How many people do you trust? This is a pretty difficult question, but luckily, in a zero trust network, that question is answered for you. The idea of this network is that everyone, no matter who they are, needs to be verified. You might imagine that this has been effective in preventing breaches.
But what is a zero-trust network? Let’s take a few minutes to break down the National Institute of Standards and Technology’s definition of zero trust, based on the seven “tenets” that must be followed. There can be found in their Special Publication 800-207.
How Does NIST Define Zero Trust?
This is the definition of Zero Trust, found in the publication:
“Zero trust (ZT) provides a collection of concepts and ideas designed to minimize
uncertainty in enforcing accurate, least privilege per-request access decisions in
information systems and services in the face of a network viewed as compromised. Zero
trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust
concepts and encompasses component relationships, workflow planning, and access
policies. Therefore, a zero trust enterprise is the network infrastructure (physical and
virtual) and operational policies that are in place for an enterprise as a product of a zero
trust architecture plan.”
Zero trust makes it harder for threats to get in and also simplifies the task of identifying how threats got in.
NIST’s Seven Tenets, Reviewed
Here is the list of the seven tenets, so let’s see what each of them requires.
“All data sources and computing services are considered resources.”
This means that anything that is connected to the network has to abide by all access controls and security requirements that have been established on the network.
“All communication is secured regardless of network location.”
Whether a device is on the network or not, all communication should maintain the highest levels of security, just as it would if external networks were involved.
“Access to individual enterprise resources is granted on a per-session basis.”
One of your users may need access to one of your assets for a limited time or even for a single session. Requiring authentication every time resources are accessed will help limit any chance of unauthorized usage.
“Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.”
Business technology is super complicated, which is the hard fact of the matter. Especially now that remote work is an option for your employees, it gets even more complicated. A lot of data is being handed out because of this, and taking into account the permission can make it more secure.
“The enterprise monitors and measures the integrity and security posture of all owned and associated assets.”
Zero trust, even though it may sound a little cliche, means that you can’t trust anyone or anything. All assets should be monitored carefully so that threats can’t intrude and patches are taken care of in a timely manner.
“All resource authentication and authorization are dynamic and strictly enforced before access is allowed.”
Zero trust approached makes sure that access permissions are confirmed continuously, and takes a lot of different inputs into consideration to determine whether to grant access.
“The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.”
Keeping track of everything in the network environment is important for security to be kept. This includes three core components: the policy administrator, the policy enforcement point, and the policy engine.
Security is so important and MyTek can help by monitoring your network for you. Give us a call today at 623-312-2444 to learn more about zero trust networks.