Full Report
How NIST is working with Tenable and other private sector stakeholders to better enable zero trust implementation.

Trust no one. Verify everything. All the time. When it comes to cybersecurity and protecting your expanding attack surface, that's more than a catchphrase. It's the way you must approach access to your network, systems and assets. Ultimately, this is an approach the federal government must use, expand upon and intertwine into its cybersecurity standards.

When thinking about zero trust, it's important to understand this is an evolving practice that goes beyond traditional "trust but verify" approaches to cybersecurity. According to a Tenable blog by John Kindervag, who created the Zero Trust Model of Cybersecurity when he was a principal analyst at Forrester Research, "While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it's built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today."

It's time to rethink the trust-but-verify model of cybersecurity

The principles of zero trust require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. Zero trust treats trust itself as a vulnerability and calls for removing implicit trust from digital systems.

Zero trust is a proactive cybersecurity approach. As with anything proactive, it demands constant adaptation and new protocols that can withstand the changing threat landscape.

On Dec. 4, NIST released the draft Guidance for Implementing Zero Trust Architecture for public comment. Tenable has been proud to work alongside the NIST National Cybersecurity Center of Excellence (NCCoE) to launch the Zero Trust Architecture Demonstration Project. This collaborative project has brought together multiple industry participants to build end-to-end zero trust architecture implementations that help industry and government reduce the risk of cyberattacks. As part of the project, Tenable has participated in a lab demonstration of how to deploy examples of zero trust architecture in hybrid enterprise environments using commercially available technology contributions.

"The NCCoE ZTA demonstration project, 'Implementing a Zero Trust Architecture,' stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations," explained Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST. "Each implementation combines a strategic mix of commercially available products and services, contributed by partner organizations such as Tenable. Their invaluable role in providing enhanced visibility and insights has been essential in strengthening our defenses, ensuring we can safeguard our networks against the ever-evolving landscape of cyberthreats."

As a main collaborator, Tenable contributed exposure management technology and capabilities to the ZTA Demonstration Project. Tenable applied its security analytics expertise to build out a program with orchestration and enforcement capabilities driven by scanning and assessment, endpoint monitoring, traffic inspection and network discovery.

When implementing a zero trust architecture, it is a foundational imperative for organizations and enterprises to inventory, enumerate and assess every asset on the network. This allows for a better understanding of assets in context and how they are interconnected. Analyzing data from operational technology (OT), internet of things (IoT), IT, cloud and network sources plays a critical role in helping organizations gain visibility into how assets are interconnected, evaluate exposure based on real-world threats and context, and prioritize remediation and mitigation efforts. Ultimately, an organization must understand its entire attack surface in order to evaluate which assets are most vulnerable. Zero trust architecture is a way to programmatically collect risk telemetry and make informed decisions that can help reduce exposure. By adopting zero trust architecture approaches, it is possible to make significant progress toward this objective.

At Tenable, we are proud to partner with our government's leading agencies to develop strategic ways to approach cybersecurity practices. Our technology solutions help the NCCoE develop a use case that exemplifies the ZTA motto: Trust no one. Verify everything. All the time. Organizations, enterprises and federal agencies need a security model that adapts to today's modern network, embraces remote work and protects users, applications and data wherever they're located. The NCCoE ZTA practice guide and reference architecture can serve as an outstanding model to help them achieve their cybersecurity objectives.

Learn more
- View the updated draft Guidance for Implementing a Zero Trust Architecture, released by NIST on Dec. 4
- Find out more about the Zero Trust Architecture demonstration project
- Download the SANS Institute white paper Navigating the Path to a State of Zero Trust in 2024
Analysis Summary
# Best Practices: Implementing Zero Trust Architecture (ZTA) Aligned with NIST Guidelines
## Overview
These practices focus on achieving a Zero Trust Architecture (ZTA) leveraging established security standards, specifically referencing **NIST** guidelines, to fundamentally shift security posture from perimeter-based defense to "never trust, always verify." The context provided heavily references Tenable's platform capabilities that support ZTA implementation through comprehensive exposure management, vulnerability assessment, and identity analysis.
## Key Recommendations
### Immediate Actions
1. **Establish Comprehensive Asset & Identity Inventory:** Immediately inventory all users, devices (IT/OT/IoT), workloads, and data assets to form the basis of trust evaluation.
2. **Deploy Continuous Vulnerability Scanning:** Implement continuous scanning capabilities (e.g., utilizing Tenable Nessus Expert or similar tools) across IT and cloud environments to identify and prioritize exploitable weaknesses.
3. **Implement Least Privilege Access for Critical Systems:** Review and reduce standing administrative privileges for the most critical resources, mandating justification for elevated access.
### Short-term Improvements (1-3 months)
1. **Establish Policy Engine and Policy Administrator Integration:** Define initial micro-segmentation policies based on asset identity, context (location, time), and risk posture, and wire up the control plane as NIST SP 800-207 describes it: the Policy Engine makes the per-request decision, the Policy Administrator relays it, and the Policy Enforcement Point (PEP) in the data path only opens or tears down the session on that instruction.
2. **Integrate Identity and Access Management (IAM) with Conditional Access:** Mandate Multi-Factor Authentication (MFA) for all users across all resources and enforce conditional access based on device health and identity context.
3. **Begin Attack Path Analysis:** Utilize tools capable of visualizing potential attack paths across the environment to prioritize remediation efforts that break the most critical chains.
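The decision logic behind the Policy Engine / PEP split in the short-term items above, shown as an added example that is not code from NIST, the NCCoE demonstration project or Tenable. It folds the Policy Administrator into a direct call from the PEP to the engine for brevity, and the `Subject`, `Device`, `Resource` fields, the `DEVICE_VULN_CEILING` policy and the sample users and devices are all assumptions constructed for the example. The point it makes is that the engine is default-deny, evaluates identity, MFA, session age, device management state, EDR health and scan-derived vulnerability posture together on every request, and reports every failed check rather than a bare "no".

```python
"""Added example: a NIST SP 800-207-style policy engine (PE) behind a policy
enforcement point (PEP). Constructed data; not Tenable's or NIST's code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Severity ladder for comparing a device's worst open finding with what a resource tolerates.
SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: the worst open vulnerability a device may carry and still reach a
# resource of the given criticality. Tune to your own risk appetite.
DEVICE_VULN_CEILING = {"low": "high", "medium": "medium", "high": "low"}


@dataclass(frozen=True)
class Subject:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    auth_age_s: int            # seconds since the subject last authenticated


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool              # enrolled in device management / present in the asset inventory
    edr_healthy: bool          # endpoint agent present and reporting
    worst_open_vuln: str       # highest severity from the last credentialed scan


@dataclass(frozen=True)
class Resource:
    name: str
    criticality: str           # "low" | "medium" | "high"
    allowed_groups: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: Tuple[str, ...]   # every failed check, so operators can see why a request was denied


def evaluate(subject: Subject, device: Device, resource: Resource,
             *, max_auth_age_s: int = 3600) -> Decision:
    """Policy engine: default deny. Every check must pass for this one request."""
    failed: List[str] = []
    if not (subject.groups & resource.allowed_groups):
        failed.append(f"{subject.user} is not entitled to {resource.name}")
    if not subject.mfa_verified:
        failed.append("MFA not verified")
    if subject.auth_age_s > max_auth_age_s:
        failed.append(f"authentication older than {max_auth_age_s}s; re-authenticate")
    if not device.managed:
        failed.append(f"device {device.device_id} is unmanaged")
    if not device.edr_healthy:
        failed.append(f"device {device.device_id} has no healthy EDR agent")
    ceiling = DEVICE_VULN_CEILING[resource.criticality]
    if SEVERITY[device.worst_open_vuln] > SEVERITY[ceiling]:
        failed.append(f"device has open {device.worst_open_vuln} findings; "
                      f"a {resource.criticality}-criticality resource tolerates at most {ceiling}")
    return Decision(allow=not failed, reasons=tuple(failed))


class PolicyEnforcementPoint:
    """PEP: sits in front of resources, asks the engine on every request and never caches an allow."""

    def __init__(self, resources: Dict[str, Resource]):
        self.resources = resources
        self.audit: List[Tuple[str, str, bool, Tuple[str, ...]]] = []

    def handle(self, subject: Subject, device: Device, resource_name: str) -> Decision:
        resource = self.resources.get(resource_name)
        if resource is None:
            # Anything not explicitly registered gets no implicit trust.
            decision = Decision(False, (f"unknown resource {resource_name}",))
        else:
            decision = evaluate(subject, device, resource)
        self.audit.append((subject.user, resource_name, decision.allow, decision.reasons))
        return decision


if __name__ == "__main__":
    pep = PolicyEnforcementPoint({
        "payroll-db": Resource("payroll-db", "high", frozenset({"finance"})),
    })
    alice = Subject("alice", frozenset({"finance"}), mfa_verified=True, auth_age_s=600)
    for dev in (Device("lt-01", True, True, "none"), Device("lt-01", True, True, "medium")):
        d = pep.handle(alice, dev, "payroll-db")
        print("payroll-db", dev.worst_open_vuln, "->", "ALLOW" if d.allow else "DENY", d.reasons)
```

Running it shows the same user on the same laptop being allowed when the last scan is clean and denied once a medium-severity finding is open, which is the "continuous verification" behaviour the items above describe: the scan result changes the decision without any change to the user's credentials.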
### Long-term Strategy (3+ months)
1. **Phased Implementation of Micro-segmentation:** Systematically implement micro-segmentation across the network, moving away from flat networks to restrict east-west traffic based on the Zero Trust principle.
2. **Integrate Cloud Security Posture Management (CSPM/CNAPP):** Fully integrate cloud workload and entitlement management (CIEM) into the ZTA framework to continuously assess and enforce least privilege in dynamic cloud environments.
3. **Automate Compliance Reporting and Risk Communication:** Establish formal processes to use security metrics (e.g., exposure metrics) to accurately communicate cyber risk posture to business leadership, aligning with governance requirements (e.g., SLCGP).
## Implementation Guidance
### For Small Organizations
- **Focus on Identity and Endpoint Hygiene:** Prioritize MFA deployment for all cloud services and deploy endpoint detection and response (EDR) solutions to establish a basic level of device trust assessment.
- **Utilize SaaS-based Tools:** Leverage free tiers or trials of vulnerability management tools (like Nessus Expert) to rapidly gain visibility over the limited attack surface.
- **Adopt Foundational NIST SP 800-207 Principles:** Focus initially on the "Control Plane" aspects—identity verification and access request authorization—before tackling complex environment segmentation.
### For Medium Organizations
- **Implement Centralized Policy Management:** Deploy a centralized platform (like Tenable Security Center) to aggregate vulnerability, compliance, and exposure data to drive data-centric policy decisions.
- **Pilot Micro-segmentation:** Identify a non-critical application segment to pilot micro-segmentation projects, testing policy definitions and enforcement mechanisms before expanding organization-wide.
- **Develop Robust Patch Management Integration:** Formalize the process between vulnerability scanning alerts and patch management systems to reduce the time assets remain vulnerable.
### For Large Enterprises
- **Deploy Comprehensive Exposure Management Platform:** Roll out a holistic platform capable of covering IT, cloud, OT, and identity exposure to feed the ZTA Policy Engine with comprehensive risk signals.
- **Establish Zero Trust Governance Board:** Create a cross-functional team responsible for defining, enforcing, and auditing ZTA policies across heterogeneous environments (on-prem, multi-cloud).
- **Automate Entitlement Review:** Use Cloud Infrastructure Entitlement Management (CIEM) tools to continuously monitor and revoke excessive or unused identity permissions, especially in IaaS/PaaS environments.
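The entitlement review the last bullet describes, as an added example that is not Tenable's CIEM logic or any cloud provider's API. The role grants, the provider-neutral `service:Action` names, the usage records and the fixed clock are all constructed, and the lookback window and the `HIGH_RISK` set are assumptions. The part worth copying is the third bucket: a grant that is unused but newer than the lookback window is deferred rather than revoked, because the workload that needs it may simply not have run yet.

```python
"""Added example: right-size a cloud role by comparing granted actions against
actions actually used in a lookback window. Constructed data throughout."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Fixed clock so the example is deterministic (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LOOKBACK = timedelta(days=90)

# Constructed role: action -> when the grant was made. Action names are hypothetical
# and provider-neutral; substitute your IAM provider's own.
ROLE_GRANTS: Dict[str, Dict[str, datetime]] = {
    "ci-deployer": {
        "storage:GetObject":       NOW - timedelta(days=400),
        "storage:PutObject":       NOW - timedelta(days=400),
        "storage:DeleteBucket":    NOW - timedelta(days=400),
        "iam:PassRole":            NOW - timedelta(days=400),
        "secrets:GetSecretValue":  NOW - timedelta(days=10),   # granted recently
    }
}

# Constructed audit-log records: (timestamp, principal, action).
USAGE_LOG: List[Tuple[str, str, str]] = [
    ("2024-05-20T10:00:00Z", "ci-deployer", "storage:PutObject"),
    ("2024-05-20T10:00:05Z", "ci-deployer", "storage:GetObject"),
    ("2024-01-02T10:00:00Z", "ci-deployer", "iam:PassRole"),      # last use is outside the window
    ("2024-05-21T08:00:00Z", "other-role",  "storage:DeleteBucket"),
]

# Assumed list of actions whose removal should be prioritised when unused.
HIGH_RISK: Set[str] = {"iam:PassRole", "iam:CreateAccessKey"}


@dataclass
class Review:
    keep: Set[str] = field(default_factory=set)    # used inside the window
    revoke: Set[str] = field(default_factory=set)  # old enough to judge, never used
    defer: Set[str] = field(default_factory=set)   # unused but granted too recently to judge

    def high_risk_revocations(self) -> Set[str]:
        return self.revoke & HIGH_RISK


def parse_ts(ts: str) -> datetime:
    # fromisoformat() does not accept a trailing 'Z' on every Python version; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_role(role: str, grants: Dict[str, datetime], log: List[Tuple[str, str, str]],
                now: datetime = NOW, lookback: timedelta = LOOKBACK) -> Review:
    window_start = now - lookback
    used = {action for ts, principal, action in log
            if principal == role and parse_ts(ts) >= window_start}
    review = Review()
    for action, granted_at in grants.items():
        if action in used:
            review.keep.add(action)
        elif granted_at > window_start:
            review.defer.add(action)      # not enough history to call it unused
        else:
            review.revoke.add(action)
    return review


def rightsized_policy(review: Review) -> List[str]:
    """The allow-list a least-privilege policy for this role would contain today."""
    return sorted(review.keep | review.defer)


if __name__ == "__main__":
    r = review_role("ci-deployer", ROLE_GRANTS["ci-deployer"], USAGE_LOG)
    print("keep:  ", sorted(r.keep))
    print("revoke:", sorted(r.revoke), "high-risk first:", sorted(r.high_risk_revocations()))
    print("defer: ", sorted(r.defer))
    print("policy:", rightsized_policy(r))
```

In a real deployment the review runs on a schedule, the `USAGE_LOG` comes from the provider's audit trail, and the revocation step is a pull request against the policy-as-code repository rather than a direct API call, so a human can still veto it.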
## Configuration Examples
*(Note: The source article heavily emphasizes platform features rather than specific command-line configurations. The following refers to organizational capability configuration based on the tools mentioned.)*
| Capability Area | Configuration Goal | Recommended Action (Tool Agnostic/Tenable Context) |
| :--- | :--- | :--- |
| **Vulnerability Management** | Achieve high coverage of critical & high vulnerabilities | Configure **Tenable Vulnerability Management** scanners to run continuous, credentialed scans across all IP ranges, with remediation SLAs directly tied to the asset's criticality score. |
| **Cloud Security** | Enforce least privilege for cloud roles | Configure **Cloud Infrastructure Entitlement Management (CIEM)** to perform automated entitlement review and recommend/apply Just-in-Time (JIT) access only for required permissions. |
| **Access Control** | Ensure secure resource access | Set up **Policy Enforcement Points (PEPs)** governed by the central Policy Engine to deny all connectivity unless explicit, contextual authorization is granted (the core 'Never Trust' rule). |
| **Attack Path Management** | Prioritize remediation based on path potential | Configure **Attack Path Analysis** to simulate lateral movement based on current vulnerabilities and misconfigurations, focusing remediation on nodes common to the highest-risk paths. |
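The Attack Path Management row above, worked through as an added example that is not Tenable's attack path analysis and uses no Tenable data. The asset graph, the weakness labels and the likelihood scores are constructed for the example; in practice they come from scan results, identity relationships and network reachability. Each edge is a weakness that lets an attacker who controls `src` reach `dst`; a path's risk is the product of its edge likelihoods; a node's choke-point score is the total risk of the entry-to-target paths it sits on; and `residual_risk_if_fixed` simulates remediating one node so that candidate fixes can be compared before anyone touches production.

```python
"""Added example: attack path analysis over a small, constructed asset graph."""
from collections import defaultdict
from math import prod
from typing import Dict, List, Tuple

Hop = Tuple[str, str, str, float]   # (src, dst, weakness, likelihood 0..1)

# Constructed, hypothetical environment. dc01 is the crown jewel; "internet" is the entry point.
EDGES: List[Hop] = [
    ("internet", "web01",  "unauthenticated RCE in internet-facing web app",   0.9),
    ("internet", "ws-fin", "phishing against a finance workstation",           0.6),
    ("web01",    "app01",  "service account password reused from web tier",    0.7),
    ("web01",    "jump01", "SSH key on web01 accepted by the jump host",        0.5),
    ("app01",    "dc01",   "service account holds domain admin rights",         0.8),
    ("jump01",   "dc01",   "cached privileged credentials on the jump host",    0.6),
    ("ws-fin",   "jump01", "flat network: RDP allowed from workstations",       0.5),
    ("ws-fin",   "app01",  "local admin password shared with the app server",   0.4),
]


def build_graph(edges: List[Hop]) -> Dict[str, List[Hop]]:
    graph: Dict[str, List[Hop]] = defaultdict(list)
    for hop in edges:
        graph[hop[0]].append(hop)
    return graph


def enumerate_paths(graph: Dict[str, List[Hop]], entry: str, target: str) -> List[List[Hop]]:
    """All simple (loop-free) paths from entry to target, by depth-first search."""
    paths: List[List[Hop]] = []

    def dfs(node: str, visited: frozenset, hops: List[Hop]) -> None:
        if node == target:
            paths.append(list(hops))
            return
        for hop in graph.get(node, ()):
            dst = hop[1]
            if dst in visited:
                continue
            hops.append(hop)
            dfs(dst, visited | {dst}, hops)
            hops.pop()

    dfs(entry, frozenset({entry}), [])
    return paths


def path_risk(path: List[Hop]) -> float:
    """Likelihood that every hop on the path succeeds (independence assumed)."""
    return prod(hop[3] for hop in path)


def rank_paths(graph: Dict[str, List[Hop]], entry: str, target: str) -> List[List[Hop]]:
    return sorted(enumerate_paths(graph, entry, target), key=path_risk, reverse=True)


def choke_points(paths: List[List[Hop]], entry: str, target: str) -> List[Tuple[str, float]]:
    """Score each intermediate node by the total risk of the paths that pass through it."""
    score: Dict[str, float] = defaultdict(float)
    for path in paths:
        nodes = {hop[0] for hop in path} | {hop[1] for hop in path}
        for node in nodes - {entry, target}:
            score[node] += path_risk(path)
    return sorted(score.items(), key=lambda kv: kv[1], reverse=True)


def residual_risk_if_fixed(edges: List[Hop], node: str, entry: str, target: str) -> float:
    """Simulate remediating `node`: drop every edge into or out of it and re-sum path risk."""
    remaining = [hop for hop in edges if node not in (hop[0], hop[1])]
    return sum(path_risk(p) for p in enumerate_paths(build_graph(remaining), entry, target))


if __name__ == "__main__":
    graph = build_graph(EDGES)
    ranked = rank_paths(graph, "internet", "dc01")
    for path in ranked:
        route = " -> ".join([path[0][0]] + [hop[1] for hop in path])
        print(f"{path_risk(path):.3f}  {route}")
    print("choke points:", choke_points(ranked, "internet", "dc01"))
    for node, _ in choke_points(ranked, "internet", "dc01"):
        print(f"fix {node:7s} -> residual {residual_risk_if_fixed(EDGES, node, 'internet', 'dc01'):.3f}")
```

On this graph web01 scores highest even though app01 is the direct neighbour of dc01, because web01 feeds two of the three strongest paths; hardening it leaves less residual risk than hardening app01. Enumerating all simple paths is exponential in the worst case, so on a real environment bound the path length or use a top-k search rather than this exhaustive DFS.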
## Compliance Alignment
- **NIST SP 800-207:** Zero Trust Architecture foundational standard. Implementation should map directly to the components NIST defines: the Policy Engine and Policy Administrator in the control plane, and the Policy Enforcement Point in the data plane.
- **SLCGP (State and Local Cybersecurity Grant Program):** The Tenable features cited above (asset visibility, vulnerability management, risk communication) are presented as supporting the cybersecurity plan requirements that state and local grant recipients must meet.
- **ISO/IEC 27001:** Underlying principles of access control, asset management, and continuous monitoring support ISO certification goals.
## Common Pitfalls to Avoid
- **Treating ZTA as a Technology Purchase:** Avoid the mistake of believing deploying a single "Zero Trust Platform" solves the problem; ZTA is a strategy requiring process and governance changes.
- **Ignoring Identity Posture:** Failing to continuously verify the health and context of the *user* and *device* before granting access; relying only on static credentials undermines ZTA.
- **Inadequate Coverage:** Deploying scanners only on traditional IT assets while ignoring operational technology (OT) or cloud-native workloads can create unmanaged trust zones. Ensure **OT/IoT Exposure** is included.
- **"Big Bang" Segmentation:** Attempting to implement full micro-segmentation across the entire infrastructure at once, leading to massive service disruption and organizational pushback. Use a phased, pilot approach.
## Resources
- **NIST Special Publication 800-207:** Zero Trust Architecture (NIST's foundational ZTA publication, August 2020).
- **Tenable One Exposure Management Platform:** Centralized system for visibility and risk scoring to inform policy decisions.
- **Tenable Cloud Security (CNAPP) & CIEM:** Tools for securing cloud environments and identity entitlements.
- **Tenable Nessus Expert:** Tool for continuous vulnerability assessment across the modern attack surface.
- **SLCGP Documentation:** For specific state/local compliance mapping requirements.