banner

Thales Blog

Zero Trust 2.0: NIST’s identity-centric architecture

December 4, 2020

Danna Bethlehem Danna Bethlehem | Director, Product Marketing More About This Author >

In August, the National Institute of Standards and Technology (NIST) released its blueprint for establishing a Zero Trust security architecture, NIST SP 800-207. The publication provides “general deployment models and use cases where Zero Trust could improve an enterprise’s overall information technology security posture.”

Zero Trust is more critical than ever

This publication couldn’t have been more timely. The adoption of a “never trust, always verify” mentality seems like the only way for modern businesses to protect and safeguard their assets and resources. In traditional perimeter security, everything inside the corporate network is considered reliable and anything outside is deemed unreliable. Experience has shown that access to network resources may inadvertently be considered trusted, but not necessarily verified or monitored.

As we move into a more complex collaborative environment, corporate information is both inside and outside the network, and is accessed not only by internal users, but also by suppliers, customers, and all kinds of collaborators. Report findings and latest technology trends indicate there is a need for a different security approach, not based on trust:

  • The COVID-19 pandemic has propelled the adoption of work from home initiatives, requiring access to corporate resources from literally everywhere ;
  • According to the 2020 Verizon Data Breach Investigations report, 34% of data breaches are attributed to internal users – human error or disgruntled employees;
  • External bad actors sneak into corporate networks using stolen or compromised credentials and move laterally undetected exfiltrating sensitive corporate data; and,
  • According to the 2020 Thales Data Threat Report-Global Edition, more than 50% of corporate data is stored outside the corporate perimeter in multiple cloud environments.

Enterprises have transformed into castles without walls and the good knights of security need to solve the puzzle of defending the castle without relying on traditional security practices. It is obvious that traditional perimeter security based on a “castle-and-moat” concept is not adequate.

The NIST blueprint

According to NIST SP 800-207, the goal of Zero Trust security is “to prevent unauthorized access to data and services coupled with making access control enforcement as granular as possible.” A Zero Trust security architecture is based on three foundational principles:

  • Ensure that data, equipment, systems, etc. are securely accessed regardless of location;
  • Adopt the least privileged access model strategy and enforce strict access controls; and,
  • Monitor and audit everything.

At the heart of the NIST blueprint for an effective and efficient Zero Trust security architecture is resources – data, devices, networks, and workloads - and their identity. In fact, identity forms the core of all three approaches to a Zero Trust architecture, including:

  • Identity-centric, where access policies to corporate resources are based on identity and assigned attributes;
  • Network-centric, where network segmentation using intelligent switches (or routers), Next Generation Firewalls (NGFW) or Software Defined Networks (SDN) enforces protection to resources; and,
  • Cloud-based combination, which leverages cloud-based access management and Software at the Service Edge (SASE) solutions.

Implementing a Zero Trust solution centred on identity provides many benefits to businesses such as:

  • Facilitates innovation and implementation of new business demands through the secure implementation of new collaboration and productivity initiatives with suppliers and customers;
  • Facilitates growth based on knowledge about the identity to protect reliably and securely access to corporate data and resources.; and,
  • Allows effective response to potential threats and compliance with regulations such as GDPR, CCPA, and HIPAA.

Identity is the new perimeter

The modern enterprise security perimeter is no longer a physical location. It is a set of access points dispersed in and delivered from the cloud. Identities are now the new perimeter and should be at the core of access decisions. The identity of any resource, user, device or service provides the key context for the application of access policies.

Zero trust security concepts allow organizations to grow securely in the cloud and adjust to borderless and dispersed environments. Thales SafeNet Trusted Access meets these needs by ensuring a “trust no one, verify everywhere” stance through its ability to continuously protect applications and services at the access point, regardless of the underlying network deployed.

To implement an effective identity-centric Zero Trust architecture with the goal of achieving security in a post-perimeter environment, download our Meeting NIST Guidelines for Zero Trust Security white paper.