Monday, 9 March 2020

NIST 800-207 - What is Zero Trust Architecture (ZTA) and Why Has It Become Important? (aka the X-Files - Trust No One)

One of the primary concerns when operating in cloud environments and accessing resources over the internet is cybersecurity. Traditional firewalls and edge-based approaches to security no longer align with how we use technology.

This has given rise to the recent release of the National Institute of Standards and Technology (NIST) Special Publication 800-207 draft (https://csrc.nist.gov/publications/detail/sp/800-207/draft). The release of this document highlights the prominence that the Zero Trust approach to network security has gained. Zero Trust is a necessary security model that has arisen from evolving user and mobility expectations and the rise of different software and infrastructure delivery models such as the cloud.

Bodies of knowledge such as NIST and the CISSP recommend a layered approach to security (also known as "defence in depth" and "segmentation/micro-segmentation"). Zero Trust Architecture is a form of layered approach that protects the confidentiality, integrity and availability of your information. This covers not just servers and devices but also protection at the application/microservice level (e.g. with JSON Web Tokens) and at the user level.

What is Zero Trust Security?


  • Zero Trust follows the motto of the X-Files - "Trust No One". Regardless of whether the traffic is from internal or external sources - access is regularly scrutinized, verified, validated and processed in the same way. 
  • Zero Trust assumes that there is no implicit trust based on a user's or resource's location (e.g. intranet or intranet). Normal perimeter or edge-based security approaches segment the network this way in a static way based on location, subnets and IP ranges.
  • A useful analogy that is often used is the Castle versus the Hotel Model. Once inside a castle, a device or user has great lateral freedom. In a hotel, each room requires a key and is checked on entry to different rooms (representing applications and/or systems). 
  • Zero trust security focuses more on protecting the resources and users both inside and outside those network boundaries. It includes Establishing Trust (e.g. do I trust a jail-broken/unpatched/unencrypted/unsecured/unrecognized device with all of its ports open?), Enforcing Access and Continuously verifying the trust. It also includes continuous monitoring to detect anomalies. It is a combination of technologies and methods of protection.

  • Zero Trust is a more granular and flexible approach to securing resources reflective of the reality of modern workplaces. 
  • Zero Trust typically uses the following parameters and checks in combination to determine policy-based access to resources:
    • User Identity
    • Device (including assurance services, Mobile Device Management Flags - identifying patch levels to establish device-level trust or vulnerabilities)
    • Location
    • Session Risk (such as anomalous/unusual access behaviors or times)
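The following is an added example, not code from the original post or from NIST: a minimal policy decision point that combines the four signals listed above (user identity via MFA state and group membership, device posture, location, and a session-risk score) into a per-resource allow/deny decision. Every policy, threshold, field name and sample value is an assumption constructed for this illustration. The source network (corporate LAN vs. internet) is carried along for the audit log but is never consulted by the decision, which is the point of removing location-based implicit trust.

```python
"""Added example (not from the original post): a minimal Zero Trust policy
decision point (PDP). All policies, thresholds and sample data are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in MDM (assumed posture flag)
    disk_encrypted: bool
    jailbroken: bool
    patch_age_days: int    # days since the last OS/security patch


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: Tuple[str, ...]
    mfa_verified: bool
    device: Device
    country: str           # from geo-IP or device attestation (assumed)
    source_network: str    # "corp-lan" or "internet": logged, never trusted
    risk_score: int        # 0 (normal) .. 100 (highly anomalous), assumed scale
    resource: str


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_groups: Tuple[str, ...]
    require_mfa: bool = True
    max_patch_age_days: int = 30
    allowed_countries: Optional[Tuple[str, ...]] = None   # None = any country
    max_risk_score: int = 50


# Constructed per-resource policies; resources without a policy are denied.
POLICIES: Dict[str, ResourcePolicy] = {
    "hr-payroll": ResourcePolicy(allowed_groups=("hr",), allowed_countries=("AU",), max_risk_score=30),
    "wiki": ResourcePolicy(allowed_groups=("staff", "hr"), max_patch_age_days=90),
}


def evaluate(req: AccessRequest, policy: ResourcePolicy) -> List[str]:
    """Return the list of policy violations; an empty list means allow."""
    reasons: List[str] = []
    # Identity: who is asking, and how strongly was that proven?
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("mfa_required")
    if not set(req.groups) & set(policy.allowed_groups):
        reasons.append("not_authorized_for_resource")
    # Device posture: is this endpoint one we are willing to trust?
    d = req.device
    if d.jailbroken:
        reasons.append("device_jailbroken")
    if not d.managed:
        reasons.append("device_unmanaged")
    if not d.disk_encrypted:
        reasons.append("device_unencrypted")
    if d.patch_age_days > policy.max_patch_age_days:
        reasons.append("device_unpatched")
    # Location: an explicit policy constraint, not an implicit trust signal.
    if policy.allowed_countries is not None and req.country not in policy.allowed_countries:
        reasons.append("country_not_allowed")
    # Session risk: anomalous behaviour lowers trust even for a known user.
    if req.risk_score > policy.max_risk_score:
        reasons.append("session_risk_too_high")
    return reasons


def decide(req: AccessRequest) -> Tuple[str, List[str]]:
    """Policy decision: ("allow", []) or ("deny", [reason, ...])."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny", ["no_policy_for_resource"]   # default deny
    reasons = evaluate(req, policy)
    return ("allow" if not reasons else "deny"), reasons


# Constructed sample devices and requests.
COMPLIANT_LAPTOP = Device("lap-01", managed=True, disk_encrypted=True, jailbroken=False, patch_age_days=5)
JAILBROKEN_PHONE = Device("phone-77", managed=False, disk_encrypted=False, jailbroken=True, patch_age_days=120)

REMOTE_HR_USER = AccessRequest("alice", ("hr", "staff"), True, COMPLIANT_LAPTOP, "AU", "internet", 10, "hr-payroll")
INTERNAL_BAD_DEVICE = AccessRequest("bob", ("hr", "staff"), True, JAILBROKEN_PHONE, "AU", "corp-lan", 10, "hr-payroll")
RISKY_SESSION = AccessRequest("alice", ("hr", "staff"), True, COMPLIANT_LAPTOP, "AU", "corp-lan", 80, "hr-payroll")

if __name__ == "__main__":
    for req in (REMOTE_HR_USER, INTERNAL_BAD_DEVICE, RISKY_SESSION):
        print(req.user, req.source_network, req.resource, decide(req))
```

Running the block shows the inversion of the castle model: the remote user on a compliant laptop with MFA is allowed, while the request from inside the corporate LAN is denied because the device posture fails, and a compliant device is still denied when the session-risk score exceeds the resource's threshold.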


Why has it become important?

  • The rise of working from home, remote users, Bring Your Own Device (BYOD) and cloud-based services (e.g. Salesforce, Office 365, Microsoft Teams and other AWS, Azure and GCP-based applications) has led to resources and users being located outside traditional network boundaries.
  • Consequently, authentication and authorization cannot be assumed to be valid just because of the source location of a request; credentials and associated tokens need to be validated independently of location.
  • Zero Trust is also required because of greater awareness of the "Insider Threat" from contractors and employees, whether through negligence or malicious intent.
  • As part of the Zero Trust mindset there are also greater requirements around monitoring, logging and auditing activities as part of due diligence when complying with legal obligations (e.g. Australian prudential regulation such as APRA Prudential Standard CPS 234). It is not good enough just to log external activities; internal activities need to be monitored as well.

Why is it difficult?

  • Zero Trust requires a much better understanding of the assets and resources that need protection and of the behaviour of the users consuming and accessing those resources.
  • Phenomena such as "Shadow IT" also introduce problems because they are not visible, so Zero Trust approaches may actually exclude previously functioning devices from resource access.
  • Zero Trust requires the creation of more refined corporate and technical policies to handle the more granular resource-based approach to accessing your critical corporate systems.
  • Zero Trust requires much more intensive logging and scrutiny of user activity. This typically necessitates AI or other anomaly detection mechanisms (e.g. out-of-hours access alerts).
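As an added example of the kind of scrutiny the last point calls for (this code is not from the original post), the block below runs three simple anomaly checks over a constructed JSON-lines access log: out-of-hours access, access from a country never previously seen for that user, and access from an unfamiliar device. Events before an assumed cut-over date establish each user's baseline; later events are checked against it. Field names, the business-hours window, the timestamps and all log content are constructed assumptions.

```python
"""Added example (not from the original post): baseline-and-compare anomaly
checks over a constructed access log. All field names and data are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one JSON object per line, UTC timestamps.
SAMPLE_LOG = """\
{"ts": "2020-03-02T09:15:00Z", "user": "alice", "country": "AU", "device": "lap-01", "resource": "hr-payroll", "result": "allow"}
{"ts": "2020-03-03T10:02:00Z", "user": "alice", "country": "AU", "device": "lap-01", "resource": "hr-payroll", "result": "allow"}
{"ts": "2020-03-02T14:30:00Z", "user": "bob", "country": "AU", "device": "lap-07", "resource": "crm", "result": "allow"}
{"ts": "2020-03-09T02:47:00Z", "user": "alice", "country": "AU", "device": "lap-01", "resource": "hr-payroll", "result": "allow"}
{"ts": "2020-03-09T11:05:00Z", "user": "bob", "country": "RO", "device": "lap-07", "resource": "crm", "result": "allow"}
{"ts": "2020-03-09T11:20:00Z", "user": "bob", "country": "AU", "device": "phone-99", "resource": "crm", "result": "deny"}
"""

# Assumed cut-over: earlier events form the baseline, later ones are checked.
BASELINE_END = datetime(2020, 3, 8, tzinfo=timezone.utc)
# Assumed business hours 07:00-19:59; checked in UTC here for simplicity,
# a real deployment would convert to each user's local time zone.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Parse JSON lines into event dicts with a timezone-aware 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per user: the set of countries and devices seen before BASELINE_END."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for ev in events:
        if ev["ts"] < BASELINE_END:
            baseline[ev["user"]]["countries"].add(ev["country"])
            baseline[ev["user"]]["devices"].add(ev["device"])
    return baseline


def detect(text):
    """Return a list of alerts {rule, user, ts, resource} for post-baseline events."""
    events = parse_log(text)
    baseline = build_baseline(events)
    alerts = []
    for ev in events:
        if ev["ts"] < BASELINE_END:
            continue
        # Denied attempts are checked too: a refused request is still a signal.
        known = baseline.get(ev["user"])   # dict.get does not create a default entry
        rules = []
        if ev["ts"].hour not in BUSINESS_HOURS:
            rules.append("out_of_hours")
        if known is None:
            rules.append("user_without_baseline")
        else:
            if ev["country"] not in known["countries"]:
                rules.append("new_country")
            if ev["device"] not in known["devices"]:
                rules.append("new_device")
        for rule in rules:
            alerts.append({"rule": rule, "user": ev["user"],
                           "ts": ev["ts"].isoformat(), "resource": ev["resource"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises one out-of-hours alert for alice's 02:47 access and two alerts for bob (a new country and a new device). The checks are deliberately simple; the point is that internal, already-authenticated activity is being compared against a per-user baseline rather than only logged.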

