The 7 tenets of zero trust provided in NIST SP 800-207, are an attempt to define what should be included in a zero trust architecture instead of what should be excluded.
Several authors define zero trust in terms of what should be excluded, like perimeters. But these attempts, go back to the use of perimeters in some way or another.
Let’s examine the 7 tenets provided by NIST. These 7 tenets guide the design and deployment of a zero trust architecture.
Table of Contents
- 1- All data sources and computing services are considered resources
- 2- All communication is secured regardless of network location
- 3- Access to individual enterprise resources is granted on a per-session basis
- 4- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes
- 5- The enterprise monitors and measures the integrity and security posture of all owned and associated assets
- 6- All resource authentication and authorization are dynamic and strictly enforced before access is allowed
- 7- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture
1- All data sources and computing services are considered resources
This tenet states that everything that provides/accesses data is treated as a resource.
Some examples of these resources are:
- IoT devices
- Software that the company uses from cloud providers
- Some personal-owned devices can access enterprise-owned resources.
As you can see, the data sources are comprised of different types of devices.
2- All communication is secured regardless of network location
This tenet establishes not to trust a client according to the network location.
If a system or person is trying to access a certain resource from inside the enterprise network, it should be treated as if it were outside of the network.
This principle shows us that without regard to where someone is trying to access a resource, the same security requirements should apply.
As the zero trust approach states, no device is trusted because they are within a certain network.
Also, do not trust according to the subject, who is accessing the resources. This establishes that even an enterprise director or CEO is treated the same way as everybody else regarding the security of the organization.
3- Access to individual enterprise resources is granted on a per-session basis
This establishes access bounded by time. According to a certain life cycle based on a session.
This should be a digitally signed session, token, or any other way that a session can be established.
The access will be granted only for that session. It does not matter to what group the user belongs, admin, management, etc.
Every time the user wants to access a resource, it must be done through a session. So, there is no more resource access granted based on who you are, what group of users you belong to, etc.
4- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes
The policies to grant access should be dynamic.
As the first step, you need to create an inventory of the company resources, and what type of access is needed for each resource.
Also, you must apply the least privilege principle in defining access to every resource.
Every time a subject (person, computer, resource, …) request access to an enterprise resource, the enterprise security policies must be enforced.
5- The enterprise monitors and measures the integrity and security posture of all owned and associated assets
There is a need to always monitor and assess the integrity and security of the enterprise resources. Because no resource is trusted by default.
The monitoring and assessment should be a continuous process.
The goal is to diagnose when there is a security issue, and to apply security patches to software if needed.
In some cases, this can also apply to personal owned resources, like a cellphone or a laptop. Depending on whether these resources are used to access enterprise resources.
6- All resource authentication and authorization are dynamic and strictly enforced before access is allowed
In this case, the first step in every connection, or access to a resource, is to assess if the security policies allow the requester to be trusted. Also, the least-privilege principle applies. A system/user should be granted the minimum privileges needed to perform a particular transaction.
If we look at the zero trust components below, user trust is established at the Control Plane level. Only after authentication and authorization, the user will be able to access the Data Plane.
7- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture
Data collection is important so you can use it to keep your network secure.
As many cybersecurity experts will say, more data is better than less.
However, as a word of caution, you should collect only meaningful data. Data that you can use for some purpose.
Collecting unnecessary data can also help hackers to gain information about private information.
The rule of thumb here is to use insights that you gain from the data collected, to improve the security of the resources.