Monday, 9 March 2020

NIST 800-207 - What is Zero Trust Architecture (ZTA) and Why Has It Become Important? (aka the X-Files - Trust No One)

One of the primary concerns, when operating in cloud environments and accessing resources over the internet, is cybersecurity. Traditional firewalls and edge-approaches to security no longer align with how we use technology.

This has given rise to the recent release of the National Institute of Standards and Technology (NIST) 800-207 security draft https://csrc.nist.gov/publications/detail/sp/800-207/draft. The release of this document has highlighted the prominence that has come to the Zero Trust approach to network security. Zero trust is a necessary security model that has arisen due to evolving user and mobility expectations and the rise of different software and infrastructure delivery models such as the cloud.

Bodies of knowledge such as NIST and CISSP recommend a layered approach to security (also known as "defence in depth" and "Segmentation/Micro-segmentation") - Zero Trust Architecture is a type of layered approach which will protect the confidentiality, integrity and availability of your information. This includes not just servers and devices but also protecting at the application/microservice (e.g. with JSON Web Tokens) and user levels.

What is Zero Trust Security?


  • Zero Trust follows the motto of the X-Files - "Trust No One". Regardless of whether the traffic is from internal or external sources - access is regularly scrutinized, verified, validated and processed in the same way. 
  • Zero Trust assumes that there is no implicit trust based on a user's or resource's location (e.g. intranet or intranet). Normal perimeter or edge-based security approaches segment the network this way in a static way based on location, subnets and IP ranges.
  • A useful analogy that is often used is the Castle versus the Hotel Model. Once inside a castle, a device or user has great lateral freedom. In a hotel, each room requires a key and is checked on entry to different rooms (representing applications and/or systems). 
  • Zero trust security focuses more on protecting the resources and users both inside and outside those network boundaries. It includes Establishing Trust (e.g. do I trust a jail-broken/unpatched/unencrypted/unsecured/unrecognized device with all of its ports open?), Enforcing Access and Continuously verifying the trust. It also includes continuous monitoring to detect anomalies. It is a combination of technologies and methods of protection.

  • Zero Trust is a more granular and flexible approach to securing resources reflective of the reality of modern workplaces. 
  • Zero Trust typically uses the following parameters and checks in combination to determine policy-based access to resources:
    • User Identity
    • Device (including assurance services, Mobile Device Management Flags - identifying patch levels to establish device-level trust or vulnerabilities)
    • Location
    • Session Risk (such as anomalous/unusual access behaviors or times)


Why has it become important?

  • The rise of working from home, remote users, and Bring Your Own Devices (BYOD) and cloud-based services (e.g. Salesforce, Office 365, Microsoft Teams and other AWS, Azure and GCP-based applications) have led to resources and users being located outside traditional network boundaries. 
  • Consequently, authentication and authorization cannot be assumed to be valid just because of the source location of a request - credentials and associated tokens need to be validated independently of location. 
  • Zero Trust is also required because of greater awareness of the "Insider Threat" from contractors and employees - through negligence or malicious intent.
  • As part of the Zero Trust mindset - there are also greater requirements around monitoring, logging and auditing activities as part of due diligence when complying with legal obligations (e.g. Australian Prudential Regulation Laws such as APRA Prudential Standard CPS 234). It is not good enough just to log external activities - internal activities need to be monitored as well. 

Why is it difficult?

  • Zero Trust requires a much better understanding of the assets and resources that need protection and the behavior of the users consuming and accessing those resources. 
  • Phenomena such as "Shadow IT" also introduce problems because they are not visible and so Zero Trust approaches may actually exclude previously functioning devices from resource access. 
  • Zero Trust requires the creation of more refined corporate and technical policies to handle the more granular resource-based approach to accessing your critical corporate systems.
  • Zero Trust requires much more intensive logging and scrutiny of user activity. This typically necessitates AI other anomaly detection mechanisms (e.g. out of hours access alerts).


15 comments:

Elegant IT Services said...

Nice Post...Thanks for Sharing the Information...
Elegant IT Services

Mohamed Abdellatif said...

What are White Ants?
White ants are just another name for termites. They are called white ants because of the way that they look. You should be aware, though, that white ants are not actually ants. White ants prefer to be in large colonies and they are wood eating insects that can cause damage to wood (and wood structures) in a surprisingly short period of time.

