7 tenets of NIST's Zero Trust Architecture (ZTA)
Our Zero Trust whitepaper focuses on the Zero Trust approach for software development, specifically hosted web apps (APIs, microservices, background jobs and so on). For this reason, the Zero Trust tenets mentioned in the whitepaper have been adapted to be particularly relevant for developers building such hosted services, so they can write code that is secure by design, based on the Zero Trust model.
That said, it’s also useful to learn about the tenets of Zero Trust Architecture (ZTA) mentioned by National Institute of Standards and Technology (NIST), which deals with the security posture of the entire enterprise.
Seven tenets of NIST ZTA
I present a simplified summary of each of the tenets of NIST’s Zero Trust Architecture below, so that they are easy to remember. For a longer explanation, refer to the original NIST document (SP 800-207).
- All data sources and computing services are considered resources. Even personal devices owned by employees can be considered resources if they can access enterprise-owned resources.
- No trust is automatically assumed based on network location. All communication should be done in the most secure manner available. Access requests from every device must be verified with authentication and other methods, with no relaxation based on the device being on enterprise network.
- Access to resources is granted on a per-session basis, following the least privilege principle. Authorization to one resource will not automatically grant access to a different resource.
- Access to resources is determined by dynamic policy, which includes the set of access rules based on the observable state of the client identity and the requesting asset, as well as behavioural and environmental attributes.
- The enterprise establishes a continuous diagnostics and mitigation (CDM) system to monitor and measure the integrity and security posture of all devices and applications. Subverted, vulnerable or unmanaged (such as personal devices) assets may be denied or given limited access to secure and fully owned enterprise assets.
- The enterprise is expected to use Identity, Credential, and Access Management (ICAM) and asset management systems to enforce reauthentication, reauthorization as per the policy (time-based, new resource requested, resource modification, anomalous subject activity detected etc.), balancing security, availability, usability, and cost-efficiency.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture (e.g., to improve policy creation and enforcement).
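To make the tenets concrete for developers, here is an added illustration (not from the whitepaper or the NIST document) of a minimal policy decision point in Python that encodes tenets 2 through 6: network location is never consulted, every decision is per session and per resource, device posture and behavioural signals feed the policy, and reauthentication is triggered by policy rather than by a fixed login. The type and field names, the decision labels and the one-hour authentication age are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class DevicePosture(Enum):
    """Assumed posture values as a CDM system (tenet 5) might report them."""
    MANAGED_HEALTHY = "managed-healthy"
    MANAGED_VULNERABLE = "managed-vulnerable"
    UNMANAGED = "unmanaged"          # e.g. a personal device
    SUBVERTED = "subverted"          # known-compromised

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    on_corporate_network: bool       # carried for logging only; never used in a rule (tenet 2)
    device_posture: DevicePosture
    auth_age_seconds: int            # seconds since the last strong authentication
    anomalous_activity: bool         # behavioural signal from monitoring (tenets 4, 6)

@dataclass
class PolicyEngine:
    entitlements: dict[str, set[str]]            # subject -> resources it may request
    max_auth_age_seconds: int = 3600             # assumed reauthentication threshold (tenet 6)
    sessions: set[tuple[str, str]] = field(default_factory=set)  # granted (subject, resource)

    def decide(self, req: AccessRequest) -> tuple[str, str]:
        """Return (decision, reason); decision is allow, limited, reauthenticate or deny."""
        # Tenet 2: req.on_corporate_network is deliberately absent from every rule below.
        if req.device_posture is DevicePosture.SUBVERTED:
            return "deny", "device posture: subverted"
        # Tenet 6: policy-driven reauthentication on anomaly or stale authentication.
        if req.anomalous_activity or req.auth_age_seconds > self.max_auth_age_seconds:
            return "reauthenticate", "policy requires fresh authentication"
        # Tenet 3: entitlement is checked for this resource only.
        if req.resource not in self.entitlements.get(req.subject, set()):
            return "deny", "no entitlement for resource"
        # Tenet 5: vulnerable or unmanaged assets get limited access, not full access.
        if req.device_posture is not DevicePosture.MANAGED_HEALTHY:
            return "limited", f"device posture: {req.device_posture.value}"
        self.sessions.add((req.subject, req.resource))
        return "allow", "all checks passed"

    def has_session(self, subject: str, resource: str) -> bool:
        """Tenet 3: a session exists only for the exact resource that was granted."""
        return (subject, resource) in self.sessions
```

Wiring this into a real service would replace the constructed inputs with signals from the identity provider, the device management system and the monitoring pipeline.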
Build Zero Trust thinking for software development
Because Zero Trust is not just an approach; it’s a mindset.
You can also develop this mindset by going through the hands-on tutorials from the Zero Trust Thinking (ZTT) series. ZTT is brought to you by ASPSecurityKit, the first true security framework for ASP.NET and ServiceStack built from scratch on the Zero Trust model.