The National Institute of Standards and Technology wants feedback on its definition of zero trust security architecture and potential deployments — outlined in a draft special publication released Monday.
Under zero trust, no implicit trust is granted to a user or system based on its network location; both the user and the device must authenticate before a connection to a resource is established. This matters more as employees work remotely and data moves to the cloud.
While zero trust architecture (ZTA) isn’t a foreign concept to agencies, more research and standardization is needed to improve their overall security posture, according to NIST.
“[M]any organizations already have elements of a ZTA in their enterprise infrastructure today,” reads the document. “Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect its data assets and business functions.”
In addition to providing a ZTA roadmap, the document highlights a number of use cases including agencies with satellite facilities, multi-cloud environments and contracted services.
ZTAs still face their own threats: compromise of the policy engine or policy administrator (the components that approve connections to resources), denial-of-service attacks or network disruption aimed at those components, and insider threats.
The Federal Information Security Management Act, Trusted Internet Connection 3.0, and Continuous Diagnostics and Mitigation programs all play into zero trust because they restrict data and service access to authorized parties, the end goal being to eliminate all unauthorized access. Access control enforcement should be as granular as possible, according to NIST.
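As an added illustration (not code from NIST or from the draft publication), the following Python sketch contrasts a location-based perimeter check with a zero-trust policy engine that decides per authenticated subject, device posture and individual resource/action, and a policy enforcement point that fails closed when the engine cannot be reached, the denial-of-service case noted above. The device inventory, policy table and request data are constructed sample values, and the component names simply follow the roles the article describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str      # authenticated user identity ("" if none)
    device_id: str    # authenticated device identity ("" if none)
    source_ip: str    # network location; a zero-trust decision ignores it
    resource: str
    action: str


# Constructed device inventory: posture attributes reported at connection time.
DEVICE_POSTURE = {
    "laptop-a1": {"patched": True, "disk_encrypted": True},
    "laptop-b2": {"patched": False, "disk_encrypted": True},
}

# Constructed policy table: one entry per (resource, action), the granular
# least-privilege style the draft calls for.
POLICY = {
    ("payroll-db", "read"): {"alice", "bob"},
    ("payroll-db", "write"): {"alice"},
    ("wiki", "read"): {"alice", "bob", "carol"},
}


class PolicyEngineUnavailable(Exception):
    """The policy engine could not be reached (outage or denial of service)."""


def perimeter_decision(req: Request) -> bool:
    """Legacy perimeter model, shown for contrast: anything with an internal
    (10.0.0.0/8) address is trusted, regardless of who or what it is."""
    return req.source_ip.startswith("10.")


def policy_engine_decision(req: Request) -> bool:
    """Zero-trust decision: requires an authenticated user and device, a
    healthy device posture, and an explicit policy grant for this resource
    and action. Network location plays no part."""
    if not req.subject or not req.device_id:
        return False
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not all(posture.values()):
        return False
    return req.subject in POLICY.get((req.resource, req.action), set())


def unavailable_engine(req: Request) -> bool:
    """Stand-in (hypothetical) for a policy engine that is down."""
    raise PolicyEngineUnavailable


def enforce(req: Request, engine=policy_engine_decision) -> bool:
    """Policy enforcement point: defers to the engine and fails closed if it
    gets no answer, so an attack on the engine denies access rather than
    silently granting it."""
    try:
        return engine(req)
    except PolicyEngineUnavailable:
        return False


if __name__ == "__main__":
    samples = [
        # unauthenticated host on the internal network (insider or rogue device)
        Request("", "", "10.1.2.3", "payroll-db", "read"),
        # authenticated remote user on a healthy device
        Request("alice", "laptop-a1", "203.0.113.5", "payroll-db", "write"),
        # same user, unpatched device
        Request("alice", "laptop-b2", "203.0.113.5", "payroll-db", "write"),
        # authorised to read the resource, not to write it
        Request("bob", "laptop-a1", "10.1.2.4", "payroll-db", "write"),
    ]
    for req in samples:
        print(f"{req.subject or '<anon>':6} {req.source_ip:12} {req.action:5} "
              f"perimeter={perimeter_decision(req)!s:5} zero_trust={enforce(req)}")
```

The point of the contrast is the first and last sample: an unauthenticated host on the internal network is admitted by the perimeter check and refused by the policy engine, while a user who may read a resource is still refused write access to it. The `enforce` wrapper is where the denial-of-service concern lands: if the policy engine is unreachable, the enforcement point denies rather than falling back to the old location-based trust.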
Most agencies will operate a hybrid architecture while legacy information technology is modernized, NIST adds. A pure ZTA can be built from the ground up in a greenfield deployment, but large agencies will need multiple technology refresh cycles and will migrate one business process at a time.
“After enough confidence is gained in the workflow policy set, the enterprise enters the steady operational phase,” reads the report. “The network and systems are still monitored, and traffic is logged, but responses and policy modifications are done at a lower tempo as they should not be severe.”
Public comments on the document are due by Nov. 22.