NIST Released Zero Trust Architecture Guideline

August 12, 2020
Canming Jiang

The National Institute of Standards and Technology (NIST) published the final version of its Zero Trust Architecture guideline on August 11: NIST Special Publication 800-207. The publication gives an abstract definition of zero trust architecture (ZTA), along with general deployment models and use cases in which zero trust can be employed to improve an enterprise's overall cybersecurity posture.

Zero trust assumes that no implicit trust is granted to assets or user accounts based solely on their position relative to the security perimeter, e.g., being inside the corporate network or on the corporate VPN. The publication points out that how authentication and authorization to resources are implemented becomes essential when adopting ZTA: the enterprise must verify the identity of the requester (authenticate) and evaluate the access rules (authorize) each time a session tries to connect to an enterprise resource (e.g., applications, servers, Kubernetes clusters).

The guideline also notes that enterprises cannot expect to move from perimeter-based security to zero trust security overnight: “Many organizations already have elements of a ZTA in their enterprise infrastructure today. Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions by use case.”

We at Datawiza help organizations implement ZTA by addressing its two essential elements: authentication and authorization.

For authentication, we leverage an organization's existing identity infrastructure (e.g., Microsoft Azure AD or Okta) and help it achieve single sign-on (SSO) via OpenID Connect (OIDC) or SAML for its applications, whether legacy or cloud-native. Integrating applications with a cloud-based Identity Provider (IdP) is not a trivial task. One large organization with 10,000 employees told us they had spent a month integrating one legacy application with a cloud IdP and still had 50 more applications to go. By leveraging our solution, the whole process for those 50 applications could be reduced to weeks, even days.

For authorization, we help enterprises achieve granular access control so that they can enforce the least privilege needed to perform the action in each request. Developers therefore do not have to implement disparate access control policies for different applications or services across hybrid environments, e.g., in AWS, GCP, Azure or on-premises. Meanwhile, we provide a unified cloud-based management console for managing and configuring the access policies. Such policies can be based on a user's identity attributes (e.g., role, group), location, IP address, time of day, and the request's URL, method and other information.
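To make the per-request authorization step concrete, here is an added example (not Datawiza's product code and not anything from SP 800-207) of a default-deny policy evaluator that checks exactly the kinds of attributes mentioned above: roles and groups asserted by the IdP, source IP against allowed CIDRs, time of day, and the request's method and URL path. The policy format, rule names, sample identities and IP addresses are all assumptions constructed for the example; validating the OIDC or SAML assertion that produced the identity attributes is the authentication step and is assumed to have already happened.

```python
"""Added example (not Datawiza's or NIST's code): a minimal per-request
authorization decision in the spirit of NIST SP 800-207. Policy format,
attribute names, sample identities and addresses are assumptions."""
import fnmatch
import ipaddress
import posixpath
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    """One access request. Identity attributes are whatever the IdP asserted
    (e.g. claims from an already validated OIDC ID token); validating that
    token is the authentication step and is out of scope here."""
    subject: str
    roles: frozenset
    groups: frozenset
    source_ip: str
    method: str
    path: str
    when: datetime


@dataclass(frozen=True)
class Rule:
    """One allow rule. Every constraint that is set must hold; an unset
    constraint (empty set, empty tuple or None) does not restrict the request."""
    name: str
    path_glob: str
    methods: frozenset
    roles: frozenset = frozenset()     # any one of these roles satisfies
    groups: frozenset = frozenset()    # any one of these groups satisfies
    networks: tuple = ()               # allowed source CIDRs
    window: tuple = None               # (start, end) time of day, inclusive


def rule_allows(rule, req):
    """True only if every constraint of the rule is satisfied by the request."""
    # Canonicalise the path first so "/hr/../admin/users" is judged as
    # "/admin/users" rather than slipping through an "/hr/*" rule.
    path = posixpath.normpath(req.path)
    if not fnmatch.fnmatchcase(path, rule.path_glob):
        return False
    if req.method.upper() not in rule.methods:
        return False
    if (rule.roles or rule.groups) and not (
        req.roles & rule.roles or req.groups & rule.groups
    ):
        return False
    if rule.networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rule.networks):
            return False
    if rule.window:
        start, end = rule.window
        if not start <= req.when.time() <= end:
            return False
    return True


def authorize(policy, req):
    """Default deny: the first rule whose constraints all hold grants access.
    Returns (allowed, rule name) so every decision can be logged."""
    for rule in policy:
        if rule_allows(rule, req):
            return True, rule.name
    return False, "default-deny"


# Constructed sample policy (an assumption, not taken from the page).
POLICY = (
    Rule("admin-console", "/admin/*", frozenset({"GET", "POST", "DELETE"}),
         roles=frozenset({"admin"}), networks=("10.0.0.0/8",),
         window=(time(8, 0), time(18, 0))),
    Rule("hr-read", "/hr/*", frozenset({"GET"}), groups=frozenset({"hr"})),
    Rule("self-service", "/profile/*", frozenset({"GET", "PUT"})),
)


def make_request(subject, roles, groups, ip, method, path, hour):
    """Helper that builds a Request at a fixed (constructed) date."""
    return Request(subject, frozenset(roles), frozenset(groups), ip, method,
                   path, datetime(2020, 8, 12, hour, 0))


if __name__ == "__main__":
    samples = [
        make_request("alice", ["admin"], [], "10.1.2.3", "DELETE", "/admin/users", 10),
        make_request("alice", ["admin"], [], "203.0.113.5", "DELETE", "/admin/users", 10),
        make_request("alice", ["admin"], [], "10.1.2.3", "DELETE", "/admin/users", 22),
        make_request("bob", [], ["hr"], "192.0.2.10", "GET", "/hr/../admin/users", 14),
    ]
    for r in samples:
        print(r.subject, r.method, r.path, r.source_ip, r.when.time(), authorize(POLICY, r))
```

The two points worth noticing are that a request is denied unless some rule explicitly allows it (an admin outside 10.0.0.0/8, or outside the 08:00-18:00 window, is refused even though the role matches), and that the path is canonicalised before it is matched, so a traversal such as `/hr/../admin/users` cannot be authorized under the more permissive `/hr/*` rule.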