Zero Trust and NIST SP 800-207: A Guide for CISOs

Background

In a post-pandemic environment where employees can work from anywhere and on multiple devices, it’s an increasing challenge for organizations to protect their networks from cyber threats using traditional tools and approaches.

The National Institute of Standards and Technology (NIST) is tasked with developing cybersecurity standards and best practices. In its Special Publication 800-207, NIST lays out guidelines on implementing Zero Trust Architecture (ZTA) as a defense against network attacks.

In this article, we’ll discuss the philosophy behind Zero Trust, NIST SP 800-207 recommendations, and what Chief Information Security Officers need to know about both.

What Is NIST SP 800-207?

The National Institute of Standards and Technology SP 800-207 is a special publication entitled A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments.

The document provides guidelines on how to implement Zero Trust Architecture with the following approaches:

  1. Identity and Access Management (IAM): Any user attempting to access the network must pass several layers of authentication.
  2. Network Segmentation: An organization’s network should be broken up into smaller networks in order to prevent lateral movement threats.
  3. Microsegmentation: The organization’s network should be further microsegmented into access levels that correspond to job roles and responsibilities.
  4. Continuous Monitoring: The network should be monitored 24/7 to detect potential threats and to measure network health and traffic patterns.
  5. Automation and Orchestration: Organizations should embrace automation and orchestration in order to streamline security and respond to threats in real time.
  6. Risk Assessment and Adaptive Security: Organizations are encouraged to take a proactive approach with continuous risk assessment and adaptive security measures. Insights gained from observability signals should be fed continuously back into the system to improve policy.

Overall, NIST SP 800-207 stresses the philosophy of “trusting no one” when it comes to network access. Regardless of location, device, or job title, all access to an organization’s network is treated as a potential threat, until proven otherwise.
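The Python example below is an added illustration, not code from the article or from NIST SP 800-207. It shows how the approaches listed above can combine into one default-deny access decision: authentication strength, role-to-segment mapping and a monitoring-fed risk score all have to pass, while network location grants nothing. Every role, segment name, threshold and function name in it is an assumption made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy data: names and thresholds are assumptions for this example.
ROLE_SEGMENTS = {  # microsegmentation: segments each job role may reach
    "finance-analyst": {"erp", "reporting"},
    "sre": {"k8s-prod", "observability"},
}
MIN_AUTH_FACTORS = 2  # IAM: more than one layer of authentication
RISK_THRESHOLD = 0.7  # adaptive security: deny above this score

@dataclass
class AccessRequest:
    user: str
    role: str
    auth_factors: int       # factors verified for this session
    segment: str            # target microsegment
    on_corporate_lan: bool  # recorded, but never used to grant access
    risk_score: float       # 0.0 (benign) to 1.0 (hostile), fed by monitoring

audit_log = []  # continuous monitoring: every decision is recorded

def decide(req: AccessRequest) -> tuple[bool, str]:
    """Default-deny: access is granted only when every check passes."""
    if req.auth_factors < MIN_AUTH_FACTORS:
        verdict = (False, "insufficient authentication")
    elif req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        verdict = (False, "segment not permitted for role")
    elif req.risk_score > RISK_THRESHOLD:
        verdict = (False, "risk score above threshold")
    else:
        verdict = (True, "all checks passed")
    audit_log.append((req.user, req.segment, *verdict))
    return verdict

def raise_risk(req: AccessRequest, signal_weight: float) -> AccessRequest:
    """Feed an observability signal back into the next decision."""
    req.risk_score = min(1.0, req.risk_score + signal_weight)
    return req

if __name__ == "__main__":
    session = AccessRequest("alice", "sre", 2, "k8s-prod", False, 0.1)
    print(decide(session))                   # remote but fully verified
    print(decide(raise_risk(session, 0.7)))  # same session after an alert
    for entry in audit_log:
        print(entry)
```

Because the decision is re-evaluated on every request, a session that was allowed a moment ago is denied as soon as monitoring raises its risk score.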

What Do CISOs Need to Know about NIST SP 800-207?


Continue reading on Tetrate Blog
