How does a zero trust security architecture work?

December 18, 2024 By Jeff Shepard

Zero trust architectures (ZTAs) are a reaction to the emergence of cloud computing, remote work, and bringing your own device (BYOD) into enterprise networks. Those trends result in networks not completely contained within an enterprise-owned boundary, significantly complicating network security needs.

This article briefly reviews the purpose and structure of ZTAs, looks at some relevant Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) standard 800-53, and closes with an overview of the Zero Trust Maturity Model (ZTMM) from the Cybersecurity and Infrastructure Security Agency (CISA).

In a ZTA, pre-authorized user access is eliminated, and each user must earn trust during each interaction based on context and content. Trust is no longer granted automatically to assets or user accounts based on their network or physical location. User and device authentication and access are established before a session on an enterprise resource.

As described in FIPS 199, ZTA is not really an architecture. It’s an approach and a set of principles for workflow, system design, and operation that result in improved cybersecurity. The guiding principles for a ZTA are: never trust users or devices; always verify the network, environment, applications, and data; assume a breach is imminent; and use analytics and automation to monitor and maintain cybersecurity continuously, as shown in Figure 1.

Figure 1. ZTA guiding principles: never trust, always verify, and assume a breach is imminent. (Image: Cybeready)

Additional principles that apply when implementing a ZTA include:

  • Least privilege access where users only get the minimal access needed to perform specific tasks
  • Micro-segmentation of networks to isolate systems and restrict movement of potential threats between systems
  • Continuous monitoring and evaluation of user and device activity to identify anomalous and suspicious activities
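The per-interaction trust decision described above, together with the least privilege, micro-segmentation, and continuous monitoring principles, can be made concrete as a small policy decision point. The following is an added example written for this article, not code from the author or from any ZTA product; the policy table, segment labels, posture thresholds, and risk score are all constructed assumptions, and the risk score stands in for whatever the monitoring analytics would produce. Every request passes through every check, and nothing is granted because of where the request arrived from.

```python
"""Added example (not from the article): a minimal per-request policy decision
point illustrating zero trust principles. Policy, segments and thresholds are
constructed for illustration."""
from dataclasses import dataclass, field

# Hypothetical role-to-action policy per resource (constructed). A role gets only
# the listed actions: least privilege.
POLICY = {
    "payroll-db":   {"finance": {"read"}, "finance-admin": {"read", "write"}},
    "build-server": {"developer": {"read", "write"}},
}

# Hypothetical segment assignment (constructed). A resource is reachable only
# from its own segment: micro-segmentation, independent of source address.
SEGMENT_OF = {"payroll-db": "finance-seg", "build-server": "eng-seg"}

MFA_MAX_AGE_S = 8 * 3600       # re-authenticate after 8 hours (assumed policy)
PATCH_MAX_AGE_DAYS = 30        # device must be patched within 30 days (assumed)
RISK_DENY_THRESHOLD = 0.7      # analytics score at which access is refused (assumed)


@dataclass
class Subject:
    user: str
    roles: set
    mfa_age_s: int             # seconds since the last strong authentication


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    segment: str               # segment the request arrives on
    risk_score: float          # from continuous monitoring, 0.0 (benign) to 1.0


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # why access was refused


def device_posture_ok(d: Device, reasons: list) -> bool:
    """Append a reason for every failed posture check; return True if none failed."""
    before = len(reasons)
    if not d.managed:
        reasons.append("device not managed")
    if not d.disk_encrypted:
        reasons.append("disk not encrypted")
    if d.patch_age_days > PATCH_MAX_AGE_DAYS:
        reasons.append("device patches stale")
    return len(reasons) == before


def evaluate(req: Request) -> Decision:
    """Evaluate one request. All checks run on every request; an established
    session is re-evaluated by calling this again with the current risk score."""
    reasons = []
    if req.resource not in POLICY:
        return Decision(False, ["unknown resource"])
    # Identity: strong authentication must be recent.
    if req.subject.mfa_age_s > MFA_MAX_AGE_S:
        reasons.append("MFA too old, re-authentication required")
    # Device: posture is verified, not assumed from being on the corporate network.
    device_posture_ok(req.device, reasons)
    # Network: the resource is only reachable from its assigned segment.
    if SEGMENT_OF[req.resource] != req.segment:
        reasons.append("wrong segment for resource")
    # Least privilege: the requested action must be granted by one of the roles.
    allowed_actions = set()
    for role in req.subject.roles:
        allowed_actions |= POLICY[req.resource].get(role, set())
    if req.action not in allowed_actions:
        reasons.append(f"action '{req.action}' not granted to roles")
    # Analytics: a high risk score denies even an otherwise valid request.
    if req.risk_score >= RISK_DENY_THRESHOLD:
        reasons.append("risk score above threshold")
    return Decision(not reasons, reasons)


def sample_requests():
    """Constructed requests: one compliant, one from an unmanaged stale device,
    one asking for more than the role allows, one flagged by monitoring."""
    alice = Subject("alice", {"finance"}, mfa_age_s=600)
    laptop = Device("lt-001", managed=True, disk_encrypted=True, patch_age_days=5)
    byod = Device("ph-777", managed=False, disk_encrypted=True, patch_age_days=90)
    good = Request(alice, laptop, "payroll-db", "read", "finance-seg", 0.1)
    bad_device = Request(alice, byod, "payroll-db", "read", "finance-seg", 0.1)
    escalate = Request(alice, laptop, "payroll-db", "write", "finance-seg", 0.1)
    flagged = Request(alice, laptop, "payroll-db", "read", "finance-seg", 0.9)
    return good, bad_device, escalate, flagged


if __name__ == "__main__":
    for r in sample_requests():
        print(r.subject.user, r.resource, r.action, evaluate(r))
```

The `flagged` request shows the continuous-monitoring principle: the same user, device and segment that were allowed a moment earlier are refused once the analytics score crosses the threshold, so a session is never trusted just because it was authenticated at its start.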

FIPS 199 sets standards for assessing systems and data based on confidentiality, integrity, and availability. Should a security breach occur, each of the three categories is rated as having a low, moderate, or high impact. The overall system receives the most severe rating, and the security environment must be implemented accordingly.
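The FIPS 199 rating procedure in the paragraph above, worked through in code. This is an added example, not the article's own material: it carries the high-water-mark rule across several information types on one system (FIPS 199 rates each information type, and the system takes the highest level per objective) and handles the one special case FIPS 199 allows, a "not applicable" confidentiality rating for public information. The information types and their ratings are constructed sample data.

```python
"""Added example (not from the article): FIPS 199 security categorization.
Each information type is rated low/moderate/high for confidentiality,
integrity and availability; the system takes the highest rating per
objective, and its overall category is the highest of those. Sample data
below is constructed."""

# Ordinal impact levels. "n/a" is permitted by FIPS 199 only for the
# confidentiality of public information.
LEVELS = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: dict) -> dict:
    """info_types maps an information-type name to {objective: level}.
    Returns the per-objective high-water mark plus the 'overall' category."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    result = {}
    for obj in OBJECTIVES:
        worst = "n/a"
        for name, ratings in info_types.items():
            level = str(ratings[obj]).lower()
            if level not in LEVELS:
                raise ValueError(f"{name}: invalid {obj} level {level!r}")
            if level == "n/a" and obj != "confidentiality":
                raise ValueError(f"{name}: 'n/a' is only allowed for confidentiality")
            if LEVELS[level] > LEVELS[worst]:
                worst = level
        result[obj] = worst
    # The system is protected at the most severe of its three ratings.
    result["overall"] = max((result[o] for o in OBJECTIVES), key=LEVELS.__getitem__)
    return result


def fips199_notation(result: dict) -> str:
    """Render the categorization in the SC = {(objective, IMPACT), ...} form."""
    parts = ", ".join(f"({o}, {result[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


def sample_device_service() -> dict:
    """Constructed: a device-management service holding two information types."""
    return {
        "firmware images":  {"confidentiality": "low",
                             "integrity": "high",
                             "availability": "moderate"},
        "device telemetry": {"confidentiality": "moderate",
                             "integrity": "moderate",
                             "availability": "low"},
    }


def sample_public_site() -> dict:
    """Constructed: a public web server whose content has no confidentiality need."""
    return {
        "public web content": {"confidentiality": "n/a",
                               "integrity": "moderate",
                               "availability": "moderate"},
    }


if __name__ == "__main__":
    for system in (sample_device_service(), sample_public_site()):
        r = categorize_system(system)
        print(fips199_notation(r), "-> overall", r["overall"].upper())
```

Note that the firmware-image type alone drives the system to HIGH: one high-integrity information type is enough to set the protection level for the whole system, which is why the paragraph says the most severe rating governs.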

FIPS 200 and NIST 800-53

While FIPS 199 outlines the approach and need for using ZTAs, FIPS 200 identifies minimum security requirements based on 17 key security considerations and refers users to NIST 800-53 for implementation details. NIST 800-53 is a comprehensive cybersecurity and compliance framework.

It’s continuously updated to maximize its ability to address changing threat environments. NIST 800-53 uses the three impact categories outlined in FIPS 199 and extends the 17 key security considerations in FIPS 200 to include 20 security and control families.

Zero trust maturity model

The CISA developed the ZTMM to guide the measurement of progress when organizations transition from a traditional cybersecurity model to a ZTA. The ZTMM recognizes that organizations don’t instantly switch to using a ZTA. It can be used to understand the current level of ZTA maturity and plan the steps needed to move to a higher level.

The existence of deeply rooted legacy systems is usually a primary challenge when moving to a ZTA. When assessing the maturity level, the ZTMM focuses on five key pillars: identity, devices, networks, applications and workloads, and data. It supports a structured approach to prioritizing changes and transitioning to a full ZTA.

Within each of the five pillars, the ZTMM describes increasing maturity levels as traditional, initial, advanced, and optimal. Figure 2 summarizes three of these levels.

Figure 2. Three key ZTMM maturity levels. (Image: InterSec)
  1. Traditional means that the legacy system operation has been partitioned into five pillars, but still requires manual intervention for configuration, incident response, and mitigation.
  2. Advanced identifies a network with some cross-pillar coordination, some pre-defined incident responses, some least privilege changes implemented, and the initial deployment of centralized identity control and network visibility.
  3. Optimal is when full automation has been achieved, including assigning attributes to assets and resources, dynamic access policies including least privilege access based on observed triggers and actions, and full alignment with industry standards.

Summary

ZTAs have been developed to address the insecurities inherent in cloud computing, remote work, and BYOD in enterprise networks. Several standards, including FIPS 199, FIPS 200, and NIST 800-53, are important when developing a ZTA. In addition, the ZTMM can provide a roadmap for incrementally transitioning from a traditional network architecture to a ZTA.

References

Four steps to edge-to-cloud Zero Trust with AI-powered single-vendor SASE, Hewlett Packard Enterprise
The Government’s Zero Trust Strategy Explained, Second Front
What is a Zero Trust Architecture, Palo Alto Networks
What Is Zero Trust?, Zscaler
What is Zero Trust Architecture?, SANS Institute
Zero Trust Architecture, Mad Devs
Zero Trust Architecture, National Institute of Standards and Technology
Zero Trust Maturity Model, Cybersecurity and Infrastructure Security Agency
Zero Trust: The Five Pillars of CISA Maturity Model, InterSec
