The U.S National Institute of Standards and Technology (“NIST”) recently published its “Zero Trust Architecture,” which outlines a road map for cybersecurity measures across an organization. NIST explained that the security concept was created with the purpose of “mov[ing] defenses from static, network-based perimeters to focus on users, assets, and resources.” “Zero trust” is a term for a security model based on the principle that there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). It is a response to enterprise network trends that include increasing numbers of remote users, bring your own device policies, and cloud-based assets that are not located within an enterprise-owned network perimeter. Zero trust focuses on protecting resources, not network segments, as the network location is no longer considered the prime component to the security posture of the resource.
The NIST 800-207 draft is a detailed document that includes a wealth of information for would-be practitioners of Zero Trust. Given the rapid evolution of “reasonable security procedures and practices,” cybersecurity professionals should give the Zero Trust Architecture serious consideration.