The US National Institute of Standards and Technology (NIST) has published new practical guidance on implementing zero trust architecture (ZTA). This guidance builds upon previous NIST conceptual guidance on zero trust that was published back in the year of 2020. The new publication is specifically designed to help organizations overcome various different ZTA implementation challenges that they often face. The agency has noted that ZTA adoption is increasing, partly as a direct result of new regulatory requirements for some organizations. Zero trust offers an alternative approach to the traditional perimeter model of cybersecurity amid growing network connections from different devices. It assumes that no user or device can be trusted regardless of its location and requires continuous strict verification.
Implementation of zero trust can be challenging due to common issues such as many different misconceptions about the security model.
It can also cause short term disruption to normal business operations, which many companies are very hesitant to experience. A NIST computer scientist, Alper Kerman, explained that switching from traditional protection to zero trust requires a lot of changes. Organizations have to understand who’s accessing what resources and why, and every ZTA is a custom build for them. The new NIST guidance offers nineteen example implementations of ZTAs built using commercial, off-the-shelf technologies to help with this process. These were developed at the NIST National Cybersecurity Center of Excellence (NCCoE) with twenty-four different industry collaborators.
The NCCoE team and its collaborators spent four years installing, configuring and also troubleshooting the example implementations for this guidance.
These examples were built around real-world situations that many large organizations typically confront in their own IT environments. The guidance sets out several zero trust build types, upon which the nineteen different example implementations are based for organizations. These include general zero trust, enhanced identity governance (EIG), software-defined perimeter (SDP), microsegmentation, and secure access service edge (SASE). The guidance also describes the physical architecture of the baseline laboratory environment that was used for all of the builds. This provides a foundational starting point for organizations.
NIST computer scientist Alper Kerman added that this guidance gives you examples of how to deploy many different ZTAs. It also emphasizes the different technologies that you will need to successfully implement them within your own organization’s network. He has stated that it can be a foundational starting point for any organization that is constructing its own ZTA. The document from NIST does mention the use of various commercially available technologies from a number of different vendors. However, their inclusion in the guidance does not imply any kind of recommendation or official endorsement by NIST or the NCCoE. The goal is to provide practical examples, not to promote particular commercial software.
Reference:
