NSA embraces the Zero Trust Security Model

The National Security Agency (NSA) published a document to explain the advantages of implementing a zero-trust model.

The National Security Agency (NSA) recently published a document to explain the benefits of adopting a zero-trust model, and advice to navigate the process.

Modern infrastructure are complex environments that combine multiple technologies and that are exposed to sophisticated cyber threats.

A Zero-Trust security model eliminates implicit trust in any entities inside or outside the perimeter of an organization, instead, it recommends implementing authorization and authentication for any processes within the company.

“Zero Trust is a security model, a set of system design principles, and coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.” reads the document published by the “This security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”

This security model assumes a data-centric security approach and is based on security monitoring and granular risk-based access controls. The model applies the concept of least-privileged access for every resource and decision.

The adoption of this approach for modern dynamic threat environment requires:

• Coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
• Assuming all requests for critical resources and all network traffic may be malicious.
• Assuming all devices and infrastructure may be compromised.
• Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.

For example, adopting a strong multi-factor authentication of users for Zero Trust environments, can reduce the risk of a data breach.

The implementation of this model could be a gradual process that requires additional resources, capabilities, and a strong commitment of the executives.

“NSA recommends embracing the Zero Trust security model when considering how to integrate Zero Trust concepts into an existing environment.” concludes the document. “Zero Trust efforts should be planned out as a continually maturing roadmap, from initial preparation to basic, intermediate, and advanced stages, with cybersecurity protection, response, and operations improving over time.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]