The National Security Agency (NSA) has released Zero Trust security model guidance to help organizations boost the security of sensitive data, systems, and services.
“To be fully effective to minimize risk and enable robust and timely responses, Zero Trust principles and concepts must permeate most aspects of the network and its operations ecosystem,” the guidance says. “Organizations, from chief executive to engineer and operator, must understand and commit to the Zero Trust mindset before embarking on a Zero Trust path.”
NSA says that adopting a Zero Trust cybersecurity mindset in a dynamic threat environment requires the following:
- “Coordinated and aggressive system monitoring, system management and defensive operations capabilities;
- Assume all requests for critical resources and all network traffic may be malicious;
- Assume all devices and infrastructure may be compromised; and
- Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.”
NSA also highlights potential challenges in implementing Zero Trust, including a lack of full support throughout the enterprise, potentially from the top down; scalability of capabilities; and persistent adherence to the mindset and application of Zero Trust over time.
“The Zero Trust mindset focuses on securing critical data and access paths by eliminating trust as much as possible, coupled with verifying and regularly re-verifying every allowed access,” NSA said. “However, implementing Zero Trust should not be undertaken lightly and will require significant resources and persistence to achieve.”
“When properly and fully implemented, Zero Trust should be able to prevent, detect, and contain intrusions significantly faster and more effectively than traditional, less integrated cybersecurity architectures and approaches,” the guidance continues.
NSA said it released the guidance as part of its mission to identify threats to national security, defense, and defense industrial base systems, and to develop cybersecurity specifications and mitigations.