The National Institute of Standards and Technology (NIST) published Special Publication 800-207, Zero Trust Architecture, in August 2020, with the Cybersecurity and Infrastructure Security Agency (CISA) represented among its authors. The publication arrived alongside a surge of interest in zero-trust initiatives, which by 2022 most organizations had adopted to some degree. With more reliance on cloud-based and SaaS offerings, coupled with the evolving state of remote work, SP 800-207 offers sound design advice, implementation considerations, use case examples, and a list of technology gaps for modern zero-trust architectures (ZTAs).
NIST publications have become the de facto standard not only for federal agencies but also for private sector companies looking to strengthen the security of their information systems, and zero trust has become the set of principles that CISOs use to align their security programs. For organizations looking to make zero trust a practical reality, NIST SP 800-207 is a good way to get started and a strong reference point to return to.
Many organizations have begun removing implicit trust from their users and systems and continuously monitoring how users interact with data. Security pros should nonetheless treat zero trust as a vision: something organizations strive toward but never fully accomplish. As with security programs in general, zero-trust initiatives are ongoing, with continual improvements and adjustments required to mitigate advanced threats.
A focus on resource protection
According to NIST, "zero-trust focuses on protecting resources (assets, services, workflows, network accounts), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource."
Organizations no longer depend on the network as the backbone of their security posture. Identity has become the new perimeter, and it is critical to wrap security around each user's various identities, especially the more privileged ones. The line between "standard" and "privileged" has blurred: under certain circumstances a standard user can gain privileged access, for example by being added to a group or inheriting a share. Securing the identity alone is therefore not enough. Granular access controls must be applied to the resources themselves so the organization can mitigate the risk of its crown jewels being compromised.
The access-decision and policy elements covered in detail in this publication deserve close attention. They are not unique to NIST's reference architecture: Google's BeyondCorp model has the same shape, with an access control engine and an access proxy playing the roles NIST assigns to its policy engine, policy administrator, and policy enforcement point. BeyondCorp and NIST ZTA are the two most commonly used references for building a zero-trust security model, and these logical components are foundational to both, because they dictate which identities can access which resources.
The policy engine and its policies, as NIST defines them, behave as most practitioners would expect: the security team defines the access policy, and the engine decides each request against it, with enforcement applied at the point of access. The policies are only a starting point, though, and they must be written with the principle of least privilege in mind, so that the default answer is deny and every grant is explicit. In the same vein, data access should be segmented in terms of who should be able to access what, and when it should be accessed. That requires asking the downstream question "what would happen if identity 'xyz' were compromised?" As with network segmentation, segmenting access to data minimizes the blast radius in the event of a breach.
The policy engine is responsible for deciding whether a given identity or user gets access to a given resource. Security teams need context-based, dynamic data access policies and fully automated engines to support these workflows. They should also connect self-service tools for data access monitoring, control, and remediation to the policy engine, so that IT and security staff can intervene manually and take immediate action when necessary. The engine acts as the gatekeeper by granting, denying, or revoking access to the organization's resources, and the team needs a nimble approach to support flexible and dynamic workflows. The engine should be powered by inputs from external sources (threat intelligence, device compliance and posture data, activity logs) as well as observable information about users: attributes and roles, metadata sources, and historical and deterministic behavioral patterns.
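The two preceding paragraphs describe what a policy engine does: default-deny grants written for least privilege, continuous context checks (MFA, device posture, risk score), segmentation by who, what, and when, and the "what if this identity is compromised?" question. The following is an added example, not code from NIST, Google, or DoControl, of a minimal engine with that shape. All subject attributes, resource classifications, role grants, and the risk threshold are constructed for illustration; a real deployment would pull those signals from identity, endpoint, and SIEM sources.

```python
"""Minimal SP 800-207 style policy engine (added example, constructed data).

Decision order mirrors the article: context gates first, then explicit
role grants (default deny), then a time-of-day segmentation rule.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset            # role names, e.g. {"employee", "finance"}
    mfa: bool                   # did this session complete MFA?
    risk_score: int             # 0 (clean) .. 100, assumed to come from an external signal
    device_compliant: bool      # endpoint posture, assumed to come from device management


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str         # "public" | "internal" | "confidential"


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str                 # "read" | "write" | "share_external"
    at: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Explicit grants per role as (classification, action). Anything not listed is denied.
ROLE_GRANTS = {
    "employee": {("public", "read"), ("internal", "read")},
    "finance": {("confidential", "read"), ("confidential", "write")},
    "admin": {("confidential", "read"), ("confidential", "write"),
              ("confidential", "share_external")},
}
RISK_REVOKE_THRESHOLD = 70          # assumed cutoff for a compromised-looking session
BUSINESS_HOURS_UTC = range(7, 20)   # confidential changes only inside this window
ACTIONS = ("read", "write", "share_external")


def evaluate(req: Request) -> Decision:
    """Decide one access request. Returns Decision(allow, reason)."""
    s, r = req.subject, req.resource
    # 1. Continuous context checks, applied before any role is considered.
    if s.risk_score >= RISK_REVOKE_THRESHOLD:
        return Decision(False, "risk score above threshold; revoke existing sessions")
    if r.classification != "public" and not s.mfa:
        return Decision(False, "MFA required for non-public resources")
    if r.classification == "confidential" and not s.device_compliant:
        return Decision(False, "confidential data requires a compliant device")
    # 2. Least privilege: the action must be explicitly granted by some role.
    granted = any((r.classification, req.action) in ROLE_GRANTS.get(role, set())
                  for role in s.roles)
    if not granted:
        return Decision(False, f"no role of {s.user} grants {req.action} on {r.classification}")
    # 3. Segmentation by time: confidential writes and shares only in business hours.
    if (r.classification == "confidential" and req.action != "read"
            and req.at.hour not in BUSINESS_HOURS_UTC):
        return Decision(False, "confidential change outside business hours; step-up required")
    return Decision(True, "explicit policy grant")


def blast_radius(subject: Subject, resources, at: datetime) -> list:
    """Answer 'what if this identity is compromised?': every (resource, action)
    the subject could reach right now under current policy and context."""
    return [(r.name, a) for r in resources for a in ACTIONS
            if evaluate(Request(subject, r, a, at)).allow]


# Constructed sample data.
RESOURCES = [
    Resource("employee-handbook", "public"),
    Resource("q3-roadmap", "internal"),
    Resource("payroll-2024.xlsx", "confidential"),
]
NOON = datetime(2024, 5, 6, 12, tzinfo=timezone.utc)
LATE = datetime(2024, 5, 6, 22, tzinfo=timezone.utc)
ALICE = Subject("alice", frozenset({"employee", "finance"}), mfa=True,
                risk_score=10, device_compliant=True)
BOB = Subject("bob", frozenset({"employee"}), mfa=True,
              risk_score=10, device_compliant=True)

if __name__ == "__main__":
    payroll = RESOURCES[2]
    for who in (ALICE, BOB, replace(ALICE, device_compliant=False),
                replace(ALICE, risk_score=85)):
        d = evaluate(Request(who, payroll, "read", NOON))
        print(f"{who.user:6} read payroll -> {'ALLOW' if d.allow else 'DENY '} ({d.reason})")
    print("bob blast radius:  ", blast_radius(BOB, RESOURCES, NOON))
    print("alice blast radius:", blast_radius(ALICE, RESOURCES, NOON))
```

The blast_radius function is the practical payoff of segmenting by identity: run it for each role before an incident, and the output is the list of data a compromised account in that role could reach, which is exactly what a responder needs on day one of a breach.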
What SP 800-207 means for software-as-a-service security
Today, organizations of all sizes and types are adopting SaaS applications, and analysts who cover the area continually highlight the soaring adoption rates and predicted market spend. SaaS applications now address almost every aspect of doing business, and they let organizations become nimbler and more productive much faster. Security cannot be an afterthought, though. Companies need to enable the business in a secure manner, and they need to do it in a consistent and centrally enforced way.
Most SaaS applications and platforms are open by design, exposing APIs and sharing features for collaboration. Securing them is a challenge for both CISOs and practitioners, and organizations need a consistent security strategy across all the critical SaaS applications they rely on to maintain business continuity.
If the ZTA publication elevates the importance of resource protection, then organizations should prioritize both a strong data access engine and well-written policies, because SaaS applications hold some of an organization's most critical data and files. NIST defines zero trust as "an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources." Three points follow from that framing.
Defense in depth, with security wrapped around every identity and every asset each time they connect to business-critical applications, takes a zero-trust strategy to the next level. A combination of preventive controls and detective mechanisms helps companies get closer to zero trust, but it is not just about controls: organizations need the right balance of technology, people, and process.
Adopt an "assume breach" mentality across the organization's security programs. In the context of zero trust it is not a matter of "if" but "when," which demands that the company focuses on breach recovery and not just breach prevention.
Set the organization's IT and security teams up to succeed, and start enabling the business in a secure way by extending zero trust to the SaaS application data layer.
Corey O'Connor, director of product marketing, DoControl