The term “zero trust” is becoming increasingly common in cybersecurity circles. But what is zero trust, and why is it important? In this blog post, we’ll explore the concept of zero trust and its implications for cybersecurity professionals.
Zero trust is a security model in which no user, device, or application is trusted by default, regardless of where it sits on the network: every request for access to sensitive data or services must be authenticated and authorized on its own merits, and only the least privilege needed for that request is granted. This is in contrast to the traditional perimeter model (often characterized as “trust but verify”), which treats anything already inside the corporate network as trustworthy unless there is evidence to the contrary.
Zero trust is not a product you can purchase and install, nor is it a single approach or technique to adopt. It is a framework of concepts and ideas, and when we need a reference point for a framework we turn, of course, to NIST. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture, provides the following operative definition of zero trust and Zero Trust Architecture (ZTA):
Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. ZTA is an enterprise’s cybersecurity plan that uses zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a ZTA plan.
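To make that definition concrete, here is an added example (not from the original post, and not code from NIST SP 800-207): a toy policy decision point in Python that contrasts the legacy implicit-trust check with a zero trust per-request, least-privilege decision. The users, devices, subnets, resources and policies in it are all constructed for illustration; a real deployment would consult an identity provider, an MDM/EDR inventory and a policy store instead of these dictionaries.

```python
from dataclasses import dataclass
from datetime import timedelta
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed stand-ins for an identity provider, a device inventory
# (MDM/EDR) and a per-resource policy store. None of this is real data.
USERS = {
    "alice": {"groups": {"finance"}},
    "bob": {"groups": {"engineering"}},
}
DEVICES = {
    "laptop-a1": {"owner": "alice", "managed": True, "disk_encrypted": True, "edr_healthy": True},
    "laptop-b2": {"owner": "bob", "managed": True, "disk_encrypted": True, "edr_healthy": True},
    "byod-phone": {"owner": "bob", "managed": False, "disk_encrypted": True, "edr_healthy": False},
}
# Least privilege: each resource lists exactly which group may do which action.
POLICY = {
    "payroll-db": {"finance": {"read"}},
    "build-server": {"engineering": {"read", "write"}},
}
INTERNAL_NET = ip_network("10.0.0.0/8")   # the "trusted" subnet of the legacy model
MAX_SESSION_AGE = timedelta(hours=8)      # force periodic re-authentication


@dataclass
class Request:
    user: str
    resource: str
    action: str
    src_ip: str
    device_id: Optional[str] = None
    mfa_completed: bool = False               # proven for this session, not a profile flag
    session_age: timedelta = timedelta(0)


def perimeter_decide(req: Request) -> bool:
    """Legacy implicit trust: being on the internal network is the credential.
    Identity, device and the specific action are never examined."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decide(req: Request) -> Tuple[bool, str]:
    """Per-request decision in the NIST SP 800-207 sense: the network is
    assumed compromised, so the source IP grants nothing; subject, session,
    device posture and a per-resource least-privilege policy are checked
    on every call."""
    user = USERS.get(req.user)
    if user is None:
        return False, "unknown subject"
    if not req.mfa_completed:
        return False, "MFA not completed for this session"
    if req.session_age > MAX_SESSION_AGE:
        return False, "session too old; re-authenticate"
    dev = DEVICES.get(req.device_id or "")
    if dev is None:
        return False, "unknown or unenrolled device"
    if dev["owner"] != req.user:
        return False, "device not bound to this subject"
    if not (dev["managed"] and dev["disk_encrypted"] and dev["edr_healthy"]):
        return False, "device posture check failed"
    for group in user["groups"]:
        if req.action in POLICY.get(req.resource, {}).get(group, set()):
            return True, f"{group} may {req.action} {req.resource}"
    return False, f"no policy grants {req.action} on {req.resource}"


if __name__ == "__main__":
    scenarios = [
        # Unauthenticated request from inside the network (e.g. an attacker who
        # has already moved laterally): the perimeter model waves it through.
        Request("nobody", "payroll-db", "read", "10.1.2.3"),
        # Legitimate finance user on a healthy managed laptop, from a coffee shop.
        Request("alice", "payroll-db", "read", "203.0.113.7", "laptop-a1", True),
        # Same user, same device, but an action her role is not granted.
        Request("alice", "payroll-db", "write", "203.0.113.7", "laptop-a1", True),
        # Engineer on an unmanaged phone with unhealthy EDR, inside the network.
        Request("bob", "build-server", "write", "10.1.2.3", "byod-phone", True),
    ]
    for r in scenarios:
        allowed, why = zero_trust_decide(r)
        print(f"{r.user:>7} {r.action:5} {r.resource:12} from {r.src_ip:13} "
              f"perimeter={'ALLOW' if perimeter_decide(r) else 'DENY '} "
              f"zero-trust={'ALLOW' if allowed else 'DENY '} ({why})")
```

Note what the two functions consult. The perimeter check looks only at the source address, so an attacker who has already landed on 10.1.2.3 is indistinguishable from a legitimate workstation, while a legitimate user working from a coffee shop is locked out. The zero trust function never treats the source address as a credential (it remains useful as context for logging and risk scoring); it re-checks the subject, the session, device binding and posture, and the per-resource policy on every request, which is the “accurate, least privilege per-request access decisions … in the face of a network viewed as compromised” that the NIST definition describes.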
NIST SP 800-207 is the product of a collaboration between multiple federal agencies and is overseen by the Federal Chief Information Officer (CIO) Council. It is meant to educate and to provide a road map to assist in migrating to and executing zero trust security concepts.
There are several reasons why the zero trust model is gaining popularity. First, it is a more realistic approach to security in a world where data breaches and ransomware attacks continue to rise, because it assumes the attacker may already be inside the network. Second, because every request is checked against identity, device and policy, it helps ensure that only authorized users reach sensitive data. And third, it makes an attacker's job harder: a compromised password or a foothold on one host no longer grants free movement across the network. With today's uptick in remote working, and with traditional perimeter defenses no longer doing enough, organizations need to upgrade their network cybersecurity.
The zero trust model also comes with challenges. Most legacy systems are built around implicit trust, which directly conflicts with a zero trust architecture, and the existing infrastructure around those systems must be either rebuilt or replaced. Additionally, as of this writing there is no formally adopted maturity model for zero trust architecture. While maturity models have been proposed, current initiatives for kickstarting zero trust adoption often focus on the network layer and do not present a holistic approach to the transition.
The Cybersecurity and Infrastructure Security Agency (CISA) was aiming to release its Zero Trust Maturity Model 2.0 this summer, according to Eric Goldstein, CISA's executive assistant director for cybersecurity, but we have yet to see the updated document. The original draft, which was opened for public comment, described five pillars and three cross-cutting capabilities and received hundreds of comments. Rivial Data Security will be watching for the newest release of this document so we can share CISA's best practices for implementing zero trust in your organization.
If developing and executing a zero trust road map is on your radar, using the Rivial Platform to guide you to your zero trust architecture is the easiest path to reach your goal. By loading NIST SP 800-207 into the Rivial Platform, you can track your organization's progress toward its zero trust goals. Sign up for a demo of the Rivial Platform to get started.