Guides: NIST Zero Trust

NIST Zero Trust: Principles, Components, and How to Get Started

What Is the NIST Zero Trust Architecture?

The NIST Zero Trust Architecture is a security framework to counteract evolving cyber threats. It operates on the principle that no user or device should be trusted by default, whether inside or outside the network perimeter. Zero trust emphasizes the need for strict identity verification and access control for all users attempting to access network resources.

By employing a set of policies and technologies, the NIST architecture helps organizations protect their critical assets from unauthorized access and misuse. Organizations adopting this model can reduce the risk of breaches and ensure better data protection through continuous verification and strict access management.

You can read the original NIST Zero Trust Architecture publication here.

In this article:

History and Adoption of Zero Trust

Introduced by John Kindervag in 2010, the concept of zero trust emerged as a response to the failure of traditional perimeter-based security. Its adoption accelerated with initiatives like Google’s BeyondCorp and Gartner’s Zero Trust Network Access (ZTNA), which emphasized secure, application-specific access through continuous verification.

By 2019, ZTNA had become a widely recognized model for mitigating threats like lateral movement and unauthorized access. Large corporations and the U.S. government, guided by NIST’s Zero Trust Architecture, have adopted ZTNA to protect critical assets as they transition to cloud and hybrid environments.

Principles of Zero Trust Architecture

Zero trust architecture (ZTA) assumes that threats could be present both inside and outside traditional network boundaries and advocates for continuous verification of user identity and access rights. It mandates that organizations treat every access attempt as potentially malicious, improving security by implementing proactive threat detection mechanisms.

Assume Breach and Verify Explicitly

Zero trust suggests preparation for potential system breaches rather than relying solely on defensive measures. This mindset shift involves recognizing the inevitability of attacks and preparing to handle incidents efficiently. By adopting this approach, organizations can implement incident response plans and reduce the time taken to identify and mitigate threats.

Explicit verification requires confirming the stated identity and access permissions of users and devices before granting network access. This involves utilizing multi-factor authentication, strong password policies, and continuous credential verification. Using stringent verification processes helps detect unauthorized access attempts and minimizes the risk of data breaches.

Enforce Least Privilege Access

Implementing least privilege access ensures that users have only the necessary permissions for their roles. This principle minimizes potential damage if an account is compromised, as the attacker cannot access sensitive areas of the network. Organizations should accurately identify users’ requirements and configure permissions accordingly to uphold this principle.

The least privilege must be applied dynamically as users’ roles and responsibilities evolve. This requires real-time monitoring and updating access privileges as needed. By doing so, organizations prevent privilege creep and help maintain a secure and efficient access control environment, significantly reducing the attack surface.

Microsegmentation of Networks

Microsegmentation divides a network into isolated segments to minimize unauthorized lateral movement. This approach creates multiple security boundaries, ensuring that even if one segment is breached, attackers cannot easily access other parts of the network. Segments are defined based on logical groupings such as departments or types of data handled.

This practice improves network defense and simplifies compliance with regulations by providing detailed logging and access control tailored to each segment. As a protective measure, microsegmentation allows a security policy to be enforced at the smallest possible level, restricting and controlling traffic flows.

These microsegmentation principles are especially important for containerized workloads, where ephemeral, distributed components require fine-grained policy enforcement; for a deeper look at protecting such environments, see our guide to container security.

Continuous Monitoring and Validation

Continuous monitoring and validation involve real-time analysis of user activity and security postures across a network. This ensures quick detection and response to anomalies or potential breaches. By employing advanced tools for behavior analytics and machine learning, organizations can identify patterns and trends indicative of a security threat.

Validating user activities involves ongoing scrutiny, providing assurance that only legitimate access is taking place. This level of vigilance supports compliance with standards like NIST, helping secure sensitive data and infrastructure. It enables adjustments to security measures based on emerging threats and user behavior patterns.

Core Components of the NIST Zero Trust Architecture

The NIST zero trust architecture includes several key components that work together to implement a zero trust model. These components are categorized into logical roles within the architecture’s dynamic access control system.

