8 things to watch out for in the NSTAC Zero Trust report
A number of sources and guidance from government agencies focused on zero trust are pouring in. Now, doubts about Zero Trust seem to have no place. In the United States, shortly after the release of the Federal Zero Trust Strategy, the National Security Telecommunications Advisory Committee (NSTAC) issued the Zero Trust and Trusted Identity Management report. ) ‘ was announced.
This report well summarizes the history of Zero Trust, which started in the private sector, and various Zero Trust-related activities, guidelines, and requirements that government agencies have consistently issued. A representative example is ‘ Executive Order 14028: National Cybersecurity Improvement ‘. Under this executive order, NSTAC focused on key issues including zero trust and trusted identity management.
The report also highlighted the challenges of implementing zero trust and the conditions for its realization. Adequate oversight and maturity indicators, transparency, and the need to focus on continual improvement are conditions that apply to the private sector as well as the federal government. Security leaders in the public and private sectors have compiled eight key points to note in the NSTAC report.
1. Zero Trust is a long-term, transformative effort
Most importantly, recognize that Zero Trust is a transformative activity that requires a long-term commitment of more than 10 years. Industry and organizational policy changes are also needed to begin the massive work of leading a zero-trust culture and radically redesigning an organization’s system of technological systems. Organizations contemplating the adoption of zero trust should always keep this in mind when they hear from solution providers claiming that they can become ‘zero trust compliant’ companies overnight.
2. Use the Zero Trust Guidelines
To gain knowledge of Zero Trust, you can turn to well-established guidelines and resources. For the United States : NIST 800-207: Zero Trust Architecture , Department of Defense (DoD) Zero Trust Reference Architecture , National Security Agency (NSA) Guide to Adoption of Zero Trust Security Model , Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity model , and the Federal Zero Trust Strategy of the Office of Management and Budget (OMB) . A variety of Zero Trust guidelines and documents can help businesses better understand the characteristics and recommendations of Zero Trust that attract large institutions such as the federal government, and the goals of each government.
The report also includes content from other sources, such as the CISA and NSA’s 5G Cloud Security Guidelines, highlighting fundamental aspects of zero trust, such as encryption, fine-graining, strong authentication, and the transformative role cloud computing can play in implementing zero trust. have.
3. Develop an implementation plan
As with all long-term, strategic projects, implementing zero trust requires planning. The NSTAC guidelines propose five steps for implementing zero trust.
Defining protective surfaces
Transaction flow mapping
Build a Zero Trust Architecture
Establish a zero trust policy
Network monitoring and maintenance
The five-step process emphasizes the need for an iterative and time-consuming process to achieve zero trust, and corrects the misconception that zero trust can be implemented simply by purchasing a product.
4. Align your zero trust strategy with your compliance requirements
It cannot be denied that pursuing zero trust is a tedious process. It is a process that requires input of cost, time and labor. However, pursuing zero trust does not negate traditional requirements such as compliance. The report highlights the need to articulate and align zero trust strategies with existing compliance requirements (FISMA in the US).
Organizations are already struggling to address existing reporting and compliance requirements, so if the two are not aligned, they are very likely to fail. The main recommendation is that NIST has mapped the control functions in 800-53 to zero trust so that the two efforts are performed together rather than isolated from each other.
The reality is that when organizations begin redesigning their systems and networks for zero trust, they may have to redo the tasks related to compliance and certification. In this case, if it is not automated, organizations and organizations will find it difficult to execute two tasks at the same time. This work is quite arduous. If Zero Trust is pursued separately, the burden will be further increased.
5. Build a Zero Trust Program Office
A dedicated office for the Zero Trust program, maximizing the use of shared services in key areas is also a recommendation and a requirement for achieving Zero Trust. The DoD recently established an office dedicated to the Zero Trust program. The NSTAC report emphasized that the federal government should do the same. It also helps create a dedicated department to run implementation guidelines, architectures, playbooks, and more.
These offices serve as a kind of central control point for speeding up Zero Trust implementation. Private organizations, especially large corporations, where each business unit often operates in silos, can do the same. Zero trust is a business-wide task that requires a central point of control for cohesion.
6. Share security services for specific functions
It’s good to share security services for specific functions, such as internet access asset discovery, based on a central program office. Shared IT/cybersecurity services can provide government agencies and organizations with several benefits, such as cost/licensing efficiencies, improved visibility, and increased effectiveness.
A sprawl of tools and siled solutions cannot build the enterprise-wide visibility and impact needed for Zero Trust to succeed, especially in large organizations like the DoD. The reality of tool sprawl has something to do with Zero Trust leading to market overheating and solution vendors riding the fad. The NSTAC report points out that the various solutions present challenges of management complexity, end-user integration and friction, and impede the success of Zero Trust.
7. Accelerate adoption with cloud services
As anyone who has worked in IT over the past few years will know, the cloud is a technology that plays an important role. Zero Trust is no exception. “The rapid adoption of cloud services will significantly accelerate the adoption of zero trust by federal agencies,” NSTAC noted. The benefits of the cloud cover all areas such as data, identity, and automation. Cloud adoption can also benefit institutions and organizations that need to cope with a growing remote workforce.
8. Effective identity management is essential for success
The final point is that identity is fundamental to zero trust. Both people and non-human entities are included in the ID. The guidance highlights the need for modern identity management solutions that address the modern cloud-native and remote workforce environments facing federal and private sector organizations. NIST 800-63-3: Digital ID Guidelines is a good starting point.
What we’ve looked at so far is just some of the recommendations and useful information on the opportunities and challenges of adopting zero trust. The NSTAC report will be a useful resource for any organization starting zero trust.