What is the NIST Zero Trust Architecture?

The U.S. National Institute of Standards and Technology (NIST) is responsible for developing standards and best practices promoting cybersecurity for federal agencies, businesses, and the general public.

The NIST Zero Trust Architecture (ZTA) is a security framework specifically developed to address the difficulties of securing complex IT environments with resources located beyond traditional network perimeters.

As such, organizations should strongly consider implementing the framework to strengthen their security posture.

In this article:

Wh‎at is the NIST Zero Trust Architecture?

Zero Trust logical components screenshot from NIST — *Screenshot from* *NIST.gov*

‎Details of the NIST ZTA can be found in NIST Special Publication 800-207. The document’s purpose is to provide its intended audience of enterprise security architects with an understanding of Zero Trust when used with unclassified civilian IT systems.

It offers its audience a path to migrate and deploy Zero Trust security in an enterprise environment, with additional information focused on implanting Zero Trust in a cloud environment available in NIST Special Publication 800-207A.

The NIST stresses the point that this publication serves as a framework that should be augmented by considerations of a company’s unique business objectives and requirements.

We’re going to discuss the major principles and components of the NIST Zero Trust Architecture and look at how a data loss prevention (DLP) solution can be instrumental in its successful implementation.

Ze‎ro Trust core principles

Closeup of a computer screen using a complex application — *Photo by* *Tima Miroshnichenko* *from* *Pixabay*

‎‎The main principle of the NIST ZTA security model states that threats to the IT environment can come from external or internal actors. Trust should never be assumed regarding any entity inside or outside the network.

Threats may already be present within the environment and need to be identified and addressed through a program of continuous verification and authentication.

These following core principles form the foundation of the ZTA model.

Entities such as users, devices, or applications are never trusted by default and verification is required throughout any interaction with the IT environment.
Least privilege access should be implemented to provide entities with the minimum level of access to complete a task.
Assume breaches will or have occurred when designing security measures.
Network resources should be segmented with controls applied to each segment to mitigate the spread of threats.
Contextual access controls must consider a user’s identity, location, device state, and the sensitivity of resources being accessed.

Ba‎sic tenets of Zero Trust

Enterprise with remote employees screenshot from NIST — *Screenshot from* *NIST.gov*

‎NIST SP 800-207 defines the following basic tenets of Zero Trust. Adhering to these tenets is essential for successfully implementing ZTA.

All data sources and computing services are considered resources. Networks may be comprised of multiple types of devices and services. Companies may include personally owned devices with the ability to access enterprise resources.
Communication needs to be secured regardless of network location. The same security measures need to be implemented when verifying access requests from inside and outside the traditional network perimeter.
Trust should not be granted simply because an entity is already inside the network and has gained some level of access.

Zero Trust Access screenshot from NIST — *Screenshot from* *NIST.gov*

Resource access is granted on a per-session basis. Least privilege access is only granted after reevaluating trust in the requesting entity. Authorization to a resource will not automatically permit access to other resources.
A dynamic policy determines access to resources that includes factors such as the state of the client’s identity, the state of a requesting asset, and other behavioral or environmental attributes. For example, device state may include characteristics such as the software version installed, its location, and previously observed behavior.

The policy is developed by an organization to address its unique business processes and the level of risk it can tolerate.

Assets are never inherently trusted. The integrity and security of all owned and associated assets are continuously monitored and measured. Assets will be denied access to resources for which they cannot be authenticated.
Authentication and authorization are dynamic and enforced before access to any resource is permitted. A continuous cycle of obtaining access, assessing threats, adapting, and reevaluating trust is required at every interaction.

Credential and access management using techniques such as multi-factor authentication (MFA) is necessary to protect the environment.

Enterprises should collect as much information as they can regarding the state of assets, the network, and communications. This data can be leveraged to enhance the security posture by improving Zero Trust policy creation and enforcement.

Un‎derstanding the 3 primary approaches to implementing NIST Zero Trust Architecture

The NIST Special Publication 800-207 delineates three primary models for implementing Zero Trust architecture: Enhanced Identity Governance, Micro-Segmentation, and Software-Defined Perimeters. These models serve as foundational approaches for organizations to adopt Zero Trust principles.

Enhanced Identity Governance focuses on robust authentication and authorization mechanisms, while Micro-Segmentation involves dividing networks into smaller, more manageable segments. Software-Defined Perimeters create dynamic, identity-centric boundaries around resources.

Co‎mmon pitfalls in implementing Zero Trust Architecture

Abstract digital illustration of Zero Trust Architecture — *‎‎Image by* *Pete Linforth* *from* *Pixabay*

Implementing ZTA requires a comprehensive approach encompassing several key elements. Organizations must effectively manage their assets, thoroughly understand potential risks, and develop robust policies to guide implementation.

Continuous monitoring is crucial to maintain security, while proper configuration of all components ensures the system functions as intended.

When implementing ZTA, it's important to avoid common pitfalls. One such mistake is neglecting compatibility issues between different systems and components, which can lead to integration problems and security gaps.

Another error to avoid is over-reliance on vendor APIs, as this can create vulnerabilities and limit flexibility in the long run. By addressing these aspects and avoiding potential mistakes, organizations can successfully implement a robust ZTA framework that enhances their overall security posture.

Th‎e role of DLP in supporting Zero Trust Architecture

‎Data loss prevention software can be an important component of an organization’s attempts to implement Zero Trust Architecture. Using a DLP solution requires the development of a data handling policy that defines which resources can access and use specific data assets. The DLP platform then automatically enforces the policy, restricting access according to policy definitions.

A DLP solution such as the Reveal Platform by Next protects an organization from external and internal risks to data assets. It contributes to a Zero Trust mindset by enforcing authorization for all attempts at accessing enterprise data.

Schedule a demo to see how Reveal can support your Zero Trust security measures.

Fr‎equently asked questions

Why should a company adopt the NIST ZTA framework?

A company should adopt the NIST ZTA framework because it streamlines the process of protecting its valuable and sensitive data resources. The framework was developed by experts in the field and incorporates proven best practices that will enhance the security of any IT environment.

Organizations can use the framework as a road map to ZTA implementation, making adjustments to reflect their specific business requirements.

How does Zero Trust architecture address the issue of insider risks?

Zero Trust architecture addresses the issue of insider risks by requiring authorization and authentication for every interaction in an IT environment. This approach restricts deliberate or accidental attempts to misuse data resources by employees or contractors already within the infrastructure.

Simply gaining access to a specific system will not permit users to use data resources for which they are not authorized.

Why is the principle of least privilege important when implementing ZTA?

The principle of least privilege is important when implementing Zero Trust Architecture because it restricts entities from gaining access to resources that are not necessary to perform their job or a designated task.

This approach meshes nicely with ZTA’s continuous enforcement of authorization and authentication to protect IT resources. Implementing least privilege eliminates the prospect of an entity gaining access to sensitive resources outside of the scope of its role in the enterprise.