شركة مكافحة النمل الابيض بالدمام
شركة مكافحة النمل الابيض ببريدة
شركة مكافحة النمل الابيض بالقطيف
شركة مكافحة النمل الابيض بالخرج

hrroman said...

If you are stuck with your Management assignment then in this case you can opt for our Management Assignment. we provide the bestMarketing assignment help.We also provideConsumer Behaviour Assignment Help for students across the globe. for more information contact us +16692714848.

James David said...

This Is Really Great Work. Thank You For Sharing Such A Good And Useful Information Here In The Blog online digitizing

Bhavana said...

I would prescribe my profile is critical to me, I welcome you to talk about this point... 360DigiTMG AI Course in malaysia

Techguy said...

Good Information. Great work. Recommend all
Azure Training in Chennai | Devops Training in Chennai | AWS Training in Chennai

شركة الشعلة لتنسيق الحدائق said...
This comment has been removed by the author.
ABSHER said...

شركة ابشر من افضل الشركات لتنظيف المنازل والمكيفات والتعقيم حيث نسعي لبيئة نظيفة وجميلة ومنزل معقم ودائما عند ثقة عملائنا
شركة تعقيم بجازان

شركة مكافحة حشرات بجازان

شركة تنظيف منازل بجازان

شركة نقل عفش بجازان


شركة كشف تسربات المياه بجازان

افضل شركة رش مبيدات بجدة said...

. أفضل شركة خدمات (تنظيف - نقل عفش - مكافحة الحشرات - كشف التسربات ) بارخص الاسعار و اقل التكاليف ، و بجميع المناطق بالمملكة العربية السعودية و نصلكم باقصي سرعة ممكنة .
فتعد الحشرات من الكائنات التي تسبب توتر و قلق للانسان ووجودها في المكان غير مستحب نهائي لما تسببة من أمراض معدية و اضرار بالصحة كثيرة . لذلك نتمكن من التخلص من جميع الحشرات بأفضل مبيدات حشرية فعالة و بدون رائحة و من خدمات التخلص من الحشرات :-

شركة رش مبيدات بجدة
شركة مكافحة حشرات بمكة

يعد التنظيف من أهم المهام اللابد القيام بها من اجل الحماية من الحشرات و الامراض و هذا ما تهتم به شركتنا بشدة و توفير كافة المعدات و المحترفين . من اجل تنظيف الخزانات و تنظيف جميع الاماكن بالسعودية و من أهم خدمات التنظيف :-
شركة تنظيف خزانات بالطائف
شركة تنظيف بمكة

يحتاج الكثير الي نقل الاثاث و العفش و يحتاجون الي شركة متخصصة للتغليف و النقل بأمان بدون كسر او خدش و هذا متوفر شركة النجوم لجميع عملائها من خلال خدماتنا :-
شركة نقل عفش بالطائف
شركة نقل عفش بجدة

شركة النصر للمكافحة بجازان said...

شركة النصر لجميع الخدمات تقدم أفضل خدمة مكافحة الحشرات و رش المبيدات بجازان .
علي اعلي مستوي من الكوادر البشرية المدربة و الاسعار الرخيصه جداً .
نستخدم مبيدات بدون رائحة و بدون مواد سامة و نقضي علي جميع انواع الحشرات بفضل الله ..
نقضي علي الصراصير و البق و الفئران ، و اي حشرة تسبب في ازعاجك . فنحن متواجدون دائماً من أجل خدمتك و لاتتردد ابداً بزيارتنا و الاتصال بنا .


يتوفر لدينا عماله ممتازه
خدمة رخيصه
جودة عاليه و كفاءه
احدث المعدات و افضلها

شركة النصر لمكافحة الحشرات بجازان

360digiTMG Training said...

Wow! Such an amazing and helpful post this is. I really really love it. It's so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also.
Best Data Science courses in Hyderabad

traininginstitute said...

We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work


Best Data Science courses in Hyderabad

lionelmessi said...

i have to thank you for the time i spent on this especially great reading !! i really liked each part and also bookmarked you for new information on your site...

Data Science Training in Hyderabad

Anonymous said...

I really appreciate the kind of topics you post here. Thanks for sharing great information that is actually helpful. Good day!
Megri Embroidery Digitizing

devFarook said...

Thanks for your information.
Tableau Training|Data Science Training|
AlteryxTraining|PowerBI Training