What security teams need to know about the NSA's new zero trust guidelines

The new guidelines aim to move an organization from discovery to target-level implementation of zero trust practices


The US National Security Agency (NSA) has released Phase One and Phase Two of its Zero Trust Implementation Guidelines.

The guidelines cover what's needed to achieve the Department of War's (DoW) targets for zero trust maturity.

Phase One and Phase Two aim to move an organization from discovery to target-level implementation by mapping out the activities, requirements, precursors and successors that are needed.

According to the NSA, the phased design of the guidelines means they're modular and highly customizable, allowing the implementation of both foundational and advanced activities, as well as the ability to tailor them to align with individual goals and constraints.

They build on the NSA's Primer and Discovery Phases, released earlier this month, and are aligned with existing federal frameworks, including the DoW CIO’s Zero Trust Framework.

What the zero trust guidelines get right

Brian Soby, CTO and co-founder of AppOmni, said there's a lot that the guidelines get right, adding that the move represents a positive step in helping organizations shore up identity security.

"The guidance pushes maturity beyond 'authenticate, then trust', toward ongoing decisions driven by what the user is doing, what privileges are being requested, and what resources are being touched," he said.

"That matters because the attacks that are winning right now are post-auth. Device posture and login checks are necessary, but against modern SaaS compromise they can be largely performative if you cannot detect abuse happening inside the session, inside the application."

Soby also praised the way that zero trust is presented as an operating model, not a product.

Policies are required to be centrally defined, consistently applied, continuously assessed, and enforced through coordinated policy decision points and policy enforcement points.

This includes requirements for real-time monitoring and automation to adapt as conditions change.

When it comes to User and Entity Behavior Analytics (UEBA), Soby noted the guidance takes the right approach, focusing on behavior baselining, analytics, and context enrichment so that anomalies are detected based on behavioral patterns and resource access, not just simplistic indicators like login location.

"That's the right direction. 'We saw a new IP' is a weak signal," he commented.

"The higher-signal story is what happened in the application: privilege use, data access, configuration changes, creation of integrations, unusual exports, and lateral movement across SaaS capabilities."
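The behavior-baselining approach described above, as an added example that is not part of the article, the NSA guidance, or AppOmni's products: each event is scored against a per-user baseline of actions, resource types and source IPs built from a history window, so a new IP on its own stays a weak signal while in-application signals (privilege grants, new integrations, unusual export volume) push a session over the alert threshold. The audit events, weights and threshold are all constructed for the illustration.

```python
"""Behavior-baselining detector over constructed SaaS audit events (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    user: str
    action: str      # e.g. "read", "export", "grant_role", "create_integration"
    resource: str    # e.g. "crm:contacts", "admin:roles"
    ip: str
    rows: int = 0    # row count for exports


# Weights are assumptions chosen so that in-app privilege and data signals outweigh
# a bare "new IP" indicator; tune them to your own telemetry.
ACTION_WEIGHTS = {"export": 30, "grant_role": 40, "create_integration": 35, "config_change": 25}
NEW_IP_WEIGHT = 10          # weak signal by itself
NEW_RESOURCE_WEIGHT = 15
EXPORT_VOLUME_WEIGHT = 30
ALERT_THRESHOLD = 40


@dataclass
class Baseline:
    actions: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    max_export_rows: int = 0


def build_baselines(history):
    """Learn, per user, which actions, resources and IPs are normal."""
    baselines = defaultdict(Baseline)
    for e in history:
        b = baselines[e.user]
        b.actions.add(e.action)
        b.resources.add(e.resource)
        b.ips.add(e.ip)
        if e.action == "export":
            b.max_export_rows = max(b.max_export_rows, e.rows)
    return baselines


def score_event(event, baseline):
    """Score one live event against the user's baseline; returns (score, reasons)."""
    score, reasons = 0, []
    if event.ip not in baseline.ips:
        score += NEW_IP_WEIGHT
        reasons.append("new_ip")
    if event.action not in baseline.actions:
        score += ACTION_WEIGHTS.get(event.action, 20)
        reasons.append(f"new_action:{event.action}")
    if event.resource not in baseline.resources:
        score += NEW_RESOURCE_WEIGHT
        reasons.append(f"new_resource:{event.resource}")
    # Context enrichment: an export the user is allowed to do, but at 5x the largest
    # volume ever seen for them, is a stronger signal than the IP it came from.
    if event.action == "export" and event.rows > 5 * max(baseline.max_export_rows, 1):
        score += EXPORT_VOLUME_WEIGHT
        reasons.append("export_volume")
    return score, reasons


def detect(history, live):
    """Return (user, score, reasons) for every live event at or above the threshold."""
    baselines = build_baselines(history)
    alerts = []
    for e in live:
        score, reasons = score_event(e, baselines[e.user])
        if score >= ALERT_THRESHOLD:
            alerts.append((e.user, score, reasons))
    return alerts


# Constructed sample data: a normal history window, then a live window.
HISTORY = [
    Event("alice", "read", "crm:contacts", "10.0.0.5"),
    Event("alice", "read", "crm:contacts", "10.0.0.5"),
    Event("alice", "export", "crm:contacts", "10.0.0.5", rows=200),
    Event("bob", "read", "hr:records", "10.0.0.7"),
]
LIVE = [
    Event("alice", "read", "crm:contacts", "203.0.113.9"),                # new IP only: 10, no alert
    Event("alice", "export", "crm:contacts", "203.0.113.9", rows=50000),  # new IP + volume: 40, alert
    Event("alice", "grant_role", "admin:roles", "10.0.0.5"),              # known IP, new privilege: 55, alert
    Event("bob", "read", "hr:records", "10.0.0.7"),                       # baseline behaviour: 0
]

if __name__ == "__main__":
    for user, score, reasons in detect(HISTORY, LIVE):
        print(f"ALERT user={user} score={score} reasons={reasons}")
```

The first live event (a read from an unseen address) scores only 10 and is not alerted on, while the privilege grant from the user's usual address scores 55: the decision is driven by what happened inside the application rather than by where the login came from.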

Why some zero trust efforts fall flat

Soby warned that most zero trust implementation projects are missing the core points. A key factor here is that they focus too heavily on zero trust network access (ZTNA) considerations, and ZTNA-only architectures are often easier to bypass.

Meanwhile, organizations fail to recognize that each application is its own policy decision point and policy enforcement point.

“This is the core point that gets ignored. The guidance treats policy decision points and policy enforcement points as essential building blocks that must be coordinated. The problem is that many organizations pretend the only real decision and enforcement happens at the identity provider or a proxy," he said.

"In reality, every application, SaaS or otherwise, is itself a policy decision point and policy enforcement point. The application decides what a user, integration, service account, or agent can do, and it enforces that decision.”

Soby noted this is “especially true” in cases where identities don’t “traverse the enterprise front door”, for example with customers, partners, and external collaborators.
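The point that every application is its own policy decision point and policy enforcement point, as an added example that is not the NSA guidance's or AppOmni's code: a SaaS-style service that does not stop at "the identity provider issued a valid token" but decides each request itself from the principal's kind (user, integration, service account or agent), the privilege the action needs, the resource touched and the current session context, then enforces that decision before doing any work. The policy table, roles, resources and risk levels are constructed assumptions; the `session_risk` field stands in for a signal a behavior-analytics pipeline would feed in mid-session.

```python
"""In-application policy decision point (PDP) and enforcement point (PEP), added example."""
from dataclasses import dataclass


@dataclass
class Principal:
    id: str
    kind: str      # "user" | "integration" | "service_account" | "agent"
    roles: set


@dataclass
class Context:
    device_compliant: bool = True
    session_risk: str = "low"   # "low" | "elevated" | "high", updated during the session
    mfa_recent: bool = False


# Centrally defined policy (constructed): (resource prefix, action) -> requirements.
POLICY = {
    ("crm:", "read"):         {"role": "crm_reader"},
    ("crm:", "export"):       {"role": "crm_exporter", "max_risk": "low", "human_only": True},
    ("admin:", "grant_role"): {"role": "admin", "mfa_recent": True, "human_only": True},
    ("hr:", "read"):          {"role": "hr_reader"},
}
RISK_ORDER = {"low": 0, "elevated": 1, "high": 2}


def decide(principal, action, resource, ctx):
    """Policy decision point: evaluated on every call, not once at login. Returns (allowed, reason)."""
    rule = None
    for (prefix, act), r in POLICY.items():
        if act == action and resource.startswith(prefix):
            rule = r
            break
    if rule is None:
        return False, "no matching rule (default deny)"
    if rule["role"] not in principal.roles:
        return False, f"missing role {rule['role']}"
    if rule.get("human_only") and principal.kind != "user":
        return False, f"{principal.kind} may not {action}"
    if not ctx.device_compliant:
        return False, "device not compliant"
    if "max_risk" in rule and RISK_ORDER[ctx.session_risk] > RISK_ORDER[rule["max_risk"]]:
        return False, f"session risk {ctx.session_risk} exceeds {rule['max_risk']}"
    if rule.get("mfa_recent") and not ctx.mfa_recent:
        return False, "step-up authentication required"
    return True, "allowed"


class ContactsService:
    """Policy enforcement point: every operation consults decide() and records the outcome."""

    def __init__(self):
        self.audit = []

    def _enforce(self, principal, action, resource, ctx):
        allowed, reason = decide(principal, action, resource, ctx)
        self.audit.append((principal.id, action, resource, allowed, reason))
        if not allowed:
            raise PermissionError(reason)

    def read(self, principal, ctx):
        self._enforce(principal, "read", "crm:contacts", ctx)
        return ["contact-1", "contact-2"]   # constructed data

    def export(self, principal, ctx):
        self._enforce(principal, "export", "crm:contacts", ctx)
        return "export.csv"


def run_demo():
    """Same authenticated user, same session: the decision changes as context changes."""
    svc = ContactsService()
    alice = Principal("alice", "user", {"crm_reader", "crm_exporter"})
    ctx = Context()
    outcomes = [("read", svc.read(alice, ctx)), ("export", svc.export(alice, ctx))]
    ctx.session_risk = "elevated"   # e.g. behavior analytics raised the session score
    try:
        svc.export(alice, ctx)
    except PermissionError as e:
        outcomes.append(("export", f"denied: {e}"))
    return outcomes


if __name__ == "__main__":
    for action, result in run_demo():
        print(action, result)
```

A service account holding the same `crm_exporter` role is still refused the export by the `human_only` condition, and an export the user was allowed a moment earlier is denied once the session's risk rises: the application makes and enforces the decision on each request rather than deferring it to the identity provider or a proxy.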


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.