The National Security Agency (NSA) published a document to explain the advantages of implementing a zero-trust model.
The National Security Agency (NSA) recently published a document to explain the benefits of adopting a zero-trust model, and advice to navigate the process.
Modern infrastructure are complex environments that combine multiple technologies and that are exposed to sophisticated cyber threats.
A Zero-Trust security model eliminates implicit trust in any entities inside or outside the perimeter of an organization, instead, it recommends implementing authorization and authentication for any processes within the company.
“Zero Trust is a security model, a set of system design principles, and coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.” reads the document published by the “This security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”
This security model assumes a data-centric security approach and is based on security monitoring and granular risk-based access controls. The model applies the concept of least-privileged access for every resource and decision.
The adoption of this approach for modern dynamic threat environment requires:
- Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
- Assuming all requests for critical resources and all network traffic may be malicious.
- Assuming all devices and infrastructure may be compromised.
- Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.
For example, adopting a strong multi-factor authentication of users for Zero Trust environments, can reduce the risk of a data breach.
The implementation of this model could be a gradual process that requires additional resources, capabilities, and a strong commitment of the executives.
“NSA recommends embracing the Zero Trust security model when considering how to integrate Zero Trust concepts into an existing environment.” concludes the document. “Zero Trust efforts should be planned out as a continually maturing roadmap, from initial preparation to basic, intermediate, and advanced stages, with cybersecurity protection, response, and operations improving over time.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, cybersecurity)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
The National Security Agency (NSA) published a document to explain the advantages of implementing a zero-trust model.
The National Security Agency (NSA) recently published a document to explain the benefits of adopting a zero-trust model, and advice to navigate the process.
Modern infrastructure are complex environments that combine multiple technologies and that are exposed to sophisticated cyber threats.
A Zero-Trust security model eliminates implicit trust in any entities inside or outside the perimeter of an organization, instead, it recommends implementing authorization and authentication for any processes within the company.
“Zero Trust is a security model, a set of system design principles, and coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.” reads the document published by the “This security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”
This security model assumes a data-centric security approach and is based on security monitoring and granular risk-based access controls. The model applies the concept of least-privileged access for every resource and decision.
The adoption of this approach for modern dynamic threat environment requires:
- Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
- Assuming all requests for critical resources and all network traffic may be malicious.
- Assuming all devices and infrastructure may be compromised.
- Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.
For example, adopting a strong multi-factor authentication of users for Zero Trust environments, can reduce the risk of a data breach.
The implementation of this model could be a gradual process that requires additional resources, capabilities, and a strong commitment of the executives.
“NSA recommends embracing the Zero Trust security model when considering how to integrate Zero Trust concepts into an existing environment.” concludes the document. “Zero Trust efforts should be planned out as a continually maturing roadmap, from initial preparation to basic, intermediate, and advanced stages, with cybersecurity protection, response, and operations improving over time.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, cybersecurity)