The core principles of Zero Trust – NIST
Note: This is part three of a five-part series on the origins and tenets of Zero Trust.
There are two organizations that helped define Zero Trust and advocate for widespread adoption. In this post, we will review the core principles as defined by NIST in the document we mentioned earlier.
The National Institute of Standards and Technology (NIST) is a laboratory and government agency created to promote U.S. innovation and industrial competitiveness. Under federal law, NIST is responsible for developing information security standards and guidelines. These standards and guidelines are mandatory for federal agencies but voluntary for most other organizations, which nonetheless adopt them widely.
NIST’s seven tenets of Zero Trust
NIST Special Publication 800-207 was created to “describe zero trust for enterprise security architects” and includes seven basic tenets of Zero Trust. Below are the tenets and an unofficial summary of each:
- All data sources and computing services are considered resources. Internet of Things (IoT), SaaS applications, printers, and other connected devices and services are included here.
- All communication is secured regardless of network location. Internal transaction requests from inside the network should meet the same security requirements as external requests.
- Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before access is granted, access is granted with the least privileges needed to complete the task, and authentication or authorization to one resource does not automatically grant access to a different resource.
- Access to resources is determined by dynamic policy — including the observable state of client identity, application/service, and the requesting asset — and may include other behavioral and environmental attributes. Policy is the set of access rules, based on attributes, that an organization assigns to a subject, data asset, or application. "Dynamic" means the decision depends on the current values of those attributes (who is asking, from what device, in what state, under what conditions) and can change when they change, rather than being fixed once at login.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted; assets found to be subverted, to have known vulnerabilities, or to be unmanaged by the enterprise should be treated differently from those in their most secure state.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed. Zero Trust is “a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication.”
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture. Ongoing collection of data provides insights to improve policy creation and enforcement.
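The list above stays at the level of principles. To show how tenets 2 through 6 combine in a single access decision, the following is an added illustration written for this post; it is not code from NIST SP 800-207 or from any product. The resource catalogue, the attribute names (`posture`, `managed`, `mfa`, `network`), the change window and the session lifetimes are all constructed for the example. A policy decision point evaluates each request from the current attributes of the subject, the asset, and the environment, deliberately ignores network location, grants only the specific action asked for, and returns a short-lived per-session grant rather than standing access.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass
class Subject:
    user: str
    roles: frozenset          # roles the identity provider asserts for this user
    mfa: bool                 # strong authentication completed in this session


@dataclass
class Asset:
    device_id: str
    managed: bool             # enrolled/enterprise-managed device
    posture: str              # "healthy", "degraded" or "unknown" (assumed to come from an endpoint agent)


@dataclass
class Environment:
    network: str              # "corp" or "internet"; tenet 2: this must NOT change the outcome
    hour_utc: int             # environmental attribute used by the policy below


@dataclass
class Request:
    subject: Subject
    asset: Asset
    env: Environment
    resource: str
    action: str               # "read" or "write"


@dataclass
class Decision:
    allow: bool
    reason: str
    ttl: timedelta = timedelta(0)   # lifetime of the per-session grant (tenet 3)


# Constructed catalogue: every data source and service is a resource (tenet 1),
# including the printer. Values are illustrative, not from NIST.
RESOURCES = {
    "hr-db":      {"sensitivity": "high", "roles": {"hr"},    "actions": {"read", "write"}},
    "wiki":       {"sensitivity": "low",  "roles": {"staff"}, "actions": {"read", "write"}},
    "printer-3f": {"sensitivity": "low",  "roles": {"staff"}, "actions": {"write"}},
}


def evaluate(req: Request) -> Decision:
    """Dynamic policy (tenet 4) evaluated per request; nothing is cached across resources."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, "unknown resource")
    high = res["sensitivity"] == "high"
    # Least privilege: the role must permit this resource AND this specific action.
    if not (req.subject.roles & res["roles"]):
        return Decision(False, "role not permitted for resource")
    if req.action not in res["actions"]:
        return Decision(False, "action not permitted on resource")
    # Authentication strength is judged the same way on the corporate LAN and on the internet.
    if high and not req.subject.mfa:
        return Decision(False, "MFA required")
    # Asset posture (tenet 5): a degraded/unknown or unmanaged device loses high-sensitivity access.
    if high and req.asset.posture != "healthy":
        return Decision(False, f"device posture {req.asset.posture}")
    if high and not req.asset.managed:
        return Decision(False, "unmanaged device")
    # Environmental attribute: writes to high-sensitivity data only inside a change window (assumed 07:00-20:00 UTC).
    if high and req.action == "write" and not 7 <= req.env.hour_utc < 20:
        return Decision(False, "outside change window")
    # Grant is bounded in time; the client must come back and be re-evaluated (tenet 6).
    ttl = timedelta(minutes=15) if high else timedelta(hours=8)
    return Decision(True, "policy satisfied", ttl)


def example_decisions() -> dict:
    """Constructed scenarios showing that attributes, not location, drive the outcome."""
    alice = Subject("alice", frozenset({"hr", "staff"}), mfa=True)
    laptop_ok = Asset("lt-001", managed=True, posture="healthy")
    laptop_bad = Asset("lt-001", managed=True, posture="degraded")
    return {
        # Remote, healthy device, MFA done: allowed, but only for 15 minutes.
        "remote_healthy": evaluate(Request(alice, laptop_ok, Environment("internet", 10), "hr-db", "read")),
        # Same user on the corporate LAN with a degraded device: denied; being "inside" buys nothing.
        "corp_degraded": evaluate(Request(alice, laptop_bad, Environment("corp", 10), "hr-db", "read")),
        # The degraded device still gets the low-sensitivity wiki: access is per resource.
        "corp_degraded_wiki": evaluate(Request(alice, laptop_bad, Environment("corp", 10), "wiki", "read")),
        # Right role and device, but a write outside the change window.
        "night_write": evaluate(Request(alice, laptop_ok, Environment("corp", 3), "hr-db", "write")),
    }


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name:20s} allow={decision.allow!s:5s} ttl={decision.ttl} ({decision.reason})")
```

Two design points are worth noting. `Environment.network` is carried in the request but never read by `evaluate`, which is the whole of tenet 2 in code form; if a reviewer finds a branch on it, the policy has regressed to perimeter thinking. And the returned `ttl` is what makes the grant per-session: the enforcement point is expected to drop the session when it expires and call `evaluate` again with fresh attributes, so a device whose posture degrades mid-day loses `hr-db` at the next re-evaluation without anyone editing a rule.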
These tenets outline what is needed to achieve the NIST definition of Zero Trust. They define resources, attributes, and the other components of the Zero Trust model, and they reinforce the message that every request must be verified and that least privilege applies to every request. The NIST document (SP 800-207, https://doi.org/10.6028/NIST.SP.800-207) should be considered required reading for anyone who wants a comprehensive understanding of Zero Trust.
The next post in this series will review The Open Group’s white paper on the core principles of Zero Trust and Boundaryless Information Flow™. You can read all posts in the series here.