NIST 800-207 (Zero Trust)

What is the Zero Trust Model?

Zero Trust is a growing security model based on the principle of enforcing strict access controls. The Zero Trust concept holds that organizations shouldn’t grant implicit trust to any internal or external source, and must always verify and continuously evaluate anyone and anything requesting access to their systems.

Zero Trust architecture is not tied to a single technology; rather, it is a comprehensive approach to network security that incorporates a variety of principles and technologies. This extra layer of security has been shown to aid in the prevention of data breaches. Zero Trust shifts cyber security from reactive, static defense to proactive, user- and asset-focused prevention. With cyber attacks sharply on the rise in the COVID-19 era, and remote users and cloud-based assets at greater risk, Zero Trust is certainly a welcome approach.

The National Institute of Standards and Technology recently released a draft special publication 800-207 for Zero Trust Architecture (ZTA), intending to develop standard requirements for ZTA components.

What are the requirements for Zero Trust Framework compliance?

Implementing Zero Trust relies on these six tenets:

  • Don’t trust, verify
  • Contextualize requests
  • Secure your admin environment
  • Least privilege
  • Audit everything
  • Use adaptive controls

To develop the best Zero Trust security strategy, organizations should address the following focus areas:

  • Zero Trust Data
  • Zero Trust Networks
  • Zero Trust People
  • Zero Trust Workloads
  • Zero Trust Devices

Two cross-cutting capabilities enforce and focus Zero Trust across these areas:

  • Visibility and Analytics
  • Automation and Orchestration

The main elements and technologies underlying Zero Trust are as follows:

Principle of least privilege: One of the Zero Trust security principles is the principle of least privilege (PLOP). PLOP is the practice of limiting access rights for users, accounts, and computing processes to only those required to complete the task at hand.

Multi-factor authentication: Another important focus of Zero Trust is multi-factor authentication. MFA simply means that more than one piece of evidence is required to authenticate a user. As a result, if an attacker obtains a password for a sensitive zone, he or she will still be unable to authenticate without an additional factor such as biometric data or a one-time passcode.

Micro-segmentation: Zero Trust employs micro-segmentation, the practice of dividing security perimeters into small zones so that access to each part of the network is controlled separately.

Access control and monitoring: In addition to user access controls, Zero Trust entails strict physical device access controls. Zero Trust monitors the devices and IP addresses attempting to connect to a network, ensuring that each device is authorized.
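The tenets and elements above can be illustrated as a small policy decision function. This is an added example, not code from NIST SP 800-207 or from any product; the resource names, roles, device attributes and policy values are constructed for illustration. It models the "don't trust, verify" tenet (source network grants no trust), contextual checks (device posture, MFA for sensitive zones), least privilege (per-role actions) and "audit everything" (every decision is recorded).

```python
"""Minimal Zero Trust policy decision point (added example, constructed data)."""
from dataclasses import dataclass

# Constructed per-resource policy (hypothetical names): least-privilege actions
# per role, plus a zone label that decides whether MFA is required.
POLICY = {
    "hr-db": {"zone": "sensitive", "roles": {"hr": {"read"}, "dba": {"read", "write"}}},
    "wiki":  {"zone": "general",   "roles": {"employee": {"read", "write"}}},
}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    mfa_done: bool
    device_compliant: bool
    src_network: str   # e.g. "corp-lan", "vpn", "internet"; logged, never trusted

AUDIT: list = []       # "audit everything": one record per decision

def decide(req: Request) -> tuple:
    """Evaluate one access request and return (allowed, reason)."""
    res = POLICY.get(req.resource)
    if res is None:
        return _log(req, False, "unknown resource")
    # Don't trust, verify: location on the corporate LAN earns nothing;
    # the device's posture is checked on every request instead.
    if not req.device_compliant:
        return _log(req, False, "device not compliant")
    # Contextualize: sensitive zones require MFA regardless of source network.
    if res["zone"] == "sensitive" and not req.mfa_done:
        return _log(req, False, "mfa required")
    # Least privilege: the role may only perform its listed actions.
    if req.action not in res["roles"].get(req.role, set()):
        return _log(req, False, "action not permitted for role")
    return _log(req, True, "allowed")

def _log(req: Request, allowed: bool, reason: str) -> tuple:
    AUDIT.append({"user": req.user, "resource": req.resource, "action": req.action,
                  "src": req.src_network, "allowed": allowed, "reason": reason})
    return allowed, reason

if __name__ == "__main__":
    # An internal (east-west) request without MFA is refused just like an external one.
    print(decide(Request("alice", "hr", "hr-db", "read", False, True, "corp-lan")))
    print(decide(Request("alice", "hr", "hr-db", "read", True, True, "internet")))
```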

Why should you be Zero Trust compliant?

Implementing Zero Trust is not required, but it is quickly becoming the security model of choice for many large organizations because it has been shown to reduce cybersecurity risk by reducing security vulnerabilities, optimizing risk assessments and compliance, and reducing exposure to cyber threats.

Recent high-profile cyber attacks took place after cybercriminals abused weaknesses at key endpoints and then moved laterally within the environment to their real target, which is typically data subject to the aforementioned compliance regulations.

Permissions alone do not confer or equate to trust in a zero trust paradigm. Each time an east-west movement is attempted, Zero Trust verifies identity and payload, halting the attack before data is reached, let alone breached. This goes above and beyond the compliance requirements of today’s regulatory frameworks.

How to achieve compliance?

A Zero Trust process means that you grant a user only the least privilege needed for the request, based on the relevance of the request and the threat level of the access environment.

Centraleyes delivers streamlined, automated data collection and analysis, prioritized remediation guidance and real-time customized scoring to meet the Zero Trust requirements. The Zero Trust Framework has been implemented on the Centraleyes platform according to NIST 800-207 and mapped back to its control inventory, allowing data to be shared across multiple frameworks through the platform, which saves time and money and yields more accurate data. Through the Centraleyes platform, organizations can easily implement the Zero Trust model and gain full visibility into their cyber risk levels and compliance.

Read more:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
