What is the NIST Zero Trust Architecture?
Two years ago, the National Institute of Standards and Technology (NIST) issued a report defining a new paradigm for secure network access. The NIST Zero Trust Architecture outlines how organizations can improve security by replacing legacy technologies such as virtual private networks (VPN). This 59-page document comprehensively explores the principles and implications of Zero Trust, but it is easy to get lost in all the details.
This article will touch on why the traditional model of a network perimeter is failing, what Zero Trust looks like from NIST’s perspective, and how the US government is migrating to this new security paradigm.
Why is Zero Trust necessary?
Zero Trust is a modern approach to secure network access that avoids the security weaknesses and inefficiencies of legacy technologies such as virtual private networks or remote desktop protocol (RDP). Designed for today’s distributed network architectures, Zero Trust solutions let organizations manage all users, devices, and resources within a single system. Zero Trust delivers seamless access to users no matter where they are while keeping resources secure amid the growing sophistication of today’s cybercriminals.
Legacy technologies are insecure
For decades, organizations have used a “secure perimeter” framework to protect sensitive networked resources. Security administrators focused on locking down private networks to prevent access from outside the organization’s walls. Employees used managed desktops on this private network to access the resources they needed.
VPN, RDP, and other specialized technologies let a few employees access the network remotely. Gateway devices positioned outside the network provided a portal through the firewall so these users could access the network.
What worked decades ago no longer works today. Secure perimeter technologies have become vectors for cyberattacks. Gateways publish their presence to the public internet. By constantly scanning every gateway, cybercriminals can spot an unpatched device before administrators know an update is available. In addition, users’ devices and credentials are vulnerable to malware and social engineering attacks. Since VPN gateways provide access to networks rather than to specific resources, these vulnerabilities create significant risks to an organization’s security.
Legacy technologies are inefficient
Legacy approaches also make an organization’s networks inefficient. As work-from-home policies during the pandemic made clear, gateways are bandwidth chokepoints for all remote traffic. In addition, the private network must handle traffic flowing between remote users and cloud-based resources. Besides degrading the private network’s bandwidth, this backhaul adds latency to users’ connections.
In addition to the performance impact, legacy technologies such as VPN are more difficult and expensive to manage. Changes to access policies can require changes in the infrastructure and vice versa. Upgrading or replacing a VPN gateway can disrupt the organization.
What are the NIST Zero Trust definitions?
Zero Trust was introduced as an academic concept in the 1990s. National security planners have worked with similar concepts for decades. A few years after Forrester analysts popularized Zero Trust in 2010, Google began developing its in-house Zero Trust network architecture.
In 2020, the NIST Zero Trust Architecture was published to provide a common reference for government agencies hoping to improve their organization’s security posture. This is how the authors defined the new security paradigm:
Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
They further defined seven technology-agnostic “tenets” upon which to base a Zero Trust Architecture:
Consider all data sources and computing services as resources
Any software or hardware that touches an organization’s data is a resource. This includes routers, printers, managed desktops, and anything else connected to the private network. Zero Trust Architecture also includes an organization’s internet-hosted applications and services.
Secure all communications regardless of network location
Unlike the secure perimeter paradigm, Zero Trust does not assume that a private network is any more secure than the public internet. No matter what network an access request comes from, Zero Trust denies it by default and only grants access to authenticated and authorized users.
Only grant per-session access to individual resources
Authentication and authorization should not give a user more than the requested access. Applying least-privilege principles restricts permissions to a single resource; those permissions do not transfer to other resources.
Grant access dynamically based on context
User identity, location, and many other factors can affect the risk profile of an access request. These factors can change at any time — even during a session. Zero Trust systems evaluate each access request based on this context and grant just-in-time access.
Constantly evaluate device and resource security postures
Every network and device is always vulnerable to attack. The only safe assumption is that they have already been compromised. Organizations must have “a robust monitoring and reporting system” to identify security weaknesses.
Strictly and dynamically enforce policies before granting access
Too many legacy technologies grant access before completing authentication or authorization. Zero Trust systems deny access by default. Only once a request has been found in compliance with all security policies is access granted.
Monitor all network activity and act on learnings
Detailed activity logs, and the systems to use them, are needed to understand infrastructure state and traffic patterns. Those learnings should inform improvements to security policies and enforcement practices.
Is there a simpler way to think about Zero Trust?
NIST’s technical definitions, while detailed, can be difficult to grasp. However, Zero Trust principles are easy to understand when distilled to three basic concepts:
- Assume breach - Any network, resource, device, or user credential can be compromised at any time. The only safe approach is to assume everything has already been breached and every access request is a potential attack.
- Verify explicitly - Before creating any connection to a resource, the Zero Trust system must authenticate the user and evaluate the request’s risk profile based on context. However, authentication is not enough to permit access.
- Least privilege - Role-based policies give users the least amount of access needed to do their work within the context of the access request. These permissions are ephemeral, disappearing when the session ends, times out, or when any trust factor changes.
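The three concepts above, sketched as a minimal policy decision function. This is an added example, not code from NIST or Twingate; the role map, country allow-list, session lifetime and all names are hypothetical.

```python
import time
from dataclasses import dataclass

# Constructed sample policy: which role may reach which single resource.
POLICY = {"engineer": {"git.internal"}, "finance": {"ledger.internal"}}
SESSION_TTL = 900  # seconds; assumed session lifetime

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool
    device_compliant: bool
    country: str
    resource: str

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    context: tuple      # trust factors observed when access was granted
    expires_at: float

def context_of(req):
    """Trust factors that, if they change, invalidate an existing grant."""
    return (req.device_compliant, req.country)

def decide(req, allowed_countries=frozenset({"US"}), now=None):
    """Return a Grant for exactly one resource, or None (deny by default)."""
    now = time.time() if now is None else now
    if not req.authenticated:                        # verify explicitly
        return None
    if not req.device_compliant or req.country not in allowed_countries:
        return None                                  # context is too risky
    if req.resource not in POLICY.get(req.role, set()):
        return None                                  # authenticated, but not authorized
    return Grant(req.user, req.resource, context_of(req), now + SESSION_TTL)

def still_valid(grant, req, now=None):
    """Re-check on every request: a grant ends on timeout or any context change."""
    now = time.time() if now is None else now
    return (grant is not None
            and now < grant.expires_at
            and grant.user == req.user
            and grant.resource == req.resource       # no transfer to other resources
            and grant.context == context_of(req))    # trust factors unchanged
```

Every failed check returns `None`, so a request is denied unless it passes all of them, and `still_valid` is meant to run on each request rather than once per login.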
Why are organizations interested in Zero Trust?
Zero Trust does not have the security and efficiency weaknesses of traditional secure perimeter technologies. In an increasingly distributed networking and cybersecurity environment, Zero Trust makes organizations more secure while improving productivity and network performance.
- Shrinking the attack surface - Replacing publicly-visible gateways with invisible Zero Trust proxies hides distributed networks from attackers.
- Preventing lateral movement - Zero Trust’s least privilege access policies stop hackers from roaming through networks. Administrators can identify and mitigate attacks faster, reducing the blast radius of successful attacks.
- Simplifying granular control - Zero Trust lets organizations control access for each resource, each role, and each context through simple administrative tools.
- Unifying all users and resources - Administrators can apply common security policies for all users and resources, including third-party resources.
- Reducing network costs - Decoupling access control from the physical network reduces infrastructure investments and overhead.
- Improving network performance - Without the need for centralized gateways, Zero Trust improves the latency of user connections while relieving private networks of backhaul traffic.
- Improving the user experience - Users get the same experience at home as they do in the office. Zero Trust clients enforce security policies transparently while delivering performant, low-latency connections.
Why is the US government adopting Zero Trust?
Recognizing the weakness of secure perimeter paradigms, the defense and national security sectors have been planning a switch to Zero Trust Architectures. On May 15, 2021, the Biden Administration directed all federal agencies to adopt Zero Trust. Within 60 days, every agency had to
… develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.
To help agencies implement these plans by Fiscal 2024, the Executive Order directed the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to:
…modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture [and] develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.
One month later, CISA published a draft version of its Zero Trust Maturity Model. This roadmap is meant to guide federal agencies as they migrate their networks to Zero Trust.
Twingate’s vision for the future of Zero Trust
Zero Trust has grown from an academic thesis into a solution for modern cyber threats, and it is becoming part of every organization’s security roadmap. Twingate has helped large and small organizations begin their Zero Trust journeys. Our scalable, software-based solutions run parallel with legacy architectures, letting security administrators implement Zero Trust where it is most impactful while phasing in our secure access solution over time.
In our 2022 Zero Trust Outlook Report, we take a by-the-numbers approach to documenting the current state of Zero Trust. We explain why organizations in every sector are turning to this modern security model to support today’s distributed networks. Download a copy now.
To see how Zero Trust works, sign up for our free Starter plan for individuals and small teams.