Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

NSA Publishes Guidance on Adoption of Zero Trust Security

The U.S. National Security Agency (NSA) has published guidance on how security professionals can secure enterprise networks and sensitive data by adopting a Zero Trust security model.

The U.S. National Security Agency (NSA) has published guidance on how security professionals can secure enterprise networks and sensitive data by adopting a Zero Trust security model.

Titled “Embracing a Zero Trust Security Model,” the document details the benefits and challenges of the security model, and also provides a series of recommendations on the implementation of Zero Trust within existing networks.

Leveraging a set of system design principles and a cyber-security management strategy, the Zero Trust model assumes that a breach has occurred or is inevitable and eliminates trust in systems, nodes, and services, requiring continuous verification through real-time information.

Zero Trust allows administrators to limit access and control the manner in which devices, processes, and users engage with data, to eliminate the abuse of compromised credentials, along with remote exploitation, and insider threats.

“Systems that are designed using Zero Trust principals should be better positioned to address existing threats, but transitioning to such a system requires careful planning to avoid weakening the security posture along the way. NSA continues to monitor the technologies that can contribute to a Zero Trust solution and will provide additional guidance as warranted,” the NSA notes.

Addressing the modern threat environment, the agency says, requires aggressive system monitoring and management, defensive operations capabilities, assuming requests for critical resources may be malicious, assuming the compromise of any device or infrastructure, accepting the risks associated with access to critical resources, and preparedness for rapid damage assessment and remediation.

With Zero Trust, every user, application/workload, device, and data flow is considered untrusted and access is denied by default, resources are protected and operated with the assumption that they might have been compromised, and access to all resources is provided in a secure manner.

The design of a Zero Trust solution, the NSA notes, implies defining mission outcomes, first protecting Data/Assets/Applications/Services (DAAS) and securing access paths, determining who needs access to the DAAS, creating control policies, and constantly looking for suspicious activity through full visibility into all activity (the inspection of all traffic logs).

The NSA also explains that implementing Zero Trust requires time and effort, and that additional capabilities are required to transition to a mature Zero Trust architecture, for full benefits. Furthermore, the agency says, it is not necessary to move to a mature Zero Trust architecture all at once, as such implementations mature over time, enabling defenders to keep up with threats.

Challenges faced when implementing Zero Trust may include the lack of full support within the enterprise, “possibly from leadership, administrators, or users,” scalability, the need to continuously apply access control decisions, and fatigue from constantly applying default-deny security policies.

“The Zero Trust mindset focuses on securing critical data and access paths by eliminating trust as much as possible, coupled with verifying and regularly re-verifying every allowed access. However, implementing Zero Trust should not be undertaken lightly and will require significant resources and persistence to achieve,” the NSA also points out.

Related: Microsoft Launches Free Zero Trust Assessment Tool

Related: NIST’s Zero Trust Taxonomy Introduces Components, Threats and Migration Routes

Related: Cyber Security’s New Center Point: Zero Trust

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.