Long Standing Foundations of Zero Trust
Blog Article Published: 09/26/2023
Looking under the covers of Zero Trust, it quickly becomes apparent some long-time security principles are at work. These principles are applied differently than we historically did because of changes in the way we now work and live, combined with advances in technology and threats. When viewed as a tool, Zero Trust becomes a foundation for cybersecurity, for privacy, and to reduce the cost of compliance.
The most fundamental principle of Zero Trust is Identification and Authentication (IA). Major standards like NIST 800-63, 800-171, NIST 800-53, and ISO 27001, dedicate entire domains to this principle. Identities must be verified commensurate with the risk level of assets. It cannot be inferred or presumed like we did when a finite set of assets could be collected behind a strong physical perimeter of walls, fences, guards, guns, and sensors. A source of truth for identities is critical to achieving Zero Trust. Identities must be managed throughout the entity’s life-cycle. They must be reviewed regularly and as roles change. It is also good to review access with major technological changes like adoption of the Cloud or an organizational change like an acquisition.
The Concept of Least Privilege is defined by each standards body. While the words may be different, the spirit remains the same. NIST 800-171 AC.3.1.5 talks to the Concept of Least privilege as “…each entity is granted the minimum system authorizations and resources that the entity needs to perform its function.” By limiting access to what is required, both sites of the standard risk equation are improved - the likelihood of an incident is reduced while the impact of an incident is also reduced.
Concept of Least Functionality, also referred to as hardening, limits the use of only essential capabilities while prohibiting (or restricting) non-essential functions, ports, protocols, and/or services that are not integral to the operation. Basically, what is not required to operate is disabled or removed so it cannot be used against us. NIST 800-171 documents the Concept of Least Functionality in NIST 800-171, CM 3.4.6. Common examples include the Security Technical Implementation Guides (STIGS) produced by the US Defense Information Systems Agency (DISA) (aka, the DISA STIGS) and the Critical Security Controls produced by the Center for Internet Security (aka CIS Controls).
Separation of Duties refers to the principle that no user should be given enough privileges to misuse the system on their own. NIST 800-192 entitled Verification and Test Methods for Access Control Policies/Models is a good resource. Separation of Duties is also well understood across other disciplines. Despite its history, Separation of Duties is not widely appreciated as a tool for cybersecurity. It is widely implemented in finance and mandated for many financial institutions. The military makes extensive use of the concept to prevent unauthorized use of weapons including nuclear weapons.
Separation of Duties is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
Separation of Roles. Is often conflated with Separation of Duties. The distinction is simple. Separation of Roles recognizes an individual may have different roles within an organization. For example, a highly privileged system administrator is also an employee. Treating each separately helps ensure compromising one does not compromise the other while also reducing confusion and mistakes. The details are sprinkled throughout different NIST control domains: Access Control (AC), Audit & Accountability (AU), Identification & Authentication (IA), Maintenance (MA), Risk Assessment (RA or RM), and the System & Communications Protection (SC).
In summary, the many foundations of Zero Trust are not new. They are long-standing security principles applied differently to align with the way we work and live today, accommodating new threats, and advances in technology. When viewed correctly, Zero Trust forms a foundation for security, privacy, and compliance instead of a series of one-off initiatives.
Develop and demonstrate an in-depth understanding of Zero Trust with CSA’s Certificate of Competence in Zero Trust (CCZT). Learn more here.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.