NIST SP 800-207 Zero Trust Architecture
NIST Special Publication 800-207, titled "Zero Trust Architecture (ZTA)", is a foundational cybersecurity framework published by the National Institute of Standards and Technology (NIST) in August 2020. It redefines how organizations should approach security in a world where traditional network perimeters are no longer sufficient.
What Is Zero Trust?
Zero Trust (ZT) is a security model in which no user, device, or workload is trusted by default, regardless of whether it sits inside or outside the network perimeter. NIST phrases it as granting no implicit trust to assets or accounts based solely on their physical or network location or on who owns them. Every access request must be:
- Explicitly verified
- Continuously validated
- Contextually evaluated
This model is a response to modern threats, remote work, BYOD (Bring Your Own Device), and cloud computing.
Core Principles of NIST SP 800-207
NIST outlines seven core tenets of Zero Trust (Section 2.1 of SP 800-207):
1. All data sources and computing services are considered resources.
2. All communication is secured, regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis, not permanently.
4. Access is determined by dynamic policy that takes into account client identity, the application or service, and the observable state of the requesting asset, plus other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it to improve its security posture and refine policy.
Key Components of Zero Trust Architecture
NIST SP 800-207 defines a modular architecture with these core logical components:
Policy Engine (PE): Makes the allow/deny decision for a request, using enterprise policy together with external inputs such as identity data, device posture, threat intelligence, and activity logs. It decides but does not enforce.
Policy Administrator (PA): Executes the PE's decision by establishing or shutting down the communication path between subject and resource, typically by issuing session-specific credentials or tokens and sending commands to the PEP. PE and PA together form the Policy Decision Point (PDP).
Policy Enforcement Point (PEP): Sits in the data path in front of the resource and enables, monitors, and terminates connections between subjects and resources according to the PDP's instructions.
These components work together to ensure that access is granular, dynamic, and revocable: a grant applies to one session and one resource, and the PA can tear it down when the PE's inputs change.
Zero Trust Workflow
A typical ZTA access flow looks like this:
1. A subject (user, service, or device) requests access to a resource.
2. The PEP intercepts the request and forwards it to the PDP rather than passing it through.
3. The PA asks the PE to evaluate the request against policy, identity, device posture, and context.
4. If the PE approves, the PA issues a session-bound credential and configures the PEP; the PEP then admits traffic for that session only.
5. The PEP keeps checking the session (for example, expiry and continued device compliance) and the PA terminates it when the decision no longer holds.
This model shrinks the "implicit trust zone" to the smallest practical size and reduces lateral movement risk, because reaching one resource does not grant a path to any other.
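The following is an added example written for this page, not code from NIST SP 800-207 or any vendor product, showing the PE/PA/PEP split and the per-session workflow above as a single runnable program. The policy table, roles, risk thresholds, device attributes and the HMAC-based session token are all constructed assumptions for illustration; a real deployment would take identity from an IdP, posture from an endpoint agent, and risk from an analytics feed, and would use a standard token format.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AccessRequest:
    """What the PEP forwards to the policy decision point for one access attempt."""
    subject: str
    resource: str
    action: str
    mfa_verified: bool
    device_id: str
    device_compliant: bool  # e.g. disk encrypted, EDR healthy (hypothetical posture agent)
    risk_score: int         # 0-100 from a hypothetical analytics feed
    network: str            # "corp", "vpn" or "internet": recorded, never a basis for trust


# Constructed attribute-based policy: permitted roles, risk ceiling, MFA requirement.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "max_risk": 30, "require_mfa": True},
    "wiki": {"roles": {"finance", "eng"}, "max_risk": 70, "require_mfa": False},
}
ROLES = {"alice": {"finance"}, "bob": {"eng"}}  # constructed identity data


class PolicyEngine:
    """PE: combines identity, device posture and context into an allow/deny decision."""

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        rule = POLICY.get(req.resource)
        if rule is None:
            return False, "unknown resource"
        if not ROLES.get(req.subject, set()) & rule["roles"]:
            return False, "role not permitted"
        if rule["require_mfa"] and not req.mfa_verified:
            return False, "mfa required"
        if not req.device_compliant:
            return False, "device posture non-compliant"
        if req.risk_score > rule["max_risk"]:
            return False, "risk score above threshold"
        return True, "allow"


class PolicyAdministrator:
    """PA: turns a PE allow into a short-lived credential bound to one subject,
    device, resource and action. Nothing is granted permanently."""

    def __init__(self, engine: PolicyEngine, key: bytes, ttl: int = 300):
        self.engine, self.key, self.ttl = engine, key, ttl

    def authorize(self, req: AccessRequest, now: Optional[float] = None):
        now = time.time() if now is None else now
        allowed, reason = self.engine.decide(req)
        if not allowed:
            return None, reason
        claims = {"sub": req.subject, "dev": req.device_id, "res": req.resource,
                  "act": req.action, "exp": now + self.ttl, "sid": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}, reason


class PolicyEnforcementPoint:
    """PEP in front of one resource: admits a request only with a valid, unexpired
    credential whose claims match the caller, the device and this resource."""

    def __init__(self, resource: str, key: bytes):
        self.resource, self.key = resource, key

    def admit(self, token, subject: str, device_id: str, action: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if token is None:
            return False, "no session credential"
        expected = hmac.new(self.key, token["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False, "bad signature"
        c = json.loads(token["payload"])
        if c["exp"] <= now:
            return False, "session expired; re-authorize"
        if (c["sub"], c["dev"], c["res"], c["act"]) != (subject, device_id, self.resource, action):
            return False, "credential not bound to this subject/device/resource"
        return True, "admitted"


def run_flow(req: AccessRequest, pa: PolicyAdministrator, pep: PolicyEnforcementPoint,
             now: float, elapsed: float = 0.0) -> Tuple[bool, str]:
    """Workflow steps: PEP receives the request, asks the PA/PE, then enforces the
    result `elapsed` seconds later (to show that a grant is per session, not forever)."""
    token, reason = pa.authorize(req, now=now)
    if token is None:
        return False, reason
    return pep.admit(token, req.subject, req.device_id, req.action, now=now + elapsed)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a per-PEP secret or a signing key pair
    pa = PolicyAdministrator(PolicyEngine(), key, ttl=300)
    pep = PolicyEnforcementPoint("payroll-db", key)
    req = AccessRequest("alice", "payroll-db", "read", True, "lap-01", True, 10, "internet")
    print(run_flow(req, pa, pep, now=1000.0))
    print(run_flow(req, pa, pep, now=1000.0, elapsed=301))
```

Two design points are worth noticing. First, the PEP never consults the policy table itself; it only verifies a credential the PA minted, so the decision logic lives in one place and the enforcement point stays simple. Second, the credential is bound to subject, device, resource and action and expires after `ttl` seconds, so a token captured from one session cannot be replayed against another resource or from another device, and continued access requires going back through the PDP.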
Deployment Models
NIST SP 800-207 (Section 3) outlines three approaches to building a ZTA. They are not mutually exclusive; each leans on a different enforcement mechanism:
1. Enhanced Identity Governance: Identity is the primary policy input. An IdP, MFA, and SSO feed the PE, and access is controlled at the application level, which suits environments with many cloud-hosted or SaaS resources.
2. Logical Micro-segmentation: Workloads and resources are isolated behind their own enforcement points using software-defined networking, next-generation firewalls, or host-based agents, so compromise of one segment does not expose the others.
3. Network Infrastructure and Software-Defined Perimeter (SDP): The PA configures the network so that an authenticated client gets an encrypted, per-session path to the resource and nothing else is reachable.
Most organizations adopt a hybrid approach tailored to their infrastructure and maturity level.
Implementation Strategy
NIST recommends a phased migration (Section 7.3) rather than a big-bang replacement:
1. Identify actors: the users, service accounts, and devices that will request access.
2. Inventory assets and data flows, including unmanaged devices and shadow IT, since resources you cannot see cannot be placed behind a PEP.
3. Identify key workflows, rank them by risk, and formulate access policies for a candidate workflow.
4. Select candidate solutions and pilot in a small, well-understood environment.
5. Monitor, adjust policy using the collected telemetry, and expand to further workflows.
This keeps disruption low and visibility high during rollout.
Real-World Threat Mitigation
ZTA helps mitigate:
- Lateral movement, because micro-segmentation and per-resource PEPs mean a foothold on one host does not reach the next
- Credential theft and replay, through MFA, short-lived session credentials, and binding sessions to a specific device and resource
- Insider threats, through least privilege and behavioral monitoring that feeds the PE's risk inputs
- Supply chain attacks, by treating workloads as resources whose integrity is attested and whose artifacts are signed before they are granted access
Compliance and Alignment
SP 800-207 is not itself a control catalog or a certification standard, but its tenets map onto controls in, and are referenced by:
- NIST SP 800-53 Rev. 5 (access control, identification and authentication, and system monitoring control families)
- CMMC 2.0
- ISO/IEC 27001
- CIS Controls v8
- Executive Order 14028, which directs U.S. federal agencies to develop plans for Zero Trust Architecture and points to SP 800-207 as the reference
This makes it a strong foundation for both security engineering and regulatory compliance.