The special publication discusses the components of a Zero Trust Architecture (ZTA) and provides use cases where ZTA can enhance the security posture of an enterprise.
What is zero trust architecture?
Zero Trust describes a network or data architecture that focuses on protecting data by limiting trust.
The draft defines ZTA as, “Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.”
ZTA makes a different set of assumptions for the enterprise-owned and the non-enterprise-owned network infrastructure that it operates on.
Gaps identified in current ZTA
A survey conducted to produce the document identified certain gaps in the current ZTA ecosystem. These gaps included a lack of common terms for ZTA, knowledge gaps, and unavailability of a solution that provides all the necessary components, among others.
Draft open for comments
The stated purpose of the publication is to develop a technology-neutral set of terms, definitions, and logical components of network infrastructure, not to provide guidance on implementing ZTA. Reviewers are welcome to provide comments until November 22, 2019, keeping this purpose in mind.