Zero Trust Architecture - No Longer A ‘Nice to Have’

Uploaded on 2021-09-21 in TECHNOLOGY--Resilience, FREE TO VIEW

The US National Institute of Standards and Technology’s (NIST) recent Special Publication (SP 800-207) has changed the table stakes when it comes to cybersecurity best practice. While not mandatory, the federal agency’s role in enhancing economic security cannot be under-estimated.

As such, its guidance on refining the concept of Zero Trust and its high-level roadmap on how organisations can implement a standardised approach to a Zero Trust Architecture can also not be ignored.

Zero Trust

The concept of ‘zero trust’ is not new; originally defined in Stephen Paul Marsh’s doctoral thesis on computational security in 1994, it became a key cybersecurity concept when Forrester’s John Kindervag reignited it in the late 2000’s. The idea being that would-be attacks could come from both within, as well as from without, an organisation’s network.

However, until recently, the debate around zero trust has remained – in my view - focused solely on authenticating the user within the system rather than taking a more holistic approach and looking at user authentication and access to sensitive data using protected micro-segments.  This concept has changed with NIST’s Special Publication; no longer is the network the focus of zero trust, finally it is the data that traverses the network. 

At its core, NIST’s Special Publication decouples data security from the network. Its key tenets of policy definition and dynamic policy enforcement, micro-segmentation and observability offer a new standard of Zero Trust Architecture (ZTA) for which today’s enterprise is responsible.

Dynamic Policy Aligned to Business Intent

As data owners, organisations are responsible for protecting their sensitive information. Moreover, with increasing regulation that specifically targets the protection of this sensitive data, it is more important than ever that organisations adopt a cybersecurity stance that can ensure – and maintain – compliance, or information assurance. However, not all data has the same level of sensitivity. 

Under the latest zero trust standards, data needs to be classified according to differing levels of sensitivity and the business intent of that data. This business intent needs to define an organisation’s operational policy around how data is handled and accessed, when, where and by whom, with micro-segmentation protecting each data class from external compromise and providing isolation from other data classifications.

In addition, enterprises are encouraged to observe and collect as much information as possible about their asset security posture, network traffic and access requests; process that data; and use any insight gained to dynamically improve policy creation and enforcement. 

Authentication and Authorisation

Under NIST’s zero trust standards, access to individual enterprise resources is granted on a per-session basis based on a combination of component relationships, such as the observable state of client identity, application/service, and the requesting asset—and may include other behavioural and environmental attributes - with operational policy enforcement. 

Authentication and authorisation to one resource does not grant access to another resource. It is also dynamic, requiring a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.

Cyber security best practice demands that, by creating fine-grain policies, authentication and authorisation are done on a ‘per-packet’ basis, only allowing access to the resources required. Layer-4 encryption protects data as it transits between policy enforcement points, while providing full observability by encrypting the payload only, leaving the packet header in the clear, also allowing for granular enforcement of security policies.

Network visibility and observability tools are the linchpins that provide real-time contextual meta-data enabling rapid detection of out-of-policy data and fast response and remediation to any non-compliant traffic flow or policy change to maintain the required security posture on a continuous basis.

No Compromise

Fundamentally, a Zero Trust posture must be achievable without compromising the performance of the network, allowing users with authenticated and authorised access to the data they need to do their jobs seamlessly. 

Organizations need to be able to secure data in transit, across any network, with zero impact to performance, scalability or operational visibility. As the latest NIST zero trust standards advocate, decoupling security from network hardware in this way is a unique approach and enables security teams to be confident that their organisation’s data is assured, regardless of what is happening to the network – finally putting the focus for cyber security best practice where it belongs – the data.

Paul German is  CEO of Certes Networks.            Image: Unsplash

You Might Also Read: 

The Costs Of A Data Breach:

 

« AUKUS Defence Pact Between US, Britain & Australia
Cyberspace & Outer Space Are New Frontiers For National Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Redscan Cyber Security

Redscan Cyber Security

Redscan Cyber Security is a Managed Security Services Provider (MSSP) that enables businesses to effectively manage their information security risks.

Actiphy

Actiphy

Actiphy provides a tried and proven backup and disaster recovery software solution to ensure business continuity at all times.

Truth Technologies Inc (TTI)

Truth Technologies Inc (TTI)

TTI is a premier provider of worldwide anti-money laundering, anti-fraud, customer identification, and compliance products and services.

MNCERT/CC

MNCERT/CC

MNCERT/CC is the national Computer Emergency Response Team for Mongolia.

Intrusion

Intrusion

Intrusion provides IT professionals with the most robust tool set available for performing in-depth research and analysis of network traffic.

Temasoft

Temasoft

TEMASOFT is a software company focused on developing security and infrastructure products.

Hellenic Accreditation System (ESYD)

Hellenic Accreditation System (ESYD)

ESYD is the national accreditation body for Greece. The directory of members provides details of organisations offering certification services for ISO 27001.

Cybersec Infohub

Cybersec Infohub

Cybersec Infohub is a Hong Kong government programme to enhance the exchange of cyber security information with industry and enterprises to jointly defend against cyber attacks.

Kentik

Kentik

Kentik - one platform for Network Visibility, Performance, and Security.

Nucleus Security

Nucleus Security

Nucleus is a leading Vulnerability Management platform for Large Enterprises, MSPs/MSSPs, and Application Security Teams that want more from their vulnerability management tools.

Charles IT

Charles IT

Charles IT is your friendly, no-nonsense IT team focused on helping companies make their technology work for them. We focus on building relationships that deliver results.

Novacoast

Novacoast

Novacoast helps organizations find, create & implement solutions for a powerful security posture through advisory, engineering, development & managed services.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Sec3

Sec3

Sec3 is a security and research firm providing bespoke audits and cutting edge tools to Web3 projects.

Gutsy

Gutsy

Gutsy uses process mining to help organizations visualize and analyze their complex security processes to understand how they actually run, based on observable event data.

CyberSalus

CyberSalus

CyberSalus is a pioneering cyber tech services company dedicated to protecting the digital integrity of healthcare organizations.