Zero Trust

 View Only
  • 1.  NIST SP 1800-35 Implementing a Zero Trust Architecture: High-level Overview 4th Preliminary Draft for comment

    Posted Aug 06, 2024 10:08:00 AM
      |   view attached

    Hi All,

    The NIST National Cybersecurity Center of Excellence (NCCoE) has released the fourth version of our preliminary draft practice guide, Implementing a Zero Trust Architecture (NIST SP 1800-35), for public comment. This publication outlines results and best practices from the NCCoE effort to work with 24 vendors to demonstrate end-to-end zero trust architectures.

    As an enterprise's data and resources have become distributed across on-premises and multiple cloud environments, protecting them has become increasingly challenging. Many users need options to access information across the globe, at all hours, across devices. The NCCoE is addressing these unique challenges by collaborating with industry participants to demonstrate 17 sample zero trust architecture implementations (applied to a conventional, general-purpose enterprise IT infrastructure).

    Detailed technical information for each sample implementation can serve as a valuable resource for technology implementers by providing models they can replicate. The lessons learned from the implementations and integrations can help organizations save time and resources.
    Starting with this release, we are introducing our traditional NIST SP 1800-35 document in two formats; one "High-Level Document in PDF Format" and one "Full Document in Web Format."

    The PDF document is meant to serve as introductory reading and provide insight into the project effort (since it provides a high-level summary of project goals, reference architecture, various ZTA implementations, and findings).
    The web-format document provides in-depth details about the technologies leveraged, their integrations and configurations, and the use cases and scenarios demonstrated. It also contains information on the implemented security capabilities and their mappings to the NIST Cybersecurity Framework (CSF) versions 1.1 and 2.0, NIST SP 800-53r5, and security measures outlined in "EO-Critical Software" under Executive Order 14028.

    We welcome your input and look forward to your comments by September 30, 2024.

    PDF Version

     https://www.nccoe.nist.gov/sites/default/files/2024-07/zta-nist-sp-1800-35-preliminary-draft-4.pdf

    Web Version

    https://pages.nist.gov/zero-trust-architecture/index.html



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, Exec MBA,
    ------------------------------


  • 2.  RE: NIST SP 1800-35 Implementing a Zero Trust Architecture: High-level Overview 4th Preliminary Draft for comment
    Best Answer

    Posted Aug 07, 2024 08:24:00 AM
    Edited by Erik Johnson Aug 19, 2024 01:04:36 PM

    Main NIST 1800-35 landing page: https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture

    "Conventional network security has focused on perimeter defenses, but many organizations no longer have a clearly-defined perimeter. To protect a modern digital enterprise, organizations need a comprehensive strategy for secure “anytime, anywhere” access to their corporate resources (e.g., applications, legacy systems, data, and devices) regardless of where they are located."

    The ZT9 workgroup is reviewing this document and is taking the lead in assembling an aggregate set of CSA comments to submit to NIST. 

    Link to ZT9 CSA comments aggregation spreadsheet

    NIST is particularly interested in feedback on the following questions:

    1. How well do the practices in this guide relate to existing practices leveraged by your organization?
      Are there significant gaps between the sets of practices that this guide should address?
    2. How do you expect this guide to influence your future practices and processes?
    3. How do you envision using this guide? What changes would you like to see to increase/improve that use?
    4. What suggestions do you have on changing the format of the provided information?


    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 3.  RE: NIST SP 1800-35 Implementing a Zero Trust Architecture: High-level Overview 4th Preliminary Draft for comment

    Posted Aug 13, 2024 08:27:00 AM

    Related article and interesting diagram from Microsoft outlining their collaboration with NIST on this guidance.

    How Microsoft and NIST are collaborating to advance the Zero Trust Implementation



    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 4.  RE: NIST SP 1800-35 Implementing a Zero Trust Architecture: High-level Overview 4th Preliminary Draft for comment

    Posted Aug 07, 2024 08:48:00 AM

    From Section 8 Zero Trust Journey Takeaways...

    ...As of this writing, 17 ZTA builds have been completed and are documented. We are currently developing
    two additional builds, with a continued focus on the use of micro-segmentation, SDP, and SASE. Lessons
    learned from the additional builds may necessitate minor updates to the takeaways.

    Does anyone have access or a link to the 17 ZTA build documentation?



    ------------------------------
    Joe Dietz, Jr.
    Cybersecurity Architect
    Deloitte
    ------------------------------