What NIST SP 800-207 Means for SaaS Security
This blog was originally published by DoControl here.
Written by Corey O'Connor, DoControl.
The National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) in August 2020 published NIST Special Publication 800-207. This special publication follows the focused interest in zero-trust initiatives, which almost every organization has adopted to some extent in 2022. With more reliance on cloud-based and SaaS offerings coupled with the evolving state of remote work, this SP 800-207 offers sound design advice, implementation considerations, use case examples, and technology gaps for modern zero-trust architectures (ZTAs).
It is widely recognized that NIST has become the de facto standard not only for federal agencies, but also for private sector companies to strengthen the security of their information systems. It's also generally accepted that zero-trust has become the new set of principles that CISO's use to align their security programs. So for organizations looking to make zero-trust a practical reality, NIST SP 800-207 offers a great way to get started or use as a strong reference point.
Most organizations have made the necessary adjustments to remove all implicit trust from their users and systems and continuously monitor how users interact with data. However, security pros should look at zero-trust more as a vision - something organizations strive to achieve but never fully accomplish. Similarly, as with security programs in the general sense, most zero-trust initiatives are ongoing, with continual improvements and adjustments required to mitigate advanced threats.
A focus on resource protection
According to NIST, "zero-trust focuses on protecting resources (assets, services, workflows, network accounts), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource."
Organizations no longer depend on the network as the backbone to security posture. Identity has become the new perimeter and it's critical to wrap security around all users’ various identities – especially the ones that are more privileged. The lines of what organizations consider “privileged" have truly become commingled. Under certain circumstances, a standard user can gain privileged access. However, it's not enough to secure the identity. It is critical to provide granular access controls to the actual resources so the organization can mitigate the risk of a company's crown jewels becoming compromised.
The data access control engine and policy elements covered in detail in this publication must be considered - it's not just NIST's zero-trust reference architecture; the same considerations exist within Google's BeyondCorp Enterprise. BeyondCorp Enterprise and NIST ZTA are the two most leveraged references for building a zero-trust security model. These logical components are foundational to these architectures, as they dictate which identities can access which resources.
Data access engines and policies, as defined by NIST, are what many would expect. The security team defines the access policy, and the engine enforces whatever corresponding (secure) workflow that has been set. But the policies are just a starting point in authorizing the appropriate access to resources, which need to be established with the principle of least privilege in mind. In the same vein, data access should be segmented in terms of "who should be able to access what, and when it should be accessed." It's necessary to consider the downstream implications of "what would happen if 'xyz' identity is compromised?" As with network segmentation, segmenting the access to data will minimize the blast radius in the event of a breach.
The policy engine becomes responsible for enabling the appropriate access to the identity or user. Security teams need context-based and dynamic data access policies and fully-automated engines to support these types of workflows. The team needs to connect self-service tools for data access monitoring, control, and remediation to the policy engine to enable IT and security teams to intervene manually and take immediate action if necessary. The engine essentially acts as the gatekeeper by granting, denying, or revoking access to the organization's resources, and the team needs a nimble approach to support flexible and dynamic workflows. Inputs from external sources, as well as observable information about users, attributes and roles, metadata sources, and historical and deterministic behavioral patterns should help power the policy engine.
What SP 800-207 mean for software-as-a-service security
Today, organizations of all sizes and types are universally adopting SaaS applications. Analysts that cover this area continually highlight the soaring adoption rates and predicted market spend in SaaS. SaaS applications now address almost every aspect of doing business, and they all let organizations become nimbler and more productive at a much faster rate. However, organizations can't make security an afterthought. Companies need to enable the business in a secure manner, and they need to do it in a consistent and centrally- enforced way.
Today, most SaaS applications and platforms are open by design via APIs for collaboration. Securing them can be a challenge for both CISOs and practitioners. Organizations need to ensure they have a consistent security strategy across all the critical SaaS applications being used to maintain business continuity.
If this ZTA publication elevates the importance of resource protection, then organizations should prioritize both a strong data access engine and policies. Within SaaS applications are some of an organization's most critical data and files. Per NIST, the agency defines zero-trust as "an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources." Let's quickly review these three areas of focus for context:
- Users: Today, most organizations have identity solutions to manage and secure access at the user level by establishing the appropriate levels of access for all the relevant identities for each user. Least privilege has become paramount here. "Never assume trust" demands authentication and authorization for each identity, and it needs to enforce it in a dynamic and strict manner before granting access.
- Assets: To connect users to the assets they need to do their jobs, organizations can bring zero-trust network access (ZTNA) into the fold. ZTNA solutions are a category of VPN-less technologies that deliver secure access to users wherever they are located, which is pretty much exclusive to remote or hybrid in today's environment. Security teams need to broker a secure connection for the user trying to access target systems and applications.
- Resources: Once security teams get past these two foundational components of identity security and ZTNA, users can now access, manipulate and share sensitive company data and files. Controlling "who has access to what" has become paramount in the world of zero-trust. Most organizations have introduced some of the tools and technologies to address identity, device, and network levels – but to protect critical resources, the security team needs to go beyond these three layers and into the SaaS application data layer.
Defense-in-depth with security wrapped around every identity and around every asset – each time they connect to business-critical applications takes a zero-trust strategy to the next level. A combination of preventative controls and detective mechanisms can help get companies closer to zero trust. It's not just about controls either. Organizations need to find the right balance between technology, people, and process. Adopt an "assume breach" mentality to the organization's security programs. In the context of zero trust, it's not a matter of “if" but "when," which demands that the company focuses on breach recovery and not just breach prevention. Ensure the success of the organization's IT and security teams. Start enabling the business in a secure way by extending zero-trust to the SaaS application data layer.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.