All right. Like I said, my name is Scott Rose. I am a computer scientist at the IT Lab at NIST here in Gaithersburg, Maryland, and we are part of the Department of Commerce. One of our missions is to help other federal agencies with their IT, both cybersecurity and general IT research and development. And just like in the private sector, there's a growing trend toward zero trust.
We've had, you know, obviously there have been some well known and well-documented issues and breaches, especially in the last few months, but even going back to, say, 2012, where an attacker has gotten in somehow, usually through a phishing attempt or some sort of zero day, and exfiltrated some data because they were able to move laterally through the network and obtain what they needed, or even have persistent access to the network.
So the federal CIO Council heard about this new trend. Back then it was called zero trust networking, but then it kind of evolved into zero trust architecture, and they thought there needed to be some sort of reference architecture, or at least a conceptual framework, to help federal agencies who want to move towards zero trust architecture get their minds around it: what are they doing when they're talking about it, and more importantly, what are they doing when they're talking to their procurement officials and to vendors?
So they can actually purchase what they need and deploy what they need and actually set up something to improve their state of security. So we came up with this guide, published as NIST Special Publication 800-207, Zero Trust Architecture. This is a conceptual framework. There's no hard guidance in this document. This is meant to be more of a definition-type document. NIST has actually published some others, one about cloud computing, where we roughly define a set of terms.
So we have a common framework when we're talking to everybody else: what do we mean when we say this? For example, we define zero trust. When we say zero trust, and we want people to talk about it this way, zero trust is a set of principles. There is no single zero trust technology or architecture that you can point to and say, that's zero trust. It's actually a set of principles that guide the way you deploy, use and configure your IT infrastructure. And building on top of that, zero trust architecture:
we're saying it's basically an architecture that is based on those ZT principles. So people that believe in those ZT principles are buying into them as tenets and saying, okay, now we're designing our architecture around these, and our workflows and our business models. And lastly, a zero trust enterprise is basically any kind of organization that's using a zero trust architecture, trying to deploy and implement it that way. So when one agency says to another, we have a zero trust architecture, the other agency goes, yeah, I know what that means.
It means you're following a set of zero trust principles. But in a broad sense, if you look down below, you have an untrusted zone. You're going from an untrusted zone, a subject from a device, a user, going through a policy enforcement point, or a policy decision point, to access a resource.
And the idea is you want to shrink that implicit trust zone to be as small as possible. That's, in a nutshell, what we consider zero trust in the guide. In the special publication, we laid out about seven tenets, we're calling them.
These are the zero trust principles. They're one of several; we're not calling them the strictly definitive ones.
In fact, there are several other sets of principles out there. I think one's from Forrester. I think there's one coming out of the UK. All these can be mapped one to one, because all are basically saying the same thing. A few of our tenets you can kind of break down into ones that are user-centric, about identity and access and authorization. Some are device-centric, about device health, patching and updating and monitoring the devices. And some are kind of data-centric or workflow-centric, we're calling them.
This is like end-to-end encryption, continuous monitoring and logging of activity. The two things that set our principles or tenets apart from other ones are, first, we take a more general approach: instead of taking a data-centric approach, we're calling it basically resource-centric. We're calling anything a resource, because it's not just your data sources that are important, but also the end systems that people are using, mobile devices that people are using, any kind of IoT deployments, compute resources.
All of those should be protected in a zero trust architecture. And lastly, we're not taking a hard stance on deep packet inspection, as people call it, when it comes to end to end, because we know that there are several protocols coming out that are actually used to defeat third-party monitoring. A lot of these third-party man-in-the-middle network taps that people have been relying on for security are actively viewed as attacks by some protocol standard-setting bodies. And so there's gotta be ways around that.
You have to maybe admit that sometimes you may not be able to monitor all the traffic on your network, or you may not want to monitor all the network traffic, maybe due to some compliance reasons. Like in the US, you may have HIPAA traffic crossing your network, you know, health information. You may not want your IT staff to have full access to that data. But then we came up with this, we're calling it a base logical architecture.
Again, this is all in the guide, but we broke down the major logical components. Now these may not be actual software components operating in a network, but they serve a logical function.
And again, you have the subject and the system, and they're going through a policy enforcement point. That's kind of the gatekeeper; think of that as the bouncer that's standing in front of the resource, whatever that is: database, web app, IoT device, who cares. And then we separated out the policy decision point into two components. We're calling them the policy engine and the policy administrator.
Think of the policy engine as the brains of zero trust that is actually doing any kind of calculation of either your trust score, confidence level, whatever you want to call it, or performing a series of checks to say, is this access request legitimate or not? Should I authorize this or not?
Has the user been authenticated? Is the device up to corporate policy? Is the environmental factor okay? Are they coming from a valid network, or a known bad set of IP addresses?
Then, do I allow that access request? It's a binary.
Yes, no. At that point. And then the administrator is the executor of that decision.
It talks to the policy enforcement points to allow or shut down that connection. In some cases, in some products we're seeing out there, the policy engine and the policy administrator are kind of one blob that's sometimes located in the cloud, but these are two distinct logical functions as we see it. And the things coming in from the left and the right, these are all the data sources that help the policy engine in its actual decision making.
You've got ID management systems, data, policy, threat intelligence, activity logs; that's the feedback loop. And lastly, at least one thing that's different that people outside of the government may not know is the one in the upper left. We're calling it a CDM system. That's another government program: continuous diagnostics and mitigation. That's kind of a device health and network monitoring program in the US government.
We've seen that. That's a previous program that's been going on for several years out of the Department of Homeland Security for agencies. And we're seeing that as kind of a prototype of zero trust. They were kind of being zero trust before the rest of us recognized that as zero trust.
And so we're saying, build upon that success to make up a full zero trust architecture. And then in our work, we interacted with a lot of vendors and brought them in, and we had an interagency meeting, and we broke down a lot of what we saw into various approaches and deployment models for zero trust. Again, this has helped formulate conceptual models.
We found three main approaches. Basically, this is: what is the load-bearing technology in your ZTA? And that's, we're thinking, either what we're calling enhanced identity governance, that's the kind of identity-based models that you've seen; microsegmentation-based, again, that could be through smart firewalls, appliances, whatever; and then the software defined perimeter kind of approach.
And that's where you see this in a lot of the software defined networking; there are intent-based networking technologies out there, those kinds of ideas, especially for cloud-based stuff. All these are different approaches to zero trust. It's like, where do you put that emphasis? But in a full zero trust architecture, you're gonna find elements of all three, because all three are important. You need to have this kind of microsegmentation of resources away from each other to prevent lateral movement.
Identity is very important to zero trust. And then, for cloud-based stuff, you can't do a lot of microsegmentation because it's all software-based, so you have software defined perimeters and those sorts of things. So you'll find elements of all three. And then there are deployment models.
Again, we're saying this is what we've seen out there. A lot of it is agent/gateway based. That is where that PEP, that policy enforcement point, is broken up into two components: one that resides on the client machine and one that sits in front of any kind of resource. A portal is just kind of the same thing, only there's no agent sitting on the client. And then we've seen some application sandbox kinds of things. All these models may work.
It just depends on what vendor you're using, and it may have different models for different workflows. Your HR systems that are doing employee onboarding may use a different set of systems than your mobile teleworkers out there that are submitting reports while on the road. Then we go into, where do we start? Again, we're trying to help agencies develop a conceptual framework and move forward in deploying their own zero trust architecture.
There are two main things that you need to do to at least start the groundwork. One is technical: you need to have an inventory of everything. You need to know what is on your network.
What is enterprise-owned versus not? Who are the users? What are their accounts? These are not just user accounts; you've got to think system accounts, any kind of AI systems that may be out there. What are the actual workflows in the enterprise? Not just what your business processes are, or what your mission is when it comes to agencies, but how do these things actually happen? Who is involved? What do they do, at what time and in what order?
And then the other one is cultural. Again, we've heard some talk in some previous talks: silos are kind of a big thing. In the government, we sometimes refer to those as cylinders of excellence. But the idea is that you need to get teams connected. You've got to find out who owns the data, who owns these processes, because they're gonna be the champions of that, and you need to bring them to the table in order to develop these policies. The security team can't just sit back off on their own, look at a set of checkboxes and say, yes, this is good security.
Everybody do this, because that becomes quite onerous. And the operations teams then see this and say, these don't work, you know?
And then they try to find ways to work around it, and then you get a shadow IT problem. So the idea is that you need to get these teams connected. The security team needs to talk to operations, and both teams need to talk to the actual workflow owner.
So, again, going back to the HR model: who does employee onboarding? How do they do that? Who exactly is involved?
And you can't develop these policies until you actually know that. So it's a team effort to develop a zero trust architecture. But to wrap up: our publication is out there.
It's free, it's on the internet, it's a public resource. And on top of that, there is an entity associated with NIST, the National Cybersecurity Center of Excellence. It's a research lab. They have a building block project where they're actually trying to demonstrate some of these architectures that we've written in the guide. Right now it's focused on resource access.
So they're doing things such as on-prem access by employees of the enterprise, collaboration scenarios, branch office scenarios, remote workers trying to reach resources both on-prem and in the cloud. Basically, they're trying to run through all these kinds of access scenarios. And they're bringing in a bunch of vendors; vendors join in. That's a cooperative agreement between the public sector and these private vendors to develop what they call a practice guide. And the practice guide describes how they built their solution to these problems.
How did they meet these scenarios? It's partially a descriptive guide about what problem they're trying to tackle, and at the end, it's more of a how-to cookbook guide saying, how did they actually use these vendor products, these vendor participants, how did we configure them, set them up to actually go through these scenarios? So it's kind of a cookbook thing at the end. So they're gonna be developing that; it's probably gonna be about a year-long project that's underway right now.
I think they are identifying the vendor collaborations. We've had a lot of interest from the vendor community to participate, and I think it's just resource-constrained as to how many we can invite in for the first wave. And then there might be building blocks on top of that. And lastly, some contact information, both for the NCCoE project and for two of the NIST authors of the zero trust architecture document. Again, feel free to reach out if anybody's interested.
There is a community of interest, especially I know for the NCCoE project; there'll be an announcement email as well as maybe a forum or collaborative space for people to contribute and review some of the work as it's ongoing and provide feedback to improve it. So that's kind of a whirlwind review of SP 800-207 and the zero trust project here at NIST. If there are any questions, I guess I could take them now.
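As an added illustration of the logical components the talk describes (a policy enforcement point in front of the resource, a policy engine that consults identity, device-health and threat-intelligence data sources and collapses its checks into a binary decision, and a policy administrator that executes that decision by instructing the enforcement point and logging the outcome), here is a small Python model. It is example code written for this page, not NIST's or the NCCoE's; the identity store, device inventory, blocked network, resource policy and the confidence-score weights are all constructed, assumed values.

```python
"""Toy model of the SP 800-207 logical components: PEP -> PE -> PA -> PEP.

Constructed example; the data sources, scoring weights and thresholds are
assumptions made for illustration, not values from the publication.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed data sources the policy engine consults.
IDENTITY_STORE = {  # ID management system: who the subjects are
    "alice": {"mfa": True, "groups": {"hr"}},
    "svc-backup": {"mfa": False, "groups": {"backup"}},  # system account
}
DEVICE_HEALTH = {  # CDM-style device inventory and patch status
    "laptop-17": {"enterprise_owned": True, "patched": True},
    "byod-phone": {"enterprise_owned": False, "patched": False},
}
# Threat intelligence: constructed "known bad" range (TEST-NET-3, RFC 5737).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
RESOURCE_POLICY = {  # data policy: who may reach what, and the minimum confidence
    "hr-db": {"groups": {"hr"}, "min_confidence": 0.8},
    "backup-share": {"groups": {"backup"}, "min_confidence": 0.5},
}
ACTIVITY_LOG = []  # the feedback loop the talk mentions


@dataclass
class AccessRequest:
    subject: str
    device: str
    source_ip: str
    resource: str


@dataclass
class Decision:
    allow: bool
    confidence: float
    reasons: list = field(default_factory=list)


def policy_engine(req: AccessRequest) -> Decision:
    """PE: run the checks, compute a confidence score, emit a yes/no."""
    reasons = []
    confidence = 1.0
    user = IDENTITY_STORE.get(req.subject)
    if user is None:
        return Decision(False, 0.0, ["unknown subject"])
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, 0.0, ["unknown resource"])
    if not user["groups"] & policy["groups"]:   # authorization
        reasons.append("subject not authorized for resource")
        confidence = 0.0
    if not user["mfa"]:                         # authentication strength
        reasons.append("no MFA")
        confidence -= 0.3
    dev = DEVICE_HEALTH.get(req.device)         # device health / inventory
    if dev is None:
        reasons.append("unknown device")
        confidence -= 0.5
    else:
        if not dev["enterprise_owned"]:
            reasons.append("device not enterprise owned")
            confidence -= 0.2
        if not dev["patched"]:
            reasons.append("device out of patch policy")
            confidence -= 0.3
    ip = ipaddress.ip_address(req.source_ip)   # environmental factor
    if any(ip in net for net in BLOCKED_NETWORKS):
        reasons.append("source in blocked network")
        confidence = 0.0
    confidence = round(max(confidence, 0.0), 2)
    # The score is internal; what leaves the PE is binary.
    return Decision(confidence >= policy["min_confidence"], confidence, reasons)


def policy_administrator(req: AccessRequest, decision: Decision) -> str:
    """PA: execute the PE's decision by instructing the PEP, and log it."""
    instruction = "ALLOW" if decision.allow else "TERMINATE"
    ACTIVITY_LOG.append((req.subject, req.resource, instruction, decision.reasons))
    return instruction


def pep_handle(req: AccessRequest):
    """PEP: the gatekeeper. Forwards the request and obeys the PA's instruction."""
    decision = policy_engine(req)
    return policy_administrator(req, decision), decision


if __name__ == "__main__":
    for r in [AccessRequest("alice", "laptop-17", "192.0.2.10", "hr-db"),
              AccessRequest("alice", "byod-phone", "192.0.2.10", "hr-db"),
              AccessRequest("svc-backup", "laptop-17", "203.0.113.5", "backup-share")]:
        print(r.subject, r.resource, *pep_handle(r))
```

The point of the split is visible in the code: the engine's score and reasons never reach the enforcement point, which only ever receives an allow or terminate instruction from the administrator, and every decision lands in the activity log so the data sources can be tuned from what actually happened.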