Welcome back to our deep dive into NIST's 7 Tenets of Zero Trust Architecture! So far, we've explored the foundational concepts: treating all data sources and services as resources (Tenet 1), securing all communications regardless of network location (Tenet 2), and granting access on a per-session basis (Tenet 3).
Today, we advance our understanding by dissecting two more crucial tenets that bring intelligence and adaptability to ZTA: Tenet 4 (Dynamic Policies) and Tenet 5 (Asset Integrity Monitoring).
Tenet 4: Access to Resources is Determined by Dynamic Policy.
- The Tenet: "Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes."
- What it Means: This tenet moves access control beyond static rules. Instead of fixed permissions, access decisions are made dynamically, in real time, from a rich set of contextual information, and they are re-evaluated as that context changes rather than fixed at login. The "policy engine" in a ZTA considers multiple factors:
- Client Identity: Who or what is requesting access (user, service, application)? Is their identity verified?
- Application/Service: What specific resource are they trying to access?
- Requesting Asset State: What is the security posture of the device or system making the request (e.g., patch level, presence of malware, configuration compliance)?
- Behavioral Attributes: Is the request typical for this user/service, or does it deviate from normal patterns (e.g., unusual time, location, data volume)?
- Environmental Attributes: Other factors like network location (though not trusted, it's still a data point), time of day, threat intelligence feeds, etc.
- Why it's Critical: Static policies can't keep up with the dynamic nature of modern threats and IT environments. Dynamic policies allow for more granular, context-aware, and adaptive security. If a user's device becomes compromised, a dynamic policy can automatically restrict or block access, even if their credentials are valid.
- Practical Application: Implementing a Policy Decision Point (PDP) and Policy Enforcement Points (PEPs) that can consume diverse data feeds. In NIST SP 800-207 terms, the PDP is the policy engine (which makes the decision) plus the policy administrator (which tells the PEP to open or close the session), while each PEP sits in front of a resource and enforces that decision. This involves integrating identity management systems, endpoint detection and response (EDR) tools, security information and event management (SIEM) systems, and threat intelligence platforms.
- Challenge: Building and managing sophisticated dynamic policies requires significant effort in terms of data integration, correlation, and rule definition. Ensuring the accuracy and timeliness of the input data is also crucial: stale or missing posture data should be treated as "unknown" and fail closed for sensitive resources, not silently counted as a pass.
Tenet 5: The Enterprise Monitors and Measures the Integrity and Security Posture of All Owned and Associated Assets.
- The Tenet: "The enterprise monitors and measures the integrity and security posture of all owned and associated assets."
- What it Means: You can't enforce dynamic policies based on asset state if you don't know that state. This tenet mandates continuous monitoring and measurement of all enterprise assets (endpoints, servers, IoT devices, applications, etc.). This includes:
- Integrity: Ensuring assets have not been tampered with or compromised.
- Security Posture: Assessing factors like patch levels, known vulnerabilities, security configurations, running processes, and network connections.
- Why it's Critical: Continuous monitoring provides the necessary visibility to detect threats, vulnerabilities, and deviations from security baselines. This information is a vital input for the dynamic policies described in Tenet 4. It also enables rapid incident response and helps maintain overall cyber hygiene.
- Practical Application: Deploying endpoint security agents, vulnerability scanners, configuration management tools, and logging mechanisms. Regularly assessing assets against security benchmarks and policies. TRaViS EASM plays a key role here by continuously monitoring the external attack surface, identifying new or changed assets, and assessing their exposure.
- Challenge: The sheer number and diversity of assets can make comprehensive monitoring a daunting task. Collecting, storing, and analyzing the vast amounts of monitoring data also requires robust infrastructure and analytics capabilities.
The Synergy of Dynamic Policies and Asset Monitoring

Tenets 4 and 5 are deeply interconnected:
- Tenet 5 provides the data: Continuous monitoring of asset integrity and security posture generates the critical information about the state of requesting assets.
- Tenet 4 consumes the data: The dynamic policy engine uses this asset state information (along with identity, application context, etc.) to make informed, real-time access decisions.
For example, if Tenet 5 detects that an employee's laptop is missing critical security patches or shows signs of malware infection, Tenet 4 can dynamically downgrade that device's trust level and restrict its access to sensitive resources, regardless of the user's credentials.
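To make the Tenet 4 / Tenet 5 loop concrete, here is an added example (written for this post, not code from NIST SP 800-207 or from TRaViS) of a minimal policy engine in Python. The first half plays the Tenet 5 role: it turns raw device telemetry into a posture record, including a file-integrity check against a golden baseline and a freshness check that treats stale telemetry as "unknown". The second half plays the Tenet 4 role: it combines identity (MFA status), the resource's sensitivity, context (network location as a data point, time of day) and the posture record into an allow / step-up / deny decision. The laptops, hashes, ports and thresholds are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; a real engine uses the current time.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
MAX_POSTURE_AGE = timedelta(minutes=15)  # older telemetry is "unknown", never "healthy"
MAX_PATCH_AGE = timedelta(days=30)

# Constructed golden hashes and allowed listening ports (assumed, not real values).
BASELINE_HASHES = {"/usr/bin/sudo": "aaa111", "/usr/bin/ssh": "bbb222"}
ALLOWED_PORTS = {22}


@dataclass
class AssetTelemetry:
    asset_id: str
    observed_at: datetime      # when the endpoint agent last reported
    last_patched: datetime
    edr_running: bool
    disk_encrypted: bool
    binary_hashes: dict        # path -> sha256 as observed on the device
    listening_ports: set


@dataclass
class Request:
    user: str
    mfa_verified: bool
    resource: str
    sensitivity: str           # "public", "internal" or "restricted"
    source_network: str        # "corp", "vpn" or "internet": a data point, not a trust level
    hour_utc: int


def measure_posture(t: AssetTelemetry, now: datetime = NOW) -> dict:
    """Tenet 5: derive a posture level and explicit findings from raw telemetry."""
    if now - t.observed_at > MAX_POSTURE_AGE:
        return {"asset_id": t.asset_id, "level": "unknown", "findings": ["telemetry stale"]}
    findings = []
    # Integrity: any baselined binary whose hash differs from the golden value.
    tampered = sorted(p for p, h in t.binary_hashes.items()
                      if p in BASELINE_HASHES and BASELINE_HASHES[p] != h)
    if tampered:
        findings.append("integrity failure: " + ", ".join(tampered))
    # Security posture: patch age, protective agents, unexpected services.
    if now - t.last_patched > MAX_PATCH_AGE:
        findings.append("patches older than 30 days")
    if not t.edr_running:
        findings.append("EDR agent not running")
    if not t.disk_encrypted:
        findings.append("disk not encrypted")
    unexpected = sorted(t.listening_ports - ALLOWED_PORTS)
    if unexpected:
        findings.append(f"unexpected listening ports: {unexpected}")
    level = "compromised" if tampered else ("degraded" if findings else "healthy")
    return {"asset_id": t.asset_id, "level": level, "findings": findings}


def decide(req: Request, posture: dict) -> tuple:
    """Tenet 4: allow / step_up / deny from identity, resource, context and asset state."""
    level = posture["level"]
    if level == "compromised":
        return ("deny", "asset integrity failure")          # valid credentials do not help
    if req.sensitivity == "restricted":
        if not req.mfa_verified:
            return ("step_up", "restricted resource requires MFA")
        if level != "healthy":                               # "unknown" fails closed here
            return ("deny", f"restricted resource requires healthy asset (got {level})")
        if not 6 <= req.hour_utc < 22:
            return ("step_up", "restricted access outside business hours")
        return ("allow", "identity, asset state and context satisfied")
    if req.sensitivity == "internal":
        if level == "unknown":
            return ("deny", "asset posture unknown")
        if req.source_network == "internet" and not req.mfa_verified:
            return ("step_up", "internal resource from the internet requires MFA")
        return ("allow", "internal resource, degraded asset tolerated")
    return ("allow", "public resource")


# Constructed sample telemetry for four laptops.
def laptop(asset_id, **overrides) -> AssetTelemetry:
    base = dict(asset_id=asset_id, observed_at=NOW - timedelta(minutes=5),
                last_patched=NOW - timedelta(days=3), edr_running=True,
                disk_encrypted=True, binary_hashes=dict(BASELINE_HASHES),
                listening_ports={22})
    base.update(overrides)
    return AssetTelemetry(**base)


HEALTHY = laptop("lt-0042")
STALE = laptop("lt-0043", observed_at=NOW - timedelta(hours=2))
UNPATCHED = laptop("lt-0044", last_patched=NOW - timedelta(days=45))
TAMPERED = laptop("lt-0045", binary_hashes={"/usr/bin/sudo": "deadbeef",
                                            "/usr/bin/ssh": "bbb222"},
                  listening_ports={22, 4444})

PAYROLL = Request("alice", True, "payroll-db", "restricted", "corp", 10)


def run_examples() -> dict:
    """Same user and credentials, different asset state, different decision."""
    return {t.asset_id: decide(PAYROLL, measure_posture(t))[0]
            for t in (HEALTHY, STALE, UNPATCHED, TAMPERED)}


if __name__ == "__main__":
    for t in (HEALTHY, STALE, UNPATCHED, TAMPERED):
        p = measure_posture(t)
        print(t.asset_id, p["level"], p["findings"], decide(PAYROLL, p))
```

The point to notice is that `alice` presents the same valid credentials and MFA in every case; only the asset state differs, and the outcome ranges from allow to deny. The stale-telemetry branch is the practitioner caveat from the Tenet 4 challenge above: an agent that has stopped reporting must not be mistaken for a clean device.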
TRaViS: Empowering Tenets 4 & 5
TRaViS EASM directly supports these tenets by:
- Continuously discovering and inventorying external assets (supporting Tenet 5's monitoring requirement for a segment of your resources).
- Assessing the security posture of these external assets, identifying vulnerabilities and misconfigurations (feeding data into Tenet 5).
- Providing crucial intelligence that can inform dynamic access policies (Tenet 4) regarding how external-facing systems and the services they host should be accessed.
Next Steps in Our NIST ZTA Exploration
With dynamic policies and robust asset monitoring in place, we're building a truly adaptive Zero Trust Architecture. But there's more to cover! Join us in our next post as we conclude our exploration of NIST's 7 Tenets, focusing on dynamic authentication/authorization and the continuous improvement of your security posture.
How does your organization currently leverage asset security posture in its access control decisions?
Discover how TRaViS provides the asset intelligence you need for effective ZTA. Request a demo today!