
The National Institute of Standards and Technology (NIST) has produced NIST Special Publication 800-207 outlining Zero Trust principles and guidelines that can be used to reduce cyber risk. This blog summarizes these guidelines for you and then shows how FileFlex Enterprise adheres to NIST standards to enable easy and secure zero trust remote access and sharing of files and folders from your organization’s multi-domain hybrid-IT storage infrastructure.
How to Meet NIST Guidelines for Zero Trust for Remote Data Access
What is NIST?
NIST or the National Institute of Standards and Technology, part of the U.S. Department of Commerce, was established as a physical science laboratory to set standards for a wide range of technologies ranging from the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, earthquake-resistant skyscrapers, global communication networks, computer chips, and cybersecurity.
NIST and Cybersecurity
Their cybersecurity standards and best practices address interoperability, usability, and privacy and include the Computer Security Resource Center, the National Cybersecurity Center of Excellence, the National Initiative for Cybersecurity Education (NICE), and the Small Business Cybersecurity Center. They have established standards and guidelines for cybersecurity, privacy, risk management, and information security including Zero Trust.
How NIST Defines Zero Trust
NIST defines zero trust (ZT) as a term for an evolving set of tenets that move an organization’s cybersecurity from the existing paradigm, based on a static, network-based perimeter, to a new paradigm that focuses an organization’s cybersecurity on users, assets, and resources.
How NIST Defines a Zero Trust Architecture
NIST defines a zero trust architecture (ZTA) as one that applies zero trust principles to infrastructure and workflows. First, it assumes that no implicit trust is granted to users simply because they are on the network or VPN. This is a response to today’s work environment, where remote users access company assets over the Internet and also need to reach cloud-based assets that are not located on the enterprise-owned network. Second, it assumes that no implicit trust is granted to computers, tablets, or smartphones based on company ownership. This is a response to today’s bring-your-own-device (BYOD) workforce, which often uses personally owned smartphones, tablets, and computers.
A zero trust architecture is not focused on protecting network segments (using firewalls, OS patches, AV software, etc.), because network location is no longer seen as the prime component of the organization’s security posture. Instead, a ZTA authenticates and verifies the user identity against policy for every transaction in order to protect resources such as assets, services, workflows, and network accounts.
How NIST Defines the Goal of a Zero Trust Architecture
The goal, as defined by NIST, is to generate a zero trust architecture that prevents unauthorized access to data and makes access control enforcement as granular as possible.
What are the NIST Guidelines for Zero Trust Architecture?
Rather than defining zero trust in terms of perimeters, NIST SP 800-207 outlines the NIST standards for zero trust and defines Zero Trust Architecture (ZTA) in terms of the following basic tenets, which should be adhered to and implemented:
1. NIST guidelines for zero trust stipulate that all data sources and computing devices are considered resources.
- This addresses the mistaken assumption that an organization only needs to protect company-owned devices. Organizations today need to protect company information even when it is accessed via today’s bring-your-own-device (BYOD) use of smartphones, tablets, and computers privately owned by users.
2. NIST guidelines for zero trust stipulate that all communication is secured regardless of network location.
- Network location alone does not imply trust. Organizations need to protect information even if it is accessed over the Internet, or if it is located on cloud-based assets that are not located on the enterprise-owned network.
3. Access to individual enterprise resources is granted on a per-session basis.
- Every request and every requester needs to be evaluated before the request is granted. The request is granted with the least privileges needed to complete the task, and once authorized, the authorization does not automatically grant access to other resources.
4. Access to resources is to be determined by dynamic policy.
- This means that access policies can be assigned to a user, data asset, or application on a user-by-user, asset-by-asset, or application-by-application basis or mixture thereof. Least privilege principles are applied to restrict both visibility and accessibility.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- No asset is inherently trusted. The enterprise evaluates the security posture of the asset when evaluating a resource request and should apply patches/fixes as needed, or deny service if the asset is found to be subverted.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- This is a constant cycle of authentication and authorization of the user identity for all user transactions and includes the use of multifactor authentication (MFA).
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
- Since ZTA authorizes and verifies all transactions, organizations should use that data to improve policy creation and enforcement.
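To make the seven tenets concrete, here is a toy policy decision point that evaluates every request on its own against identity, MFA, device posture, transport protection and a least-privilege policy table, while deliberately ignoring network location. This is an added illustration written for this summary, not FileFlex or NIST code; the users, resources and policy table are constructed sample data.

```python
"""Toy policy decision point for the seven SP 800-207 tenets summarized above.
Added illustration for this summary, not FileFlex or NIST code; the policy
table, users and resources are constructed sample data."""
from dataclasses import dataclass

# Tenet 4: dynamic policy keyed by (user, resource) -> permitted actions.
# Tenet 1: a file share and a laptop are both resources under policy.
POLICY = {
    ("alice", "finance-share"): {"read"},
    ("alice", "alice-laptop"): {"read", "write"},
    ("bob", "finance-share"): {"read", "write"},
}
SESSION_TTL = 900  # seconds before the user must re-authenticate (tenet 6)
AUDIT = []         # tenet 7: every decision is recorded for later tuning

@dataclass
class Request:
    user: str
    resource: str
    action: str
    mfa_verified: bool    # tenet 6: MFA is part of every authorization
    device_healthy: bool  # tenet 5: posture of the (possibly BYOD) device
    encrypted: bool       # tenet 2: transport must be protected
    network: str          # "corp" or "internet"; deliberately not consulted
    session_age: int      # seconds since this session was authenticated

def decide(req):
    """Return ("allow" | "deny", reasons). Each request is judged on its own
    (tenet 3): a grant for one resource never carries over to another."""
    reasons = []
    if req.session_age > SESSION_TTL:
        reasons.append("session expired; re-authenticate")
    if not req.mfa_verified:
        reasons.append("mfa not satisfied")
    if not req.device_healthy:
        reasons.append("device failed posture check")
    if not req.encrypted:
        reasons.append("unencrypted transport")
    if req.action not in POLICY.get((req.user, req.resource), set()):
        reasons.append("action not permitted by policy (least privilege)")
    verdict = "allow" if not reasons else "deny"
    AUDIT.append((req.user, req.resource, req.action, req.network, verdict))
    return verdict, reasons

if __name__ == "__main__":
    ok = Request("alice", "finance-share", "read", True, True, True, "internet", 60)
    print(decide(ok))   # allow: being off-network does not matter
    bad = Request("alice", "finance-share", "write", True, True, True, "corp", 60)
    print(decide(bad))  # deny: being on-network does not widen the grant
```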
For more reading on zero trust security, see our other blogs: ‘Why Zero Trust. Why Now?’, ‘How to Protect Your Data with Zero Trust Data Access’, and ‘How to Enable Your Remote Workforce with Zero Trust by Design’.
1. FileFlex Enterprise Considers All Data Sources and Computing Devices as Resources
2. FileFlex Enterprise Secures All Communications Regardless of Network Location
3. FileFlex Enterprise Grants Access to Enterprise Resources on a Per-Session Basis
4. FileFlex Enterprise Grants Access to Resources According to Dynamic Policy
5. FileFlex Enterprise Provides Detailed Activity Logging
6. All Resource Authentication and Authorization Are Dynamic and Strictly Enforced Before Access Is Allowed
7. FileFlex Enterprise Supports Branch Offices, Satellite Locations, Datacenters, and Multiple Domains
8. FileFlex Enterprise Supports Secure Remote Access and Sharing for Contractors and Gig-Based Workers Controlled by IT
9. FileFlex Enterprise Supports Collaboration with External Parties Controlled by IT