In September 2019, NIST (National Institute of Standards and Technology) published the first draft of its Zero Trust Architecture (ZTA) for public feedback. A second draft was issued in February 2020 that incorporated industry feedback from the first cycle and solicited more comments. The document is extremely well written, and I would highly recommend all security and business continuity practitioners read it here.
The move to Zero Trust Architectures is firmly underway. NIST, Gartner, and Forrester are all recommending Zero Trust as a security design principle, particularly for provisioning and securing access to resources.
The NIST ZTA recognizes the reality of a modern, digital enterprise -- that apps and users have left the building. An increasing number of employees and contractors access corporate applications remotely today, and the applications themselves may be located anywhere. Traditional perimeter-based security approaches relied on most employees and applications operating within an implied trust zone, i.e., the enterprise network. The NIST ZTA works on the assumption that every access request, whether it comes from within the enterprise network or from outside, is hostile. This design principle works much better in an increasingly digital world.
The NIST ZTA offers very detailed recommendations on how organizations can secure their resources in the new digital reality. These recommendations are very timely in the current environment where enterprise business continuity plans are heavily focussed on securely enabling remote access use cases.
(Note: This NIST ZTA framework is currently in the draft stage and may change in its final version. Our opinions here are based on the current second draft published in February 2020)
These two quotes from the NIST document summarize Zero Trust well:
- Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets, and resources.
- Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered.
Perimeter-based network security controls are insufficient because they are designed to provide access to a segment of the network, not to an application or resource. This opens up the enterprise to more risk than is acceptable. What's more, attackers are actively exploiting vulnerabilities in common perimeter-based security appliances to compromise enterprise environments (as identified by the NSA and NIST in their advisories).
ZTA is different because it increases the focus on authentication and authorization prior to granting access on a per-resource basis and also on reducing the risk surface by design. Enhanced identity governance is one of the ways to achieve these goals. Figure 1 outlines NIST's abstracted model of Zero Trust Access:
In this model, the user's access request is evaluated by a policy decision point (PDP) and enforced by a policy enforcement point (PEP), which together make the decision about authentication and authorization. The logic behind the access decision should be based on the user's identity attributes, behaviour, device security posture, and external threat intelligence data, among other things. There is no implied trust in user access requests -- trust is continually evaluated in order to make each resource access decision. The ZTA infrastructure should shield the resource from discovery by attackers, thereby reducing the risk surface significantly. The idea is to minimize the implicit trust zone substantially by moving the policy enforcement point closer to the application.
Unlike the perimeter-based security model (which effectively provides access to a segment of a network), ZTA is focussed on a "least privilege" access model. This means the access decision and associated security policies are enforced at an application level, not a network level. This model therefore offers better support for hybrid environments where enterprises will have applications deployed on-premises as well as in the public cloud.
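The two paragraphs above describe the abstract model: a per-resource decision driven by identity, device posture and threat intelligence, with network location carrying no trust and the decision re-evaluated on every access. The toy policy decision point below is an added illustration (not Akamai's or NIST's code); the resource table, the threat-intelligence blocklist and the request values are constructed placeholders.

```python
import dataclasses
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset
    resource: str
    from_corp_network: bool   # present but deliberately NOT consulted: "no inside"
    device_compliant: bool    # device security posture signal
    mfa_passed: bool          # strong authentication signal
    source_ip: str

# Constructed least-privilege table: entitlements are per application, not per network segment.
RESOURCE_POLICY = {
    "hr-portal": {"hr", "admin"},
    "git": {"engineering", "admin"},
}
# Constructed threat-intelligence feed (placeholder address from a documentation range).
THREAT_INTEL_BLOCKLIST = {"203.0.113.7"}

def decide(req: AccessRequest):
    """Policy decision point: returns (allow, reason). Default deny; location is not a trust signal."""
    if req.resource not in RESOURCE_POLICY:
        return False, "unknown resource: default deny"
    if req.source_ip in THREAT_INTEL_BLOCKLIST:
        return False, "source flagged by threat intelligence"
    if not req.mfa_passed:
        return False, "strong authentication required"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if not (req.roles & RESOURCE_POLICY[req.resource]):
        return False, "subject not entitled to this resource"
    return True, "allow"

class Session:
    """PEP-side session: trust is re-evaluated on every access, not granted once at login."""
    def __init__(self, req: AccessRequest):
        self.req = req

    def access(self, **changed_signals) -> bool:
        # Fresh signals (e.g. device fell out of compliance) are folded into the next decision.
        self.req = dataclasses.replace(self.req, **changed_signals)
        return decide(self.req)[0]
```

Note that a request from inside the corporate network without MFA is refused, while a compliant remote request is admitted, and an established session loses access the moment device posture degrades.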
How can adopting the NIST ZTA help with business continuity efforts?
Zero Trust Architecture is based on the principle of "no inside." The design of the architecture is such that it treats access requests from within the corporate network with the same level of scrutiny as those coming from the outside. This architectural principle lends itself well to business continuity scenarios where organizations are having to enable mass-scale "work from home" scenarios in a very short time frame.
This quote from the NIST ZTA draft offers some insight into this dimension of ZTA:
- A ZTA makes many COOP (continuity of operations) factors easier as remote workers may have the same access to resources that they had on-premises.
Not all ZTA implementations are created equal, however. CISOs should ensure that their ZTA implementation can scale up rapidly without impacting application performance. It is also critical for the policy engine and its components to be resilient to attacks by malicious actors. This can be done by shielding the applications themselves from external discovery and by building DDoS protection into the PDP/PEP infrastructure. NIST recognizes the scalability and resiliency of the ZTA infrastructure as key evaluation criteria.
How can organizations go about adopting Zero Trust Architecture for improved business continuity?
NIST clearly recognizes that transitioning to ZTA is a journey:
- Transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology.
There are two dimensions to this journey: immediate and long term.
In the near term, given the current global drive to enable remote working and business continuity, enterprises are looking for rapid rollout of remote working arrangements. The ZTA implementation of choice should allow for this rapid rollout while improving the enterprise security posture and user experience.
In the medium to long term, enterprises should be prepared to operate in a hybrid environment which includes a mix of traditional perimeter-based approaches (such as VPNs) and newer ZTA concepts such as those described by NIST in their publication. CISOs should always be on the lookout for candidate applications to move to a ZTA -- NIST recognizes that the migration to ZTA will happen one business process at a time. Strong early candidates for moving to a ZTA include third-party/partner applications and cloud-hosted applications.
How can Akamai help?
Akamai's own internal journey towards ZTA began approximately three years ago. More details about key learnings from Akamai's own journey to ZTA can be found here.
The same technology that we use internally for our Zero Trust Architecture is available to our customers in the form of a cloud-based service called Enterprise Application Access (EAA). Several enterprises worldwide are using EAA as a strategic platform for their ZTA migration as well as to enable rapid business continuity capabilities in the current environment.
We recognize that a majority of organizations today need to quickly enable work-from-home (WFH) arrangements due to the ever-changing global scenario. Akamai is offering enterprises a 60-day free usage period for Enterprise Application Access to help manage the sudden increase in WFH requirements. Learn more about our Business Continuity Access Program here.