NSA, Microsoft promote a Zero Trust approach to cybersecurity

The National Security Agency (NSA) and Microsoft are advocating for the Zero Trust security model as a more efficient way for enterprises to defend against today’s increasingly sophisticated threats.

The concept has been around for a while and centers on the assumption that an intruder may already be on the network, so local devices and connections should never be trusted implicitly and verification is always necessary.

Cybersecurity companies have pushed the zero-trust network model for years, as a transition from the traditional security design that considered only external threats.

The model was created in 2010 by John Kindervag, who also coined the term "zero trust," principal analyst at Forrester Research at the time but talks about it had started in early 2000s. Google implemented zero-trust security concepts following Operation Aurora in 2009 for an internal project that became BeyondCorp.

Zero Trust defense for critical networks

The recent SolarWinds supply-chain attack, also attributed to a nation-state actor, renewed the discussion on the benefits of the zero trust security architecture for sensitive networks.

Microsoft President Brad Smith advocated for the zero-trust model in his U.S. Senate testimony regarding the SolarWinds cyberattack, saying that this concept is the best approach for an organization or agency to ensure the security of identity in their networks.

Talking about the security of U.S. government networks targeted by the attack, Smith said:

Now, both the NSA and Microsoft are recommending the zero-trust security model for critical networks (National Security Systems, Department of Defense, Defense Industrial Base) and large enterprises.

Zero Trust is a long-term project

The guiding principles for this concept are constant verification of user authentication or authorization, the least privileged access, and segmented access based on network, user, device, and app.

The above diagram from Microsoft shows how Zero Trust security with a security policy enforcement engine can assess in real-time. The model grants access to data, apps, infrastructure, and networks after verifying and authenticating identities and checking that the devices are safe.

Understanding and controlling how users, processes, and devices engage with the data is the fundamental purpose of Zero Trust, the NSA explains.

Multiple data points are required to paint an accurate picture of the activity on the network, evaluate its legitimacy, and prevent a threat actor’s lateral movement.

Combining user and device data with security-relevant information such as location, time, logged behavior, can be used by the system to allow or deny access to specific assets, and the decision is logged for use in future suspicious activity analytics. This process applies to every individual access request to a sensitive resource.

Building a mature zero-trust environment, though, is not a task done overnight but a gradual transition that often requires additional capabilities as it does not address new adversary tools, tactics, or techniques.

The good news is that the transition can be incremental and reduces risk at each step, drastically improving visibility and automated responses over time.

Zero Trust network benefits

To show the benefits of a Zero Trust network, the NSA gives three examples based on real cybersecurity incidents where the threat actor would have been unsuccessful if the concept had been implemented.

In the first one, the actor accessed a victim organization’s network from an unauthorized device using legitimate credentials stolen from an employee - a level of authentication that is sufficient in a traditional security environment.

The second example features a malicious party that is either an insider threat or an actor that compromised “a user’s device through an Internet-based mobile code exploit.”

In a typical environment, the actor can enumerate the network, escalate privileges, and move laterally on the network to achieve persistence or find valuable data and systems.

The third example from the NSA is that of a supply-chain attack, where the actor adds malicious code to “a popular enterprise network device or application” that the victim organization maintains and updates regularly following best practices.

Under a Zero Trust architecture, the compromised device or app would not be able to communicate with the threat actor because it would not be trusted by default.

The agency recognizes that besides the technical challenges arising from re-engineering an existing information system based on the Zero Trust model, resistance throughout the organization may be another hurdle that reduces the effectiveness of the system.

Users, administrators, and top management should all embrace the same mindset for Zero Trust to work. That is, leaders should spend the resources to build and maintain it, network admins and defenders should have the necessary expertise, and users should not be able to circumvent policies.

“Once even basic or intermediate Zero Trust capabilities are integrated into a network, follow-through is necessary to mature the implementation and achieve full benefits,” the NSA says.

The agency is now working with DoD customers in setting up Zero Trust systems and coordinating activities with current NSS and DoD programs.

Additional guidance is being prepared to make Zero Trust principles easier to incorporate into enterprise networks. Organizations looking to adopt the concept can also find documentation and methodology from NIST as well as from several cybersecurity companies, some of them offering solutions for easier implementation.