The National Cyber Security Centre (NCSC) has published a set of ‘zero trust’ principles for network architecture.
It said the concept of zero trust – in which there is increasing interest as a foundation for cyber security in the public sector – is designed to cope with changes in network architecture that have seen a widespread move to cloud and continued growth in the use of software-as-a-service.
A senior security architect from NCSC, named as Peter R, said there will be differences in how organisations achieve zero trust and the principles represent building blocks and architectural considerations to make it possible.
There are eight in all:
- Know your architecture, including users, devices, services and data.
- Know your user, service and device identities.
- Assess your user behaviour, device and service health.
- Use policies to authorise requests.
- Authenticate and authorise everywhere.
- Focus your monitoring on users, devices and services.
- Don't trust any network, including your own.
- Choose services designed for zero trust.
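As an added illustration of principles 2 to 7 (not code from NCSC or the article), the function below makes a default-deny decision for every request from the signals the principles name: user and device identity, device health, service health and an explicit policy, while ignoring the source network. The policy table, identities and health flags are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Request:
    user: Optional[str]        # authenticated user identity (None = not authenticated)
    device: Optional[str]      # authenticated device identity (None = unknown device)
    device_healthy: bool       # result of a device health/posture check
    service: str               # target service
    action: str                # requested operation
    source_network: str        # recorded for monitoring only, never used to decide

# Constructed sample policy: service -> user -> permitted actions.
POLICY: Dict[str, Dict[str, set]] = {
    "payroll": {"alice": {"read"}, "bob": {"read", "write"}},
    "wiki":    {"alice": {"read", "write"}, "bob": {"read"}},
}

# Monitoring record keyed on user, device and service (principle 6).
AUDIT: List[Dict[str, object]] = []

def authorise(req: Request, service_healthy: Dict[str, bool]) -> Tuple[bool, str]:
    """Evaluate one request. Default deny; the network it came from is irrelevant."""
    decision = _decide(req, service_healthy)
    AUDIT.append({"user": req.user, "device": req.device, "service": req.service,
                  "action": req.action, "network": req.source_network,
                  "allowed": decision[0], "reason": decision[1]})
    return decision

def _decide(req: Request, service_healthy: Dict[str, bool]) -> Tuple[bool, str]:
    if req.user is None or req.device is None:
        return False, "unauthenticated user or device"          # principle 2, 5
    if not req.device_healthy:
        return False, "device health check failed"              # principle 3
    if not service_healthy.get(req.service, False):
        return False, "target service unhealthy or unknown"     # principle 3
    allowed = POLICY.get(req.service, {}).get(req.user, set())
    if req.action not in allowed:
        return False, "policy does not permit this action"      # principle 4
    return True, "allowed"
```

A request arriving from the internal LAN with no authenticated user is refused exactly as one from the internet would be; the LAN address only appears in the audit record.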
Peter R said any organisation making the transition should leave traditional security controls in place until the zero trust components are fully implemented and tested. For example, a virtual private network connection should be left in place until it is clear the zero trust architecture is mitigating all the threats the VPN was covering.
He added that a more complex environment will present more challenges, and that it may not be possible to achieve all the principles in one go. Also, if the technology to support a use case is not yet sufficiently mature, zero trust can still be a strategic goal.