NIST recently released a draft publication, SP 800-207: Zero Trust Architecture (ZTA), an overview of a new approach to network security.
While ZTA is already present in many cybersecurity policies and programs that sought to restrict access to data and resources, this document is intended to both “abstractly define” ZTA and provide more guidance on deployment models, uses cases and roadmaps to implementation.
What’s the problem they’re trying to solve? Agencies and enterprise networks have given authorized users broad access to resources, since they’ve traditionally focused on perimeter defenses. But that’s led to lateral movement within the network – one of the biggest security challenges for federal agencies.
Realistically, NIST recognizes that the migration to a ZTA is more of a journey rather than a complete replacement of an enterprise’s infrastructure. Most enterprises will likely continue to operate in a hybrid model – of both zero trust + legacy mode – for awhile as they continue their IT modernization investments.
And despite the misleading name, they state that ZTA is not a single network architecture, but rather a set of guiding principles.
While traditional methods block attacks coming from the internet, they may not be effective at detecting or blocking attacks originating from inside the network.
ZTA seeks to focus on the crux of the issue, which NIST defines as two main objectives:
NIST lists out a few conceptual guidelines that the design and deployment of a ZTA should align with (summarized for brevity below):
What follows is a summary of some of the key potential ZTA threats listed in the publication:
To reduce the risk of an insider threat, a ZTA can:
To prevent the threat of unauthorized access, Duo provides MFA for every application, as part of the Cisco Zero Trust framework. An additional layer of identity verification can help mitigate attacker access using stolen passwords or brute-force attacks. That paired with Duo’s device insight and policies provides a solid foundation for zero trust for the workforce.
Learn more about Duo’s new federal editions tailored to align with:
See more about FedRAMP authorized authentication, providing secure application access for federal agencies and other public sector customers, including role/location-based access policies, biometric authentication, and more.
In a ZTA, all traffic should be inspected, logged and analyzed to identify and respond to network attacks against the enterprise. But some enterprise network traffic may be difficult to monitor, as it comes from third-party systems or applications that cannot be examined due to encrypted traffic.
In this situation, NIST recommends collecting encrypted traffic metadata and analyzing it to detect malware or attackers on the network. It also references Cisco’s research on machine learning techniques for encrypted traffic (section 5.4, page 22):
“The enterprise can collect metadata about the encrypted traffic and use that to detect possible malware communicating on the network or an active attacker. Machine learning techniques [Anderson] can be used to analyze traffic that cannot be decrypted and examined. Employing this type of machine learning would allow the enterprise to categorize traffic as valid or possibly malicious and subject to remediation.”
Cisco Encrypted Traffic Analytics (ETA) allows you to detect and mitigate network threats in encrypted traffic to gain deeper insight without decryption. It also allows you to quickly contain infected devices and uses, while securing your network. Paired with Cisco Stealthwatch, you can get real-time monitoring using machine learning and context-aware analysis.
The publication also references having a strong Continuing Diagnostics and Mitigations (CDM) program as “key to the success of ZTA.”
This is a complete inventory of physical and virtual assets. In order to protect systems, agencies need insight into everything on their infrastructure:
Having visibility into the different areas of connectivity and access provides a baseline to start evaluating and responding to activity on and off the network.
Asking the above discovery questions and finding a solution that can accurately and comprehensively answer them can be challenging, as it requires user, device, system and application telemetry that spans your entire IT environment – from the local corporate network to branches to the multi-cloud; encompassing all types of users from employees to vendors to contractors to remote workers, etc.
Get visibility into everything on your infrastructure, and get control over who can access what, on an ongoing basis. Cisco Zero Trust provides a comprehensive approach to securing all access across your applications and environment, from any user, device and location. It protects your workforce, workloads and workplace.
It is comprised of a portfolio of the three following primary products:
This complete zero-trust security model allows you to mitigate, detect and respond to risks across your environment. Verifying trust before granting access across your applications, devices and networks can help protect against identity-based and other access security risks.
Cisco was recently named a leader in The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 – read the report to learn more about our market leadership in current zero-trust offerings and strategy.
The post An Overview of Zero Trust Architecture, According to NIST appeared first on Cisco Blogs.