The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) has a distinguished history of developing what some would call traditional secure software solutions to ensure the security of information systems and platforms. However, a zero trust architecture is anything but traditional. That’s because the traditional approach to cybersecurity relies upon barriers — firewalls — that control traffic coming in and out of a network. Zero trust, on the other hand, is about assuming no barriers. It is usually referred to as “removing perimeters,” “shrinking perimeters,” “reducing perimeters” or “going perimeter-less,” according to a NIST release.
Birth of the Zero-trust Security Model
“In 2010, cybersecurity expert John Kindervag coined the phrase ‘zero trust’ while he was with Forrester Research. In a nutshell, zero trust assumes that the system will be breached and designs security as if there is no perimeter. Hence, don’t trust anything by default, starting with the network,” a NIST official wrote in a blog post.
NIST suggested the zero trust model really increased in interest with the Office of Personnel Management (OPM) data breach in 2015. An estimated 22.1 million records were exposed in what has been described as one of the largest breaches of U.S. government data in history. The attack exposed records of people who had undergone background checks, as well as information about their family, friends and acquaintances, many of whom weren’t even government employees. Social Security numbers, names, dates and places of birth, and addresses were among the types of personally identifiable information that were revealed, NIST reported.
The OPM data breach was a titanic wake-up call for the U.S. government to secure its information systems and infrastructures. In its aftermath, several initiatives were launched to improve and modernize the U.S. government’s security posture. The American Technology Council, formed in May 2017 under the direction of the president, promptly coordinated and produced a report for federal IT modernization later that year, according to NIST.
In February 2018, the CIO Council Services, Strategy, and Infrastructure Committee, made up of federal IT officers, chartered the Zero Trust and Software-Defined Networking Steering Group. That group’s job was to support the adoption of more effective methods and technologies for verifying, securing, enforcing and continuously monitoring access to the federal government’s assets and data by applying zero trust principles, NIST reported.
The group convened a workshop on October 25, 2018, at the NCCoE. The workshop included 21 representatives and subject matter experts from federal civilian and defense agencies alike to discuss and come to consensus on definitions of zero trust networking and software-defined networking, including components, functional capabilities and security characteristics of each model. This interaction led to the February 2019 launching of a NIST NCCoE project, in partnership with the CIO Council, to research zero trust and zero trust architectures (ZTA) with the goal to produce a general guidance document for adoption of ZTAs for securing U.S. government information systems and infrastructures.
In August 2020, NIST NCCoE released the general guidance document NIST SP 800-207, Zero Trust Architecture, for adoption of ZTAs in the federal government. The document provides conceptual-level insight into zero trust and zero trust architectures, including deployment models, use case scenarios and discovered gaps in technologies.
Keeping Networks Safe, Then and Now
Professionals who have been in the IT field since the earliest days will surely remember the more “innocent” times in which network environments were developed. For example, developers didn’t have remotely accessible resources or applications and services in the cloud like today, NIST said. At that time, developers built a digital fence — a perimeter — around networks and applications, which funneled external access through a single point of entry in a verified and authorized manner. This allowed internal users access to the pool of resources and applications protected inside the perimeter. This was a sound strategy for a long time, according to NIST.
However, today, with the explosion of cloud computing, information resources are more globally connected than ever before. More and more, people are conducting business remotely using mobile devices. “We consume, exchange and store digital information in private clouds, public clouds, hybrid clouds and many other variations in between. The conventional boundaries have expanded and become more obscured to allow for a much larger footprint of applications and services to be located and accessed from anywhere. With that expansion, the cybersecurity vulnerabilities have also grown. There are more areas and points of attack. Networks and data are more vulnerable to the types of cybersecurity breaches that originate from inside the networks — inside the perimeter,” according to NIST.
Going back to the “infamous” OPM data breach, hackers first gained access to OPM’s internal network using stolen credentials and then planted a malware package that installed itself within OPM’s network as a back door for data exfiltration. From there, attackers escalated their privileges to gain access to various OPM information systems, a typical escalation scenario that is often referred to as the “lateral movement” or “East-West traffic” of a security breach inside the perimeter, NIST reported. This case highlighted the shortcomings of the conventional perimeter defense in that it provides no security control mechanism to prevent lateral movement once the security threat is inside the perimeter, as the inside was always considered to be the safe or trusted zone in this strategy.
The OPM case demonstrates why zero trust is a better cybersecurity model, NIST advised. For example, you could be working from an enterprise-owned network, a coffee shop, home or anywhere in the world, accessing resources spread across many boundaries, from on-premises to multiple cloud environments. Regardless of your network location, a zero trust approach to cybersecurity will always respond with: “I have zero trust in you! I need to verify you first before I can trust you and grant access to the resource you want.” Hence, “never trust, always verify” — for every access request.
“The verification process is one of the key aspects of a zero trust approach. Every access request to a resource must be thoroughly evaluated dynamically and in real time based on access policies in place and current state of credentials, device, application and service, as well as other observable behavior and environmental attributes, before access may be granted. For example, a member of staff or a contractor, or even a guest user, may be verified and granted access to a specific resource, but they will still need to be re-verified to access another resource within a zero-trust-enforced environment. This continuous scrutiny is the security control mechanism that prevents lateral movement of bad actors spreading from compromised systems within network environments, which is basically the essence of any zero trust solution,” NIST wrote.
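The following is an added illustration of the per-request verification described above; it is not code from NIST or from SP 800-207. It sketches a toy policy decision point that evaluates every access request on its own, combining role, credential state (freshness of the multi-factor proof) and device posture, and that deliberately ignores the network the request came from. All user, device, resource and policy values are constructed for the example.

```python
# Added example: a toy zero trust policy decision point (PDP). Every request is
# evaluated on its own; nothing is inherited from an earlier grant or from the
# network the request arrived on. Names and policy values are constructed for
# illustration and are not taken from NIST SP 800-207.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[datetime]  # last successful MFA, None if never


@dataclass(frozen=True)
class Device:
    device_id: str
    enterprise_managed: bool
    patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    source_network: str  # recorded for audit only; never used to grant access
    now: datetime


@dataclass(frozen=True)
class Policy:
    allowed_roles: FrozenSet[str]
    mfa_max_age: timedelta        # how fresh the MFA proof must be for this resource
    managed_device_only: bool


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: List[str]


# Per-resource policies (constructed sample values).
POLICIES: Dict[str, Policy] = {
    "wiki": Policy(frozenset({"staff", "contractor"}), timedelta(hours=8), False),
    "hr-records": Policy(frozenset({"hr"}), timedelta(minutes=15), True),
}


def decide(req: AccessRequest) -> Decision:
    """Evaluate one access request against the policy for its resource.

    Every check runs on every call, so a prior grant for another resource
    carries no weight here. Resources without a policy fall to default deny.
    """
    policy = POLICIES.get(req.resource)
    if policy is None:
        return Decision(False, ["no policy for resource: default deny"])

    reasons: List[str] = []
    if not (req.subject.roles & policy.allowed_roles):
        reasons.append("subject lacks a role permitted for this resource")

    # Credential state: an MFA proof must exist and be fresh enough for this resource.
    mfa = req.subject.mfa_verified_at
    if mfa is None or req.now - mfa > policy.mfa_max_age:
        reasons.append("MFA missing or older than the resource allows")

    # Device posture is part of every decision, even from the enterprise LAN.
    if not req.device.patched:
        reasons.append("device not patched")
    if not req.device.disk_encrypted:
        reasons.append("device disk not encrypted")
    if policy.managed_device_only and not req.device.enterprise_managed:
        reasons.append("resource requires an enterprise-managed device")

    return Decision(allow=not reasons, reasons=reasons)


def demo() -> Dict[str, Decision]:
    """Three requests from one user: location grants nothing, and each resource
    is verified separately."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = Subject("alice", frozenset({"staff", "hr"}), mfa_verified_at=now - timedelta(hours=2))
    laptop = Device("lt-001", enterprise_managed=True, patched=True, disk_encrypted=True)
    unpatched = Device("lt-002", enterprise_managed=True, patched=False, disk_encrypted=True)
    return {
        # Remote network, but a healthy managed device and a permitted role: allowed.
        "wiki_from_coffee_shop": decide(AccessRequest(alice, laptop, "wiki", "coffee-shop", now)),
        # Same user, same session, different resource: a 2-hour-old MFA proof
        # exceeds the 15-minute limit for HR records, so re-verification is required.
        "hr_same_session": decide(AccessRequest(alice, laptop, "hr-records", "coffee-shop", now)),
        # On the corporate LAN with an unpatched device: being "inside" does not rescue it.
        "wiki_from_corp_lan_unpatched": decide(AccessRequest(alice, unpatched, "wiki", "corp-lan", now)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

The point of the three requests in `demo()` is the one the quoted passage makes: the grant for the wiki does not carry over to HR records, and the request from the corporate LAN is denied for the same device-posture reason it would be from anywhere else. In a real deployment the role, credential and device signals would come from an identity provider and an endpoint-management system rather than from inline values, but the decision shape stays the same.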
The NIST/NCCoE zero trust team said their zero trust security efforts and standards are being closely followed and are highly regarded by other government agencies and many in the cyber industry. For example, the Department of Defense is investing in a zero trust architecture and cybersecurity model.
For more information, see NIST SP 800-207, Zero Trust Architecture.
Adapted from the NIST Taking Measure blog, “Zero Trust Cybersecurity: ‘Never Trust, Always Verify,’” by Alper Kerman.