"Trust nothing, verify everything." (NIST)
What is Zero Trust?
The National Institute of Standards and Technology (NIST) defines Zero Trust as a set of concepts designed to minimize uncertainty in enforcing accurate, least privilege, per-request access decisions in a network that is viewed as already compromised.
As the rising number and increasing severity of cyber attacks show, including attacks on critical national infrastructure, building a defensive perimeter around the network is no longer sufficient. Perimeter-based security must give way to systems that continuously verify users and devices and tightly control access within the network. Moving towards a zero trust approach is critical to improving resilience and preventing attacks.
Zero Trust Principles
Least Privilege Access
Verify All Users
Zero trust architecture (ZTA) is based on a set of guiding principles designed to limit the number and severity of data breaches and to restrict lateral movement within the network.
NIST Special Publication 800-207 sets out seven basic tenets of zero trust: all data sources and computing services are treated as resources; all communication is secured regardless of network location; access to individual enterprise resources is granted on a per-session basis; access is determined by dynamic policy that considers the client identity, the application or service and the requesting asset; the enterprise monitors and measures the integrity and security posture of all owned and associated assets; authentication and authorization are dynamic and strictly enforced before access is allowed; and the enterprise collects as much information as possible about the current state of its assets, network infrastructure and communications and uses it to improve its security posture. NIST notes that these tenets describe the ideal goal and do not all need to be implemented in their purest form for a given ZT strategy.
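The following is an added illustration of the per-request, deny-by-default decision the tenets describe; it is not NIST text or any vendor's code. It models a minimal policy decision point: identity (including MFA), device posture freshness and an explicit least-privilege grant are all inputs, while the source network is recorded only for audit and never influences the decision, because the network is assumed compromised. The user, role, device and grant values are constructed for the example, and the 15-minute attestation window is an assumed policy setting.

```python
"""Per-request, deny-by-default access decisions (added illustration).

Every request is evaluated on identity, device posture and an explicit
least-privilege grant. Network location is deliberately not an input.
All names and policy values below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> set of (resource, action) pairs the role is explicitly allowed.
# Constructed least-privilege grants; anything not listed is denied.
GRANTS = {
    "payroll-clerk": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
}

MAX_POSTURE_AGE = timedelta(minutes=15)  # assumed: how fresh attestation must be


@dataclass
class Subject:
    user: str
    role: str
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool
    posture_compliant: bool
    last_attested: datetime


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_network: str  # kept for the audit record, never used in the decision


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def decide(req: Request, now: datetime) -> Decision:
    """Evaluate one request. Every check must pass; failures are accumulated
    so the audit log states exactly why access was refused."""
    reasons = []
    if not req.subject.mfa_verified:
        reasons.append("identity: MFA not satisfied for this session")
    if not req.device.managed:
        reasons.append("device: not enrolled/managed")
    if not req.device.posture_compliant:
        reasons.append("device: posture check failed")
    if now - req.device.last_attested > MAX_POSTURE_AGE:
        reasons.append("device: posture attestation is stale")
    allowed = GRANTS.get(req.subject.role, set())
    if (req.resource, req.action) not in allowed:
        reasons.append(f"policy: role {req.subject.role!r} has no grant for "
                       f"{req.action} on {req.resource}")
    return Decision(allow=not reasons, reasons=reasons)


def perimeter_decide(req: Request) -> bool:
    """The implicit-trust model being replaced: anything already 'inside' is allowed."""
    return req.source_network == "corp-lan"


def demo():
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    clerk = Subject("a.smith", "payroll-clerk", mfa_verified=False)
    laptop = Device("LT-0042", managed=True, posture_compliant=True,
                    last_attested=now - timedelta(minutes=5))
    # Request from inside the corporate LAN, but without MFA.
    inside = Request(clerk, laptop, "payroll-db", "read", "corp-lan")
    # Same user after completing MFA, asking for a write they were never granted.
    stepped_up = Subject("a.smith", "payroll-clerk", mfa_verified=True)
    overreach = Request(stepped_up, laptop, "payroll-db", "write", "corp-lan")
    # Properly scoped request arriving from an untrusted network.
    scoped = Request(stepped_up, laptop, "payroll-db", "read", "coffee-shop-wifi")
    return {
        "perimeter_allows_inside": perimeter_decide(inside),
        "zt_inside": decide(inside, now),
        "zt_overreach": decide(overreach, now),
        "zt_scoped": decide(scoped, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The contrast worth noting is the first two requests: the perimeter model admits the un-verified session simply because it originates on the corporate LAN, while the zero trust decision refuses it and, once MFA is satisfied, still refuses the write the role was never granted. The third request is allowed despite coming from an untrusted network, which is the point of removing network location from the decision.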
Zero Trust Requirements for U.S. Federal Agencies
President Biden's May 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028) first set the expectation that all federal agencies would implement zero trust architecture within their networks. In January 2022, Office of Management and Budget (OMB) memorandum M-22-09 then set out a federal ZTA strategy that requires all federal agencies to meet specific goals by the end of fiscal year 2024.
In the memorandum, the OMB organizes its zero trust strategic goals around the Cybersecurity & Infrastructure Security Agency's (CISA) five pillars: Identity, Devices, Networks, Applications and Workloads, and Data.
The Challenge for Federal Agencies
Federal agencies face several challenges as they transition to zero trust. Most legacy systems are built on implicit trust, which conflicts with the core principles of zero trust architecture, and replacing them comes at significant cost. A lack of consensus on a zero trust maturity model is also slowing progress, and many current initiatives concentrate on the network layer rather than taking a holistic approach.
The Zero Trust Maturity Model
The Department of Defense's (DoD) Zero Trust Maturity Model describes five distinct stages of maturity, beginning with preparation and then progressing through increasingly capable controls.
Zero Trust is presented not as a single technology but as an evolution of capabilities and controls: an organization first identifies and assesses its current state, then develops its capabilities and controls to move through the maturity levels from baseline to advanced.
Zero Trust Security for Private Sector Organizations
Private sector organizations are also shifting to a zero trust mindset. According to a recent Market Dynamics Survey, 80% of organizations in other sectors now plan to adopt a zero trust security strategy.
These organizations recognize that failing to carefully control access within their networks could severely disrupt day-to-day operations and cause significant financial and reputational harm.
Zero Trust for PCI Compliance
Verifying, rather than trusting, that devices maintain a secure configuration is a core zero trust principle, and one that progressive frameworks such as PCI DSS have incorporated in recent updates to their standards.
PCI DSS v4.0 was released in early 2022 in response to increasingly sophisticated cyber attacks. The latest version of the standard recognizes that security must be a continuous process: rather than relying on point-in-time, calendar-driven audits, organizations are encouraged to adopt continuous security assessment and reporting.
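To make "verify rather than trust" and "continuous rather than time-based" concrete, here is an added example that is not part of the original page and is not Nipper's logic: a small set of generic checks run over a Cisco IOS-style running configuration, plus a drift comparison so the same checks can be applied to every configuration pull rather than once per audit cycle. Both configuration snippets are constructed for the example, and the checks are an illustrative baseline, not a complete benchmark.

```python
"""Verify, don't trust, that a device still holds a secure configuration.

Added example with generic checks over a constructed Cisco IOS-style config.
audit_config() returns the failed checks for one snapshot; drift() compares
two consecutive audits so changes surface as soon as the next pull happens.
"""
import re

# Constructed "yesterday" snapshot: compliant against the checks below.
BASELINE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
enable secret 5 $1$abcd$XXXXXXXXXXXXXXXXXXXXXX
no ip http server
ip http secure-server
snmp-server community Zr7!kq2# RO 10
line vty 0 4
 transport input ssh
"""

# Constructed "today" snapshot: HTTP and telnet re-enabled, default SNMP community added.
CURRENT_CONFIG = """\
hostname edge-rtr-1
service password-encryption
enable secret 5 $1$abcd$XXXXXXXXXXXXXXXXXXXXXX
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""


def audit_config(cfg: str) -> set[str]:
    """Return the set of failed check IDs (with a short message) for one config."""
    lines = [l.rstrip() for l in cfg.splitlines()]
    findings = set()
    if "service password-encryption" not in lines:
        findings.add("PWD-ENC: service password-encryption not set")
    if any(l.startswith("enable password") for l in lines):
        findings.add("ENABLE-PWD: 'enable password' used instead of 'enable secret'")
    if not any(l.startswith("enable secret") for l in lines):
        findings.add("ENABLE-SECRET: no 'enable secret' configured")
    if "ip http server" in lines:
        findings.add("HTTP: cleartext HTTP management server enabled")
    for l in lines:
        # snmp-server community <string> [RO|RW] [access-list]
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", l)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in {"public", "private"}:
                findings.add(f"SNMP-DEFAULT: default community {community!r}")
            if mode == "RW":
                findings.add(f"SNMP-RW: read-write community {community!r}")
            if acl is None:
                findings.add(f"SNMP-ACL: community {community!r} not restricted by ACL")
    for l in lines:
        # vty 'transport input' lines are indented; any mention of telnet fails
        s = l.strip()
        if s.startswith("transport input") and "telnet" in s.split():
            findings.add("VTY-TELNET: telnet permitted on vty lines")
    return findings


def drift(previous: set[str], current: set[str]) -> dict[str, set[str]]:
    """Findings that appeared or were fixed between two consecutive audits."""
    return {"new": current - previous, "resolved": previous - current}


if __name__ == "__main__":
    before = audit_config(BASELINE_CONFIG)
    after = audit_config(CURRENT_CONFIG)
    for finding in sorted(drift(before, after)["new"]):
        print("NEW:", finding)
```

Run against each configuration pull, the drift output is what a continuous process acts on: the four regressions in the constructed "today" snapshot would be visible on the next pull instead of at the next scheduled audit.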
At the recent PCI Europe Community Meeting in Milan, Phil Lewis, Titania CEO, discussed how adopting a zero trust mindset, combined with accurate, risk- and remediation-focused automation, helps organizations continually validate that users, networks and applications can be trusted, and ultimately deliver security through PCI DSS v4.0 compliance.
How Nipper and Nipper Enterprise Support Zero Trust Maturity
Nipper and Nipper Enterprise can support organizations on their road to Zero Trust maturity. Nipper solutions are designed to give network owners full visibility of misconfigurations in their network devices, complete with risk-prioritized remediation recommendations.
Find out more about how Nipper solutions can help your organization prepare for zero trust and transition to zero trust capabilities and controls.