Zero Trust Architecture (ZTA)


The National Institute of Standards and Technology (NIST) has defined the Zero Trust Architecture (ZTA) model in cybersecurity as “an evolving set of security paradigms that narrows defenses from wide network perimeters to individual or small groups of resources.”

ZTA is based on the assumption that an attacker could be present in any environment, including those owned by enterprises. As such, the enterprise must enact protections to reduce the risks to its assets and business functions through constant monitoring and evaluation. ZTA comprises the following three core zero trust principles for planning industrial and enterprise infrastructure and workflows:

  • Never trust, always verify: every time a user, device or application attempts a new connection, that attempt is authenticated and authorized before access is granted.
  • Implement least privileged access: grant users and applications only the minimum access needed to perform their jobs effectively.
  • Assume breach: prepare for worst-case scenarios and plan for how to respond when attacks do occur.

Instead of focusing on protecting access to a network by hardening the perimeter, a ZTA model prioritizes the protection of individual resources within an organization’s network and is an example of a data-centric approach to security. It assumes threats can originate from both inside and outside the network, and it continuously evaluates risks and enforces controls to mitigate them. The focus shifts downstream to user access to the specific resources and data that require protection.

Recent Updates in the Federal Government’s Zero Trust Guidelines and Requirements

Within the last couple of years, the government has placed increasing importance on zero trust architecture (ZTA) requirements for cybersecurity.

On May 12, 2021, Executive Order (EO) 14028 titled “Improving the Nation’s Cybersecurity” was released, requiring agencies to enhance cybersecurity and software supply chain integrity by developing a plan to implement zero trust principles. EO 14028 marked a renewed commitment to and prioritization of federal cybersecurity modernization. This order requires service providers to share cyber incident and threat information that could impact Government networks and establishes baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.

Then, in January 2022, Memorandum 22-09 was released as a follow-up to EO 14028. This memorandum sets forth a Federal ZTA strategy, requiring agencies to meet cybersecurity objectives by the end of Fiscal Year 2024 to reinforce Federal Civilian Executive Branch (FCEB) defense. In this document, the government states that we must make a “dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.” The Department of Defense’s (DoD) Zero Trust Reference Architecture is also referenced in M-22-09. The DoD states that the foundational tenet of the Zero Trust Model is that no user, system, network, or service operating outside or within the security perimeter is trusted. Instead, anything and everything attempting to establish access must be verified.

The latest government update regarding zero trust security is the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Maturity Model Version 2.0, which was released in March of 2022. CISA’s Zero Trust Maturity Model (ZTMM) is one of many paths that an organization can take in designing and implementing its transition plan to zero trust architectures in accordance with EO 14028 and M-22-09. A typical plan assesses an agency’s current cybersecurity state and lays out the path to a fully implemented ZTA. CISA’s ZTMM assists agencies in developing their zero trust strategies and in the continued evolution of their implementation plans.

Dynamic Authorization and ZTA

A core pillar of ZTA and of a data-centric approach to security is dynamic authorization. In traditional or static authorization models, authorization is granted before resources are accessed and remains valid for subsequent access requests. Dynamic authorization instead re-evaluates data access policies at the time of each access request, and grants or denies access and entitlements to the requested resource based on the evaluation result at that specific point in time. Beyond granting access, dynamic authorization can be used to implement the ZTA principle of “Least Privileged Access” by providing only the minimum level of access needed by the user at that specific time.

Dynamic authorization can be used to extend role-based access control (RBAC), where access is granted based on a user’s role, or to apply attribute-based access control (ABAC), in which access rights and entitlements to an organization’s resources are based on attributes of the user, the environment, and the data itself. Whether in extending RBAC or in applying ABAC, dynamic authorization can be used to implement a data-centric approach to an organization’s security, dynamically evaluating access and entitlement policies for every access request to protect specific resources at the specific time they need to be protected. This is the essence of the ZTA principle of “Never Trust, Always Verify”.

ZTA Architecture Overview

NextLabs’ Zero Trust Data-Centric Security Suite

ZTA and dynamic authorization are the foundation upon which the NextLabs Zero Trust Data-Centric Security suite of products rests. NextLabs’ products allow our users to balance the need to share with the need to protect by allowing access to an organization’s data, network, applications, and other sensitive assets to be granted or denied dynamically in real time. This is done through the definition and enforcement of ABAC policies that use attribute values such as the user’s clearance level and assigned role, the data’s type and classification, and environmental attributes such as time of day and IP address. By evaluating ABAC policies dynamically at the time of the access request, NextLabs allows organizations to grant fine-grained access and entitlements to resources, giving users access to only what they need, and granting them entitlements to do only what they should be authorized to do once they have that access.
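To make the per-request evaluation described in the dynamic authorization section and the attribute types listed above concrete, here is a minimal ABAC policy decision point in Python. It is added example code, not NextLabs’ product or policy language; the policy names, roles, classifications, networks and time windows are all constructed, and the clearance ladder is an assumed ordering.

```python
from ipaddress import ip_address, ip_network

# Constructed clearance ladder: a subject may only touch data classified at or below it.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed ABAC policies: attribute conditions (role, data type, source network,
# time window) under which a set of entitlements is granted; otherwise default deny.
POLICIES = [
    {"name": "engineers-edit-designs-onsite", "roles": {"engineer"},
     "data_types": {"design-doc"}, "networks": ["10.0.0.0/8"],
     "hours": (8, 18), "actions": {"read", "edit"}},
    {"name": "engineers-read-designs-anywhere", "roles": {"engineer"},
     "data_types": {"design-doc"}, "networks": ["0.0.0.0/0"],
     "hours": (0, 24), "actions": {"read"}},
]

def policy_matches(policy, subject, resource, env):
    """True when every attribute condition of the policy holds for this request."""
    if subject["role"] not in policy["roles"]:
        return False
    if resource["data_type"] not in policy["data_types"]:
        return False
    # Clearance check applies to every policy: classification must not exceed clearance.
    if LEVELS[resource["classification"]] > LEVELS[subject["clearance"]]:
        return False
    start, end = policy["hours"]
    if not start <= env["hour"] < end:
        return False
    addr = ip_address(env["source_ip"])
    return any(addr in ip_network(net) for net in policy["networks"])

def entitlements(subject, resource, env):
    """Dynamic authorization: evaluate every policy against this request's attributes
    and return the union of granted actions. Nothing is cached or carried over from
    earlier requests, so a changed context (time, network) changes the answer."""
    granted = set()
    for policy in POLICIES:
        if policy_matches(policy, subject, resource, env):
            granted |= policy["actions"]
    return granted

def authorize(subject, resource, env, action):
    """Decision for one access request: allowed only if some policy grants it now."""
    return action in entitlements(subject, resource, env)

if __name__ == "__main__":
    alice = {"id": "alice", "role": "engineer", "clearance": "confidential"}
    doc = {"data_type": "design-doc", "classification": "confidential"}
    print(entitlements(alice, doc, {"hour": 10, "source_ip": "10.1.2.3"}))   # {'read', 'edit'}
    print(entitlements(alice, doc, {"hour": 22, "source_ip": "203.0.113.7"}))  # {'read'}
```

The same user and document yield different entitlements depending on the environmental attributes of the request, which is the point of evaluating at access time rather than once at login.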

NextLabs’ data-centric dynamic authorization system with ABAC significantly streamlines the management process. It removes the need to individually administer thousands or even hundreds of thousands of access-control lists, roles, and role assignments on a daily basis. Additionally, organizations do not need to deploy expensive and complex identity governance solutions. With ABAC, hundreds of roles can be replaced by just a few policies. These policies are managed centrally across all sensitive applications and systems, providing a single pane of glass over the “who, what, where, when, and why.” Centralized management makes it easy to add or update policies and quickly deploy them across the enterprise.

Authorization policies are managed externally in the NextLabs Control Center (CloudAz), so they can be modified without requiring code changes or application downtime. This enables organizations to react quickly to changes in business or regulatory environments, greatly increasing agility and flexibility and enhancing overall data protection. Dynamic authorization with ABAC also provides central monitoring and tracking of user activity and data access, giving compliance and security officers insight into user behavior and suspicious activities.

NextLabs’ data-centric dynamic authorization allows organizations to implement the three principles of ZTA and is integrated into all NextLabs product lines, including:

  • CloudAz, a unified policy platform that centralizes administration and applies the “never trust, always verify” principle, ensuring data is protected at any access point.
  • Data Access Enforcer (DAE), which helps enterprises protect data access from anywhere by securing access to, and protecting, critical data stored in databases and data lakes.
  • SkyDRM, which ensures persistent protection of critical files and documents, protecting data on the move and at rest.
  • Entitlement Management / Externalized Authorization Management, which can be used to secure applications, enforce data security controls, and simplify role management.