In the last article, we introduced the foundational seven tenets of Zero Trust Architecture (ZTA) as outlined in NIST Special Publication 800-207. These tenets provide a guiding light for organizations aiming to build a more resilient and adaptive security model. Today, we begin to unpack these principles in more detail, starting with the first three critical tenets.
Understanding these core ideas is essential not just for cybersecurity professionals, but for anyone involved in managing or using digital assets in an organization. Let's dive in!
Tenet 1: All Data Sources and Computing Services are Considered Resources.
- The Tenet: "All data sources and computing services are considered resources."
- What it Means: This tenet fundamentally expands the definition of what needs protection. It's not just about servers in a data center or employee laptops anymore. In a Zero Trust model, every single element that stores or processes data, or provides a computing service, is classified as a resource. This includes:
  - Databases (on-premises, cloud-based)
  - Applications (SaaS, PaaS, IaaS, custom-developed)
  - IoT and IIoT devices
  - Mobile devices (corporate and BYOD)
  - Cloud storage services
  - APIs
  - Even individual data files or functions within a microservice.
- Why it's Critical: By broadening the definition of a resource, organizations are forced to think more granularly about asset inventory, access control, and security monitoring. If it's a resource, it needs to be identified, cataloged, and secured.
- Practical Application: Implementing a comprehensive asset discovery and management system. Solutions like TRaViS External Attack Surface Management (EASM) are invaluable here, helping to identify all internet-facing assets that could be considered resources.
- Challenge: The sheer volume and diversity of resources in modern enterprises can make comprehensive identification and management a significant undertaking.
Tenet 2: All Communication is Secured Regardless of Network Location.
- The Tenet: "All communication is secured regardless of network location."
- What it Means: This tenet shatters the old paradigm of a trusted internal network versus an untrusted external network. In ZTA, all networks are considered potentially hostile. Therefore, all communication, whether it's between a user and an application, an application and a database, or two microservices, must be secured. This typically means encryption (e.g., TLS for data in transit) and strong authentication mechanisms for all communicating parties.
- Why it's Critical: Attackers often exploit weak internal network security once they breach the perimeter. By securing all communications, ZTA limits an attacker's ability to move laterally, eavesdrop on sensitive data, or hijack sessions within the network.
- Practical Application: Enforcing HTTPS for all web traffic, using VPNs for specific access scenarios (though ZTA aims to reduce reliance on traditional VPNs), implementing mutual TLS (mTLS) for service-to-service communication, and ensuring data is encrypted at rest and in transit.
- Challenge: Implementing end-to-end encryption for all communications can be complex, especially with legacy systems or diverse environments. Performance overhead of encryption also needs to be considered.
Tenet 3: Access to Individual Enterprise Resources is Granted on a Per-Session Basis.
- The Tenet: "Access to individual enterprise resources is granted on a per-session basis."
- What it Means: Trust is not a one-time event; it's ephemeral and context-dependent. When a user or service requests access to a resource, that access is evaluated and granted only for the duration of that specific session. Once the session concludes (e.g., user logs out, task is completed), the access rights are revoked. Crucially, access to one resource does not automatically grant access to another.
- Why it's Critical: This principle directly implements the concept of "least privilege" in a dynamic way. It minimizes the window of opportunity for an attacker who has hijacked an active session or obtained stolen credentials. If access is re-evaluated for each new session and resource request, the potential damage is significantly contained.
- Practical Application: Implementing strong session management, using short-lived access tokens, and re-authenticating/re-authorizing users or services when they attempt to access different resources or after a certain period of inactivity.
- Challenge: Balancing security with user experience. Overly aggressive session timeouts or frequent re-authentication prompts can lead to user frustration. Finding the right balance is key.
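As an added illustration (not code from the original article), here is a minimal session broker in Python that grants an opaque token bound to exactly one resource, expires it after a fixed lifetime or a period of inactivity, and refuses to let a grant for one resource open another. The principals, resources and timeout values are constructed for the demo.

```python
"""Per-session, per-resource access grants in the spirit of NIST SP 800-207 Tenet 3."""
import secrets
import time
from dataclasses import dataclass

# Constructed policy: which principals may open a session to which resources.
POLICY = {
    "alice": {"payroll-db", "hr-portal"},
    "svc-reporting": {"payroll-db"},
}
SESSION_TTL = 300   # seconds a grant lives at most, even with activity
IDLE_TIMEOUT = 60   # seconds of inactivity after which re-authorization is required


@dataclass
class Grant:
    principal: str
    resource: str   # the single resource this grant covers
    issued: float
    last_seen: float


class SessionBroker:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so expiry can be tested deterministically
        self._grants: dict[str, Grant] = {}

    def open_session(self, principal: str, resource: str):
        """Evaluate policy now and issue a short-lived token for this one resource."""
        if resource not in POLICY.get(principal, set()):
            return None
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._grants[token] = Grant(principal, resource, now, now)
        return token

    def authorize(self, token: str, resource: str) -> bool:
        """True only if the token is live, not idle, and bound to this resource."""
        grant = self._grants.get(token)
        if grant is None:
            return False
        now = self.clock()
        if now - grant.issued > SESSION_TTL or now - grant.last_seen > IDLE_TIMEOUT:
            self._grants.pop(token)   # expired: the caller must re-authenticate
            return False
        if grant.resource != resource:
            return False              # access to one resource does not imply another
        grant.last_seen = now
        return True

    def close_session(self, token: str) -> None:
        """Revoke the grant when the session ends (logout, task complete)."""
        self._grants.pop(token, None)
```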
Stronger Together: The Impact of the First Three Tenets
These first three tenets work in concert to build a strong foundation for Zero Trust:
- Know your assets: Identify everything that needs protection (Tenet 1).
- Protect the pathways: Secure all communication to and between these assets (Tenet 2).
- Control the gates: Grant temporary, specific access to these assets for each interaction (Tenet 3).
By adopting these principles, organizations can significantly reduce their attack surface and improve their ability to withstand and respond to cyber threats.
What's Next?
We've only just begun to explore the depth of NIST's ZTA framework. Join us tomorrow as we continue our deep dive into the remaining tenets, focusing on dynamic policies, asset integrity, and continuous improvement.
How is your organization approaching the identification of all resources or securing all communications?