To address cybersecurity challenges organizations may face, the National Cybersecurity Center of Excellence (NCCoE) part of NIST, works to create adaptable cybersecurity solutions showing how standards and best practices can be utilized in commercially available technology. In 2018, the Federal Chief Information Officer engaged NIST NCCoE to define Zero-Trust Architecture (ZTA) along with its benefits and limitations in the publication of NIST SP 800-207.

Implementing a zero-trust architecture has become a federal cybersecurity mandate and a business imperative. In this NextLabs white paper, “Implementing a Zero Trust Architecture: NIST National Cybersecurity Center of Excellence”, we review NCCoE’s proposed architecture(s) for on-premises and hybrid-cloud environments that inherit ZTA solution characteristics outlined in NIST SP 800-207.

In this overview, we dive into the principles, mechanisms, and architecture of ZTA, explaining how enterprises can extend the efficacy of ZTA. In addition, the paper covers how the NextLabs approach leverages dynamic authorization and Attribute-Based Access Control (ABAC) to achieve a cohesive security ecosystem with zero trust.

Below is an overview of the paper, for the full explainer, download the paper.

Solutions for Today’s Challenges 

The traditional perimeter-based security model has become insufficient in managing digital enterprise resources, thanks to the growing complexity in hybrid cloud environment and numbers of access points. ZTA introduces a data-centric model that focuses on protecting resources instead of perimeters, offering a solution with real-time access control, agile rules, and reduced risk of malicious attack.  

Principles of ZTA 

ZTA comprises the following three core zero trust principles: 

  • Never trust, always verify: Every single time a user, device, or application tries to make a new connection attempt, that attempt will be authorized and authenticated. 
  • Implement least privileged access: to grant users and applications the minimum amount of access needed to perform their jobs efficiently. 
  • Assume breach: prepare for worst case scenarios and plan when attacks do occur.  

Implementation of ZTA 

ZTA can be incorporated into a company’s cyber defense system by integrating zero-trust concepts into an existing perimeter-focused cybersecurity system. Applicable to safeguard data on-premises and in public or hybrid cloud, ZTA covers a broad range of use cases. ZTA offers a myriad of benefits to strengthen security strategies, such as real-time access control, increased visibility over data and applications, and simplified architecture.  

While ZTA offers a more dynamic option, organizations may face difficulties in adoption. Organizations may have low ability or willingness to implement ZTA since there is a lack of vendor product maturity to support ZTA, or insufficient financial and technical preparation for the adoption.  

Architecture Overview  

The technical components required of ZTA solution(s) include but are not limited to these main components: core, functional, and device and network infrastructure components, each responsible for a different aspect in the system.  

The core components act as the brain to administer policies and manage authorization through the policy engine and policy administrator, and control subject access through the policy enforcement point (PEP). These components enable fine-grained access management and control in a simple and flexible way.  

The functional components consist of different aspects of security management, and ensure data and resources are persistently protected in both internal and external environment. Specific measures include the data security component that protects data at rest and in transit, the endpoint security component that fights off external threats from managed or unmanaged devices, and identity & access management (IAM) component that manages subject accounts and identity records, along with the access to enterprise resources.  

The device and network infrastructure components include devices that connect to the enterprise, and enterprise resources that store data and applications on premise, in the cloud, or at the edge. The core and functional components are integrated into the network infrastructure for successful implementation.   

ZTA Architecture Overview

Leverage Dynamic Authorization and ABAC to Extend ZTA’s Efficacy 

ZTA leverages dynamic authorization to provide a more flexible, scalable, and secure solution to manage access. The incorporation of attribute-based access control (ABAC) further extends the efficacy of ZTA with the use of fine-grained authorization and real-time evaluation of attributes of subject and resources at each request.   

NextLabs Solution for ZTA 

To address ZTA requirements, NextLabs provides a data-centric security software suite which uses ABAC and dynamic authorization to automate access management, prevent wrongful disclosure, secure data access, and protect data. Enterprises can enforce secure access to network resources and segregate data through least privilege access in real-time, secure global data access, and persistent protection of data at rest and in transit.  

To learn more about the mechanisms of ZTA, the benefits and challenges organizations face while implementing ZTA, or NextLabs approach, please download the full whitepaper.