Executive Summary

Note: This page is supplementary material for the NIST SP 1800-35 publication.

A zero trust architecture (ZTA) can help your organization protect its data and resources no matter where they are located. A ZTA can also enable your workforce, contractors, partners, and other authorized parties to securely access the data and resources they need from anywhere at any time. ZTAs implement a risk-based approach to cybersecurity—continuously evaluating and verifying conditions and requests to decide which access requests should be permitted, then ensuring that each access is properly safeguarded commensurate with risk. Because of their effectiveness against both internal and external threats, ZTAs are increasingly being implemented, and some organizations are already required to use ZTAs.

This guide is intended to help your organization evolve existing environments and technologies to a ZTA gradually over time. The insights in this guide are based on a project at the NIST National Cybersecurity Center of Excellence (NCCoE) in collaboration with 24 technology providers. Together we have built and implemented 19 example ZTA solutions in lab environments, each demonstrating the principles of ZTA as outlined in NIST Special Publication (SP) 800-207, Zero Trust Architecture. For each of the ZTA examples, we have provided detailed technical information including architecture, sample technologies leveraged, specific configurations and integrations of technologies, and use cases and scenarios demonstrated, as well as mappings to the NIST Cybersecurity Framework (CSF) versions 1.1 and 2.0, NIST SP 800-53r5, and security measures outlined in “EO-Critical Software” under Executive Order (EO) 14028. This guide provides practical information that you can use to develop your ZTA roadmap, including models you can emulate and examples of how to best leverage existing technology infrastructure. The lessons we have learned from our demonstrations can benefit your organization by saving time and resources.

There is no single approach for migrating to ZTA that is best for all enterprises. ZTA is a set of concepts and principles, not a set of technical specifications that can be complied with. The objective is continuous improvement of access control processes and policies in accordance with the principles of ZTA.

By utilizing this guide, your organization can be better positioned to implement a ZTA that achieves the following:

  • Supports user access to resources regardless of user location or device (managed or unmanaged)

  • Protects sensitive information and other business assets and processes regardless of their location (on-premises or cloud-based)

  • Limits breaches by making it harder for attackers to move through an environment and by addressing the insider threat (insiders are not automatically trusted)

  • Performs continuous, real-time monitoring, logging, and risk-based assessment and enforcement of corporate policy