In this article, I’ll help you understand NIST 800-207, Zero Trust, and how to meet the standards mandated by the US federal government’s recent cybersecurity mandate.
TL;DR
- The VPN and other similar perimeter-based network solutions are ineffective at protecting your organization against unauthorized lateral resource access. With those solutions, once someone is in your network, they have virtually free rein to your entire network.
- In contrast, a Zero Trust Architecture segments your information and resources into smaller ‘buckets’. This significantly reduces how much damage an attacker can do to your organization.
- NIST SP 800-207 was published in 2020, and it gave us a standardized definition of Zero Trust. The document also laid out different approaches and common use cases.
- While analyzing every aspect of NIST 800-207 is beyond the scope of this article, we have provided an overview of the different approaches to give you a high-level summary.
- Agilicus makes it simple to align with NIST 800-207 guidelines while also dramatically increasing security across your entire network.
Today, your critical systems are more vulnerable than ever to cybersecurity threats.
We’ve all heard this before. News of organizations falling victim to ransomware attacks is all too common. But what you might not know is why we continue to see organizations fall victim to ransomware and other similar attacks.
In a 2021 CISA report, the top three initial infection vectors for breaches were phishing, credential theft, and vulnerabilities.
The common thread? All of them had the common root cause of unauthorized resource access.
What is Authorization?
The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (NIST).
The Problem with ‘Castle and Moat’
Protecting your organization against this problem isn’t always so simple, however. For a long time, legacy network solutions like the VPN used a traditional castle and moat architecture of protecting your perimeter and stopping the bad guys from entering your sacred space. The thinking was that if you can control who comes in, you can trust everyone within your network. Bad people out there. Good ones in here.
And that served us well for many years. But the modern network doesn’t have clear boundaries. The castle and moat approach fails when what you need to protect is outside your castle.
What is Zero Trust?
This is where a Zero Trust Network Architecture (ZTNA) shines. Whereas a traditional perimeter typically takes a “Trust, but Verify” approach, Zero Trust asserts that nothing should be implicitly trusted – not your identities, devices or even your network components.
What is Identity?
The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (NIST).
Because information and resources are segmented into smaller ‘buckets’, users are given access to the least amount of data they need to do their job. This approach severely limits the amount of damage that an intruder can do because the pool of data that they can see and access is much smaller.
This ultimately prevents attackers from gaining access to systems and users that will help them advance deeper into the network (a technique commonly known as lateral movement).
Despite the stronger security that comes with Zero Trust, the concept is still a relatively new one. It was only when organizations began making the rapid shift to remote-first or hybrid workforces in 2020 as a result of the COVID-19 pandemic that organizations began to take Zero Trust seriously.
NIST’s Response
In response to this evolving cybersecurity landscape, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-207, Zero Trust Architecture in 2020.
Even today, it stands as the gold standard for understanding the requirements, challenges, and nuances of implementing Zero Trust.
Although other federal bodies like NSA and CISA have published their own guidance and recommendations, we will focus specifically on NIST 800-207 in this post. We will give you an overview of the document and the different ways of implementing ZTNA so you can meet the guidelines and improve your organization’s security posture.
What is Included in NIST 800-207?
In a world where remote work prevails and traditional network defenses are increasingly ineffective, NIST SP 800-207 provides enterprises with systematic guidelines for updating their network cybersecurity
The document itself (which you can read here) lays out a clear, albeit abstract definition of Zero Trust, which has been key to standardize the concept. That being said, this definition has been left purposely vague to let organizations decide how best to implement it within their organization.
NIST clearly understood that this could also spark some confusion, so the special publication also lays out common components of a Zero Trust Architecture, as well as the ways it could interact with existing federal guidance (more on that below).
Perhaps more importantly, NIST 800-207 gives you general deployment scenarios and different use cases where Zero Trust so you can see how it can improve your overall information technology security posture.
How does NIST 800-207 define Zero Trust?
What is Zero Trust?
Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero Trust Architecture is an enterprise’s cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan (NIST).
Why It Matters
I’ve talked a lot about the increased security that Zero Trust brings to organizations like yours, especially with increasingly distributed users, resources, and systems.
The federal government has also noticed the value of NIST 800-207 and the benefits of Zero Trust. So much so that on January 26th, 2022, the US government issued a memorandum that formally established a federal strategy for implementing Zero Trust across the country.
