Zero Trust Architecture (ZTA) Explained - NIST 800-207

Nametag Team
Nametag console showing a successful verification result

Enable Self-Service Account Recovery

Nametag sends MFA and password resets to self-service while protecting your helpdesk against social engineering.

Zero Trust Architecture (ZTA) is the latest and most comprehensive standard for implementing and maintaining secure networks. ZTA helps prevent data breaches by ensuring good security practices when it comes to accessing company networks and resources. It also minimizes the damage that can be caused when a breach does happen.This article explains ZTA in simple terms. For an in-depth look, we recommend reading NIST's publication itself. It's available for free of charge on NIST's website: NIST SP 800-207.

What is NIST 800-207?

NIST SP 800-207 is a publication by the National Institute of Standards and Technology (NIST) that focuses on Zero Trust Architecture (ZTA). It provides guidelines and recommendations for implementing a Zero Trust approach to cybersecurity. NIST 800-207 emphasizes the importance of continuous monitoring, risk assessment, and access control in order to enhance security and protect against cyber threats. It’s available free of charge from the NIST website.

What is Zero Trust Architecture (ZTA)

Zero Trust Architecture (ZTA) is an approach to cybersecurity that’s designed to prevent data breaches and limit internal lateral movement when a breach does occur. ZTA moves away from static security policies enforced at "choke points". Instead, it focuses on continually analyzing and evaluating access requests based on a "need to access" basis.

ZTA is not a single architecture, so much as a a set of guiding principles. Properly-implemented, ZTA reduces exposure due to compromised accounts, attackers monitoring a network, and other threats. 

Basic Tenants of NIST SP 800-207 Zero Trust Architecture (ZTA)

  1. Consider all data sources and computing services to be resources. "Resources" can include devices, software services, systems that control things, and more. If personal devices can access a company's resources, the company might also treat them as resources.
  2. Secure all communication, regardless of network location. Just because a device is on the company's network shouldn't mean it's automatically trusted. Whether a device is inside the company's network or not, it has to meet the same security standards for access and communication.
  3. Grant access to individual enterprise resources on a per-session basis. Evaluate your trust in the requester before granting access, then grant access with the least privileges they need to complete their task. Granting access to one resources should not automatically grant access to a different resources.
  4. Determine access to resources by dynamic policy. Take into account client identity (user account or service identity), application/service, details about the requesting asset, and other factors. Determine the rules and attributes you analyze based on the needs of the business process and acceptable level of risk.
  5. Monitor and measure the integrity and security posture of all assets. Never trust an asset automatically. Continuously monitor the security of devices and applications. Take action on assets that are compromised or with vulnerabilities.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. Implement systems for Identity, Credential, and Access Management (ICAM) and asset management. Use multi-factor authentication (MFA) for access to some or all resources. Continuously monitor and re-authenticate users based on time elapsed, new resource requests, resource modification, suspicious activity, or other criteria.
  7. Collect as much information as possible about assets, network infrastructure, and communications. Then use this info to improve your security posture.

Key Tenants of ZTA Network Planning and Deployment

  1. The entire enterprise private network is not considered an implicit trust zone. You should always act as if a bad actor is present on your network. Make sure your communications are done in the most secure possible manner by authenticating all connections and encrypting all traffic.
  2. There may be devices on the network that are not owned or configurable by the enterprise. Visitors and/or contracted services may use their own assets that need network access, for example through a bring-your-own-device policies (BYOD) policy.
  3. No resource is inherently trusted. Evaluate the security of every asset before granting access to your resources. Keep evaluating through the asset's entire session.
  4. Not all of your resources are on your own infrastructure. Assets that you own or manage (like laptops and phones) may need to use other networks (like home or public wifi networks) throughout an employee's day.
  5. Don't trust local network connections. Subjects and assets managed by your organizations should assume that local networks are hostile, and that all traffic is being monitored and potentially modified.
  6. Maintain a consistent security policy and posture. When moving between your own networks and local networks, or between on-premises data centers and non-enterprise owned cloud instances, assets and workloads should retain their security posture.

How to Set Up Zero Trust Architecture (ZTA)

Implementing Zero Trust Architecture (ZTA) is a marathon, not a sprint. It involves incremental changes to your infrastructure and processes.

