The National Institute of Standards and Technology (NIST) defines Zero Trust (ZT) as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” NIST further explains that the collection of concepts that comprise the zero trust principle are designed to “minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as contested.”

In practical terms, this entails:

  • Eliminating persistent trust
  • Performing continuous authentication
  • Granularly restricting access to the minimum needed
  • Applying segmentation and microsegmentation strategies
  • Continuously auditing access

NIST Special Publication (SP) 800-207 defines a Zero Trust Architecture (ZTA) as “an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”

NIST further articulates that the primary focus of a ZTA is “protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission.”

NIST puts forth the following seven fore tenets for zero trust:

  1. All data sources and computing services are considered resources. (Endpoints)
  2. All communication is secured regardless of network location. (Data Flows)
  3. Access to individual enterprise resources is granted on a per-session basis. (Data Flows)
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes. (Data Flows)
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. (Endpoints)
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. (Network Identity Governance)
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture. (Data Flows)

To implement zero trust in practical terms, an organization must grasp which technologies and configurations can actually be implemented with tenets that meet theoretical requirements. To that end, NIST has published SP NIST 1800-352 on implementing Zero Trust (circa December 2022) to bridge that gap. Today, solutions (like Privileged Access Management, or PAM) exist that can address both the theoretical and practical requirements of zero trust.

Privileged Access Management (PAM) is a foundational technology stack for implementing zero trust security controls and enabling a zero trust architecture. BeyondTrust PAM provides the following capabilities across on-premise and cloud environments:

  • Discovers, onboards, and catalogs all privileged identities, accounts, and assets.
  • Enforces adaptive access and continuous authentication to ensure all devices, users, accounts, and identities have a high confidence in their actual identity. In other words, they are who they say they are above just positive authentication.
  • Right-sizes privileged access and entitlements by applying least privilege, including just-in-time access, to all sessions, endpoints, and applications.
  • Enables secure, least privilege remote access for vendors, employees, and service desks for sessions and trusted applications.
  • Implements segmentation and microsegmentation to isolate assets and users, and to prevent lateral movement.
  • Monitors and manages every privileged session, providing continuous visibility and control over who is doing what, and why, so any suspicious behavior can trigger immediate revocation of permissions and access.
  • Extends Microsoft® Active Directory authentication, single sign-on capabilities, and Group Policy configuration management to Unix and Linux systems, simplifying the secure management of identities and the path to implementing zero trust enterprise-wide, regardless of operating system or application.

Network location can no longer be treated as the prime component to the security posture of the resource due to the fact that:

  • Networks have become decentralized, perimeterless environments with resources distributed across both on-premises environments and multiple clouds.
  • Many users need access from anywhere, at any time, from any device to support the organization’s mission.
  • Data is programmatically stored, transmitted, and processed across different boundaries under the control of different organizations to meet ever-evolving business use cases.
  • It is no longer feasible to simply enforce access controls at the perimeter of the enterprise environment and assume that all subjects within it can be trusted.

The zero trust model is an effective form of security because it operates under the assumption that no asset or user account can be implicitly trusted based solely on their physical or network location or asset ownership. Zero trust requires both subject and device authentication and authorization before a session to an enterprise resource can be established.

In a recent BeyondTrust survey, 93% of respondents indicated that they'd had an identity-related incident in the last eighteen months, with 81% indicating 2 or more incidents. 63% of these incidents were related to privileged accounts. Since most exploits of vulnerabilities and other attack vectors require privileges to execute, privileged accounts and credentials are prized by threat actors. These credentials are able to give access to internal resources, security systems, and cloud resources. While some privileged accounts are associated with employee identities, other privileged accounts are associated with contractors, vendors, auditors or machines and applications. Zero trust strategies include tenets that directly address this type of risk.

A recent BeyondTrust survey investigated the current adoption level of zero trust in the market and found that only 24% of companies, by their own account, have their zero trust solution fully deployed. More than three quarters (76%) of companies are still in the process of implementing a zero trust approach, which is needed to secure an expanding security perimeter as a result of increased cloud utilization and remote workers. Of those companies, 26% are still at the beginning of the process and are selecting tools and security solutions and establishing processes. Half (50%) are further long, with some tools and processes in place that are still being refined and optimized.

With a carefully implemented Zero Trust Architecture, you'll gain:

  • Greater visibility across the enterprise into who (or what) has access to your network, when, and from where.
  • Streamlined and optimized processes to improve the efficiency and efficacy of IT managers and security teams.
  • Improved data protection with a Zero Standing Privilege framework combined with just-in-time (JIT) access.
  • A secure remote workforce that results from setting identity as the new perimeter, and from establishing secure access solutions that don't require a VPN.
  • Advanced hybrid cloud security.
  • A significant reduction of overall risk and increased protection against common threats.
  • Continuous compliance through enhanced logging and audit trails.
  • Ransomware
  • Malware
  • Lateral movement
  • Account Hijacking
  • Supply chain attacks

A zero trust security model can help organizations maintain continuous compliance because it introduces increased and centralized network monitoring and visibility and advanced logging and audit trails, simplifying the auditing process. Zero Trust also shifts organizations from a network-based perimeter to an identity-based perimeter, which places greater emphasis on protecting access to data and identities, core components of many compliance standards.

Prefers reduced motion setting detected. Animations will now be reduced as a result.