Getty Images

NSA Shares Zero Trust Security Model Guide, Recommendations

NSA guidance on the zero trust security model details much-needed cybersecurity elements and recommendations to bolster access controls and workflows across the enterprise network.

The NSA unveiled guidance for implementing a zero trust security model across the enterprise infrastructure, which includes recommendations. The system management strategy is designed to bolster workflows and infrastructure through a coordinated, proactive security approach.

As previously noted, the zero trust model is highly recommended for healthcare delivery organizations as a way to stop attack proliferation across connected devices, strengthen access controls, and protect cloud-based assets.

“A zero trust architecture uses zero trust principles to plan enterprise infrastructure and workflows,” according to NIST. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).” 

“Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established,” it added. “Zero trust focuses on protecting resources, not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

The new NSA guidance can support an earlier, similar guide released by NIST in August 2020. Organizations that embrace a zero model and mindset can better position the enterprise to secure sensitive information, systems, and services, in response to the increase in complex, diverse networks and relevant, heightened threat landscape.

Zero trust is a set of system designed principles and a coordinated system management strategy based on the overall mindset that threats exist both inside and outside traditional network boundaries.

By shifting into zero trust, entities can eliminate implicit trust in any one element, node or service. Instead, the model requires the continuous verification of the overall enterprise network through real-time data sourced from multiple tools to determine both access and system responses.

The model also constantly limits user access to only what is needed to perform required tasks, while constantly monitoring for anomalous or malicious activities.

The insights can be leveraged to better understand how to implement comprehensive security monitoring, granular risk-based access controls, and security automation, which is coordinated throughout all infrastructure elements.

“This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors,” NSA officials explained.

“Systems that are designed using zero trust principals should be better positioned to address existing threats, but transitioning to such a system requires careful planning to avoid weakening the security posture along the way,” they added.

To NSA, the zero trust principles and concepts need to be applied to most network assets and the operation ecosystem to be completely effective, minimize risk, and enable robust and timely responses.

Enterprise administrators should use the cybersecurity guidance to understand the zero trust nuances and benefit, along with possible challenges to implementing the model.

The guide further sheds light on the need for a detailed strategy for making the shift to zero trust and dedicated resources needed for a successful transition, as well as the ways to mature the implementation and fully commit to the zero trust model to garner successful results.

The NSA recommendations include best practice methods for adopting a zero trust mindset and guiding principles and details into leveraging design concepts for defining mission concepts, architecture, access controls, and network traffic.

Entities will also find examples of zero trust use cases, which highlight the ways the security model addresses compromised user credentials, remote exploitation, insider threats, and a compromised supply chain.

“Implementing zero trust takes time and effort: it cannot be implemented overnight. For many networks, existing infrastructure can be leveraged and integrated to incorporate zero trust concepts, but the transition to a mature zero trust architecture often requires additional capabilities to obtain the full benefits,” according to the guide.

“Transitioning to a mature zero trust architecture all at once is also not necessary,” it added. “Incorporating zero trust functionality incrementally as part of a strategic plan can reduce risk accordingly at each step.”

Next Steps

Dig Deeper on Cybersecurity strategies