The business continuity benefits of NIST's zero trust architecture
The National Institute of Standards and Technology publication on zero-trust architecture provides a new security architecture model for the fast-changing environment where the enterprise perimeter is dissolving and apps and users are everywhere.
The National Institute of Standards and Technology is in the process of releasing a special publication (SP 800-207) on zero trust architecture. The current draft has gone through two rounds of public comment and makes for very interesting reading. In the process of providing feedback to NIST over the past few months, I found myself analysing ZTA’s applicability to the business continuity/remote working transformation enterprises across the world are seeing today.
Traditional perimeter-based security approaches relied on most employees and applications operating within an implied trust zone, i.e., the agency network. The NIST ZTA works on the assumption that every access request, whether it originates inside the network or outside it, may be hostile and must be verified.
NIST recommends that organizations treat the move to ZTA as a journey that can facilitate secure adoption of an increasingly distributed workforce model. This journey, which was already underway, has been strongly accelerated by the global fallout of COVID-19. In the first few months of 2020, enterprises worldwide scrambled to tactically ramp up their remote working capabilities to ensure business continuity. Going forward, remote work will become a strategic imperative for most enterprises. In this new normal, agencies must ensure that both the security and the user experience implications of their application access strategy are adequately addressed.
Architectures like the NIST ZTA can be very helpful in enabling this strategic approach. This quote from the NIST ZTA draft offers some insight into how NIST thinks of the technology as an enabler of business continuity: “A ZTA makes many COOP (continuity of operations) factors easier as remote workers may have the same access to resources that they had on-premises.”
ZTA is different because it increases the focus on authentication and authorization prior to granting access on a per-resource basis and also reduces the risk surface by design. Enhanced identity governance is one of the ways to achieve these goals. Figure 1 shows NIST's abstracted model of zero trust access:
In this model, the user authenticates to a policy engine that makes the authentication and authorization decision. The access decision should be based on the user's identity attributes, behavior, device security posture and external threat intelligence data, among other inputs. There is no implied trust in user access requests; trust is continually re-evaluated for every resource access decision. The ZTA infrastructure should shield the resource from discovery by attackers, thereby reducing the risk surface significantly. The idea is to shrink the implicit trust zone substantially by moving the policy enforcement point as close to the application as possible.
Unlike the perimeter-based security model (which effectively provides access to a segment of a network), ZTA is focused on a "least privilege" access model. This means the access decision and associated security policies are enforced at an application level, not a network level. This model therefore offers better support for hybrid environments where agencies will have applications deployed on-premises as well as in the public cloud.
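The per-request, per-resource decision described in the two paragraphs above can be made concrete with a small policy engine. The following is an added illustration, not code from NIST SP 800-207 or from the article; the resource names, the role and device-posture attributes, and the `threat_score` signal are all hypothetical stand-ins for the identity, posture and threat-intelligence inputs NIST lists. The key property it demonstrates is that the request's network location is carried along but never consulted: an on-premises request from a non-compliant device is denied exactly as an internet request would be, and every call re-evaluates the current posture rather than relying on a previously granted session.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Subject:
    """Identity attributes supplied by the identity provider (hypothetical schema)."""
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    """Device security posture as reported by the endpoint agent (hypothetical schema)."""
    device_id: str
    managed: bool
    patched: bool
    edr_healthy: bool


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    network: str       # "on-prem" or "internet"; deliberately NOT used by the policy
    threat_score: int  # hypothetical external threat-intel signal, 0 (benign) .. 100


@dataclass(frozen=True)
class ResourcePolicy:
    """Least-privilege policy bound to one application, not to a network segment."""
    allowed_roles: FrozenSet[str]
    require_mfa: bool
    require_managed_device: bool
    max_threat_score: int


# Constructed sample policies: a sensitive HR application and a low-risk wiki.
POLICIES: Dict[str, ResourcePolicy] = {
    "hr-portal": ResourcePolicy(frozenset({"hr", "admin"}), True, True, 40),
    "wiki": ResourcePolicy(frozenset({"staff", "hr", "admin"}), False, False, 70),
}


def device_compliant(device: Device) -> bool:
    """Posture check: every attribute must hold; one failure makes the device untrusted."""
    return device.managed and device.patched and device.edr_healthy


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Policy decision point: evaluate every request from scratch against the
    resource's own policy. Returns (allowed, reason). Default is deny."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.subject.roles & policy.allowed_roles:
        return False, "role not permitted for resource"
    if policy.require_mfa and not req.subject.mfa_verified:
        return False, "mfa required"
    if policy.require_managed_device and not device_compliant(req.device):
        return False, "device posture non-compliant"
    if req.threat_score > policy.max_threat_score:
        return False, "threat score above threshold"
    # Note: req.network was never consulted; location confers no trust.
    return True, "allow"


def session_decisions(requests) -> list:
    """Continual evaluation: a sequence of requests from the same user is decided
    one by one, so a posture change mid-session flips later decisions."""
    return [decide(r)[0] for r in requests]


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"hr"}), mfa_verified=True)
    laptop_ok = Device("lt-001", managed=True, patched=True, edr_healthy=True)
    laptop_bad = Device("lt-001", managed=True, patched=True, edr_healthy=False)
    on_prem = AccessRequest(alice, laptop_ok, "hr-portal", "on-prem", 10)
    on_prem_bad = AccessRequest(alice, laptop_bad, "hr-portal", "on-prem", 10)
    remote = AccessRequest(alice, laptop_ok, "hr-portal", "internet", 10)
    for r in (on_prem, on_prem_bad, remote):
        print(r.network, r.device.edr_healthy, decide(r))
```

Running the block shows that the same user on the same laptop is allowed from the office and from the internet while the device is healthy, and denied from the office once the EDR agent reports unhealthy; the policy engine never had to know which network the request came from.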
User experience is the other dimension security and agency IT leaders are focusing on. As employees’ work and home environments have converged, they expect enterprise IT applications to match their personal/consumer applications in terms of user experience and convenience. A ZTA implementation should, therefore, enable these important expectations in order to improve employees’ job satisfaction and productivity.
The resilience of the ZTA infrastructure is very important as well. Agency technology leaders should ensure that their ZTA implementation can scale up rapidly without impacting application performance. It is also critical that the policy engine and its components be resilient to attacks. This can be done by shielding the applications themselves from external discovery and by building DDoS protection into the policy engine infrastructure. NIST recognizes the scalability and resiliency of the ZTA infrastructure as a key criterion for vendor evaluation.
NIST’s detailed guidance around zero trust is very timely. Though improved business continuity posture has thus far been seen as a side benefit of adopting zero trust, it may be prudent for agencies to make it a primary motivation for adopting a better, more secure way of provisioning access to enterprise resources.