NIST Releases Updated Guidance on Zero Trust Implementation

The US National Institute of Standards and Technology (NIST) has released enhanced guidance for the implementation of Zero Trust Architecture (ZTA). This new publication aims to assist organizations in navigating the complexities associated with adopting a zero trust model, a significant evolution from previous conceptual frameworks outlined in 2020.

As more organizations face regulatory pressures to adopt ZTA, this guidance is particularly relevant. Traditional security models, which rely on a defined perimeter, are increasingly inadequate in the face of diverse network connections stemming from a multitude of devices and access locations. The zero trust philosophy operates on the assumption that trust cannot be given based on location or prior authentication alone. Instead, continuous verification and strict access controls are mandated across the network.

Challenges to implementing zero trust often arise from misconceptions regarding the model and the potential short-term disruptions it may bring to business operations. Alper Kerman, a computer scientist at NIST and a co-author of the guidance, emphasizes the significant transformations required when transitioning from traditional security measures to a zero trust framework. This includes a deep understanding of resource access patterns and recognizing that each organization’s network environment is unique, making zero trust implementations highly customized.

The NIST guidance delineates 19 example implementations of ZTAs, developed using off-the-shelf technologies through a project at the National Cybersecurity Center of Excellence (NCCoE). This initiative involved collaboration with 24 industry partners, including several key technology firms, and spanned four years of real-world testing and adjustments to address typical challenges faced by large organizations.

The guidance categorizes several foundational zero trust designs that represent the basis for the 19 implementations:

General Zero Trust: Applicable across all deployment methods, encompassing enhanced identity governance (EIG), software-defined perimeter (SDP), microsegmentation, and secure access service edge (SASE). These can be operated either on-premises or in the cloud.
EIG Crawl Phase: This model focuses primarily on identity, credential, and access management (ICAM) and endpoint protection platforms (EPP) to safeguard on-premises resources.
EIG Run Phase: This phase expands upon the crawl phase by incorporating additional protection architecture (PA) and protection elements (PE) not provided by the ICAM vendor.
SDP, Microsegmentation, and SASE: Implementation approaches that utilize these specific design methodologies.
ZTA Laboratory Physical: This defines the baseline physical architecture for establishing the laboratory where all other models are tested.
Phase 0 Baseline Security Capability Deployment: This includes the introduction of security analytics tools to augment existing shared services and traditional security measures within the baseline setup.
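As an added illustration of the principle stated above, that network location and a prior authentication alone confer no trust, and of the identity (ICAM) and endpoint posture (EPP) inputs named for the EIG crawl phase, the Python below contrasts a perimeter-style decision with a per-request zero trust decision. It is example code written for this summary, not code from NIST or the NCCoE project; the field names, policy keys and thresholds are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class AccessRequest:
    subject: str             # identity as asserted by the ICAM system (assumed field name)
    groups: frozenset        # group memberships from ICAM
    auth_time: datetime      # when the subject last authenticated
    device_compliant: bool   # endpoint posture as reported by an EPP agent (assumed)
    source_network: str      # "corp" or "internet"; zero trust must not rely on this
    resource: str

# Constructed per-resource policy. Keys and thresholds are illustrative.
POLICY = {
    "hr-db": {"group": "hr", "max_auth_age": timedelta(minutes=15), "compliant_device": True},
    "wiki":  {"group": "staff", "max_auth_age": timedelta(hours=8), "compliant_device": False},
}

def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything arriving from inside the perimeter is trusted."""
    return req.source_network == "corp"

def zero_trust_decision(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Evaluate every request against identity, authentication freshness and
    endpoint posture. Network location is deliberately never consulted."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "deny: no policy defined for resource"
    if policy["group"] not in req.groups:
        return False, "deny: subject lacks required group"
    if now - req.auth_time > policy["max_auth_age"]:
        return False, "deny: authentication stale, re-verification required"
    if policy["compliant_device"] and not req.device_compliant:
        return False, "deny: endpoint not compliant"
    return True, "allow"

# Constructed sample requests: an on-network user with an old session and a
# non-compliant device, and a remote user with a fresh login and a healthy device.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
INSIDER_STALE = AccessRequest("alice", frozenset({"staff", "hr"}), NOW - timedelta(hours=3),
                              device_compliant=False, source_network="corp", resource="hr-db")
REMOTE_FRESH = AccessRequest("bob", frozenset({"staff", "hr"}), NOW - timedelta(minutes=5),
                             device_compliant=True, source_network="internet", resource="hr-db")

if __name__ == "__main__":
    for req in (INSIDER_STALE, REMOTE_FRESH):
        print(req.subject, "perimeter:", perimeter_decision(req),
              "zero trust:", zero_trust_decision(req, NOW))
```

The two models disagree on both requests: the perimeter check admits the stale on-network session and rejects the remote user, while the per-request evaluation does the opposite.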

Kerman notes that these examples provide organizations with foundational strategies for deploying ZTAs effectively, highlighting the various technologies necessary for such implementations. While the guidance discusses the use of commercially available technologies, it clarifies that their inclusion does not equate to endorsement by NIST or NCCoE.