NIST SP 800-207 – Zero Trust Architecture – Finalized with More Emphasis on Identity

Last week, the National Institute of Standards and Technology (NIST) published its guidance for implementing a Zero Trust architecture, SP 800-207. This latest publication consolidates industry input received on previous draft versions of the architecture.

As part of IDSA’s mission to promote identity-centric security, we provided feedback to NIST and are pleased to see some of our recommendations reflected in the updated document.

In the past ten years, discussions about Zero Trust have evolved dramatically. As businesses have tried to come to grips with the advent of cloud computing and worker mobility, the erosion of the traditional network perimeter has led to a growing recognition that a never trust, always verify approach is vital to security.

The NIST guidance gives considerable weight to identity. IDSA has been evangelizing the role of identity in Zero Trust frameworks for many years, and now the wider security industry is coming to the same realization. Specifically, NIST now includes recommendations to:

IDSA also recommended that NIST add references to Zero Trust access, which now plays a central role in the document. All told, we provided approximately 50 specific pieces of feedback to NIST to help shift the Zero Trust conversation away from a network-centric view of security to one focused on identity. The updated guidance reflects this change in emphasis, as well as the realization that it is no longer possible to protect resources by focusing on network defenses alone. Credential theft is at the heart of many compromises. By integrating security and identity infrastructures, enterprises can reduce the risk of data breaches by making smarter access and authentication decisions as part of a Zero Trust strategy.

As noted in IDSA's white paper "The Path to Zero Trust Starts with Identity", forward-thinking companies such as Adobe and LogRhythm are improving security by implementing architectures that share identity context and provide risk-based access to critical resources. Going forward, IDSA will continue to promote the importance of an identity-centric approach and welcomes opportunities to join forces with NIST and other organizations to nurture the development of guidance and frameworks for businesses adopting a Zero Trust model.

About the Author

Stefan Lesaru is the IDSA Zero Trust TWG subcommittee leader and Big Data and Security Director at Atos, where he advises and assists clients with their business digital transformation and provides Zero Trust advisory services as well as consulting services sales and delivery for IAM, IGA, eGRC and cybersecurity. He is an experienced IT leader with extensive integration expertise in large-scale initiatives ranging from systems/product implementations and data centre migrations to very large, multi-year cybersecurity programs. Prior to Atos, he held architect roles with Broadcom and CA.
