Recently, the National Security Agency (NSA) published a cybersecurity guidance, “Embracing a Zero Trust Security Model.” This guidance shows how deploying Zero Trust security principles can better position cybersecurity professionals to secure enterprise networks and sensitive data. The guidance aims to provide users with a foundational understanding of Zero Trust and discusses its benefits along with potential challenges, and makes recommendations for implementing Zero Trust within their networks.

The Zero Trust model eliminates trust in any one element, node, or service by assuming that a breach is inevitable or has already occurred. The data-centric security model constantly limits access while also looking for anomalous or malicious activity.

Adopting the Zero Trust mindset and leveraging Zero Trust principles will enable systems administrators to control how users, processes, and devices engage with data. These principles can prevent the abuse of compromised user credentials, remote exploitation, or insider threats, and even mitigate effects of supply chain malicious activity.

In the guidance, NSA strongly recommends that a Zero Trust security model be considered for all critical networks within National Security Systems, the Department of Defense’s critical networks, and Defense Industrial Base critical networks and systems. NSA notes that Zero Trust principles should be implemented in most aspects of a network and its operations ecosystems to become fully effective. To address potential challenges of implementing Zero Trust solutions, NSA is developing and will release additional guidance in the coming months.

Commenting on the news, Kevin Dunne, President at Greenlight, a Flemington, New Jersey-based provider of integrated risk management solutions, says, "Zero Trust is a model that all organizations with sensitive data should consider.  Government agencies often set the standard, as they are the most frequent targets of cyber attacks, but the methods they employ should be used across the private sector as well.  Whether it is customer data, employee data, financial data, or intellectual property, Zero Trust principles function to keep critical assets secure.  Inevitably, the bad actor will compromise a device and or credential, what happens next depends on how well the organization has instituted least privilege access and narrowed the scope of what those devices and credentials can do.  Implementing a Zero Trust model across identities, networks, devices and applications can be the difference between a limited hack with insignificant damage or a major incident with loss of critical data.  Any organization that is uncertain about the value of Zero Trust should start with an audit of their identities, networks, devices and applications - undoubtedly, they will find cases of shadow IT, zombie accounts, and overprivileged users that represent clear and present danger.  A Zero Trust philosophy can immediately begin to address current gaps, and provide a foundation for managing risk going forward."

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, notes, “Zero Trust is the modern manifestation of the epiphany that not all intrusions can be prevented and that the ability to detect these intrusion and respond to them before they do extensive damage is the key to resilience in the face of ever more ambitious cyberattacks. The principles of Zero Trust outlined by the NSA are a natural progression from CISA’s Continuous Diagnostics and Mitigation (CDM) program developed in 2012. There is more emphasis here on the combination of user and device identity along with more granular policy (least privilege) and the ability to continually look for meaningful anomalies in behavior (on both the device and in the network) which may signal that an attack is underway. This model aligns pretty well with Google’s BeyondCorp model which was initially created in response to the 2009 Aurora attack and has been refined over the intervening decade.

Tavakoli adds, "Private entities are already ahead of the federal government in adopting these Zero Trust principles, though that journey is by no means complete.”

Joseph Carson, Advisory CISO at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, explains, “Today, trust is being abused by cyber-criminals targeting unsuspecting employees personal accounts to gain access, later elevating to privileged accounts that can move around corporate networks undetected, and roaming around the network for months or even longer. Once attackers gain access to the internal network they typically have access to the entire network as everything inside the network is automatically trusted. This is why the Zero Trust security model was introduced—to address a new stance on trust: never trust and always verify."

Carson adds, "As with most security strategies and architectures, we continue to have a failure to focus on the business value and how Zero Trust improves business efficiency or helps employees do their job.  How does Zero Trust make a positive security impact is the big question. As always, we need to have security that is usable and make the employees job better.  I strongly believe in a Zero Trust methodology, however, I don’t favor using the term when talking to the business. Instead, I refer to Building Digital Trust or Adaptive security when talking to business users as this focuses on a positive security experience.  The term Zero Trust resonates best within the Security and Risk teams, however, with the business it is just another security control.  Moving forward, the top focus of security must be on how it adds business value followed by how it reduces business risks and increases business resilience. Unfortunately, for now, we continue to focus on the threats.”