In a simpler time, securing organizational infrastructure was relatively easy: Most if not all applications, services, and resources necessary for a user – usually an employee – to be productive were available on the network. With the right credentials, usually a username and password, users were considered authorized and trusted and could access the network and use any application, service, and resource to which they were authorized, plus see most of the other applications, services, and resources on the network. Organizations built up their perimeter security and they felt safe and secure from attacks and threats, because everything was safe behind the fortified walls of the network “castle.”
Over time, though, securing an organization’s applications, services, and resources became exceedingly complex and difficult. Today, the network perimeter is not easily defined or identifiable, particularly with the ever-increasing use of clouds, the work-from-anywhere movement, mobile device use, and explosion of Internet of Things (IoT). Staff may be comprised of employees, contractors, consultants, supply chain vendors, and more. The sheer complexity of today’s organizational infrastructure has quickly outstripped what perimeter-based network security is able to handle.
Enter Zero Trust. Zero Trust is not a new idea, however it’s a security concept that’s more relevant and important today than ever. A Zero Trust Architecture eliminates the model of a trusted network inside a defined perimeter. Zero Trust assumes that an attacker is already present in an environment. It also presumes that an organization-owned environment is no different—and no more trustworthy—than any environment that is not owned by an organization. Also, an organization must never assume implicit trust. The Zero Trust maxim is “Never Trust, Always Verify.”
As the concept and desire to adopt a Zero Trust Architecture grew, so too did confusion about what exactly was a Zero Trust Architecture.
In an effort to aid understanding of Zero Trust Architecture, the National Institute of Standards and Technology (NIST) developed NIST Special Publication (SP) 800-207, Zero Trust Architecture. While not a deployment guide or plan, SP 800-207 describes Zero Trust for security architects and delivers a road map for the migration and deployment of the security requirements for a Zero Trust Architecture.
F5 has been named as one of 18 vendors to collaborate with NIST’s NCCoE on the “Implementing a Zero Trust Architecture Project” to develop practical, interoperable approaches to designing and building Zero Trust Architectures that align with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture. The proposed example solutions will integrate commercial and open-source products together that leverage cybersecurity standards and recommended practices to showcase the robust security features of a Zero Trust Architecture applied to several common enterprise IT use cases. (Please note that NIST does not evaluate commercial products under this consortium and does not endorse any product or service used.)
Additional information on this consortium can be found at https://www.nccoe.nist.gov/zerotrust.
“F5 is honored and excited to announce our collaboration with National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) on their “Implementing a Zero Trust Architecture Project,” states Peter Kersten, Vice President, Sales - Federal. “We look forward to a strong collaborative effort with our partners and other leading security stalwarts that culminates in reference architectures and demonstrations of a variety of interactive, integrated design approaches for a Zero Trust Architecture that maintain the principles and tenets published in the NIST SP 800-207, Zero Trust Architecture.”
F5 is joined on this project by collaborators Amazon Web Services (AWS), AppGate, Cisco, FireEye, Forescout, IBM, Ivanti, McAfee, Microsoft, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec (Broadcom), Tenable and Zscaler.
The result of this project will be a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps necessary to implement cybersecurity reference designs for a Zero Trust Architecture.