NIST publishes updated preliminary draft practice guide covering zero trust architecture, calls for public input

The National Institute of Standards and Technology (NIST) announced in a Friday bulletin the publication of the second preliminary draft practice guide covering zero trust architecture (ZTA). The agency rolled out updated versions of the NIST Cybersecurity Practice Guide SP 1800-35 Vol A-D covering three additional ZTA implementations that have been added to the guide since the previous drafts were published, and the first preliminary draft of SP 1800-35 Vol E that provides a risk analysis and mapping of ZTA security characteristics to cybersecurity standards and recommended practices. The agency seeks public comments online on or before Feb. 6, 2023.

The ZTA team within NIST’s National Cybersecurity Center of Excellence (NCCoE) released these documents and added that the guide will be updated as the project progresses. The second preliminary practice guide works toward helping organizations develop an implementation plan and identify milestones for gradually integrating ZTA into the organizational environment, using a risk-based approach.

The methodology adopted will support user access to resources, protect business assets and processes regardless of their location, limit insider threats and breaches, protect sensitive corporate information, improve visibility, perform real-time and continuous monitoring and logging, and provide policy-driven, risk-based assessment and enforcement of resource access.

“As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging,” the NCCoE wrote in a December statement. “Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general-purpose enterprise IT infrastructure on-premises and in the cloud.”

The NCCoE initiated this project in collaboration with industry participants to demonstrate several approaches to a ZTA applied to a conventional, general-purpose enterprise information technology (IT) infrastructure on-premises and in the cloud, which will be designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The example implementations integrate commercial and open-source products that leverage cybersecurity standards and recommended practices to showcase the robust security features of zero trust architectures.  

The project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement the cybersecurity reference designs for zero trust. 

The first document summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA implementations that align with the concepts and principles in NIST Special Publication (SP) 800-207, to protect conventional, general-purpose infrastructure. The goal is to enable organizations to thoughtfully apply ZTA controls that best protect their business while enabling them to operate as they need to.

The initial implementations focus on enhanced identity governance (EIG) deployment because EIG is seen as the foundational component of ZTA. “The identity-based controls provided by EIG are needed to secure and monitor administrative access to the ZTA infrastructure itself. Our EIG implementations use the identity of subjects and device health as the main determinants of access policy decisions, and we provide support for device discovery and protecting access to cloud-based resources,” the document added.

Depending on the current state of identity management in the enterprise, deploying EIG solutions is an initial key step that may be enhanced with the addition of identity protection solutions to monitor for identity compromise or misuse and that will be leveraged to support micro-segmentation and software-defined perimeter (SDP) deployment approaches.
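To make the EIG approach described above concrete, here is an added illustrative policy decision point that uses subject identity and device health as the main determinants of each access decision and records every decision for monitoring. This is example code written for this page, not code from the NCCoE builds, and the field names, risk levels and the 30-day patch threshold are assumptions.

```python
# Illustrative zero-trust policy decision point (PDP) in the EIG style:
# each request is evaluated from subject identity and device health,
# with no implicit trust from network location. Constructed example, not NCCoE code.
from dataclasses import dataclass
from typing import Literal

Decision = Literal["allow", "step_up", "deny"]

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset          # roles from the identity governance system (assumed field)
    mfa_verified: bool         # strong authentication completed this session
    identity_risk: str         # "low" | "medium" | "high", from identity-protection monitoring

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool              # discovered and enrolled by the enterprise
    disk_encrypted: bool
    patch_age_days: int

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str           # "public" | "internal" | "confidential"
    allowed_groups: frozenset

def device_healthy(d: Device, max_patch_age: int = 30) -> bool:
    """Device posture check used as a primary determinant of the decision (threshold assumed)."""
    return d.managed and d.disk_encrypted and d.patch_age_days <= max_patch_age

def decide(s: Subject, d: Device, r: Resource) -> Decision:
    """Per-request decision; the same subject can get a different answer as signals change."""
    if s.identity_risk == "high":
        return "deny"                       # identity compromise signal overrides everything
    if not (s.groups & r.allowed_groups):
        return "deny"                       # least privilege: authorization by role
    if r.sensitivity == "public":
        return "allow"
    if not device_healthy(d):
        return "deny"                       # an unhealthy device cannot reach internal data
    if r.sensitivity == "confidential" and (not s.mfa_verified or s.identity_risk == "medium"):
        return "step_up"                    # demand stronger authentication before granting
    return "allow"

def audit_record(s: Subject, d: Device, r: Resource) -> dict:
    """Log entry for continuous monitoring: every decision, allow or deny, is recorded."""
    return {"user": s.user, "device": d.device_id, "resource": r.name,
            "device_healthy": device_healthy(d), "decision": decide(s, d, r)}
```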

The second document has been designed to help address the existing challenges by building, demonstrating, and documenting several example ZTAs using products and technologies from a variety of different vendors. The example solutions are designed to provide secure authorized access to individual resources by enforcing enterprise security policy dynamically and in near-real-time. They restrict access to authenticated, authorized users and devices while flexibly supporting a complex set of diverse business use cases. 

The use cases involve legacy enterprise networks; remote workforces; use of the cloud; use of corporate-provided, bring-your-own-device (BYOD), and guest endpoints; collaboration with partners; guest users; and support for contractors and other authorized third parties. The concepts and principles in NIST SP 800-207 are applied to enterprise networks that are composed of pre-established devices and components and that store critical corporate assets and resources both on-premises and in the cloud.  

The third document helps users develop a plan for migrating to ZTA. It demonstrates a standards-based reference design for implementing a ZTA and provides users with the information they need to replicate five different implementations of this reference design. Each of these implementations, known as builds, is standards-based and aligns with the concepts and principles in NIST SP 800-207. 

The key advantage of the reference design is that it is modular and can be deployed in whole or in part, enabling organizations to incorporate ZTA into their legacy environments gradually, in a process of continuous improvement that brings them closer and closer to achieving the ZTA goals that they have prioritized based on risk, cost, and resources.

The fourth document provides functional demonstrations through use cases that have been defined to showcase ZTA security capabilities and the results of demonstrating them with each of the example implementations. This playbook is intended to guide the operator through the set of ZTA scenarios and use cases that have been defined for demonstration in this project. To reduce the number of iterations, some potential demonstrations have been omitted because they are not sufficiently different from another demonstration that has been included. 

The demonstration playbook is not exhaustive, and it does not capture all possible demonstration cases. As it is still under development, additional scenarios and use cases will be included in the next version, as the implementations evolve and add capabilities.

The fifth and latest document provides a risk assessment and maps ZTA security characteristics to cybersecurity standards and best practices. The reference architecture provides mappings between cybersecurity functions performed by the ZTA reference design’s logical components and security characteristics enumerated in relevant cybersecurity documents. These mappings are intended for any organization that is interested in implementing ZTA or that has begun or completed a ZTA implementation. The cybersecurity practice guide details how commercially available technology can be integrated and used to build various ZTAs.

The mappings also provide information on how ZTA cybersecurity functions from the NCCoE’s ZTA project are related to Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework—CSF) 1.1 Subcategories, NIST SP 800-53r5 (Security and Privacy Controls for Information Systems and Organizations) security controls, and the security measures defined in Security Measures for ‘EO-Critical Software’ Use Under Executive Order (EO) 14028, the order issued by U.S. President Joe Biden in May 2021.

Furthermore, all of the elements in these mappings—the ZTA cybersecurity functions, CSF Subcategories, SP 800-53 controls, and EO 14028 security measures—are concepts involving ways to reduce cybersecurity risk and meet compliance requirements involving sectors’ specific recommended practices. 

The NCCoE said that in future versions of the document, it may perform additional mappings between ZTA cybersecurity functions and security characteristics enumerated in other cybersecurity standards, directives, recommended practices, memoranda, etc.

Last week, the NIST released a bulletin inviting industry participants and other interested collaborators to participate in the NCCoE project, which focuses on responding to and recovering from a cyber incident within an operational technology (OT) environment. The NCCoE project focuses on the ‘Respond and Recover’ portions of the NIST CSF while guiding manufacturing organizations in designing mitigations into OT environments to address cyber incidents.