Policy Engine (PE)

The policy engine (PE) is the central decision-making component in a zero trust system. It determines whether a user, device, or system should be granted access to a requested resource. This decision is based on policies defined by the organization and supported by a range of inputs, such as user roles, device health, geolocation, and real-time threat intelligence.

A key function of the PE is to calculate trust scores for access requests. This calculation relies on data from internal sources, such as identity and access management (IAM) systems, and external feeds, like threat intelligence updates. For example, if a user’s credentials have been flagged in a recent data breach, the PE can factor this into its decision and deny access.

The policy engine also incorporates risk assessments into its decision-making process. It uses inputs from continuous diagnostics and mitigation (CDM) systems to assess vulnerabilities in endpoints or applications, dynamically adjusting trust levels.

Policy Administrator (PA)

The policy administrator (PA) acts as the intermediary between the Policy Engine and the enforcement mechanisms. While the PE makes the decisions, the PA implements them by configuring access permissions. This includes creating, modifying, or revoking authentication tokens and ensuring these decisions are enforced at the policy enforcement point (PEP).

The PA manages the life cycle of access sessions. For approved sessions, it issues secure credentials or tokens that grant temporary access to a resource. If the context or trust level changes during an active session—such as the detection of suspicious behavior—the PA can terminate the session immediately to prevent further risk.

In addition, the PA communicates with various other components, such as identity management systems (IDMS), to ensure policies are consistently applied across all resources and users. Its role is essential for ensuring that security policies adapt dynamically to changing conditions​​.

Policy Enforcement Point (PEP)

The policy enforcement point (PEP) is the component that directly controls user access to resources. It serves as the gatekeeper, enforcing the decisions made by the policy engine and managed by the policy administrator. The PEP operates at critical junctions in the network, such as at endpoints, gateways, or cloud service entry points.

When a user or device requests access, the PEP evaluates the request against the current access policies and trust levels. It ensures that all traffic adheres to established security rules, monitoring each connection throughout its duration. If a session is deemed suspicious or non-compliant, the PEP terminates it immediately.

In practice, the PEP may include various implementations:

  • Client-side agents: Installed on user devices to monitor activity and enforce compliance locally.
  • Network gateways: Located at resource entry points, ensuring that only approved traffic reaches sensitive systems.
  • Unified portals: Acting as a centralized control point for user access to multiple resources.

The PEP not only enforces access policies but also provides logging and monitoring capabilities, contributing to audit trails that help identify anomalies and security breaches​​.

Supporting Data Sources

To make informed and accurate decisions, the zero trust architecture depends on multiple supporting data sources. These systems provide the data and context needed to evaluate trust levels and enforce policies:

  • Identity management system (IDMS): Central to authenticating and authorizing users, the IDMS ensures that access is granted only to verified identities. It integrates with multi-factor authentication (MFA) tools to add an extra layer of security.
  • Continuous diagnostics and mitigation (CDM) system: Supplies real-time insights into the security posture of devices and applications. This includes information about vulnerabilities, compliance with security baselines, and the overall health of systems within the network.
  • Threat intelligence feeds: Offer updated information about known and emerging threats, such as malware campaigns, phishing domains, or compromised credentials. These feeds allow the policy engine to adjust trust scores dynamically based on external risk factors.
  • Security information and event management (SIEM) system: Aggregates and analyzes security-related data from across the organization. By identifying patterns and anomalies, the SIEM system helps detect potential attacks and refine access policies.

Enterprise Public Key Infrastructure (PKI)

The public key infrastructure (PKI) provides the framework for secure communications and identity verification through the use of digital certificates. These certificates are used to authenticate users, devices, and applications, ensuring that only trusted entities can communicate within the network.

In a zero trust model, PKI aids in encrypting data in transit and at rest. It also supports secure device onboarding, allowing organizations to verify the authenticity of new devices before granting them access. Additionally, the PKI integrates with other systems, such as identity management systems, to maintain a seamless and secure user experience.

