Zero Trust Model: How It Looks to the NSA

The IT landscape is constantly evolving. Throughout 2020, we saw cybersecurity professionals change and adapt to the current situation to appropriately address many emerging cyber threats.

But as security professionals change their tactics and strategies, cybercriminals change theirs.

So, what can be done to combat this ebb and flow within cyberspace?

The National Security Agency (NSA) says that embracing a Zero Trust security model can better position organizations to secure sensitive data and systems.

This strategy, which has been gaining in popularity for years, takes on new urgency following the SolarWinds data breach, and also following the theft of FireEye's red team tools and news that attackers accessed some of Microsoft's source code.

How does the NSA define Zero Trust?

The NSA has released a report which dives into what Zero Trust is and why it is crucial for organizations to implement.

It says that many cybersecurity professionals have begun to fall behind due to the increasing complexity of emerging cloud, multi-cloud, and hybrid network environments. And it doesn't help that threat actors have become much more persistent and stealthy in recent years.

The Zero Trust principles present a solution to these problems. Here is how the NSA defines Zero Trust:

"Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. Zero Trust repeatedly questions the premise that users, devices, and network components should be
implicitly trusted based on their location within the network.

Zero Trust embeds comprehensive security monitoring; granular, dynamic, and risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus specifically on protecting critical assets (data) in real-time within a dynamic threat environment."

The NSA recommends that the Zero Trust model be considered for critical networks to include National Security Systems (NSS), Department of Defense (DoD) networks, and Defense Industrial Base (DIB) systems. 

However, many private organizations are looking to implement a Zero Trust model. Let's look at crucial steps for this, according to the NSA.

What is a Zero Trust mindset?

In order to address the current threat environment, the NSA has provided some pointers on how to adopt the Zero Trust mindset:

• "Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
• Assuming all requests for critical resources and all network traffic may be malicious.
• Assuming all devices and infrastructure may be compromised.
• Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations."

In addition to adopting the Zero Trust mindset, it also mentions some guiding principles to use:

• Never trust, always verify – Treat every user, device, application/ workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using dynamic security policies.
• Assume breach – Consciously operate and defend resources with the assumption that an adversary already has presence within the environment. Deny by default and heavily scrutinize all users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all configuration changes, resource accesses, and network traffic for suspicious activity.
• Verify explicitly – Access to all resources should be conducted in a consistent and secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access decisions to resources.

How do you leverage Zero Trust design concepts?

Now that you have the Zero Trust mindset and understand the basic guiding principles, a crucial next step is implementing a Zero Trust solution. Here is advice from the National Security Agency:

• Define mission outcomes – Derive the Zero Trust architecture from organization-specific mission requirements that identify the critical Data/Assets/Applications/Services (DAAS).
• Architect from the inside out – First, focus on protecting critical DAAS. Second, secure all paths to access them.
• Determine who/what needs access to the DAAS to create access control policies – Create security policies and apply them consistently across all environments (LAN, WAN, endpoint, perimeter, mobile, etc.).
• Inspect and log all traffic before acting – Establish full visibility of all activity across all layers from endpoints and the network to enable analytics that can detect suspicious activity.

There is no question the Zero Trust concept is rising in prominence among information security leaders; we often hear about it at SecureWorld conferences across North America.

And now there is further guidance on Zero Trust security models in the NSA Zero Trust security model report.