Executive Summary
Note
This page is supplementary material for the NIST SP 1800-35 publication.
A zero trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero trust principles, such as those outlined in NIST Special Publication (SP) 800-207, Zero Trust Architecture, and that is designed to prevent data breaches and limit internal lateral movement. A ZTA can help your organization protect its data and resources no matter where they are located. A ZTA can also enable your workforce, contractors, partners, and other authorized parties to securely access the data and resources they need from anywhere at any time. ZTA implements a risk-based approach to cybersecurity—continuously evaluating and verifying conditions and requests to decide which access requests should be permitted, then ensuring that each access is properly safeguarded commensurate with risk. Because of its effectiveness against both internal and external threats, this architecture is increasingly being adopted, and some organizations are required to use a ZTA.
There is no single approach that every organization can follow to migrate to a ZTA. Therefore, the NIST National Cybersecurity Center of Excellence worked with 24 technology providers to demonstrate practical implementation of ZTA principles from NIST SP 800-207. Together, we have built and implemented 19 example ZTA solutions in lab environments, leveraging the technology from our collaborators. For each of the example ZTAs, we have outlined detailed technical information, including architecture, sample technologies leveraged, specific configurations and integrations of technologies, and use cases and scenarios demonstrated. We have also created mappings between the example ZTAs’ security capabilities and the NIST Cybersecurity Framework (CSF) versions 1.1 and 2.0, NIST SP 800-53r5, and NIST critical software security measures.
This guide is intended to help your organization gradually evolve existing environments and technologies into a ZTA over time. It provides practical information that you can use to develop your ZTA roadmap, including models you can emulate and examples of how to best leverage existing technology infrastructure. The lessons we have learned from our demonstrations can benefit your organization by saving time and resources.
By utilizing this guide, your organization can be better positioned to implement a ZTA that achieves the following:
Supports user access to resources regardless of user location or device (managed or unmanaged)
Protects sensitive information and other business assets and processes regardless of their location (on-premises or cloud-based)
Limits breaches by making it harder for attackers to move through an environment and by addressing the insider threat (insiders are not automatically trusted)
Performs continuous, real-time monitoring, logging, and risk-based assessment and enforcement of corporate policy