New NIST Zero Trust Guidance Reinforces Agent Hygiene Value
This week, the National Institute of Standards and Technology (NIST) released “Implementing a Zero Trust Architecture (NIST SP 1800-35)” for public comment. The guide is written by NIST’s National Cybersecurity Center of Excellence (NCCoE) in collaboration with 24 cybersecurity companies.
The guide is now in its fourth draft, and the NCCoE has opened it for comment through Sept. 30, 2024, as part of a 60-day review cycle. The NCCoE describes the need for improved network security in the project abstract as follows:
“The proliferation of cloud computing, mobile device use and the Internet of Things has dissolved conventional network boundaries … Organizations must evolve to provide secure access to company resources from any location and asset, protect interactions with business partners, and shield client-server as well as inter-server communications.”
The goal of this project is to help those who are rethinking or beginning to design for Zero Trust and who need practical advice. The NCCoE wants to show how to architect and create Zero Trust environments using today’s technology, with ‘how to’ guides and real-world examples.
“I was glad to see this coming together and have used it multiple times as a great primer for people who are getting serious about ZT Architecture,” says Tim Jones, Regional Vice President of Systems Engineering for US Federal, at Forescout. “The common business items within and the art of the possibility hit home on reducing the risk of cyber attacks.”
Since 2018, Forescout has been a proud collaborating vendor in this project as part of the National Cybersecurity Excellence Partnership (NCEP) program.
We highly encourage security practitioners to read, share and give feedback on the guidance during this open comment time period.
How Forescout Participated in NIST SP 1800-35
To be clear, our participation in this project is not an endorsement from NIST NCCoE of Forescout or any of the 24 collaborating vendors.
To test and verify ZTA compliance, Forescout used its native Policy-Decision Engine to discover the vendor ZTA agents on each endpoint and check their hygiene. If our solution did not find an agent, host-based remediation actions were taken and/or the endpoint’s network access was restricted.
More specifically, Forescout was used to verify several crucial areas within ZTA, including enhanced identity governance (EIG), software-defined perimeters (SDP), network segmentation (‘microsegmentation’), and secure access service edge (SASE) for many commonly used network and cloud computing technologies.
NCCoE has this to say in its SDP, Microsegmentation, and SASE Phase Findings of the report:
“Endpoint compliance is essential for security. It is important to have tools that are capable of detecting when an endpoint is not compliant and ensuring that the endpoint is not permitted to access resources as a result. Furthermore, automatic solutions to remediate noncompliance issues on the endpoint should be deployed when possible, and these should be integrated with the organization’s configuration and patch management systems.”
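The agent-hygiene flow described above (discover the ZTA agent on each endpoint, then remediate or restrict access when it is missing or unhealthy) can be expressed as a small policy-decision routine. This is an added illustration, not Forescout or NCCoE code; the endpoint records, agent name and minimum version are constructed values.

```python
"""Endpoint-compliance policy decision modelled on the agent-hygiene flow
described on this page. Added illustration; not Forescout or NCCoE code.
Endpoint inventory, agent name and version threshold are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # agent present and healthy: normal access
    REMEDIATE = "remediate"  # agent present but stopped/stale: host-based fix
    RESTRICT = "restrict"    # no agent found: restrict network access


@dataclass
class Endpoint:
    host: str
    # agent name -> {"running": bool, "version": "x.y.z"} as reported by discovery
    agents: dict = field(default_factory=dict)


# Constructed policy: the ZTA agent that must be present, and its minimum version.
REQUIRED_AGENTS = {"zta-agent": (2, 4, 0)}


def parse_version(text):
    """Turn "2.5.1" into (2, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def evaluate(endpoint):
    """Return (Decision, list of remediation/enforcement actions) for one endpoint."""
    actions = []
    for name, min_version in REQUIRED_AGENTS.items():
        info = endpoint.agents.get(name)
        if info is None:
            # Nothing to remediate through on the host, so enforce at the network.
            return Decision.RESTRICT, [f"quarantine {endpoint.host}", f"install {name}"]
        if not info["running"]:
            actions.append(f"start {name} on {endpoint.host}")
        if parse_version(info["version"]) < min_version:
            wanted = ".".join(str(n) for n in min_version)
            actions.append(f"upgrade {name} on {endpoint.host} to {wanted}")
    return (Decision.REMEDIATE, actions) if actions else (Decision.ALLOW, [])


def decide_all(endpoints):
    """Map host -> decision string for a whole discovered inventory."""
    return {ep.host: evaluate(ep)[0].value for ep in endpoints}


# Constructed discovery results covering the healthy, stopped, stale and absent cases.
SAMPLE_INVENTORY = [
    Endpoint("lap-01", {"zta-agent": {"running": True, "version": "2.5.1"}}),
    Endpoint("lap-02", {"zta-agent": {"running": False, "version": "2.4.0"}}),
    Endpoint("lap-03", {"zta-agent": {"running": True, "version": "2.3.9"}}),
    Endpoint("srv-04"),
]
```

Running `decide_all(SAMPLE_INVENTORY)` yields one decision per host, and `evaluate` lists the concrete actions a remediation or patch-management integration would carry out.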
Forescout continues to contribute feedback to this project.
Key Takeaways from the NIST Zero Trust Guide
In the Introduction section, the draft guide lays out who it is for, how to use it and its scope. The intended audience is medium to large enterprises. As for scope, this paper does not cover ZTA for Industrial Control Systems (ICS) or Operational Technology (OT). The NCCoE says “[a]pplication of ZTA principles to these environments would be part of a separate project.” However, the NCCoE does provide related information for IoT and manufacturing.
Here are the section headers for the “Zero Trust Journey Takeaways” from the guide:
- Discover and inventory the existing environment
- Formulate access policy to support the mission and business use cases
- Identify existing security capabilities and technology
- Eliminate gaps in Zero Trust policy and processes by applying a risk-based approach based on the value of data
- Implement ZTA components (people, process, and technology) and incrementally leverage deployed security solutions
- Verify the implementation to support zero trust outcomes
- Continuously improve and evolve due to changes in threat landscape, mission, technology and regulations
Each of these takeaways is supported by detailed explanations and recommendations. We encourage security practitioners to review the entire document.
Here is a snapshot of the discover and inventory takeaway:
“The first step any organization should take on its zero-trust journey is to identify all of its assets by determining what resources it has in its existing environment (hardware, software, applications, data, and services). This may involve deploying tools that monitor traffic to discover what resources are active and being accessed and used. It is necessary to have a complete understanding and inventory of the organization’s resources because these are the entities that the zero-trust architecture will be designed to protect. If resources are overlooked, it’s likely that they won’t be appropriately protected by the ZTA. They could be vulnerable to exfiltration, modification, deletion, denial-of-service, or other types of attack. It is imperative that all of the organization’s resources, whether on-premises or cloud-based, be identified and inventoried.
“Discovery tools that are used to identify organization resources may do so, for example, by monitoring transaction flows and communication patterns. These tools may also be useful in helping the organization identify the business and access rules that are currently being enforced, and in identifying access patterns that business operations require. Understanding how resources are accessed, by whom, and in what context will help the organization formulate its access policies. In addition, once the organization has begun deploying a ZTA, continuing to use the discovery tools to observe the environment can be helpful to the organization as it audits and validates the ZTA on an ongoing basis.”