Zero Trust Architecture - No Longer A ‘Nice to Have’

Uploaded on 2021-09-21 in TECHNOLOGY--Resilience, FREE TO VIEW

The US National Institute of Standards and Technology’s (NIST) recent Special Publication (SP 800-207) has changed the table stakes when it comes to cybersecurity best practice. While not mandatory, the federal agency’s role in enhancing economic security cannot be under-estimated.

As such, its guidance on refining the concept of Zero Trust and its high-level roadmap on how organisations can implement a standardised approach to a Zero Trust Architecture can also not be ignored.

Zero Trust

The concept of ‘zero trust’ is not new; originally defined in Stephen Paul Marsh’s doctoral thesis on computational security in 1994, it became a key cybersecurity concept when Forrester’s John Kindervag reignited it in the late 2000’s. The idea being that would-be attacks could come from both within, as well as from without, an organisation’s network.

However, until recently, the debate around zero trust has remained – in my view - focused solely on authenticating the user within the system rather than taking a more holistic approach and looking at user authentication and access to sensitive data using protected micro-segments.  This concept has changed with NIST’s Special Publication; no longer is the network the focus of zero trust, finally it is the data that traverses the network. 

At its core, NIST’s Special Publication decouples data security from the network. Its key tenets of policy definition and dynamic policy enforcement, micro-segmentation and observability offer a new standard of Zero Trust Architecture (ZTA) for which today’s enterprise is responsible.

Dynamic Policy Aligned to Business Intent

As data owners, organisations are responsible for protecting their sensitive information. Moreover, with increasing regulation that specifically targets the protection of this sensitive data, it is more important than ever that organisations adopt a cybersecurity stance that can ensure – and maintain – compliance, or information assurance. However, not all data has the same level of sensitivity. 

Under the latest zero trust standards, data needs to be classified according to differing levels of sensitivity and the business intent of that data. This business intent needs to define an organisation’s operational policy around how data is handled and accessed, when, where and by whom, with micro-segmentation protecting each data class from external compromise and providing isolation from other data classifications.

In addition, enterprises are encouraged to observe and collect as much information as possible about their asset security posture, network traffic and access requests; process that data; and use any insight gained to dynamically improve policy creation and enforcement. 

Authentication and Authorisation

Under NIST’s zero trust standards, access to individual enterprise resources is granted on a per-session basis based on a combination of component relationships, such as the observable state of client identity, application/service, and the requesting asset—and may include other behavioural and environmental attributes - with operational policy enforcement. 

Authentication and authorisation to one resource does not grant access to another resource. It is also dynamic, requiring a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.

Cyber security best practice demands that, by creating fine-grain policies, authentication and authorisation are done on a ‘per-packet’ basis, only allowing access to the resources required. Layer-4 encryption protects data as it transits between policy enforcement points, while providing full observability by encrypting the payload only, leaving the packet header in the clear, also allowing for granular enforcement of security policies.

Network visibility and observability tools are the linchpins that provide real-time contextual meta-data enabling rapid detection of out-of-policy data and fast response and remediation to any non-compliant traffic flow or policy change to maintain the required security posture on a continuous basis.

No Compromise

Fundamentally, a Zero Trust posture must be achievable without compromising the performance of the network, allowing users with authenticated and authorised access to the data they need to do their jobs seamlessly. 

Organizations need to be able to secure data in transit, across any network, with zero impact to performance, scalability or operational visibility. As the latest NIST zero trust standards advocate, decoupling security from network hardware in this way is a unique approach and enables security teams to be confident that their organisation’s data is assured, regardless of what is happening to the network – finally putting the focus for cyber security best practice where it belongs – the data.

Paul German is  CEO of Certes Networks.            Image: Unsplash

You Might Also Read: 

The Costs Of A Data Breach:

 

« AUKUS Defence Pact Between US, Britain & Australia
Cyberspace & Outer Space Are New Frontiers For National Security »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Feedzai

Feedzai

Feedzai provide software that uses big data analysis and machine-based learning to prevent fraud in ecommerce.

Combitech

Combitech

Combitech is the Nordic region’s leading cyber security consultancy firm, with about 260 certified security consultants helping companies and authorities prevent and manage cyber threats.

Convercent

Convercent

We offer comprehensive and integrated compliance management, reporting, and analytics. A 360-degree view of compliance drives efficiency by aligning initiatives and data into a single dashboard.

Valire Software

Valire Software

Valire provide a solution for the automated detection of internal fraud.

SYSGO

SYSGO

SYSGO is the leading European provider of real-time operating systems for critical embedded applications in the Internet of Things (IoT).

ioXt Alliance

ioXt Alliance

The ioXt Alliance is a group of manufacturers, industry alliances and government organizations dedicated to harmonizing best security practices in a highly connected world.

Cord3

Cord3

Cord3 delivers data protection, even from trusted administrators – or hackers posing as administrators – with high privilege.

Anvilogic

Anvilogic

Anvilogic provides a unifying experience for security professionals aimed at providing improved visibility, enrichment, and context across hundreds of alerting datasets and security tools.

FoxTech

FoxTech

FoxTech is an independent, friendly and deeply specialised cyber security company in the UK, with expertise spanning decades of Public Sector and Government services.

Telesystem

Telesystem

Telesystem empowers businesses across the USA with a range of innovative network, communication and collaboration solutions.

CyberFOX

CyberFOX

CyberFOX is a global cybersecurity solutions provider focused on identity access management (IAM) for managed service providers (MSPs) and IT professionals.

All About Cookies

All About Cookies

All About Cookies is an informational website that provides tips, advice, and recommendations to help you with Online Privacy, Identity Theft Prevention, Antivirus Protection, and Digital Security.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.

USX Cyber

USX Cyber

USX Cyber was founded on the idea that small and medium businesses deserve and require the same level and sophistication of cyber protection as large enterprises.

Tundra Managed Solutions

Tundra Managed Solutions

Tundra Managed Solutions is a comprehensive IT services division offering a wide range of managed solutions designed to meet the diverse needs of businesses.

EU CyberNet

EU CyberNet

EU CyberNet – the bridge to cybersecurity expertise in the European Union. We establish a network and a practical learning platform with the goal to strengthen cybersecurity globally.