Last week, the National Institute of Standards and Technology (NIST) published its guidance for implementing a Zero Trust architecture, SP 800-207. This latest publication consolidates industry input received on previous draft versions of the architecture.
As part of IDSA’s mission to promote identity-centric security, we provided feedback to NIST and are pleased to see some of our recommendations reflected in the updated document.
In the past ten years, discussions about Zero Trust have evolved dramatically. As businesses have tried to come to grips with the advent of cloud computing and worker mobility, the erosion of the traditional network perimeter has led to a growing recognition that a "never trust, always verify" approach is vital to security.
The NIST guidance gives considerable weight to identity. IDSA has been evangelizing the role of identity in zero trust frameworks for many years, and now the security industry is also coming to the same realization. Specifically, NIST now includes recommendations to:
- Make identity authentication and authorization decisions using dynamic, risk-based policies. Access requests should be judged according to policies that analyze factors such as device characteristics, user or device behavior, and location.
- Enable continuous attestation of identities, devices, and the security posture of access requests. Since no assets are trusted, enterprises should continually monitor the state of devices and applications and either deny access or apply additional security challenges in response to anything suspicious.
- Control access to resources on a per-session basis. Assess the trust level of the requester before granting access. Any access should also be constrained in accordance with the principle of least privilege.
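As an added illustration (not code from NIST or IDSA), a small Python policy engine that combines the three recommendations above: a risk score built from device, location and behavior signals, an entitlement check that enforces least privilege, and a per-session decision that is re-evaluated whenever posture signals change. The roles, signal weights and thresholds are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    subject: str             # authenticated identity
    resource: str
    action: str
    device_managed: bool     # device posture signals
    device_patched: bool
    known_location: bool     # location and behavior signals
    anomalous_behavior: bool
    mfa_satisfied: bool      # whether a step-up challenge has already been met

# Least-privilege entitlements (constructed sample data): role -> resource -> allowed actions.
ENTITLEMENTS = {
    "analyst": {"siem": {"read"}, "tickets": {"read", "write"}},
    "admin": {"siem": {"read", "write"}, "tickets": {"read", "write"}},
}
ROLES = {"alice": "analyst", "bob": "admin"}

def risk_score(req: AccessRequest) -> int:
    """Dynamic risk from device, location and behavior (weights are constructed)."""
    score = 40 if not req.device_managed else 0
    score += 20 if not req.device_patched else 0
    score += 20 if not req.known_location else 0
    score += 60 if req.anomalous_behavior else 0
    return score

def decide(req: AccessRequest) -> str:
    """Per-request decision: 'allow', 'step-up' (additional challenge) or 'deny'."""
    # Least privilege first: an action the identity is not entitled to is denied regardless of risk.
    allowed = ENTITLEMENTS.get(ROLES.get(req.subject, ""), {}).get(req.resource, set())
    if req.action not in allowed:
        return "deny"
    score = risk_score(req)
    if score >= 60:
        return "deny"
    if score >= 20 and not req.mfa_satisfied:
        return "step-up"
    return "allow"

class Session:
    """Access is granted per session and re-evaluated as posture signals change."""
    def __init__(self, req: AccessRequest):
        self.req = req
        self.state = decide(req)

    def reattest(self, **signals) -> str:
        # Continuous attestation: fresh posture or behavior signals produce a new decision.
        self.req = replace(self.req, **signals)
        self.state = decide(self.req)
        return self.state
```

A suspicious signal arriving mid-session (for example `reattest(anomalous_behavior=True)`) flips an allowed session to denied without waiting for the next login.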
IDSA also recommended that NIST add references to Zero Trust access, which now plays a central role in the document. In total, we provided approximately 50 specific pieces of feedback to NIST to help shift the Zero Trust conversation away from a network-centric view of security to one focused on identity. The updated guidance reflects this change in emphasis, as well as the realization that it is no longer possible to protect resources by merely focusing on network defenses. Credential theft is at the heart of many compromises. By integrating security and identity infrastructures, enterprises can reduce the risk of data breaches by making smarter decisions about access and authentication as part of a Zero Trust strategy.
As noted in the IDSA’s The Path to Zero Trust Starts with Identity white paper, forward-thinking companies, such as Adobe and LogRhythm, are improving security by implementing architectures that share identity context and provide risk-based access to critical resources. As we move forward, IDSA will continue to promote the importance of an identity-centric approach and welcomes opportunities to join forces with NIST and other organizations to nurture the development of guidance and frameworks focused on businesses adopting a Zero Trust model.
About the Author: Stefan Lesaru is the IDSA Zero Trust TWG subcommittee leader and Big Data and Security Director at Atos, where he advises and assists clients with their business digital transformation, provides Zero Trust advisory services and consulting services sales and delivery for IAM, IGA, eGRC and cybersecurity. He is an experienced IT leader with extensive integration expertise in large scale initiatives ranging from systems/product implementations and data centre migrations to very large, multi-year cybersecurity programs. Prior to Atos, he held architect roles with Broadcom and CA.