NIST Rules of Zero Trust Security Policy

In a zero trust network, you trust nobody, no matter how long they have been around or how invested they are in your organization’s future. Everyone’s identity on your network must be verified, a concept that has been quite helpful in limiting data breaches. Today, we are going to discuss the National Institute of Standards and Technology’s definition of zero trust and what they recommend to businesses wishing to implement it.

According to NIST, there are seven tenets found in their security standards.

How Does NIST Define Zero Trust?

Here is NIST’s definition of zero trust:

“Zero trust (ZT) provides a collection of concepts and ideas designed to minimize
uncertainty in enforcing accurate, least privilege per-request access decisions in
information systems and services in the face of a network viewed as compromised. Zero
trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust
concepts and encompasses component relationships, workflow planning, and access
policies. Therefore, a zero trust enterprise is the network infrastructure (physical and
virtual) and operational policies that are in place for an enterprise as a product of a zero
trust architecture plan.”

Zero trust, in essence, aims to make it as difficult as possible for a threat to infiltrate your network, but it also seeks to make it easier to figure out how the threat would get in.

NIST’s Seven Tenets, Reviewed

Let’s take a look at what these seven tenets are and what kind of policies your business should adopt to implement them.

“All data sources and computing services are considered resources.”

All devices that connect to your network should abide by your network’s security requirements and access controls.

“All communication is secured regardless of network location.”

Even if two devices on the same network are communicating with each other, they should share information in the same way they would if external networks were involved.

“Access to individual enterprise resources is granted on a per-session basis.”

It’s possible that some of your employees will only need temporary access to assets or files, so you should only grant them access on an as-needed basis to prevent unauthorized access.

“Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.”

This has grown increasingly more challenging as the amount of data collected by businesses has grown. If you use this data to your advantage, it can help to determine access permissions and increase security.

“The enterprise monitors and measures the integrity and security posture of all owned and associated assets.”

All assets need to be monitored at all times, including those owned by both the company and the employee. This keeps threats from making their way into your network and ensures that something like patch management doesn’t get swept under the rug.

“All resource authentication and authorization are dynamic and strictly enforced before access is allowed.”

Zero trust means that you are confirming access permissions even after the user has officially been confirmed and created in the system. It’s not a one-time thing; it happens continuously.

“The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.”

The architecture surrounding a zero trust policy consists of the policy engine, the policy administrator, and the policy enforcement point. These three components work together to collect all data needed to ensure that zero trust is actually upheld.

KB Technologies Managed IT can help your business work toward greater network security. To learn more about what we can do for your business, reach out to us at (954) 834-2800.