Zero Trust and NIST SP 800-207: What CISOs Need to Know

Background

In a post-pandemic environment where employees can work from anywhere and on multiple devices, it’s an increasing challenge for organizations to protect their networks from cyber threats using traditional tools and approaches.

The National Institute of Standards and Technology (NIST) is tasked with developing cybersecurity standards and best practices. In its Special Publication 800-207, NIST lays out guidelines on implementing Zero Trust Architecture (ZTA) as a defense against network attacks.

In this article, we’ll discuss the philosophy behind Zero Trust, NIST SP 800-207 recommendations, and what Chief Information Security Officers need to know about both.

What Is NIST SP 800-207?

The National Institute of Standards and Technology SP 800-207 is a special publication entitled A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments.

The document provides guidelines on how to implement Zero Trust Architecture with the following approaches:

  1. Identity and Access Management (IAM): Any user attempting to access the network must pass several layers of authentication.
  2. Network Segmentation: An organization’s network should be broken up into smaller networks in order to prevent lateral movement.
  3. Microsegmentation: The organization’s network should be further microsegmented into access levels that correspond to job roles and responsibilities.
  4. Continuous Monitoring: The network should be monitored 24/7 to detect potential threats and to measure network health and traffic patterns.
  5. Automation and Orchestration: Organizations should embrace automation and orchestration in order to streamline security and respond to threats in real time.
  6. Risk Assessment and Adaptive Security: Organizations are encouraged to take a proactive approach with continuous risk assessment and adaptive security measures. Insights gained from observability signals should be fed continuously back into the system to improve policy.
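To make the six approaches above concrete, here is a small policy decision point that evaluates each access request with deny-by-default ordering: identity (MFA) first, then device posture, then a role-to-segment map (microsegmentation), then an adaptive risk score built from monitoring signals. This is an added illustration written for this article, not code from NIST SP 800-207 or from Tetrate; the roles, segments, signal names, weights and threshold are all constructed.

```python
from dataclasses import dataclass, field

# Microsegmentation: each job role maps to the segments it may reach (constructed values).
ROLE_SEGMENTS = {
    "finance-analyst": {"erp", "reporting"},
    "sre": {"k8s-control-plane", "observability"},
    "contractor": {"ticketing"},
}

# Adaptive security: a threshold that is tuned over time from observed incidents (constructed).
RISK_DENY_THRESHOLD = 70


@dataclass
class AccessRequest:
    subject: str
    role: str
    segment: str
    mfa_verified: bool          # IAM: did the user pass the additional authentication layer?
    device_compliant: bool      # device posture, checked on every request, not just at login
    signals: dict = field(default_factory=dict)  # fed in from continuous monitoring


def risk_score(signals: dict) -> int:
    """Turn monitoring signals into a 0-100 risk score (signal names and weights are constructed)."""
    score = 0
    if signals.get("failed_logins_1h", 0) >= 5:   # brute-force pattern on this identity
        score += 40
    if signals.get("new_geo", False):              # first sighting from this location
        score += 30
    if signals.get("off_hours", False):            # outside the role's normal working window
        score += 15
    return min(score, 100)


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Deny by default: location, device and title earn nothing; every check must pass."""
    if not req.mfa_verified:
        return False, "identity: MFA not satisfied"
    if not req.device_compliant:
        return False, "device: not compliant"
    if req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, f"segmentation: role {req.role!r} may not reach {req.segment!r}"
    score = risk_score(req.signals)
    if score >= RISK_DENY_THRESHOLD:
        return False, f"adaptive: risk score {score} >= {RISK_DENY_THRESHOLD}"
    return True, f"allow: risk score {score}"
```

Every denial reason is a distinct string so a monitoring pipeline can count which check is firing and feed that back into the threshold or the role map.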

Overall, NIST SP 800-207 stresses the philosophy of “trusting no one” when it comes to network access. Regardless of location, device, or job title, all access to an organization’s network is treated as a potential threat, until proven otherwise.

What Do CISOs Need to Know about NIST SP 800-207?

Once CISOs understand the concept of Zero Trust as laid out in SP 800-207, their main challenge is implementation. This requires a top-down approach with buy-in from all stakeholders. 

Key considerations for CISOs implementing NIST SP 800-207 guidelines include:

  • Performing a thorough risk assessment of the organization’s vulnerabilities and weaknesses
  • Segmenting networks to allow for different access levels according to job role
  • Implementing company-wide multi-factor authentication processes and procedures
  • Automating network security and monitoring

The easiest way to go about implementing Zero Trust Architecture is by using modern security infrastructure with built-in Zero Trust features. Tetrate’s application networking and security platform provides Zero Trust architecture that meets all the rigorous NIST cybersecurity requirements.

Conclusion

By regularly monitoring risks and adapting Zero Trust security protocols accordingly, CISOs can stay in compliance with NIST standards and protect their organization against costly data breaches.
