Executive Summary

Note

This page is supplementary material for the NIST SP 1800-35 publication.

A zero trust architecture (ZTA) can help your organization to protect its data and resources no matter where they are located. A ZTA can also enable your workforce, contractors, partners, and other authorized parties to securely access the data and resources they need from anywhere at any time. ZTAs implement a risk-based approach to cybersecurity — continuously evaluating and verifying conditions and requests to decide which access requests should be permitted, then ensuring that each access is properly safeguarded commensurate with risk. Because of their effectiveness against both internal and external threats, ZTAs are increasingly being implemented, and some organizations are already required by legislation or regulation to use ZTAs.

This guide is intended to help your organization plan how to gradually evolve its existing environments and technologies to a ZTA over time. The insights in this guide are based on a project being led by the National Cybersecurity Center of Excellence (NCCoE) in collaboration with 24 ZTA technology providers. Together they have built 17 example ZTA solutions in lab environments and demonstrated each build’s ability to meet the principles of ZTA. Detailed technical information on each build can also serve as a valuable resource for your technology implementers by providing models they can emulate. The lessons they have learned from the implementations and integrations can benefit your organization by saving time and resources.

By utilizing this guide, your organization can be better positioned to implement a ZTA that achieves the following:

  • Supports user access to resources regardless of user location or device (managed or unmanaged)

  • Protects sensitive information and other business assets and processes regardless of their location (on-premises or cloud-based)

  • Limits breaches by making it harder for attackers to move through an environment and by addressing the insider threat (insiders are not automatically trusted)

  • Performs continuous, real-time monitoring, logging, and risk-based assessment and enforcement of corporate policy