Zero Trust Architecture: What is NIST SP 800-207 all about?

Image

“Doubt is an unpleasant condition, but certainty is an absurd one.”

Whilst I claim no particular knowledge of the eighteenth-century philosopher Voltaire, the quote above (which I admit to randomly stumbling upon in a completely unrelated book) stuck in my mind as a fitting way to consider the shift from traditional, perimeter-focused ’network security’ thinking to that of ‘ZTA’ (Zero Trust Architecture.) Whilst much is talked and indeed marketed about for ‘Assume Breach’ or ‘ZT’ (Zero Trust) models, these have not always been well understood or universally agreed terms. In some cases, they are simply thrown about as nothing more than ‘buzzwords.’ Certain vendors have muddied the waters further by attempting to equivocate or even claim such terms as their own in relation to specific products or feature sets. Which is why the recent NIST Special Publication 800-207 provides a great, industry-neutral starting point for providing some authoritative and much-needed clarity as to what we actually mean by ZTA. For some time, many of us have come to realize that the concept of granting implicit trust to data or resources based solely on factors such as network location or device ownership rarely works efficiently from either a business or security perspective. A line of more realistic thinking has thereby inevitably evolved that actually assumes attackers to be present and active on ‘the network’ regardless if ‘the network’ is on-site, in the cloud, owned/managed by the organization themselves or behind one or a hundred firewalls. This helps with focusing more security attention (and hopefully return on investment) towards the authentication, authorization and continual evaluation of posture—all of which should help in making better decisions for granting and monitoring access to the actual data, resources, services and other assets which really count and matter most to an individual or organization. That’s sort of the idea, anyway. Although in keeping with the theme of my opening quote, SP 800-207 realistically acknowledges that uncertainties in any model, including ZTA, can only be lessened and never eliminated. Despite certain myths and confusion, the NIST SP 800-207 publication states: "ZT is not a single architecture but a set of guiding principles for workflow, system design and operations." The opening sections therefore begin by providing some background as to the origins of ZT and offering some clear descriptions of its basic tenets. Section three then moves on to its building blocks, describing the core logical components involved such as the:

• PE (Policy Engine) – The component responsible for the decision to grant access to a resource.
• PA (Policy Administrator) – The component responsible for actually establishing access to a resource.
• PEP (Policy Enforcement Point) – The system gateway responsible for enabling, monitoring and eventually terminating connections between an authorized subject and the resource itself.

This section continues by presenting other potential components and sources of relevance such as PKI, CDM (Continuous Diagnostics & Mitigation) systems, threat intelligence feeds, system logs and data access policies. It specifically highlights how they can interrelate and input into the policy engine decisions. Section four then brings all of these concepts to life a little more by showing us some ‘real world’ type examples of theoretical deployment use cases. Various scenarios and models are discussed in this section via clear, summarized narrative and diagrams. Section five considers threats to ZT itself, whilst the final sections discuss alignment with existing federal guidance and steps towards actually transitioning to Zero Trust Architecture. One of the key points which the publication reiterates across a number of these sections is that a mature and detailed understanding is required of both the logical assets themselves and subjects requiring access to them. ZTA cannot reliably operate or even be delivered as a technology piece in isolation of such information being as accurate as possible. More than ever, it is therefore vital that an organization truly understands is assets (data, resources, workflows, services) as well as the subjects/actors requiring legitimate access to them. This is after all how the PE will ultimately determine the necessary ‘confidence level’ to grant a request access or deny it, sometimes dynamically based on current state or posture at a given point in time. The more granular its policies and the more accurate this information, the better these decisions should become. The next myth the publication should hopefully help to dispel is one that ZTA negates the need for any form of network segregation. Section three explicitly outlines how there should be some clear separation (logical or even physical) in place between the control and data planes. The PE & PA ‘brains of the operation’ should firmly reside in the control plane, whilst the data plane is used for any actual communications between the subject and resources which the PEP establishes. Access to assets must only be via the PEP, and so the PEP needs to be accessible by the subjects. The control plane, however, requires maximum protection and therefore isolation from the data plane and the subjects themselves. Lastly, the myth of having to radically ‘throw the traditional, perimeter security baby out with the bathwater’ is also corrected. Section seven states that in all but the rarest ‘greenfield’ cases, migration to Zero Trust Architecture will need to be a journey rather than any wholesale replacement of existing infrastructure or processes. It pragmatically recognizes that for many organizations, a long or even indefinite hybrid transition period will be required. New systems and workflows may be built with a ZTA approach, but they will still need to co-exist effectively with or within, more traditionally built non-ZTA environments. Hopefully, this short blog has given enough of a taste by now to download and read the paper itself. At 50 pages, that’s not a daunting task, and it really is packed with concise and clear information. As for anyone looking for a ‘tick box’ blueprint of certainties for how to secure your network, it won’t offer that. Such a thing simply doesn’t exist. Like the great old TV show used to say, ‘trust no one’ including those perpetuating such myths about ZTA itself.

Image

About the Author: Angus Macrae is a Certified Information Systems Security Professional (CISSP) in good standing. He has more recently been awarded (ISC)²' Certified Cloud Security Professional (CCSP) status. He is currently Head of Cyber Security services for King's College London. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.