Industry Best Practices for Zero Trust Architecture
Abstract
In the modern era of cybersecurity, zero trust architecture (ZTA) has emerged as an important topic of discussion in both the public and private sectors. The National Institute of Standards and Technology (NIST) defines zero trust (ZT) and ZTA as follows [NIST 2020]: Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise's cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan. ZTA has the potential to improve an enterprise's security posture. Recent executive orders M-22-009 [White House 2022] and M-21-31 [White House 2021] have accelerated the timeline for zero trust adoption in the federal sector, and many private sector organizations are following suit. However, there is still considerable uncertainty about the ZT transformation process and how ZTA will ultimately appear in practice.
Document Details
- Document Type: Technical Report
- Publication Date: Nov 01, 2022
- Accession Number: AD1187390
Entities
People
- Matthew Nicolai
- Nate Richmond
- Tim Morrow
Organizations
- Carnegie Mellon University