NSA Issues Guidance on 'Zero Trust' ImplementationAdvises Implementing the Model for Critical Networks Within National Security Systems
The U.S. National Security Agency has issued "zero trust" guidance aimed at securing critical networks and sensitive data within key federal agencies. The NSA adds it is also assisting Defense Department customers with the zero trust implementations.
The new guidance issued Thursday describes some of the basic zero trust principles, such as "assume breach," and lays down zero trust design concepts. It also describes threat scenarios and how organizations can prevent these attacks using the zero trust model.
"NSA strongly recommends that a zero trust security model be considered for all critical networks within national security systems, the Department of Defense’s critical networks and Defense Industrial Base critical networks and systems," the guidance states. "Adopting zero trust will enable systems administrators to control how users, processes and devices engage with data. These principles can prevent the abuse of compromised user credentials, remote exploitation or insider threats and even mitigate effects of supply chain malicious activity."
Zero Trust Design Concept
The NSA describes four key elements that organizations should consider before implementing zero trust models.
- Define mission outcomes: Adopt zero trust models after determining organization-specific requirements based on their critical data, assets, applications and services, or DASS.
- Architect from the inside out: Protect critical DASS first and then secure all paths to access them.
- Define access: Define access to DAAS and create access control policies and apply them consistently across all environments, such as LAN, WAN, endpoint, perimeter and mobile.
- Inspect and log all traffic before acting: Ensure there is full visibility to all activity across all layers from endpoints to the network to enable analytics that can detect suspicious activity.
The agency describes three attack scenarios and how zero trust models can help prevent these attacks.
- Compromised user credentials: When hackers use compromised credentials, they usually use an unauthorized device, either through remote access or with a rogue device joining the organization’s wireless LAN. By deploying zero trust, the NSA says, organizations can prevent unauthorized checks and ensure access is denied and any malicious activity is logged.
- Remote exploitation or insider threat: In an environment not using the zero trust model, hackers use credentials, enumerate the network, escalate privileges and move laterally to compromise vast stores of data. With the zero trust model in place, the compromised user’s credentials and the hacker's device are already assumed to be malicious, and the network is segmented, limiting both enumeration and lateral movement opportunities.
- Compromised supply chain: With zero trust, embedding of malicious codes into popular enterprise network devices or applications can be avoided because malicious applications will not be inherently trusted. Through a mature implementation of zero trust, data would be tightly controlled, minimized, monitored and segmented.
Need for Zero Trust
Kevin Dunne, president at security firm Greenlight, says government agencies need to implement tight security standards because they are the most frequent targets of hackers. He notes, however, that the private sector is equally vulnerable to cyberthreats.
"Any organization that is uncertain about the value of zero trust should start with an audit of their identities, networks, devices and applications. Undoubtedly, they will find cases of shadow IT, zombie accounts and over-privileged users that represent clear and present danger," Dunne says. "Implementing a zero trust model across identities, networks, devices and applications can be the difference between a limited hack with insignificant damage or a major incident with loss of critical data."
Joseph Carson, advisory CISO at Thycotic, notes that one significant drawback with zero trust is its limitation to focus on the business value. "The term zero trust resonates best within the security and risk teams. However, with the business it is just another security control," Carson says. "Moving forward, the top focus of security must be on how it adds business value followed by how it reduces business risks and increases business resilience. Unfortunately, for now, we continue to focus on the threats.”