Zero Trust Adoption: Managing Risk with Cybersecurity Engineering and Adaptive Risk Assessment

Zero trust adoption challenges many organizations. It is not a specific technology to buy, but a security initiative that an enterprise must understand, interpret, and implement. Enterprise security initiatives are never simple: improving cybersecurity posture requires aligning multiple stakeholders, systems, acquisitions, and rapidly changing technology. That alignment is a complex undertaking, and it requires cybersecurity strategy and engineering to succeed.

In this and a series of future posts, we provide an overview of zero trust and management of its risk with SEI’s cybersecurity engineering assessment framework. This adaptive framework incorporates multiple assessment methods that address lifecycle challenges that organizations face on a zero-trust journey.

Zero Trust Tenets

An organization's zero trust journey begins with understanding what zero trust offers. Zero trust is a security model coined at Forrester in 2010 that aims to reduce the risk inherent in perimeter-based security architectures. Conceptually, zero trust accomplishes this by removing implied trust and explicitly authenticating and authorizing subjects, assets, and workflows, following the seven tenets outlined in NIST SP 800-207:

1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy, including the observable state of client identity, application/service, and the requesting asset, and may include other behavioral and environmental attributes.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it to improve its security posture.
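To make tenets 1, 3, 4, 5 and 6 concrete, the following is an added example of a small policy decision point written for this page. It is not code from the SEI post, NIST SP 800-207, or the NCCoE project. The resource names, the posture attributes on the device, the risk score, the 15-minute posture freshness limit and the 30-minute session window are all assumptions chosen for illustration; a real deployment would source these from its identity provider, device-management and analytics systems.

```python
"""Minimal policy decision point (PDP) illustrating NIST SP 800-207 tenets.

Added example for this page; not code from SEI, NIST, or NCCoE. Resource
names, attribute fields, thresholds and TTLs are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

# Assumed thresholds (not from the post): posture data older than this is
# treated as unknown, and every grant is scoped to one session window.
POSTURE_MAX_AGE = timedelta(minutes=15)
SESSION_TTL = timedelta(minutes=30)


@dataclass(frozen=True)
class Subject:
    """Client identity as observed by the identity provider."""
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Asset:
    """Requesting device and its measured security posture (tenet 5)."""
    device_id: str
    managed: bool            # enrolled in enterprise device management
    patched: bool            # OS and agents at the required patch level
    edr_healthy: bool        # endpoint agent reporting and not tampered with
    posture_checked_at: datetime


@dataclass(frozen=True)
class Context:
    """Environmental and behavioral attributes supplied with the request."""
    now: datetime
    risk_score: int          # 0-100, from a hypothetical analytics feed


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None


# Every resource is enumerated explicitly (tenet 1); anything not listed is
# denied. Entries and thresholds are constructed for this example.
RESOURCE_POLICY = {
    "payroll-api": {"groups": {"finance"}, "mfa": True, "managed": True, "max_risk": 30},
    "wiki": {"groups": {"staff"}, "mfa": False, "managed": False, "max_risk": 70},
}


def decide(subject: Subject, asset: Asset, ctx: Context, resource: str) -> Decision:
    """Evaluate one access request against dynamic policy; default is deny."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return Decision(False, "unknown resource")
    if not (subject.groups & policy["groups"]):
        return Decision(False, "subject not entitled to resource")
    if policy["mfa"] and not subject.mfa_verified:
        return Decision(False, "MFA required")
    if policy["managed"] and not asset.managed:
        return Decision(False, "managed device required")
    # A stale posture measurement is treated the same as no measurement.
    if ctx.now - asset.posture_checked_at > POSTURE_MAX_AGE:
        return Decision(False, "device posture stale")
    if not (asset.patched and asset.edr_healthy):
        return Decision(False, "device posture failed")
    if ctx.risk_score > policy["max_risk"]:
        return Decision(False, "risk score above resource threshold")
    # The grant is per session (tenet 3): the enforcement point must re-ask after expiry.
    return Decision(True, "granted", expires_at=ctx.now + SESSION_TTL)


def session_valid(decision: Decision, now: datetime) -> bool:
    """Enforcement-point check applied on each use of an earlier grant (tenet 6)."""
    return decision.allow and decision.expires_at is not None and now < decision.expires_at


def demo() -> Dict[str, object]:
    """Constructed scenarios (sample data, not real telemetry)."""
    now = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
    alice = Subject("alice", frozenset({"staff", "finance"}), mfa_verified=True)
    fresh = Asset("lt-001", True, True, True, now - timedelta(minutes=2))
    stale = Asset("lt-001", True, True, True, now - timedelta(hours=3))
    byod = Asset("ph-007", False, True, True, now - timedelta(minutes=1))
    calm = Context(now, risk_score=10)
    grant = decide(alice, fresh, calm, "payroll-api")
    return {
        "payroll_ok": grant,
        "payroll_stale": decide(alice, stale, calm, "payroll-api"),
        "payroll_byod": decide(alice, byod, calm, "payroll-api"),
        "wiki_byod": decide(alice, byod, calm, "wiki"),
        "payroll_risky": decide(alice, fresh, Context(now, risk_score=55), "payroll-api"),
        "unknown": decide(alice, fresh, calm, "hr-db"),
        "session_live": session_valid(grant, now + timedelta(minutes=5)),
        "session_expired": session_valid(grant, now + timedelta(minutes=45)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the example is the shape of the decision, not the specific thresholds: the same subject on the same day is allowed or denied depending on which device she uses, how recently its posture was measured, and the current risk signal, and even a granted session must be re-evaluated once its window closes.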

Industry is adopting these tenets through various projects, products, and publications. For example, NIST Special Publication 800-207: Zero Trust Architecture documents zero trust architecture principles, deployment models, and use cases. The NCCoE Implementing a Zero Trust Architecture Project builds on NIST by demonstrating zero trust principles through development



The post Zero Trust Adoption: Managing Risk with Cybersecurity Engineering and Adaptive Risk Assessment appeared first on Carnegie Mellon University's Software Engineering Institute Blog.
