NIST issuing revised draft of zero trust guidance for public comment

The notion of zero trust networks and architecture intended to support better cybersecurity is often misunderstood. Cyber experts at the National Institute of Standards and Technology have put out a document to help. It’s called Zero Trust Architecture Special Publication 800-207. NIST computer scientist Scott Rose said the publication is meant to help generate a “conceptual framework” for agencies and cybersecurity experts to apply zero trust principles within their enterprise — both in their network infrastructure and how they actually do operations.

Zero Trust typically means the security belief that organizations should not automatically trust everything accessing their systems, and should be more selective about who can connect with what and why. It’s not a single technology solution, Rose clarified.

“Think of it as a set of principles in which to kind of generate a set of architecture and operations, which then become your zero trust architecture. And then when you execute that architecture and actually start building to it, you could say you are building a zero trust enterprise,” he said on Federal Monthly Insights — Zero Trust Month. “So you go from zero trust to kind of a set of principles that guide the generation of zero trust architecture, which then results in the creation of kind of a zero trust network or zero trust enterprise because it’s not just your network infrastructure. You also want to think about how you’re actually doing security operations or even network operations and this kind of new regime.”

The first draft of this guidance last fall received several public comments. And then, while refining it NIST added a whole new subsection, compelling the agency to rerelease it for a second round of public comments — albeit only until March 13.

The guidance contains several sections describing the zero trust ecosystem of products and solutions, which gives agencies a way to think about the concept. Then, Rose said, it gives a series of approaches and models to form an abstract zero trust architecture map. The document also gives examples of zero trust’s connection to existing federal policies.

Rose said agencies’ trust levels are mixed but over the last decade they’ve moved toward zero trust enterprises. New technology has facilitated this internal security, and moving to the cloud means traditional network boundaries no longer apply — to the dismay of firewalls.

“You have instances, at the various cloud providers throughout the country, you have remote workers, you have branch offices,” Rose said on Federal Drive with Tom Temin. “The whole idea of wrapping all your security around a single set of, say firewalls on a network perimeter, kind of just doesn’t work anymore.”

NIST hopes zero trust doesn’t bring headaches for users, in the form of repeatedly entering credentials to complete tasks. The zero trust demonstration project planned to launch at the National Cybersecurity Center of Excellence will examine user experience. Rose said the principle of the architecture is that all access be authenticated and authorized is not to say some background technologies can’t be used. User experience can affect changes in user behavior.

“A lot of these are kind of open-ended questions, and we’re not 100% sure how a kind of really strictly enforced zero trust architecture would work at an enterprise with regards to how everyday users are interacting with that. There’s still not enough data,” he said.

And whether a legacy network can be retrofitted to zero trust depends on how it’s currently built. Additional equipment or services may be needed for a strict identity governance system or device management, Rose said.

“So it all kind of depends on what the agency already has in place and how they’re currently set up,” said.