP) 800-207 defines a Zero Trust Architecture (ZTA) as “an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”
NIST further articulates that the primary focus of a ZTA is “protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission.”
NIST puts forth the following seven core tenets for zero trust:
To implement zero trust in practical terms, an organization must understand which technologies and configurations can actually be implemented in a way that satisfies the tenets' theoretical requirements. To that end, NIST has published SP NIST 1800-352 on implementing Zero Trust (circa December 2022) to bridge that gap. Today, solutions (like Privileged Access Management, or PAM) exist that can address both the theoretical and practical requirements of zero trust.
Privileged Access Management (PAM) is a foundational technology stack for implementing zero trust security controls and enabling a zero trust architecture. BeyondTrust PAM provides the following capabilities across on-premises and cloud environments:
Network location can no longer be treated as the prime component of a resource's security posture because:
The zero trust model is an effective form of security because it operates under the assumption that no asset or user account can be implicitly trusted based solely on their physical or network location or asset ownership. Zero trust requires both subject and device authentication and authorization before a session to an enterprise resource can be established.
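The per-request decision described above, sketched as an added example (not code from NIST or BeyondTrust): every request is evaluated on subject authentication, device authentication, authentication freshness and least-privilege entitlement, while network location is recorded but never consulted. The entitlement table, the 900-second re-authentication window and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed least-privilege policy: (subject, resource) -> allowed actions.
ENTITLEMENTS = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "build-server"): {"read", "deploy"},
}
MAX_AUTH_AGE_S = 900  # assumed re-authentication window (no persistent trust)

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    subject_authenticated: bool   # e.g. MFA succeeded
    device_authenticated: bool    # e.g. valid device certificate presented
    auth_age_s: int               # seconds since the last authentication
    source_network: str           # "internal" or "external"; logged, never trusted
    resource: str
    action: str

def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request on its own; nothing carries over from earlier ones."""
    if not req.subject_authenticated:
        return False, "subject not authenticated"
    if not req.device_authenticated:
        return False, "device not authenticated"
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "authentication too old, re-authenticate"
    allowed = ENTITLEMENTS.get((req.subject, req.resource), set())
    if req.action not in allowed:
        return False, "action not granted to subject"
    # source_network is deliberately absent from every check above.
    return True, "granted"

def demo() -> list[tuple[bool, str]]:
    """Run four constructed requests through the decision function."""
    base = dict(subject="alice", subject_authenticated=True,
                device_authenticated=True, auth_age_s=60,
                source_network="external", resource="payroll-db", action="read")
    cases = [
        base,                                                     # remote, fully verified
        {**base, "source_network": "internal", "device_authenticated": False},
        {**base, "action": "write"},                              # beyond entitlement
        {**base, "auth_age_s": 3600},                             # stale authentication
    ]
    return [decide(AccessRequest(**c)) for c in cases]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY", "-", reason)
```

The second case is the one to note: a request from the internal network is still denied because the device did not authenticate, while the fully verified external request is granted.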
With a carefully implemented Zero Trust Architecture, you'll gain:
A zero trust security model can help organizations maintain continuous compliance because it introduces increased, centralized network monitoring and visibility, along with advanced logging and audit trails, which simplifies the auditing process. Zero Trust also shifts organizations from a network-based perimeter to an identity-based perimeter, which places greater emphasis on protecting access to data and identities, both core components of many compliance standards.