OMNINET PLUS Blog

OMNINET Plus has been serving the Washington D.C. metropolitan area since 1994, providing IT Support such as technical help-desk support, computer support, and consulting to small and medium-sized businesses.

Tip of the Week: Examining NIST’s Definition of Zero Trust


Let me ask you something: how many people do you fundamentally trust? Well, in a zero trust network, that number is reduced to zero. The idea of such a network is that everyone, whether they’re operating inside of the network or out, needs to be verified… and as you might imagine, it has proven effective in preventing data breaches. 

Let’s take some time to break down the National Institute of Standards and Technology’s definition of zero trust, and the seven “tenets” that must be followed, as found in their Special Publication 800-207.

How Does NIST Define Zero Trust?

The definition appears in that special publication:

“Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”

In other words, zero trust seeks not only to make it more difficult for a threat to get in, but also to simplify the task of identifying how such a threat would get in.

NIST’s Seven Tenets, Reviewed

Let’s go through the list and discuss what a business must do to abide by each of these tenets.

“All data sources and computing services are considered resources.”

In other words, anything that connects to the network needs to abide by any security requirements and access controls that have been established on that network. 

“All communication is secured regardless of network location.”

Regardless of whether a device is on the network or not, all communication between it and other network resources needs to maintain the security it would have if external networks were involved.

“Access to individual enterprise resources is granted on a per-session basis.”

It is entirely possible that one of your users might only need one of your company’s assets for a limited time, if not for a single session. Locking down your business’ resources and requiring authentication each time these resources are accessed helps to limit the chance that unauthorized usage takes place.

“Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.”

The hard fact of the matter is that business technology is increasingly complicated, especially now that remote work has become a viable option. This gives the business access to a lot of data that can be used to help its authentication measures. Taking this data into account when determining access permissions in the moment can make a business’ access more secure.

“The enterprise monitors and measures the integrity and security posture of all owned and associated assets.”

At the risk of sounding cliché, zero trust means that you trust nothing and no one. As this would imply, the zero trust model requires all assets to be monitored constantly—whether an asset is owned by the workplace or the employee. This helps to prevent threats from intruding and ensures that patch management is handled appropriately.

“All resource authentication and authorization are dynamic and strictly enforced before access is allowed.”

Putting it simply, a zero trust approach continues to confirm access permissions even after the user has been initially confirmed and created in the system. This continuous process takes a lot of different inputs into consideration to determine whether trust can be given.

“The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.”

A zero trust policy is based on a business’ capability to keep track of everything in its network environment. The architecture that supports this kind of policy has three core components: the policy engine, the policy administrator, and the policy enforcement point. These components all collect data that benefits the decision-making processes of the system.
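To make the per-session and dynamic-policy tenets and the three components above concrete, here is a small sketch added for illustration; it is not code from NIST or from OMNINET PLUS. The policy engine decides, the policy administrator opens or revokes the session, and the enforcement point gates each access; every name, the entitlement table and the 300-second session lifetime are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    mfa_passed: bool
    device_patched: bool   # posture signal from asset monitoring
    resource: str
    on_corp_network: bool  # never consulted: location grants no trust

# Constructed sample policy: which user may reach which resource.
ENTITLEMENTS = {"alice": {"payroll-db"}, "bob": {"wiki"}}
SESSION_TTL = 300  # seconds a grant stays valid (assumed value)

def policy_engine(req: Request) -> bool:
    """Decide per request from identity, device state and entitlement."""
    return (req.mfa_passed and req.device_patched
            and req.resource in ENTITLEMENTS.get(req.user, set()))

class PolicyAdministrator:
    """Opens and revokes session grants according to the engine's decision."""
    def __init__(self):
        self.sessions = {}  # token -> (user, resource, expiry time)

    def open_session(self, req: Request, now: float):
        if not policy_engine(req):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (req.user, req.resource, now + SESSION_TTL)
        return token

    def revoke_user(self, user: str) -> None:
        """Drop every live grant for a user, e.g. after a posture change."""
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != user}

def enforcement_point(pa, token, resource: str, now: float) -> bool:
    """Gate in front of a resource: allow only a live grant for that resource."""
    session = pa.sessions.get(token)
    return bool(session) and session[1] == resource and now < session[2]

if __name__ == "__main__":
    pa = PolicyAdministrator()
    start = time.time()
    token = pa.open_session(Request("alice", True, True, "payroll-db", False), start)
    print("within session:", enforcement_point(pa, token, "payroll-db", start + 60))
    print("after expiry:  ", enforcement_point(pa, token, "payroll-db", start + 301))
```

Note that `on_corp_network` is carried in the request but never read by the decision, which is the point: being inside the network earns nothing.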

Interested in learning more about your business’ security and how to improve it? OMNINET PLUS can do you one better by actively monitoring your network for you. Give us a call at 301-869-6890 to learn more.