There are two basic ways to implement ZTA:

  1. Greenfield: Build new architecture from the ground up based on zero trust principles. This involves identifying the applications/services and workflows needed for operations and mapping out the components and their interactions. From there, the infrastructure can be built and the components configured.
  2. Hybrid model: You continue to operate in a combination of zero-trust and perimeter-based modes while investing in IT modernization initiatives. This allows for a gradual transition to a ZTA while protecting high-value data assets. It’s very important to have a roadmap for small-scale workflow migrations and ensure a baseline of competence before deploying a significant ZTA-focused environment.

No matter your approach, ZTA starts with a thorough understanding of your cybersecurity posture and operations. This involves identifying assets, subjects, and processes, and gradually implementing zero trust principles and technology solutions to protect critical assets.

Start by identifying and cataloging assets, subjects, business processes, traffic flows, and dependencies within the enterprise. This baseline information will help you develop a list of business processes to focus on first, and the subjects/assets involved.

Common ZTA Mistakes to Avoid

Be sure to address these common mistakes and risks when implementing ZTA.

  1. Lack of compatibility requirements: One common mistake is the difficulty in creating a multiyear roadmap for moving into ZTA due to the lack of a minimum set of compatibility requirements for components. This makes it challenging to ensure seamless integration between products and may hinder the successful implementation of ZTA.
  2. Over-reliance on vendor APIs: Another common mistake is relying too heavily on vendor APIs, which can limit flexibility and hinder interoperability between different ZTA environments. Avoid excessive dependence on proprietary APIs. And consider emerging standards and open protocols that promote compatibility and collaboration.
  3. Insufficient research and knowledge gaps: Implementing ZTA without having done thorough research and understanding of the technology can have disastrous consequences. Take your time to do thorough research into ZTA best practices, and speak with your peers who have gone through the process before. Gain as much knowledge and experience as you can, but don’t 
  4. Inadequate policy formulation: Formulating policies for the ZTA candidate requires careful consideration of factors such as the importance of the process, the subjects affected, and the current state of resources. Failing to formulate effective policies can result in access issues, compromised security, and hindered workflow.
  5. Neglecting user experience: The end user experience in a ZTA environment is an important aspect that should not be overlooked. Think about how your users might react to security measures that create friction or frustration: for example, some authentication factors are more secure, but take longer to complete. 

5 Things to Keep In Mind When Implementing ZTA

  1. Identify and manage enterprise assets: You must have detailed knowledge of your company’s physical and virtual assets, including devices and digital artifacts. Conduct surveys to understand the current state of operations and identify any unknown "shadow IT" deployments within your organization.
  2. Understand business processes and risks: Evaluate your business processes, data flows, and workflows to determine the key processes and their associated risks. Starting by implementing ZTA for low-risk processes can help gain experience before transitioning to more critical ones. Cloud-based resources and remote worker processes are often good candidates for ZTA implementation.
  3. Develop access policies and evaluate risk: Implementing ZTA involves developing access policies that align with the acceptable risk level for the enterprise's mission or business process. This requires identifying and evaluating risks associated with resource access requests and ensuring that policies are enforced and logged. The NIST Risk Management Framework (RMF) can provide guidance in this process.
  4. Ensure Continuous monitoring and security posture: Enterprises must establish continuous diagnostics and mitigation (CDM) systems to monitor the integrity and security posture of all owned and associated assets. This includes applying patches and fixes as needed and having robust monitoring and reporting systems in place to track the state of enterprise resources.
  5. Properly configure and maintain ZTA components: Your policy engine and policy administrator are critical components of ZTA. You must properly configure and maintain these components to prevent subversion of the decision process and mitigate the risk of denial-of-service or network disruption. Configuration changes should be logged and subject to audit, and the components should be properly secured and monitored.

The Role of Identity Verification in ZTA

Identity verification plays a crucial role in Zero Trust Architecture. In ZTA, access to enterprise resources is based on the identity of the requestor. The primary requirement for resource access is the access privileges granted to the given subject.

Identity verification ensures that only authorized individuals or entities are granted access to enterprise resources. It helps in establishing trust and ensuring that access is granted to the right individuals with the appropriate access privileges. By verifying the identity of requestors, ZTA can enforce access policies based on identity and assigned attributes, enhancing the security of the enterprise.

Further Reading

The greatest resource for learning about NIST 800-207 is, of course, NIST itself. NIST SP 800-207 is available for free on NIST’s website. The full document is 59 pages long, however. If you don’t want to read through the whole thing, we also recommend these summaries:

Secure your helpdesk against social engineering and impersonators.
Accept All Cookies