ZT Arch Fact Sheet
The National Cybersecurity Center of Excellence (NCCoE) is addressing the challenge of implementing a zero
trust architecture (ZTA) through collaborative efforts with industry and the information technology (IT)
community, including cybersecurity solutions providers. This fact sheet provides an overview of the
Implementing a Zero Trust Architecture project, including background, goal, potential benefits, and project
collaborators.
BACKGROUND
The conventional security approach has focused on perimeter defenses. Once inside the network perimeter, users are “trusted” and often given broad access to many corporate resources. But malicious actors can come from inside or outside the perimeter, and several high-profile cyberattacks in recent years have undermined the case for the perimeter-based model. Moreover, the perimeter is becoming less relevant due to several factors, including the growth of cloud computing and mobility, and changes in the modern workforce.
Zero trust is a cybersecurity strategy that focuses on moving perimeter-based defenses from wide, static perimeters to narrow, dynamic, and risk-based access control for enterprise resources regardless of where they are located. Zero trust access control is based on a number of attributes such as identity and endpoint health.
CHALLENGE
The challenges to implementing a ZTA include:
• Leveraging existing investments and balancing priorities while making progress toward a ZTA via modernization initiatives
• Integrating various types of commercially available technologies of varying maturities, assessing capabilities, and identifying technology gaps to build a complete ZTA
• Concern that ZTA might negatively impact the operation of the environment or end-user experience
• Lack of common understanding of ZTA across the organization, gauging the organization’s ZTA maturity, determining which ZTA approach is most suitable for the business, and developing an implementation plan
GOALS
The goal of this NCCoE project is to demonstrate several example ZTA solutions—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture.
BENEFITS
The potential business benefits of the example solutions include:
• Support user access to resources regardless of user location or user device (managed or unmanaged)
• Protect business assets and processes regardless of their location (on-premises or cloud-based)
• Limit the insider threat (insiders—both users and non-person entities—are not automatically trusted)
• Limit breaches (reduce attackers’ ability to move laterally and escalate privilege within the environment)
• Protect sensitive corporate information with data security solutions
• Improve visibility into the inventory of resources, what configurations and controls are implemented, all communications and their specific flows, and how resources are accessed and protected, and then use this understanding to formulate and enforce a useful and complete security policy
• Perform real-time and continuous monitoring and logging, and policy-driven, risk-based assessment and enforcement of resource access policy
@NISTcyber [email protected]
HIGH-LEVEL ARCHITECTURE
A ZTA is designed for secure access to enterprise resources. Shown here is a high-level, notional architecture of the core
components of a ZTA build for a typical IT enterprise and the functional components to support it. A detailed explanation of
each component can be found within the practice guide and project description at https://www.nccoe.nist.gov/zerotrust.
[Figure: notional high-level ZTA architecture. Core components: Policy Administrator(s) and Policy Enforcement Point(s) mediating access by a User on an Endpoint to resources hosted On-Prem and in the Cloud. Supporting Components: Identity, Credential, and Access Management.]
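As an added illustration of the per-request, attribute-based decision the Policy Administrator makes before a Policy Enforcement Point grants access (example code written for this fact sheet, not part of the NCCoE build; all attribute names, group names, and the patch-age threshold are hypothetical):

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hypothetical attribute sets; a real build draws these from ICAM and
# endpoint-management systems. All names and thresholds are constructed.
@dataclass(frozen=True)
class Subject:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool          # identity attribute

@dataclass(frozen=True)
class Endpoint:
    device_id: str
    managed: bool               # enrolled in enterprise device management
    disk_encrypted: bool        # endpoint-health attributes
    patch_age_days: int

@dataclass(frozen=True)
class Resource:
    name: str
    location: str               # "on-prem" or "cloud"; the decision ignores it
    sensitivity: str            # "low" or "high"
    allowed_groups: FrozenSet[str]

MAX_PATCH_AGE_DAYS = 30         # hypothetical health threshold

def endpoint_healthy(ep: Endpoint) -> bool:
    """Endpoint health is re-checked on every request, not once at logon."""
    return ep.disk_encrypted and ep.patch_age_days <= MAX_PATCH_AGE_DAYS

def decide(subj: Subject, ep: Endpoint, res: Resource,
           audit: List[str]) -> Tuple[bool, str]:
    """Policy decision for one access request. Network location of the
    subject is deliberately not an input: no implicit trust from being
    'inside'. Returns (allow, reason) and appends an audit record."""
    if not subj.groups & res.allowed_groups:
        verdict = (False, "subject not entitled to resource")
    elif not endpoint_healthy(ep):
        verdict = (False, "endpoint fails health check")
    elif res.sensitivity == "high" and not subj.mfa_verified:
        verdict = (False, "MFA required for high-sensitivity resource")
    elif res.sensitivity == "high" and not ep.managed:
        verdict = (False, "unmanaged device limited to low-sensitivity resources")
    else:
        verdict = (True, "all policy attributes satisfied")
    audit.append(f"{subj.user} {ep.device_id} -> {res.name}@{res.location}: "
                 f"{'ALLOW' if verdict[0] else 'DENY'} ({verdict[1]})")
    return verdict
```

Every decision, allowed or denied, lands in the audit list, which is the hook for the continuous monitoring and logging the fact sheet lists as a benefit.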
TECHNOLOGY COLLABORATORS
The technology vendors participating in this project submitted their capabilities in response to an open call in the Federal
Register. Companies with relevant security capabilities were invited to sign a Cooperative Research and Development
Agreement with the National Institute of Standards and Technology (NIST), allowing them to participate in a consortium to
build this example solution.
Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other
insignia to acknowledge their participation in this collaboration or to describe an experimental procedure or concept
adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or
endorsement by NIST or the NCCoE; neither is it intended to imply that the entities, equipment, products, or materials
are necessarily the best available.
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub
where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity
challenges. Through this collaboration, the NCCoE develops modular, easily adaptable example cybersecurity solutions demonstrating how to apply
standards and best practices using commercially available technology.
LEARN MORE
For more information about this project, visit:
https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture