Applying the NIST Zero Trust Model via App Access Cloud
Though the term Zero Trust was coined in 2010, defining precisely what Zero Trust means and how to deliver it has been a process. Ten years later, in August 2020, NIST released SP 800-207, defining best practices for creating a Zero Trust Network Architecture. Rather than the static "once and done" security measures of the past, such as turning on a VPN or setting up firewall or static LDAP rules, NIST affirms that a Zero Trust architecture must operate as a dynamic workflow analysis and respond at all stages of credential/user validation, authentication, and authorization.
A VPN is not a Zero Trust architecture
A Zero Trust architecture is quite different from a VPN, even if that VPN is in the cloud. A VPN creates a private network over a public internet connection, solving the problem of users who are off the network, but that is not adequate security for today's environments. A VPN is not a Zero Trust solution because once the user is connected, they are on the network and fully trusted with open access to potentially everything, even if that network is software defined. In addition, the VPN itself is an attack surface exposed to the public internet. And as many learned in 2020, VPNs are not just a weak link for security; they are also hard to scale overnight in the event of a sudden change of location or a migration of employees toward a work-from-home model.
For application resources in any location, Axis Security can replace the VPN and provide secure access that conforms with the NIST Zero Trust architecture tenets.
How does NIST define a Zero Trust architecture?
NIST Special Publication 800-207 defines Zero Trust architecture through seven basic tenets:
- All data sources and services are resources
- Authentication and authorization rules must be enforced before access is permitted
- Access to resources must be granted session by session
- Access is granted by dynamic policy
- All communication is secured
- Monitor and measure the security posture of all assets
- Collect information about security hygiene, network entities, and communication, and use the information to constantly improve in a regular program cycle
Shift left fast to a Zero Trust model
Applications are the main data sources and services for almost every organization. Axis Security’s Application Access Cloud is a fast and simple way to shift left to Zero Trust without reconfiguring your existing network and in many cases without requiring installation of an agent on the endpoint. The App Access Cloud is designed to enforce the NIST Zero Trust architecture tenets for users accessing work applications and resources located anywhere — on company premises or in the cloud. It was built to deliver and enforce Zero Trust access from any user, anywhere, to any destination resource for the organization. Here’s how it works.
It starts with the user and their device
With so much malware in the marketplace and so many attacks based on stolen or forged user credentials, the first step is all about device posture and hygiene: what kind of device is attempting to access the resource? Before initiating a session, App Access Cloud checks a list of acceptable parameters for the connection, including user and device context. If a user at home attempts to access an application with a company-issued laptop that has passed a device posture check, they may get full access permissions for that application; but if they later attempt to access the same application from a personal device that is not managed by the company, policies can step in and limit permissions to read-only. Once authentication is confirmed, access is granted; however, authorization is continuously re-confirmed throughout the access session.
It is continuous
Once a user is confirmed and connected, Zero Trust principles do not stop. The App Access Cloud monitors each user session, offering adaptive policy enforcement appropriate to the sensitivity and data control policies of the application and the changing context of the user and device. Nuanced policies can restrict attempts to copy and paste or to download files, based on changing user context as well as device security posture and hygiene. If context changes mid-session, policies enforce the change in real time. Down to the granular level, every request a user makes to an application is brokered and sanitized before being forwarded on, ensuring only well-formed requests are ever delivered.
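To make the decision flow described in the two sections above concrete (posture check before a session, step-down to read-only on an unmanaged device, and re-evaluation of every request so a session is revoked when context degrades), here is an added example of a minimal policy decision point. It was written for this article and is not Axis Security's code; it does not reflect App Access Cloud's internal policy schema. The `Context` fields, the `APP_SENSITIVITY` labels, the `READ_METHODS` set and the step-down rules are assumptions constructed for illustration.

```python
"""Minimal Zero Trust policy decision point (illustrative, not Axis Security code).

Every request is evaluated against the *current* user/device context, access is
scoped to one application per session, and a session is revoked as soon as the
context no longer satisfies policy. Field names and rules are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import itertools


class Access(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    FULL = "full"


@dataclass(frozen=True)
class Context:
    """Assumed per-request signals from an identity provider and a device agent."""
    user: str
    mfa_passed: bool
    device_managed: bool
    disk_encrypted: bool
    edr_running: bool


@dataclass
class Session:
    user: str
    app: str
    access: Access
    active: bool = True


# Constructed sensitivity labels; a real deployment would load these from policy config.
APP_SENSITIVITY = {"wiki": "low", "hr-portal": "high"}

# Request methods that only read; anything else is treated as a write.
READ_METHODS = {"GET", "HEAD"}


def device_posture_ok(ctx: Context) -> bool:
    """Device hygiene check: managed, disk encrypted, endpoint protection running."""
    return ctx.device_managed and ctx.disk_encrypted and ctx.edr_running


def decide(app: str, ctx: Context) -> Access:
    """Dynamic policy: the decision depends on the resource and the current context."""
    if not ctx.mfa_passed:
        return Access.DENY            # authentication is enforced before any access
    sensitivity = APP_SENSITIVITY.get(app)
    if sensitivity is None:
        return Access.DENY            # unknown resource: default deny
    if device_posture_ok(ctx):
        return Access.FULL
    if sensitivity == "low":
        return Access.READ_ONLY       # unmanaged or unhealthy device: step down
    return Access.DENY                # sensitive app is never reachable from a weak device


class PolicyEngine:
    """Brokers access session by session and re-evaluates on every request."""

    def __init__(self) -> None:
        self.sessions = {}            # session id -> Session
        self.audit = []               # step-by-step log for post-event investigation
        self._ids = itertools.count(1)

    def open_session(self, app: str, ctx: Context):
        """Grant a session for one app only; returns a session id, or None if denied."""
        access = decide(app, ctx)
        self.audit.append(("open", ctx.user, app, access.value))
        if access is Access.DENY:
            return None
        sid = next(self._ids)
        self.sessions[sid] = Session(ctx.user, app, access)
        return sid

    def authorize_request(self, sid: int, method: str, ctx: Context) -> bool:
        """Authorize one request using the context observed now, not at login."""
        session = self.sessions.get(sid)
        if session is None or not session.active:
            return False
        current = decide(session.app, ctx)
        if current is Access.DENY:
            session.active = False    # context changed mid-session: revoke
            self.audit.append(("revoke", session.user, session.app, method))
            return False
        session.access = current      # step up or down as posture changes
        allowed = method in READ_METHODS or current is Access.FULL
        self.audit.append(("request", session.user, session.app, method, allowed))
        return allowed


if __name__ == "__main__":
    engine = PolicyEngine()
    laptop = Context("alice", True, True, True, True)      # constructed healthy managed device
    sid = engine.open_session("hr-portal", laptop)
    print(engine.authorize_request(sid, "POST", laptop))    # True
    degraded = Context("alice", True, True, True, False)   # endpoint protection stopped mid-session
    print(engine.authorize_request(sid, "GET", degraded))   # False: session revoked
```

The point of the design is that `decide` is called on every request rather than once at login: a session is only a handle to one application, and the grant it carries is recomputed from the latest context, so a device that fails posture after the session started loses access immediately rather than at the next login.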
It keeps applications and data isolated
Application Access Cloud isolates applications and then governs access for each app and resource individually – the user is never on the corporate network. Every application remains isolated from the internal network and the internet.
It has continuous visibility and centralized policies
App Access Cloud includes centralized access policy management to govern which users can access specific applications, and it tracks their activity, providing detailed views of user and application behavior during each session. This visibility and control over connections and the subsequent data flow help prevent breaches and data loss by rogue users and malware alike, and provide a step-by-step log of session activity for any post-event incident investigation.
Complying with NIST SP 800-207 is a good idea
Good Zero Trust architecture principles involve more than just securing assets behind high walls. Every step of a user's interaction with organizational resources is part of the Zero Trust model, from data and users to analytics and automation. Axis Security can show you how to apply these principles to all your work applications.
Download our NIST Zero Trust Architecture Compliance whitepaper to learn more.