It requires that government agencies move to Zero Trust by the end of Fiscal Year (FY) 2024.
With recurring references to NIST 800-207, this mandate sent a clear message: Zero Trust is the future of cybersecurity for critical infrastructure.
With this order in place, similar protective regulations will likely also be mandated at the state and local levels of government in the coming weeks and months. We have already seen some of these mandates from some agencies (like the Federal Aviation Administration) following high profile incidents.
With a tight 2024 deadline, it’s vital for government agencies and public bodies to meet the standards set out in NIST 800-207 as soon as possible.
How to Align Your Organization with NIST 800-207
As I mentioned, there are many different ways you can set up a Zero Trust Architecture to satisfy the guidelines set out in NIST 800-207.
Here are a few different approaches you can take.
The Different Approaches
Zero Trust Architecture Using Enhanced Identity Governance
In this approach, policies for enterprise resource access are created based on the identity of users and assigned attributes. Access to resources is primarily based on the access privileges granted to the user. Other factors like the device used, asset status, and environmental factors may be considered to alter the confidence-level calculation, which ultimately decides access authorization. Agilicus, for example, uses your existing native identity provider (Ex. Azure, Google, etc…) to authenticate, avoiding the need for new user names, passwords, or active directory licenses.
This approach is typically employed in open network models or enterprise networks with frequent non-enterprise devices on the network (like vendors, for example).
Because access to resources is restricted to identities with the appropriate privileges, this approach is typically more secure than the others mentioned below. Let’s use Agilicus as an example – our platform authenticates and authorizes you before a connection is established (you can learn more about that here if you’re curious).
Zero Trust Architecture Using Micro-Segmentation
In this approach, individuals or groups of resources are placed on a unique network segment protected by a gateway security component. The enterprise can use infrastructure devices such as intelligent switches, routers, next-generation firewalls, or special-purpose gateway devices to act as Policy Enforcement Points (PEPs) that protect each resource or a small group of related resources. Alternatively, the organization can choose to implement host-based micro-segmentation using software agents or firewalls on the endpoint asset(s).
The gateway devices dynamically grant access to individual requests from a client, asset, or service. Depending on the model, the gateway may be the sole PEP component or part of a multipart PEP consisting of the gateway and client-side agent. This approach can be applied to a variety of use cases and deployment models, as the protecting device acts as the PEP, with the management of said devices acting as the Policy Engine/Policy Administration (PE/PA) component.
This approach requires an Identity Governance Program (IGP) to function fully, but it relies on the gateway components to act as the PEP that shields resources from unauthorized access and/or discovery. The key necessity to this approach is that the PEP components are managed and should be able to react and reconfigure as needed to respond to threats or changes in the workflow.
It is possible to implement some features of a micro-segmented enterprise by using less advanced gateway devices and even stateless firewalls, but the administration cost and difficulty to quickly adapt to changes make this a poor choice.
Zero Trust Architecture Using Network Infrastructure and Software-Defined Perimeters
This approach uses the network infrastructure itself. This can be done through an overlay network, which operates at the application layer (layer 7) or lower layers of the Open Systems Interconnection (OSI) network stack.
These approaches are sometimes referred to as software defined perimeter (SDP) approaches and may include concepts from software defined networks (SDN) and intent-based networking (IBN). In this approach, the policy administrator (PA) acts as the network controller, setting up and reconfiguring the network based on decisions made by the policy engine (PE).
Clients still request access via policy enforcement points (PEPs), which are managed by the PA. The most common deployment model for this approach is the agent/gateway, where the agent and resource gateway establish a secure channel for communication between the client and resource. Other variations of this model may exist, including for cloud virtual networks or non-IP-based networks.
Agilicus Can Help!
While this post only begins to scratch the surface of NIST 800-207 and Zero Trust, you should now be equipped with a high-level understanding so you can decide how best to implement a Zero Trust Architecture for your organization.
And although Zero Trust has many clear benefits, it can be challenging to make such an enormous shift. At Agilicus, we believe the fastest path to adoption is to make it simpler. That’s why our Zero Trust platform removes the need for a VPN, leverages your existing identity providers for secure authentication, and gives you fine-grained authorization tools to precisely manage access.
It’s the easiest way to align with NIST 800-207 while also greatly elevating your organization’s security posture.
Curious to learn more? Check out this case study to see how we helped a municipality modernize its critical infrastructure to better enable simple, secure connectivity with precise control over privileges.