NCCoE’s zero trust architecture team publishes two more preliminary draft practice guides, calls for comments

NIST’s National Cybersecurity Center of Excellence (NCCoE) has published volumes C and D of a preliminary draft practice guide on zero trust architecture. The preliminary draft of the ‘How-To Guides’ volume covers instructions for building the example implementations, including the security-relevant details that would allow replication of all or parts of the project. The other initial draft volume, ‘Functional Demonstrations,’ describes the use cases used to showcase zero trust architecture security capabilities and the results of demonstrating them with each example implementation.

The draft practice guide, titled ‘Implementing a Zero Trust Architecture,’ is open for public comment until Sept. 9, 2022. NIST is following an agile process, publishing each volume as soon as it is ready rather than delaying release until all volumes are complete. Work continues on implementing the example solutions and developing the remaining content. Because this is a preliminary draft, the agency will publish at least one additional draft for public comment before the guide is finalized.

The zero trust cybersecurity strategy shifts defenses from wide, static, perimeter-based controls to narrow, dynamic, risk-based access control for enterprise resources, regardless of where those resources are located. Zero trust access decisions are based on several attributes, such as the requester’s identity and endpoint health. The NCCoE project showcases several example zero trust architecture solutions applied to a conventional, general-purpose enterprise IT infrastructure, designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture.

In the ‘How-To Guides’ volume, the NCCoE addresses the challenge of using standards-based protocols and available technologies to build a zero trust architecture. “In our lab at the NCCoE, we plan to implement and demonstrate a variety of builds that serve as example zero trust architecture solutions, each of which is designed to dynamically and securely manage access to resources across a set of use cases that a medium or large enterprise might typically deploy,” the document said. “Our plan is to implement these builds in a series of phases, starting with a baseline enterprise architecture that represents the typical legacy components that an enterprise might start with when deciding to begin adding zero trust capabilities,” it added.

The NCCoE began with builds for enhanced identity governance (EIG) that were restricted to a limited set of capabilities called the EIG crawl phase builds. The central capabilities of these builds are identity, credential, and access management (ICAM) and endpoint protection. In particular, these EIG crawl phase builds do not include the separate, centralized policy engine (PE) or policy administration (PA) components. Instead, these initial EIG crawl phase builds rely upon the PE and PA capabilities provided by their ICAM components. 

After completing the EIG crawl phase builds, the NCCoE plans to gradually enhance these implementations by adding specialized PE and PA components and capabilities, such as software-defined perimeter and micro-segmentation, the agency said. 

The EIG crawl phase builds created so far differ from the guide’s reference design insofar as they do not include separate, dedicated policy decision point (PDP) components, the NCCoE said. “Their ICAM component serves as their PDP, and they include very limited data security and security analytics functionality. These limitations were intentionally placed on the initial builds in an attempt to demonstrate the ZTA functionality that an enterprise that currently has ICAM and endpoint protection solutions deployed will be able to support without having to add additional ZTA-specific capabilities.”

The NCCoE said that each EIG crawl phase build is instantiated differently, depending on the equipment used and the capabilities supported. Briefly, the two builds are EIG E1B1, which uses products from IBM, Ivanti, Mandiant, Okta, Radiant Logic, SailPoint, Tenable, and Zimperium, and EIG E3B1, which deploys products from F5, Forescout, Lookout, Mandiant, Microsoft, Palo Alto Networks, PC Matic, and Tenable. Both builds also use certificates from DigiCert.

With the Functional Demonstration playbook, the NCCoE intends to guide the operator through the set of zero trust architecture scenarios and use cases defined for demonstration in the project. To reduce the number of iterations, some potential demonstrations have been omitted because they are not sufficiently different from a demonstration that has been included.

“For example, if the requester’s access to a resource is blocked due to a non-compliant on-premises resource, then it is sufficient to demonstrate this once with an on-premises-to-on-premises request; this demonstration does not need to be repeated by making the request from a branch office or remote access location because the location of the requester in this demonstration is irrelevant,” the document said. “The demonstration playbook is not exhaustive, and it does not capture all possible demonstration cases. This playbook is still under development. Additional scenarios and use cases will be included in the next version as the implementations evolve and add capabilities.” 

As discussed in Volume B of the guide, the scenarios are limited to on-premises or public internet resources, and subject endpoints are located on-premises or at branch or remote locations. Only EIG approach solutions are present in the builds; microsegmentation and software-defined perimeter solutions are out of scope.

Earlier this year, the NCCoE collaborated with NIST’s Engineering Laboratory (EL) and cybersecurity technology providers to address the manufacturing sector’s cybersecurity challenges. As a result, nine vendors worked with the NCCoE to produce the guide titled ‘NIST Special Publication (SP) 1800-10, Protecting Information and System Integrity in Industrial Control System Environments.’ The document offers vetted information and guidance on ways manufacturers can strengthen operational technology (OT) systems to mitigate industrial control system integrity risks and protect the data these systems process.
