Zero trust: NIST explains how to block hackers from within

The National Institute of Standards and Technology, or NIST, recently unveiled guidance about implementing zero-trust architecture, or ZTA, offering a valuable resource for organizations, particularly U.S. banks and credit unions, seeking to fortify their cybersecurity defenses.

While traditional perimeter-based defense models have served financial institutions for decades, they are now considered "antiquated" and "insufficient to prevent malicious actors from causing financial, operational, reputational and client harm," according to a 2022 report from the Bank Policy Institute, or BPI. The hardened network perimeter organizations historically relied upon for protection is "failing to prevent breaches," BPI said at the time.

Zero trust is a cybersecurity paradigm that assumes no user, application, service or device can be implicitly trusted, regardless of its physical or network location, or whether it's enterprise owned or personally owned. Zero trust focuses on continuous evaluation and verification of conditions and requests, ensuring that all access to enterprise resources is granted on a per-session basis with the least privileges necessary to complete the task.

To help organizations, including banks, implement zero trust, NIST detailed 19 examples of ZTA implementations using commercial, off-the-shelf technologies in the report released Wednesday, giving organizations multiple blueprint options for adopting their own architecture.

"This guidance gives you examples of how to deploy ZTAs and emphasizes the different technologies you need to implement them," said Alper Kerman, a NIST computer scientist and co-author of the publication, in a press release. "It can be a foundational starting point for any organization constructing its own ZTA."

How zero trust protects companies

A key cybersecurity vulnerability for any organization lies with individuals, who often become a weak link in security by allowing malicious actors to gain network access, for a variety of reasons including manipulation, negligence or bad faith.

Flat (i.e., non-segmented) network architectures exacerbate this problem, allowing threat actors, once inside, to move freely and gain unauthorized access to sensitive data, leading to potential data loss or critical system damage. The accelerating trend of remote work, mobile devices and the proliferation of cloud footprints further diminish the effectiveness of traditional perimeter controls.

ZTA directly addresses these critical shortcomings. It operates on the assumption that a malicious actor is "already within an FI's [financial institution's] network," according to the 2022 BPI report, and employs various strategies to reduce the likelihood of lateral movement and privilege escalation. The goal is to protect each individual enterprise resource, such as systems, applications and data, by adding real-time controls that restrict access.

Core objectives and benefits for financial institutions

Zero trust shifts financial institutions from a traditional perimeter-based protection model to an identity-centric model, continuously validating subjects and allowing access to data and applications based on business models, real-time signals and risk scores. In its report, BPI provided the following key objectives and benefits of a ZTA for financial institutions:

• Assuming malice until validated: ZTA "assumes that all subjects are malicious until the subject can validate its identity and the policy engine concludes that the subject has authorization to access the resource," according to BPI. This means explicit authentication and authorization for every access request.
• Reduced attack surface and improved data protection: By implementing granular access controls and micro-segmentation, ZTA limits the damage bad actors can inflict and makes it much harder for them to pivot from a compromised system. This significantly reduces the so-called splash associated with a breach and the dwell time an attacker can remain undetected.
• Enhanced visibility and faster breach detection: ZTA increases visibility into users, devices and network traffic, enabling anomaly detection and decreasing breach detection time.
• Support for modern workforces and operations: ZTA enhances the security of remote workers by centering security on identity, reducing reliance on perimeter controls. It also supports bring-your-own-device efforts, allowing approved personnel to securely access resources on personal devices. Furthermore, it facilitates mergers and acquisitions by simplifying the integration of new companies.
• Streamlined compliance and dynamic access: ZTA streamlines compliance reporting by increasing visibility into authentication and access events. It also allows for dynamic, contextual and policy-based access to enterprise resources through attribute-based access controls.

Zero Trust Architecture, explained through examples

The ZTA implementation guidance from NIST aims to "remove the shroud of complexity around designing for zero trust with 'how to' guides and example approaches," according to the National Cybersecurity Center of Excellence, or NCCOE, the NIST subdivision that worked on the publication.

The guide augments a 2020 publication from NIST that detailed the core concepts behind ZTA. The new publication provides more practical help for organizations to address their unique needs.

"Switching from traditional protection to zero trust requires a lot of changes," said NIST's Kerman. "You have to understand who's accessing what resources and why," and "everyone's network environments are different, so every ZTA is a custom build. It's not always easy to find ZTA experts who can get you there."

NCCOE partnered with 24 industry collaborators — including cloud providers Amazon Web Services and Google Cloud, identity management company Okta, and various cybersecurity companies — to build and implement the 19 example ZTA solutions in laboratory environments.

The effort involved installing, configuring and troubleshooting these implementations over four years. The guidance details the specific builds and covers a variety of approaches, such as enhanced identity governance, or EIG, which uses the identity of actors as the key component of policy creation, and software-defined perimeter, or SDP, which ​​involves using the network infrastructure to implement ZTA.

A phased journey to zero trust

As the new NIST document states, "There is no single approach for each organization to migrate to ZTA." Instead, the standards-maker recommends a phased journey for organizations to gradually evolve existing environments toward ZTA. Key steps highlighted in the new guidance include:

• Discover and inventory the existing environment: Organizations must identify and catalog all assets — hardware, software, applications, data and services — as these are the entities ZTA protects.
• Formulate access policy: Based on the inventoried resources, organizations formulate policies defining who can access each resource and under what conditions, adhering to least privilege principles.
• Identify existing capabilities: Organizations should inventory their current security technologies and capabilities to determine what can be repurposed, optimizing investment.
• Address gaps with risk-based approach: Using a risk-based approach, organizations should segment their infrastructure, protecting critical resources with policy enforcement points.
• Implement ZTA components incrementally: Organizations implement ZTA components, starting with foundational elements like identity, credential and access management solutions and multifactor authentication.
• Verify the implementation: Continuous monitoring of network traffic for suspicious activity, alongside periodic testing, ensures ZTA policies are effective and enforced correctly.
• Continuously improve and evolve: ZTA is an ongoing process, requiring adaptation to changes in threat landscapes, technology and organizational requirements.