Risks Addressed by the ZTA Reference Architecture

Note: This page is supplementary material for the NIST SP 1800-35 publication.

Conventional network security has focused on perimeter defense. Historically, most organization resources have been located within and protected by the enterprise’s network perimeter, which tended to be large and static. Subjects that are inside the network perimeter are often assumed to be implicitly trusted and are given broad access to the resources within the network perimeter. Attempts to access resources from outside the network perimeter, i.e., from the internet, are often subject to more scrutiny than those originating from within. However, a subject can be compromised regardless of whether it is inside or outside of the network perimeter. Once a subject is compromised, malicious actors—through impersonation and escalation—can gain access to the resources that the subject is authorized to access and move laterally within the network perimeter to access adjacent resources.

By protecting each resource individually and employing extensive identity, authentication, and authorization measures to verify a subject’s requirement to access each resource, zero trust can ensure that authorized users, applications, and systems have access to only those resources that they absolutely have a need to access in order to perform their duties, not to a broad set of resources that all happen to be within the network perimeter. This way, if a malicious actor does manage to gain unauthorized access to one resource, this access will not provide them with any advantage when trying to move laterally to other nearby resources. To compromise those other resources, the attacker would be required to figure out how to circumvent the mechanisms that are protecting those resources individually because it is not possible to reach those resources from nearby compromised resources. In this way, ZTA limits the insider threat because instead of having permission to access all resources within the network perimeter, malicious insiders would only be permitted to access those resources they require to perform their official roles.

In addition, once a subject is granted access to a resource, this access is often permitted to continue for a substantial period of time without being reevaluated against a defined policy. The access session is often not monitored or subject to behavioral analysis, and the configuration and health of the devices being used to access resources may be subject to initial, but not ongoing, scrutiny. So, if a subject does manage to gain unauthorized access to a resource, the subject often has ample time to exfiltrate or modify valuable information or further compromise the resource and/or use it as a point from which to pivot and attack other corporate resources. ZTA limits these threats by performing continual verification of a subject’s identity and authorization to access a resource. It may also perform behavioral analysis and validation of each system’s health and configuration, and consider other factors such as day, time, and location of subject and resource. Based on the organization’s defined policy, ZTA makes dynamic, ongoing assessments of the risk of each access request in real time to ensure that it poses an acceptable level of risk.
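The per-resource authorization described two paragraphs above and the continual re-evaluation described in the paragraph just above can be shown together in a small policy decision point. The following Python is an added illustration written for this page; it is not code from NIST SP 1800-35 or from any product in the reference architecture. Every user, device, resource, role, risk weight, and threshold in it is constructed for the example.

```python
"""Toy zero trust policy decision point (PDP) and enforcement point (PEP).

Added illustration, not code from NIST SP 1800-35. Each resource carries
its own policy; every access request, initial and ongoing, is evaluated
against subject identity, role, device health, time of day, and location.
All identifiers, roles, weights and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Subject:
    user_id: str
    roles: List[str]
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool
    patched: bool
    edr_healthy: bool


@dataclass
class Resource:
    name: str
    allowed_roles: List[str]          # authorization is per resource, not per network
    allowed_countries: List[str]
    work_hours: range = range(7, 20)  # local hours in which access is expected
    max_risk: int = 30                # this resource's risk tolerance
    reauth_after: timedelta = timedelta(minutes=15)


@dataclass
class Context:
    now: datetime
    country: str


@dataclass
class Decision:
    allow: bool
    risk: int
    reasons: List[str]


def evaluate(subject: Subject, device: Device, resource: Resource, ctx: Context) -> Decision:
    """PDP: decide one request against one resource's policy (constructed weights)."""
    if not subject.mfa_verified:                       # identity: hard deny
        return Decision(False, 100, ["mfa_required"])
    if not set(subject.roles) & set(resource.allowed_roles):
        return Decision(False, 100, ["role_not_authorized"])  # no lateral "nearby" access
    risk, reasons = 0, []
    if not device.managed:
        risk += 40; reasons.append("unmanaged_device")
    if not device.patched:
        risk += 20; reasons.append("device_unpatched")
    if not device.edr_healthy:
        risk += 35; reasons.append("edr_unhealthy")
    if ctx.now.hour not in resource.work_hours:
        risk += 15; reasons.append("outside_work_hours")
    if ctx.country not in resource.allowed_countries:
        risk += 25; reasons.append("unexpected_location")
    return Decision(risk <= resource.max_risk, risk, reasons or ["ok"])


@dataclass
class Session:
    resource: Resource
    granted_at: datetime
    active: bool = True


class Enforcer:
    """PEP: grants sessions and re-checks them instead of trusting a past grant."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def request(self, subject: Subject, device: Device, resource: Resource, ctx: Context) -> Decision:
        d = evaluate(subject, device, resource, ctx)
        if d.allow:
            self.sessions[f"{subject.user_id}:{resource.name}"] = Session(resource, ctx.now)
        return d

    def reverify(self, subject: Subject, device: Device, ctx: Context) -> Dict[str, Decision]:
        """Run on each later request or on a timer: re-evaluate every open session
        of this subject, and revoke any that now fails policy or is due for re-auth."""
        results: Dict[str, Decision] = {}
        for key, s in self.sessions.items():
            if not s.active or not key.startswith(subject.user_id + ":"):
                continue
            d = evaluate(subject, device, s.resource, ctx)
            if ctx.now - s.granted_at > s.resource.reauth_after:
                d = Decision(False, d.risk, d.reasons + ["reauth_required"])
            if not d.allow:
                s.active = False
            results[key] = d
        return results


def demo() -> Dict[str, object]:
    """Constructed scenario: an engineer on a healthy laptop reaches the build
    server but not the HR database beside it; when the laptop's endpoint agent
    stops reporting healthy, the still-open build-server session is revoked."""
    alice = Subject("alice", ["engineer"], mfa_verified=True)
    laptop = Device("lt-0421", managed=True, patched=True, edr_healthy=True)
    build = Resource("build-server", ["engineer"], ["US"])
    hr_db = Resource("hr-db", ["hr"], ["US"])
    t0 = datetime(2024, 3, 4, 10, 0)
    pep = Enforcer()
    first = pep.request(alice, laptop, build, Context(t0, "US"))
    lateral = pep.request(alice, laptop, hr_db, Context(t0, "US"))
    still_ok = pep.reverify(alice, laptop, Context(t0 + timedelta(minutes=5), "US"))
    laptop.edr_healthy = False                          # posture changes mid-session
    revoked = pep.reverify(alice, laptop, Context(t0 + timedelta(minutes=10), "US"))
    return {"first": first, "lateral": lateral,
            "still_ok": still_ok["alice:build-server"],
            "revoked": revoked["alice:build-server"],
            "session_active": pep.sessions["alice:build-server"].active}
```

The design point is that the same `evaluate` function answers both the initial request and every later re-check, so a grant never outlives the conditions under which it was made; the "hr-db" denial shows that being authorized for one resource, or sitting on the same network segment, confers nothing toward a neighbouring resource with its own policy.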

A number of trends, including cloud computing and remote work, have also introduced additional security threats. The growth in cloud computing has meant that enterprises are now storing critical resources (e.g., databases, applications, servers) in the cloud (i.e., outside of the traditional network perimeter) as well as on-premises. As a result, these resources cannot be protected by the network perimeter strategy. A new protection paradigm is needed that focuses on protecting resources individually, no matter where they are located, so that they are not at risk of being subjected to security policies that are not under organization control or not enforced consistently across all enterprise resources. Often the clouds in which resources are hosted are multitenant, meaning that different enterprises have authorized access to their own portions of the cloud infrastructure, with each tenant reliant on the cloud service provider to enforce this separation. If a malicious actor were to figure out how to subvert cloud security and move from one tenant’s account to the next, the organization’s resources would be at risk. Use of ZTA to protect each resource individually serves as further assurance that the resources will not be accessible to cloud users from other enterprises, nor will they be accessible to users from within the enterprise who do not have a need to access them.

The growth of the remote workforce, as well as collaboration with partners and dependence on contractors, are other trends that are also challenging the conventional security paradigm. The subjects requesting authorized access to resources may not necessarily be within the network perimeter. They may be employees working from home or from a coffee shop’s public Wi-Fi via the internet, or a partner, contractor, customer, or guest that requires access to some resources but must be restricted from accessing other resources. By relying on strong identity, authentication, and authorization services to determine precisely which resources a subject is authorized to access with respect to their role in or relationship to the organization, ZTA can restrict subjects to accessing only those resources that they have a need to access and ensure that they are not permitted to access any other resources.

While implementing ZTA addresses many risks, it also has limitations. It cannot remove all risk, and the ZTA implementation itself may introduce additional risks that need to be addressed. For more information on the limitations of ZTA, see Section 5 of SP 800-207.