The National Institute of Standards and Technology (NIST) defines Zero Trust (ZT) as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” NIST further explains that the collection of concepts that comprise the zero trust principle are designed to “minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as contested.”
In practical terms, this entails:
NIST Special Publication (SP) 800-207 defines a Zero Trust Architecture (ZTA) as “an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”
NIST further articulates that the primary focus of a ZTA is “protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission.”
NIST puts forth the following seven core tenets for zero trust:
To implement zero trust in practice, an organization must understand which technologies and configurations can actually satisfy the theoretical requirements of those tenets. To bridge that gap, NIST has published NIST SP 1800-352 on implementing Zero Trust (circa December 2022). Today, solutions such as Privileged Access Management (PAM) exist that address both the theoretical and the practical requirements of zero trust.
Privileged Access Management (PAM) is a foundational technology stack for implementing zero trust security controls and enabling a zero trust architecture. BeyondTrust PAM provides the following capabilities across on-premise and cloud environments:
Network location can no longer be treated as the primary component of a resource's security posture because:
The zero trust model is an effective form of security because it operates under the assumption that no asset or user account can be implicitly trusted based solely on their physical or network location or asset ownership. Zero trust requires both subject and device authentication and authorization before a session to an enterprise resource can be established.
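As an added illustration of that per-request rule (hypothetical code written for this page, not BeyondTrust's or NIST's), a minimal policy decision function that denies by default, requires both subject and device verification, enforces a least-privilege entitlement, and records the source address only for audit. The entitlements, timestamps and the 15-minute re-authentication window are constructed assumptions.

```python
"""Hypothetical per-request policy decision point (PDP), written to
illustrate the tenet above; not BeyondTrust or NIST code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SESSION_MAX_AGE = timedelta(minutes=15)  # assumption: re-verify every 15 min

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    auth_time: Optional[datetime]  # None = subject never authenticated
    mfa: bool                      # multi-factor authentication completed
    device_id: Optional[str]       # None = unknown/unmanaged device
    device_compliant: bool         # posture/attestation result from the device
    source_ip: str                 # recorded for audit only, never used to grant
    resource: str
    action: str                    # "read", "write", "admin", ...

# Constructed least-privilege entitlements: subject -> resource -> allowed actions
ENTITLEMENTS = {
    "alice": {"hr-db": {"read"}},
    "svc-backup": {"hr-db": {"read"}, "backup-vault": {"read", "write"}},
}

def decide(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Deny by default: every check must pass for each request.
    An 'internal' source address contributes nothing to the decision."""
    if req.auth_time is None or not req.mfa:
        return False, "subject not authenticated with MFA"
    if now - req.auth_time > SESSION_MAX_AGE:
        return False, "authentication too old; re-authentication required"
    if req.device_id is None or not req.device_compliant:
        return False, "device not attested as compliant"
    allowed = ENTITLEMENTS.get(req.subject, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"{req.action} on {req.resource} not in entitlement"
    return True, "subject, device and entitlement checks passed"

def audit_line(req: AccessRequest, now: datetime) -> str:
    """One log line per decision; the source IP is kept as evidence, not trust."""
    ok, reason = decide(req, now)
    return f"{now.isoformat()} {'ALLOW' if ok else 'DENY'} {req.subject}@{req.source_ip} {req.action} {req.resource}: {reason}"

# Constructed reference time and authentication timestamps for the examples
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FRESH_AUTH = NOW - timedelta(minutes=5)
STALE_AUTH = NOW - timedelta(minutes=40)
```

A request from an internal address with no authentication is denied, while a fully verified request from the public internet is allowed, which is the inversion of the perimeter model the text describes.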
In a recent BeyondTrust survey, 93% of respondents indicated that they'd had an identity-related incident in the last eighteen months, with 81% indicating 2 or more incidents. 63% of these incidents were related to privileged accounts. Since most exploits of vulnerabilities and other attack vectors require privileges to execute, privileged accounts and credentials are prized by threat actors. These credentials can grant access to internal resources, security systems, and cloud resources. While some privileged accounts are associated with employee identities, others are associated with contractors, vendors, auditors, or machines and applications. Zero trust strategies include tenets that directly address this type of risk.
A recent BeyondTrust survey investigated the current adoption level of zero trust in the market and found that only 24% of companies, by their own account, have their zero trust solution fully deployed. More than three-quarters (76%) of companies are still in the process of implementing a zero trust approach, which is needed to secure a security perimeter that keeps expanding with increased cloud utilization and remote workers. Of those companies, 26% are still at the beginning of the process, selecting tools and security solutions and establishing processes. Half (50%) are further along, with some tools and processes in place that are still being refined and optimized.
With a carefully implemented Zero Trust Architecture, you'll gain:
A zero trust security model can help organizations maintain continuous compliance because it introduces centralized network monitoring and visibility, along with detailed logging and audit trails, which simplifies the auditing process. Zero Trust also shifts organizations from a network-based perimeter to an identity-based perimeter, which places greater emphasis on protecting access to data and identities, core components of many compliance standards.