NIST unveiled the final version of its Zero Trust Architecture publication, which gives private sector organizations a road map for deploying the cybersecurity concept across the organization.
The guidance was developed in collaboration between NIST and multiple federal agencies and is meant for cybersecurity leaders, administrators and managers. The document is aimed at providing leadership with a better understanding of the zero trust environment.
“Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary,” according to NIST. “Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
The guide contains a full description of the architecture, as well as various deployment models and use cases that organizations could leverage on their own networks to improve their overall IT security posture.
The deployment of a zero trust model begins with an understanding of workflows and assets. The guide breaks down various deployment scenarios and variations of the abstract architecture, including device agent, gateway-based, enclave-based, resource portal-based, and device application deployments.
The publication includes basics of zero trust tenets and an overall view of a zero trust network, as well as the logical components needed to develop a zero trust architecture and various approaches. Enterprise administrators can find insights into enhanced identity governance, micro-segmentation, and leveraging network infrastructure and software-defined perimeters.
Administrators can also find guidance around trust algorithms and needed network and environment deployments, along with the threats associated with the zero trust model, such as subversion of its decision process and stolen credentials.
Last, the publication breaks down how the zero trust architecture can be paired with existing federal guidance like the NIST Risk Management Framework and NIST Privacy Framework.