Tools:
The IAM / PAM architecture above is built from three classes of component, each with several product options:
- Policy Enforcement Points (PEPs)
- Policy Decision Points (PDPs)
- Policy Information Points (PIPs)
Summary:
Summary of the General Zero Trust Architecture (ZTA) Model from NIST SP 1800-35B
The figure from NIST SP 1800-35B illustrates a General Zero Trust Architecture (ZTA). Its premise is that no request is trusted because of where it originates or because the subject authenticated once: every access by a user or non-person entity (NPE) is evaluated against policy using current identity, credential, endpoint and risk information, and that evaluation continues for the life of the session rather than ending at login.
- Subject (User and Endpoint): The subject is the user (or NPE) together with the endpoint it is using. Its request carries the identity and credentials of the user or NPE and is sent to the Policy Enforcement Point (PEP). The PEP is the only path to the protected resource, so no resource is reachable until this request has been made and evaluated.
- Initial Access Request (I(1)): The request that reaches the PEP carries the identity and credentials of the user or NPE. The PEP does not decide on its own; it passes the request to the PDP, which verifies the credentials against the identity system (ICAM) and confirms that the entity is who it claims to be. This is the first check in the ZTA model, but not a sufficient one: authorization, endpoint posture and risk are evaluated next.
- Policy Enforcement Point (PEP): The PEP acts as a gatekeeper. It forwards each request to the Policy Decision Point (PDP) and enforces the result, establishing, refusing or restricting the connection according to the organization's policies. Because every path to a protected resource goes through a PEP, only requests the PDP has approved reach the resource.
- Policy Decision Point (PDP): The PDP comprises two components: the Policy Engine (PE) and the Policy Administrator (PA). The PE makes the grant/deny decision by evaluating the request against organizational policy and the inputs it gathers from the Policy Information Points (PIPs). The PA executes that decision by instructing the PEP to establish, maintain or tear down the communication path between subject and resource.
- Policy Information Points (PIPs): PIPs provide essential data required for access decisions. They include systems for Identity, Credential, and Access Management (ICAM), Endpoint Detection and Response/Endpoint Protection Platforms (EDR/EPP), Security Analytics, and Data Security. These components offer a comprehensive view of the user, NPE, device, and context of the access request.
- Information Exchange (I(2), I(3), I(4)): The PEP passes to the PDP the information needed to verify the subject and its endpoint (I(2)); the PDP retrieves from the PIPs the data it needs to approve or deny the request (I(3)); the PDP then instructs the PEP to allow or deny access (I(4)). Only after I(4) does any traffic reach the resource.
- Access Requests and Evaluation (S(A)/R(A)): Approval of the initial request is not the end of the evaluation. On a schedule, or when a trigger such as a changed endpoint posture warrants it, the PEP and PDP re-verify that the subject, its endpoint and the resource still satisfy policy, so access can be adjusted while the session is live rather than only at its natural end.
- Session and Resource Management (S(C), R(C)): The outcome of a re-evaluation is a command to the PEP to continue, limit or revoke the session (S(C)) and, likewise, to continue, limit or revoke access to the resource (R(C)). A session is therefore cut when the user's or NPE's behaviour, the device's compliance state or the policy itself changes, not only when a fixed lifetime expires.
- Reauthentication and Hygiene Verification (S(D), R(D)): The subject is periodically issued reauthentication challenges and endpoint hygiene verifications (S(D)), and the resource and its endpoint receive the same (R(D)). A failed challenge feeds back into the re-evaluation above, so a compromised credential or a device that has drifted out of compliance cannot ride an already-established session.
- Integration with Supporting Components: ICAM, EDR/EPP, Security Analytics and Data Security are not add-ons; they are the PIPs the PDP consults, so their data quality bounds the quality of every decision. If the endpoint inventory is stale or the identity store does not record MFA state, the policy engine cannot enforce the corresponding conditions, however well the policy is written.
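The request, decision, enforcement and re-evaluation flow described above, as an added Python example (not code from NIST SP 1800-35B or from any product): a toy PEP, a PDP made of a PE and a PA, and three PIPs backed by constructed sample data. All names, the "payroll" resource policy, the risk scores and the 300-second reauthentication interval are hypothetical. The example walks one subject through I(1) to I(4), then runs the periodic re-evaluation that continues a session, revokes it when the EDR data changes (S(C)), and raises a reauthentication challenge when the interval elapses (S(D)).

```python
from dataclasses import dataclass

# Policy Information Points as constructed sample data (hypothetical). A real PDP
# would query an IdP (ICAM), an EDR/EPP console and a SIEM/UEBA platform instead,
# and would never compare plaintext secrets as this toy ICAM does.
ICAM = {"alice": {"secret": "s3cr3t", "groups": {"finance"}, "mfa": True},
        "bob":   {"secret": "hunter2", "groups": {"eng"},     "mfa": False}}
EDR = {"laptop-17": {"managed": True,  "compliant": True},
       "byod-99":   {"managed": False, "compliant": False}}
ANALYTICS = {"alice": 20, "bob": 35}                      # 0..100 user risk score
RESOURCE_POLICY = {"payroll": {"groups": {"finance"}, "require_mfa": True, "max_risk": 50}}
REAUTH_INTERVAL = 300.0                                   # seconds between S(D) challenges


@dataclass
class Session:
    user: str
    device: str
    resource: str
    authenticated_at: float


class PolicyEngine:
    """PE: evaluates subject, endpoint and resource against policy using PIP data."""

    def verify_credentials(self, user, secret):
        ident = ICAM.get(user)
        return ident is not None and ident["secret"] == secret

    def evaluate(self, user, device, resource):
        policy, ident, posture = RESOURCE_POLICY.get(resource), ICAM.get(user), EDR.get(device)
        if policy is None or ident is None or posture is None:
            return False, "unknown resource, subject or endpoint"
        if not ident["groups"] & policy["groups"]:
            return False, "subject not authorized for resource"
        if policy["require_mfa"] and not ident["mfa"]:
            return False, "MFA required"
        if not (posture["managed"] and posture["compliant"]):
            return False, "endpoint hygiene check failed"
        if ANALYTICS.get(user, 100) > policy["max_risk"]:
            return False, "risk score above threshold"
        return True, "policy satisfied"


class PolicyAdministrator:
    """PA: turns PE decisions into commands that open or close the path at the PEP."""

    def __init__(self, pe):
        self.pe = pe

    def initial_access(self, pep, user, secret, device, resource, now):
        if not self.pe.verify_credentials(user, secret):      # I(3): consult ICAM
            return False, "credential verification failed"
        allow, reason = self.pe.evaluate(user, device, resource)
        if allow:
            pep.open(Session(user, device, resource, now))     # I(4): allow
        return allow, reason

    def reevaluate(self, pep, now):
        """S(A)/R(A): re-check each live session; S(C): revoke; S(D): reauth challenge."""
        actions = {}
        for key, s in list(pep.sessions.items()):
            allow, reason = self.pe.evaluate(s.user, s.device, s.resource)
            if not allow:
                pep.close(key)                                 # S(C): revoke the session
                actions[key] = ("revoke", reason)
            elif now - s.authenticated_at >= REAUTH_INTERVAL:
                actions[key] = ("reauth", "periodic reauthentication due")   # S(D)
            else:
                actions[key] = ("continue", reason)
        return actions


class PolicyEnforcementPoint:
    """PEP: receives I(1), hands it to the PDP (I(2)) and holds only approved sessions."""

    def __init__(self, pdp):
        self.pdp, self.sessions = pdp, {}

    def request_access(self, user, secret, device, resource, now):
        return self.pdp.initial_access(self, user, secret, device, resource, now)

    def open(self, s):
        self.sessions[(s.user, s.device, s.resource)] = s

    def close(self, key):
        self.sessions.pop(key, None)

    def tick(self, now):
        return self.pdp.reevaluate(self, now)


def demo():
    """Walk one subject through I(1)-I(4), then S(A)/S(C)/S(D); returns the trace."""
    pep = PolicyEnforcementPoint(PolicyAdministrator(PolicyEngine()))
    trace = [pep.request_access("alice", "wrong", "laptop-17", "payroll", 0.0),
             pep.request_access("alice", "s3cr3t", "byod-99", "payroll", 0.0),
             pep.request_access("alice", "s3cr3t", "laptop-17", "payroll", 0.0),
             pep.tick(60.0)]                          # still compliant -> continue
    EDR["laptop-17"]["compliant"] = False             # simulated EDR finding mid-session
    trace.append(pep.tick(120.0))                     # S(C): session revoked
    EDR["laptop-17"]["compliant"] = True              # remediated; subject reconnects
    trace.append(pep.request_access("alice", "s3cr3t", "laptop-17", "payroll", 120.0))
    trace.append(pep.tick(120.0 + REAUTH_INTERVAL))   # S(D): reauthentication due
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point to notice is where the state lives: the PEP holds sessions but never evaluates them, the PE evaluates but never touches a connection, and the PA is the only component that tells the PEP to open or close. Mutating the EDR record between two ticks is enough to revoke a session the PDP approved a minute earlier, which is the behaviour the S(A)/S(C) steps describe.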
Summary Conclusion
The General Zero Trust Architecture from NIST SP 1800-35B provides a framework for continuously verifying and managing access to resources for both users and non-person entities (NPEs) such as applications and services. Decisions are made by a PDP from policy and PIP data, enforced by a PEP, and revisited for the life of the session rather than assumed from a one-time login. The practical consequence is that a stolen credential, a device that falls out of compliance or a rise in assessed risk can be acted on at the next evaluation instead of persisting until the session happens to end.