As zero trust is more of a concept rather than a standard, there is no official set of rules that define it.
However, in August 2020, cybersecurity researchers from the U.S. National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) published SP 800-207 – Zero Trust Architecture. This document contains an abstract definition of zero trust architecture (ZTA) and describes general deployment models and use cases. This publication can serve as an excellent handbook for any organization looking to implement zero trust security.
SP 800-207 lists seven basic tenets of zero trust architecture; paraphrased and grouped, the key points are the following:
Consider all data sources and computing services as resources – Every system that holds or processes your organization’s data, and every device that can reach it, should be treated as an enterprise resource subject to the same access controls. This extends to small-footprint devices (printers, IoT sensors) and to personally owned devices that are allowed to access enterprise resources.
Secure all communications regardless of network location – Communication with a resource must be authenticated and encrypted whether the traffic crosses the internet or stays inside the corporate network. For example, a server in a rack in your organization’s local data center earns no implicit trust from being inside the premises and the network perimeter: requests to it must be verified exactly as requests arriving from outside would be. A zero trust network should not implicitly trust anything based on where it sits.
Grant access to individual resources per session – When a subject requests access to a resource, the subject should be identified, authenticated, and authorized before access is granted, and the resulting grant should carry least privilege: the bare minimum permissions needed to complete the task at hand. The session should expire after a predefined interval, after which the subject must authenticate and be evaluated again. Authentication and authorization to one resource should also never carry over to another; access to a similar or associated resource requires its own decision.
Resource authentication and authorization are dynamic and strictly enforced – Access decisions are made by policy that draws on several attributes describing the subject and the device making the request, not on a one-time login. Attributes may include device characteristics (such as installed software versions, network location, and installed credentials), behavioral attributes (such as subject and device analytics and measured deviations from previously observed usage patterns), and environmental attributes (time of the request, requester’s network location, and reported active attacks). The weight given to each attribute should vary with the business’s acceptable level of risk and the sensitivity of the resource and its data. Write policies that spell out which attributes must be verified for a given combination of subject, device, resource, and action, and enforce them on every request.
Monitor and measure the integrity and security posture of all owned and associated assets – No asset is inherently trusted; its current security posture (patch level, configuration, signs of compromise) is an input to every access decision, and assets found to be vulnerable or compromised should be treated differently from those in a known-good state. Authentication and authorization checks should be automated so that this continual re-evaluation does not slow business operations. Every access decision and action should be logged so that historical activity can be reconstructed during audits and incident investigations. More generally, organizations should collect as much information as possible about the current state of their assets, network infrastructure, and communications, and feed that data back into improving policy and overall security posture.
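The three tenets above on per-session access, dynamic attribute-based policy, and monitoring are easiest to see together in a small policy decision point: sessions that expire and are scoped to a single action on a single resource, a risk threshold that tightens with resource sensitivity, and an audit record for every decision. The following Python is an added example written for this page, not code from SP 800-207 or from any product; the resource names, attribute weights, and thresholds are assumed for illustration.

```python
"""Toy zero trust policy decision point (PDP): every request is evaluated against
dynamic attributes, sessions are short-lived and scoped to one resource and one
action, and every decision is logged. Weights and thresholds are assumed values."""
import secrets
import time
from dataclasses import dataclass

# Assumed resource catalogue: the more sensitive the resource, the less risk it tolerates.
RESOURCES = {
    "wiki":       {"max_risk": 60, "actions": {"read"}},
    "payroll-db": {"max_risk": 20, "actions": {"read", "write"}},
}
SESSION_TTL = 300  # seconds; after this the subject must authenticate again


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    device_managed: bool    # enrolled in the enterprise device inventory
    patch_age_days: int     # days since the device's last security update
    network: str            # "corp", "vpn" or "internet"
    hour: int               # local hour of the request, 0-23
    usage_deviation: float  # 0.0 = normal behaviour, 1.0 = highly anomalous
    active_attack: bool     # threat intelligence reports an active attack


@dataclass
class Session:
    subject: str
    resource: str
    actions: frozenset
    expires_at: float


class PolicyEngine:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.sessions = {}
        self.audit_log = []

    def risk_score(self, r: Request) -> int:
        """Fold device, environmental and behavioural attributes into one score (assumed weights)."""
        score = 0 if r.device_managed else 40
        score += 15 if r.patch_age_days > 30 else 0
        score += {"corp": 0, "vpn": 10, "internet": 25}.get(r.network, 50)
        score += 10 if r.hour < 6 or r.hour > 22 else 0
        score += int(30 * r.usage_deviation)
        score += 50 if r.active_attack else 0
        return score

    def decide(self, r: Request):
        """Evaluate one request. Returns (allowed, session_token); the token is None when denied."""
        res = RESOURCES.get(r.resource)
        score = self.risk_score(r)
        if res is None:
            allowed, reason = False, "unknown resource"
        elif r.action not in res["actions"]:
            allowed, reason = False, "action not defined for resource"
        elif score > res["max_risk"]:
            allowed, reason = False, f"risk {score} exceeds threshold {res['max_risk']}"
        else:
            allowed, reason = True, f"risk {score} within threshold {res['max_risk']}"
        token = None
        if allowed:
            # Least privilege: the session covers only this action on this resource.
            token = secrets.token_hex(16)
            self.sessions[token] = Session(r.subject, r.resource, frozenset({r.action}),
                                           self.clock() + SESSION_TTL)
        self.audit_log.append({"ts": self.clock(), "subject": r.subject, "resource": r.resource,
                               "action": r.action, "risk": score, "allowed": allowed,
                               "reason": reason})
        return allowed, token

    def use_session(self, token: str, resource: str, action: str) -> bool:
        """Check a previously issued session. Expired tokens, or tokens presented for a
        different resource or action, are refused: access to one resource never carries
        over to another."""
        s = self.sessions.get(token)
        now = self.clock()
        if s is None:
            ok, reason = False, "no such session"
        elif s.expires_at <= now:
            ok, reason = False, "session expired; re-authenticate"
            del self.sessions[token]
        elif s.resource != resource or action not in s.actions:
            ok, reason = False, "session not scoped to this resource/action"
        else:
            ok, reason = True, "session valid"
        self.audit_log.append({"ts": now, "subject": s.subject if s else None,
                               "resource": resource, "action": action, "allowed": ok,
                               "reason": reason})
        return ok


if __name__ == "__main__":
    engine = PolicyEngine()
    ok, tok = engine.decide(Request("alice", "payroll-db", "read", True, 3, "corp", 10, 0.0, False))
    print("payroll read from managed corp device:", ok)
    print("same token reused for wiki:", engine.use_session(tok, "wiki", "read"))
    print("managed device during active attack, wiki:",
          engine.decide(Request("alice", "wiki", "read", True, 3, "corp", 10, 0.0, True))[0])
    for entry in engine.audit_log:
        print(entry)
```

Two design points worth noting: the same request during a reported active attack is refused for the payroll database but still allowed for the low-sensitivity wiki, which is what "attributes vary with the sensitivity of the resource" means in practice; and a token issued for reading the payroll database is useless for writing to it or for reading the wiki, so a stolen session buys an attacker exactly one action on one resource until it expires.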