Recently, NIST released 800-207 draft document, which is intended to provide guidance for government and non-government organizations on implementations of a Zero Trust architecture. The document provides a definition of the core components that make up a “zero trust architecture (ZTA) network strategy,” a gap analysis of areas where more research and standardization is required, establish an abstract definition of ZTA, deployment models, use cases and a high-level roadmap.
In May, we convened a technical working group to look at how identity-centric security principles could be applied to Zero Trust, the network-based security concept that was originally coined by Forrester. The first deliverable from the team, The Path to Zero Trust Starts with Identity, provided a view of Zero Trust from the perspective of over 20 identity and security vendors. At the core, we believe that identity serves as the keystone in any Zero Trust based strategy and to date have been working with two end customers who have successfully implemented these concepts in their organizations – Adobe and LogRhythm.
In addition to authoring blogs and articles in InfoSec Magazine and Dark Reading on identity defined zero trust, the team has spent the last several weeks reviewing and discussing NIST 800-207 and developed a formal response for submission. It will come as no surprise that the majority of our feedback is about elevating the role of identity and identity-centric principles throughout the document as an alternative to the traditional network orientation.
In parallel to this effort, the Zero Trust Architecture Technical Exchange meeting took place last week. It was great to hear from a mix of government agencies and commercial entities, including Adobe, on their Zero Trust strategies and implementations. The key takeaway from those presentations was that Zero Trust strategies can be implemented in different ways – network segmentation, identity-centric, or a combination – with the approaches and implementations being driven by the security and user experience requirements and culture of the organization.
We are excited to collaborate with organizations such as NIST who are helping to establish common terminology and conceptual frameworks for organizations. We invite the community to share their thoughts and feedback on our response.
Special thanks to Asad Ali (Thales), Baber Amin (Ping Identity), Martin Kniffin (VMware), Srinivas Kasula (Wells Fargo), Jerry Chapman (Optiv), Darren Semmel (ImageWare Systems), Saravanan Thiyagarajan (CyberArk), Erasmo Acosta (CyberArk), Morey Haber (BeyondTrust), Erik Bartholomy (LogRhythm), Joe Gottlieb (SailPoint), Andy Smith (Centrify).