NIST Publishes New Zero Trust Implementation Guidance

The US National Institute of Standards and Technology (NIST) has published new practical guidance, SP 1800-35, on implementing zero trust architecture (ZTA).
While NIST's earlier zero trust guidance, SP 800-207 from 2020, described the approach at a conceptual level, the new publication is designed to help organizations overcome implementation challenges.
The agency noted that ZTA adoption is increasing, partly because of regulatory requirements that apply to some organizations.
Zero trust offers an alternative to the traditional perimeter model of security at a time when users connect from a growing range of devices and locations.
Zero trust assumes that no user or device can be trusted implicitly, regardless of its location on the network or any previous verification. Every access request is therefore subject to strict, continuous verification and authorization.
Implementation can be challenging, however, because of misconceptions about the model and the short-term disruption it can cause to a business.
Alper Kerman, a NIST computer scientist and co-author of the guidance, explained: “Switching from traditional protection to zero trust requires a lot of changes. You have to understand who’s accessing what resources and why. Also, everyone’s network environments are different, so every ZTA is a custom build. It’s not always easy to find ZTA experts who can get you there.”
Zero Trust Implementation Options
The NIST guidance offers 19 example implementations of ZTAs built using commercial, off-the-shelf technologies.
These were developed through a project at the NIST National Cybersecurity Center of Excellence (NCCoE), which involved 24 industry collaborators including several major tech companies.
The NCCoE team and its collaborators spent four years installing, configuring and troubleshooting the example implementations around real-world situations that large organizations typically confront.
The document sets out several zero trust build types on which the 19 example implementations are based. These include:
- General zero trust: This applies to all deployment approaches, namely enhanced identity governance (EIG), software-defined perimeter (SDP), microsegmentation and secure access service edge (SASE), and may be operated as either on-premises or cloud-based services
- EIG crawl phase: This architecture relies mainly on identity, credential and access management (ICAM) and endpoint protection platform (EPP) components, and is currently limited to protecting on-premises resources
- EIG run phase: Unlike the crawl phase, this architecture includes policy administrator (PA) and policy engine (PE) components that are not furnished by the ICAM provider
- SDP, microsegmentation and SASE: Builds that are based on the SDP, microsegmentation and/or SASE deployment models
- ZTA laboratory physical: This describes the physical architecture of the baseline laboratory environment on which all the builds are based
- Phase 0 baseline security capability deployment: The security analytics tools deployed in Phase 0 to augment the shared services and conventional security tools of the baseline environment
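As an added illustration of the model described above (it is not code from the NIST publication or from any of its example builds), the Python below sketches a policy engine (PE) behind a policy enforcement point (PEP), using the component names from NIST SP 800-207. The rules, the identity and device-posture signals, and the three sample requests are all constructed for this example. It shows the two properties the article describes: the source network is recorded for audit but never used to grant access, and each request is evaluated afresh, so a device whose endpoint protection turns unhealthy between two requests is denied even though its previous request succeeded. The policy administrator (PA) that would carry the PE's decision to the PEP is left out for brevity.

```python
# Added illustration of a NIST SP 800-207 style policy engine (PE) and
# policy enforcement point (PEP). All names, rules and sample data are
# constructed for this example; none of it comes from the NIST guidance.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    mfa_verified: bool            # ICAM signal: MFA completed for this request
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                 # enrolled in enterprise device management
    edr_healthy: bool             # EPP/EDR reports the device healthy right now
    os_patched: bool


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str              # "public", "internal" or "restricted"
    allowed_roles: FrozenSet[str]


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: Resource
    source_network: str           # recorded for audit only; never grants access


@dataclass
class Decision:
    allow: bool
    reasons: List[str]            # empty when allowed


class PolicyEngine:
    """Evaluates every request from scratch using identity (ICAM) and
    device-posture (EPP) signals. There is no trusted network and no
    session that stays trusted once granted."""

    def decide(self, req: AccessRequest) -> Decision:
        reasons: List[str] = []
        if not req.subject.mfa_verified:
            reasons.append("subject has not completed MFA")
        if not (req.subject.roles & req.resource.allowed_roles):
            reasons.append("subject role not permitted for resource")
        if req.resource.sensitivity != "public":
            if not req.device.managed:
                reasons.append("device is not enterprise managed")
            if not req.device.edr_healthy:
                reasons.append("endpoint protection reports device unhealthy")
        if req.resource.sensitivity == "restricted" and not req.device.os_patched:
            reasons.append("device OS is not patched")
        return Decision(allow=not reasons, reasons=reasons)


class EnforcementPoint:
    """Sits in front of the resource. Every call goes back to the PE, so a
    change in posture between two requests changes the outcome."""

    def __init__(self, engine: PolicyEngine) -> None:
        self.engine = engine
        self.audit: List[Tuple[str, str, str, bool, Tuple[str, ...]]] = []

    def handle(self, req: AccessRequest) -> Decision:
        decision = self.engine.decide(req)
        self.audit.append((req.subject.user, req.resource.name,
                           req.source_network, decision.allow,
                           tuple(decision.reasons)))
        return decision


def run_demo() -> List[Decision]:
    """Three constructed requests from the same user to the same resource."""
    pep = EnforcementPoint(PolicyEngine())
    alice = Subject("alice", mfa_verified=True, roles=frozenset({"finance"}))
    ledger = Resource("finance-ledger", "restricted", frozenset({"finance"}))
    healthy = Device("lap-42", managed=True, edr_healthy=True, os_patched=True)
    # 1. From the office LAN with a healthy device: allowed on its own merits.
    first = pep.handle(AccessRequest(alice, healthy, ledger, "corp-lan"))
    # 2. Same user, same LAN, but EDR now flags the device: denied. The
    #    earlier success carries nothing over to this request.
    flagged = Device("lap-42", managed=True, edr_healthy=False, os_patched=True)
    second = pep.handle(AccessRequest(alice, flagged, ledger, "corp-lan"))
    # 3. From a home network with a healthy device: allowed. Location is
    #    not a trust signal in either direction.
    third = pep.handle(AccessRequest(alice, healthy, ledger, "home-wifi"))
    return [first, second, third]


if __name__ == "__main__":
    for decision in run_demo():
        print("ALLOW" if decision.allow else "DENY", decision.reasons)
```

Running the file prints one ALLOW/DENY line per request; the PEP's `audit` list keeps the source network alongside each decision so that reviewers can see it was logged but never consulted by the rules.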
Kerman added: “This guidance gives you examples of how to deploy ZTAs and emphasizes the different technologies you need to implement them. It can be a foundational starting point for any organization constructing its own ZTA.”
The document describes builds that use commercially available technologies; their inclusion does not imply recommendation or endorsement by NIST or the NCCoE.