The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved traditional network boundaries. Hardened network perimeters alone are no longer effective for providing enterprise security in a world of increasingly sophisticated threats. Zero trust is a design approach to architecting an information technology environment that could reduce an organization’s risk exposure in a “perimeter-less” world.
A zero trust architecture treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.
The concept of zero trust has been around for more than a decade, but technology to support it is now moving into the mainstream. A zero trust architecture leans heavily on components and capabilities for identity management, asset management, application authentication, network segmentation, and threat intelligence. Architecting for zero trust should enhance cybersecurity without sacrificing the user experience. The NCCoE is researching ongoing industry developments in zero trust and its component technologies that support the goals and objectives of a practical, secure, and standards-based zero trust architecture.
Federal CIO Council Efforts
Since late 2018, National Institute of Standards and Technology (NIST) and NCCoE cybersecurity researchers have had the opportunity to work closely with the Federal Chief Information Officer (CIO) Council, federal agencies, and industry to address the challenges and opportunities for implementing zero trust architectures across U.S. government networks. This work resulted in publication of NIST Special Publication (SP) 800-207, Zero Trust Architecture.
In November 2019, the NCCoE and the Federal CIO Council cohosted a Zero Trust Architecture Technical Exchange Meeting that brought together zero trust vendors and practitioners from government and industry to share successes, best practices, and lessons learned in implementing zero trust in the federal government and the commercial sector.
An NCCoE project will build on this body of knowledge as we seek to build out and document an example zero trust architecture that aligns to the concepts and principles in NIST SP 800-207 and that uses commercially available products.