NIST Releases Zero Trust Architecture Guidance
NIST has released Special Publication 1800-35 to help organizations implement a zero trust architecture (ZTA). The new guidance augments NIST SP 800-207, a document from 2020 that describes zero trust at a conceptual level. NIST 1800-35 provides nineteen examples of ZTA implementations built with commercial technologies. The publication is the result of a four-year collaboration between dozens of leading technology companies and the NIST National Cybersecurity Center of Excellence (NCCoE).
What is Zero Trust Architecture
Zero trust architecture is a cybersecurity strategy built on a “never trust, always verify” approach: no access request is trusted because of where it comes from, and each one is authenticated and authorized on its own merits. As remote work, cloud environments, and connected devices outside the traditional network perimeter have become more common, ZTA has grown in relevance because it protects users, devices, and services regardless of their location.
The key principles of ZTA are:
Verify Explicitly
Every access request from a user or device is verified before access is granted, regardless of whether the requester is inside or outside the network. Verification covers the requester’s identity, the health of the device, and the specific application or resource being requested.
Least Privilege Access
Grant users and devices only the minimum access needed to perform their tasks. Access to each resource is limited according to the subject’s role and responsibilities, which bounds the damage a compromised account or device can do.
Assume Breach
Organizations should assume that breaches are likely and design their security measures accordingly. This includes implementing robust security controls, monitoring for suspicious activity, and incident response planning.
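The three principles above, expressed as a small policy engine, as an added example that is not part of NIST SP 1800-35 or any of its builds. It follows the SP 800-207 model in which a policy engine (PE) makes the decision and policy enforcement points (PEPs) carry it out, and it goes slightly beyond the text by making every allow time-limited so the PEP must come back for re-evaluation. The device inventory, role table, requests, and all names (`DEVICE_POSTURE`, `ROLE_PERMISSIONS`, `decide`, the reason strings) are constructed for illustration, not taken from any product or build.

```python
from dataclasses import dataclass, asdict, replace
import time

# Constructed policy data for the example; not taken from any NCCoE build.
# Device inventory: the posture the endpoint-management system last reported.
DEVICE_POSTURE = {
    "laptop-001": {"managed": True, "disk_encrypted": True, "patched": True},
    "laptop-002": {"managed": True, "disk_encrypted": False, "patched": True},
    "byod-777": {"managed": False, "disk_encrypted": True, "patched": True},
}

# Least privilege: each role lists only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "hr-analyst": {("hr-db", "read")},
    "hr-admin": {("hr-db", "read"), ("hr-db", "write")},
    "developer": {("build-server", "read"), ("build-server", "write")},
}

# Resources that additionally require every posture check to pass.
SENSITIVE_RESOURCES = {"hr-db"}

# Assume breach: every decision, allow or deny, is recorded for detection and IR.
DECISION_LOG: list[dict] = []


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset          # roles asserted by the identity provider
    mfa: bool                 # session was authenticated with a second factor
    device_id: str
    resource: str
    action: str
    network: str              # "corp" or "internet"; logged, never trusted


@dataclass(frozen=True)
class Decision:
    effect: str               # "allow" or "deny"
    reason: str
    ttl_seconds: int          # how long a PEP may honour an allow before re-asking


def _record(req: Request, effect: str, reason: str, ttl: int = 0) -> Decision:
    """Append a structured audit record and return the decision to the PEP."""
    DECISION_LOG.append({"ts": time.time(), "effect": effect, "reason": reason, **asdict(req)})
    return Decision(effect, reason, ttl)


def decide(req: Request) -> Decision:
    """Default deny: an allow requires every check below to pass."""
    # Verify explicitly (identity): MFA is required on every request, and the
    # network the request arrived from is deliberately not consulted.
    if not req.mfa:
        return _record(req, "deny", "mfa_required")

    # Verify explicitly (device): the device must be inventoried and managed,
    # and sensitive resources demand a fully healthy posture.
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None:
        return _record(req, "deny", "unknown_device")
    if not posture["managed"]:
        return _record(req, "deny", "unmanaged_device")
    if req.resource in SENSITIVE_RESOURCES and not all(posture.values()):
        return _record(req, "deny", "device_posture_failed")

    # Least privilege: the exact (resource, action) must be granted by a role.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        return _record(req, "deny", "not_authorized")

    # Assume breach: grants are short-lived, so a posture or role change takes
    # effect at the next re-evaluation rather than at the next login.
    return _record(req, "allow", "all_checks_passed", ttl=300)


if __name__ == "__main__":
    alice = Request("alice", frozenset({"hr-analyst"}), True, "laptop-001", "hr-db", "read", "internet")
    print(decide(alice))                                   # allowed although it came from the internet
    print(decide(replace(alice, network="corp", mfa=False)))  # denied although it came from "corp"
    print(decide(replace(alice, action="write")))          # denied: role only grants read
```

The order of the checks matters: the identity and device checks run before the authorization lookup, so a request from an unknown device is refused even for a fully entitled user, and the `network` attribute is written to the log but never consulted, which is the “regardless of location” point. Each deny carries a specific reason so the decision log can drive detection, for example a burst of `device_posture_failed` denials from a single device.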
What is in NIST 1800-35
NIST 1800-35 is available in two formats: a high-level PDF and the full document on the web. NIST recommends reading the PDF first as an introduction to the project; it summarizes the project goals, the ZTA reference architecture, the ZTA implementations, and the findings.
The more in-depth NIST 1800-35 website contains the following details:
- An overview of the “Implementing a Zero Trust Architecture” project, including the motivation for the project, the challenges in implementing ZTA, the project execution and implementation approach, and the collaborating organizations and their contributions.
- Architecture and Builds discusses the architectures considered for demonstrating the ZTA deployment approaches used across the nineteen implementations. It also lists the technology products, with the out-of-the-box capabilities used in each build, and describes the NCCoE lab’s physical architecture platform on which the builds were implemented.
- Build Implementation Instructions lists build instructions for the following nineteen example implementations. EIG (enhanced identity governance), SDP (software-defined perimeter), microsegmentation, and SASE (secure access service edge) are the deployment approaches; “PE” is the policy engine, the component in the SP 800-207 model that makes each access decision, which policy enforcement points then apply:
  - EIG Crawl – Okta Identity Cloud and Ivanti Access ZSO as PEs
  - EIG Crawl – Ping Identity Ping Federate as PE
  - EIG Crawl – Azure AD Conditional Access (later renamed Entra Conditional Access) as PE
  - EIG Run – Zscaler ZPA Central Authority (CA) as PE
  - EIG Run – Microsoft Azure AD Conditional Access (later renamed Entra Conditional Access), Microsoft Intune, Forescout eyeControl, and Forescout eyeExtend as PEs
  - SDP – Zscaler ZPA CA as PE
  - Microsegmentation – Cisco ISE, Cisco Secure Workload, and Ping Identity Ping Federate as PEs
  - SDP and Microsegmentation – Microsoft Azure AD Conditional Access (later renamed Entra Conditional Access), Microsoft Intune, Microsoft Sentinel, Forescout eyeControl, and Forescout eyeExtend as PEs
  - EIG Run – IBM Security Verify as PE
  - SDP – Appgate SDP Controller as PE
  - SDP and SASE – Symantec Cloud Secure Web Gateway, Symantec ZTNA, and Symantec Cloud Access Security Broker as PEs
  - SDP – F5 BIG-IP, F5 NGINX Plus, Forescout eyeControl, and Forescout eyeExtend as PEs
  - SDP, Microsegmentation, and EIG – VMware Workspace ONE Access, VMware Unified Access Gateway, and VMware NSX-T as PEs
  - SASE and Microsegmentation – PAN NGFW and PAN Prisma Access as PEs
  - SDP and SASE – Lookout SSE and Okta Identity Cloud as PEs
  - SDP and SASE – Microsoft Entra Conditional Access (formerly Azure AD Conditional Access) and Microsoft Security Service Edge as PEs
  - SDP and Microsegmentation – AWS Verified Access and Amazon VPC Lattice as PEs
  - SDP and Microsegmentation – Ivanti Neurons for Zero Trust Access as PE
  - SASE – Google Chrome Enterprise Premium (CEP) – Access Context Manager as PE
- General Findings explores the findings and conclusions recorded throughout the demonstration of each ZTA deployment approach across nineteen unique lab implementations.
- Functional Demonstrations describes the demonstration methodology, use cases, and scenarios scoped for the project, and lists the functional demonstration results for each implementation in both summary and fully detailed form.
- Risk and Compliance Management details each build’s implemented security capabilities and their mappings to the NIST CSF versions 1.1 and 2.0, NIST SP 800-53r5, and NIST critical software security measures.
- Zero Trust Journey Takeaways includes a list of takeaways as recommended steps for a zero trust journey, intended for organizations considering ZTA adoption for their environments.
CompliancePoint’s cybersecurity experts deliver a variety of services to help your organization strengthen all aspects of its security program. Contact us at connect@compliancepoint.com to learn more.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.