In 2020, NIST released Special Publication 800-207, Zero Trust Architecture (ZTA). It lists seven basic tenets, stating: “A zero trust architecture is designed and deployed with adherence to the following zero trust basic tenets”.
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
One take-away from this list is that in ZTA, everything is a resource. This means that access to every resource, down to the lowest level, and the data it holds must be secured, encrypted, monitored and controlled.
Another important point is that when access is granted in a ZTA network, it is the least amount of access required, and sessions are kept as short as possible; there are no more blanket authorizations.
Since ZTA acknowledges that anything can be compromised at any time, any observable change in trust requires the user to re-authenticate to the asset. For ZTA to be effective, businesses must continuously monitor access and look for indicators that trust should be revoked.
This is why it is imperative for businesses to have continuous monitoring and event alerting mechanisms in place to identify potentially unwanted access and connections to their business environments.
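As an added illustration of the tenets above (example code, not from NIST SP 800-207 or Foresite), the following hypothetical Python policy decision point evaluates each request per session against identity, device posture and a monitoring risk score, issues a short-lived grant scoped to one resource, and revokes it when the observed posture changes or the session expires. Resource names, thresholds and subject attributes are constructed for the example.

```python
from dataclasses import dataclass
@dataclass
class Subject:                 # attributes observed at request time
    user: str
    mfa_verified: bool
    device_compliant: bool     # endpoint posture check result
    risk_score: int            # 0 normal .. 100 anomalous, from monitoring

@dataclass
class Session:
    resource: str
    issued_at: int             # epoch seconds
    ttl_seconds: int
    revoked: bool = False

# Hypothetical per-resource policy (constructed for this example).
POLICY = {
    "payroll-db": {"mfa": True, "compliant_device": True, "max_risk": 20},
    "wiki": {"mfa": False, "compliant_device": True, "max_risk": 60},
}

def evaluate(subject, resource):
    """Return (allowed, reason). Unknown resources are denied by default."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if rule["mfa"] and not subject.mfa_verified:
        return False, "MFA required"
    if rule["compliant_device"] and not subject.device_compliant:
        return False, "device posture non-compliant"
    if subject.risk_score > rule["max_risk"]:
        return False, "risk score above policy threshold"
    return True, "policy satisfied"

def open_session(subject, resource, now, ttl_seconds=900):
    # Per-session grant: short-lived and scoped to a single resource.
    allowed, reason = evaluate(subject, resource)
    return (Session(resource, now, ttl_seconds) if allowed else None), reason

def reevaluate(session, subject, now):
    """Run on every request: expiry or a posture change revokes the session."""
    if session.revoked:
        return False, "session already revoked"
    if now - session.issued_at >= session.ttl_seconds:
        session.revoked = True
        return False, "session expired; re-authenticate"
    allowed, reason = evaluate(subject, session.resource)
    if not allowed:
        session.revoked = True
        return False, "trust revoked mid-session: " + reason
    return True, "continue"
```

In a real deployment the subject attributes would be fed by the identity provider, endpoint management and monitoring pipeline rather than constructed by hand.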
NIST SP 800-207 can be reviewed in its entirety here: https://csrc.nist.gov/publications/detail/sp/800-207/final
Contact us to learn more about how you can implement a Zero Trust Architecture and help secure your business from unwanted access.
Marcela Denniston is a Cybersecurity Expert who has been building military-grade security operations teams since 2002. Today, she is the SVP of Marketing for Foresite Cybersecurity, where she uses her subject matter expertise to drive meaningful content and messaging that speaks to true cyber practitioners.