By enabling end-to-end encryption and identity verification, PKI helps reduce the risk of man-in-the-middle attacks, data breaches, and other security threats. It ensures that all communications are protected against interception or tampering​​.

Related content: Read our guide to zero trust policy

Implementing Zero Trust Based on NIST Guidelines

Here are some of the ways that organizations can ensure a zero trust architecture based on the NIST guidelines.

1. Conduct a Comprehensive Asset and Workflow Inventory

The first step in implementing zero trust is a thorough assessment of the organization’s existing assets and workflows. This inventory should include both physical and virtual resources, such as devices, applications, servers, databases, and cloud infrastructure. It’s also essential to map out user roles and privileges, helping identify which individuals or systems interact with resources.

Additionally, workflows—how data moves through the organization—should be clearly documented. This analysis helps determine critical assets and dependencies, enabling organizations to prioritize the most vulnerable areas. A well-maintained inventory ensures that future security updates and system adjustments are simpler and accurate.

2. Adopt Secure Engineering Practices

Secure engineering practices include designing systems that align with zero trust principles, such as employing micro-perimeters to segment the network into small, secure zones. Each micro-perimeter is equipped with access controls that restrict movement between zones unless specified conditions are met.

Additionally, organizations should use risk-based assessments for resource access, ensuring that decisions are made dynamically based on the current state of users and devices. For example, a device accessing sensitive data must meet stringent security baselines, such as being free from malware or up-to-date with patches.

3. Develop and Enforce Contextual Policies

Access policies should not be static but instead dynamically adapt to the context of each access request. This includes assessing multiple factors, such as user identity, device health, geolocation, and the sensitivity of the resource being accessed.

For example, an employee accessing a sensitive financial system from a company device during working hours may be granted access. However, if the same request originates from an unknown device in a foreign country, access could be denied or require additional verification steps, such as multi-factor authentication.

Organizations should also use behavioral analytics to refine policies continually. By monitoring patterns in user activity, systems can detect unusual behavior and adjust access rights proactively. This improves security and ensures compliance with regulations that mandate access controls for sensitive information​​.

4. Pilot Programs for Workflow Migration

Implementing zero trust across an entire enterprise at once is impractical. Instead, organizations should pilot their zero trust strategy on a limited set of workflows or business processes. This pilot phase allows teams to test the effectiveness of their zero trust policies, identify potential gaps, and adjust technologies before scaling up.

For example, the pilot program could target a single department or workflow involving sensitive data, such as finance or research and development. By evaluating the performance of zero trust principles in these scenarios, organizations can fine-tune their policy engines, improve enforcement mechanisms, and gather feedback from end-users.

5. Continuous Monitoring and Feedback

Zero trust requires continuous monitoring and feedback to remain effective. Real-time diagnostics and monitoring tools should be deployed to analyze user and device activity, ensuring deviations from normal behavior are quickly identified. For example, if a user suddenly attempts to access resources they don’t normally interact with, this could trigger an alert or temporarily revoke access.

Monitoring also involves validating the health of devices interacting with the network. Systems should check for compliance with security baselines, such as operating system patches, antivirus updates, and encryption protocols. Advanced analytics tools, including machine learning algorithms, can help identify patterns that suggest potential breaches.

The feedback loop is equally important. Data collected from monitoring tools should be used to update access policies and refine trust models continuously. If a new threat is identified through threat intelligence feeds, the organization can promptly adjust its policies to mitigate the risk.

Zero Trust Security with Calico

Calico Enterprise and Calico Cloud enable a zero trust environment built on three core capabilities: encryption, least privilege access controls, and identity-aware microsegmentation.

  • Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and Openshift, and managed services such as EKS and AKS.
  • Least privilege access controls – Calico implements least privilege access controls by denying all network traffic by default and only allowing connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster. Calico also integrates with native Kubernetes RBAC to provide authorization and authentication for various users and teams.
  • Identity-aware microsegmentation – Calico leverages its cloud-native model to divide workloads into smaller security segments and then applies security policies for these segments. This prevents lateral movement of threats by reducing and minimizing the attack surface.

Next steps:

X