How Microsoft and NIST are collaborating to advance the Zero Trust Implementation
Credit to Author: Mark Simos| Date: Tue, 06 Aug 2024 20:00:00 +0000
We are announcing the release of the recently published Zero Trust practice guide in collaboration between Microsoft and the National Cybersecurity Center of Excellence (NCCoE). This guide details how to implement a Zero Trust strategy, and what an end to end security approach using Zero Trust means for you and your organization.
While the Zero Trust security model is continuing to gain momentum, customers regularly ask for guidance on how to deploy this model effectively using today’s available technology. Microsoft participating in an ongoing collaboration led by the National Institute of Standards and Technology’s (NIST’s) NCCoE. Microsoft joined this effort to support this important mission and to help answer our customer’s need for references on Zero Trust implementations.
Since 2022, the NCCoE has collaborated with 24 vendors, including Microsoft, on developing a practice guide with practical steps for organizations eager to implement cybersecurity reference designs for Zero Trust. Zero Trust principles include assuming compromise (assuming breach) to drive a holistic and practical security approach, verifying trust explicitly before granting access to assets, and limiting the blast radius by granting the least privilege necessary. The Zero Trust model describes a collaborative comprehensive approach for end-to-end security that is required to keep up with continuous changes in threats, technology, and business.
“The NCCoE strives to launch initiatives that directly benefit organizations facing modern cybersecurity challenges. The lessons learned from integrating various products and services contributed by collaborators like Microsoft is an invaluable contribution toward this effort.”
—Alper Kerman of NIST
Security isn’t easy—it’s always been an extremely complex and challenging discipline and Zero Trust is now transforming how many aspects of that discipline are done. While there is much more to do, we are encouraged by seeing customers make rapid progress on Zero Trust and getting meaningful benefits from it.
NIST: Implementing a Zero Trust Architecture
This guide from NIST shares practical guidance to implement Zero Trust from the NCCoE labs.
Microsoft and the NIST NCCoE: United in prioritizing Zero Trust model
Both Microsoft and the NCCoE have been strong advocates of the Zero Trust model for years. This diagram illustrates how Microsoft technology maps to the NIST Zero Trust model:
NIST’s role in cybersecurity cannot be overstated. In addition to publishing security standards for decades, NIST’s collaborative hub, called the NCCoE, has brought clarity on how to design and implement Zero Trust by publishing how-to guides, practice guides, and business case examples.
“The NCCoE is dedicated to helping organizations strengthen their cybersecurity. A major way we do this is by translating existing security standards into example implementation guidance, so organizations know exactly what they need to do to protect their most critical assets. By simplifying the process, we can get more organizations benefiting from Zero Trust principles.”
—Alper Kerman of NIST
The Microsoft and NIST NCCoE collaboration
Microsoft has participated for decades in NIST’s open and transparent process for standards development and in particular supported NIST NCCoE ‘s mission to develop practical, interoperable cybersecurity approaches that show how the components of zero trust architectures can securely mitigate risks and meet industry sectors’ compliance requirements. Microsoft has been impressed by NIST’s role serving as a credible and clear voice in the security industry. When we found out about this latest collaboration opportunity, we knew we wanted to play a part.
In October 2020, when the NCCoE sought industry partners to support the implementation of the Zero Trust architecture project, we jumped at the opportunity. The NCCoE’s Zero Trust architecture project is its largest to date with 24 participating organizations, seventeen different builds, and a rich set of practical documentation. The goal of this NCCoE project is to demonstrate several example zero trust architecture solutions—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The documents from this work effectively demonstrate how to practically implement Zero Trust principles using today’s technology.
The project addresses several common scenarios you may face:
- An employee seeks access to corporate resources to complete their work.
- An employee seeks access to internet resources from enterprise devices to complete tasks.
- A contractor tries to access corporate resources and internet resources.
- Servers within an enterprise are communicating with each other.
- An organization is collaborating with a business partner and wants to securely access specific resources.
- An organization wants to integrate monitoring and security information and event management (SIEM) systems with the policy engine for more precise trust scores.
As part of this effort, the NCCoE just announced the general availability of the Zero Trust Architecture 1800-35 practice guide in conjunction with the Zero Trust architecture project. The practice guide details a standards-based implementation of Zero Trust architecture. The guide offers a learning pathway to greater understanding of the Zero Trust security model, and includes practical use cases and various example implementations and associated documentation. It was developed to be simple, usable, and practical.
Collaboration brings learning and value
These resources help Microsoft customers support end-to-end integrations that lead to significant value over time. Our Zero Trust implementation with the NCCoE has already helped us evolve Microsoft technology and guidance for a successful Zero Trust product deployment and will continue to do so.
What the future of Zero Trust will bring
Both Microsoft and NIST are investigating opportunities to leverage this foundational work to support other use case scenarios that will benefit from ZT deployment model. Microsoft is excited by the government’s deep commitment to Zero Trust architecture and have been closely monitoring US Executive Order 14028 on Cybersecurity and the OMB Implementation Strategy.
Microsoft is continuously working to achieve an integrated set of offerings to enable customers to more easily and comprehensively address the security challenges they face. Microsoft is also continuously integrating lessons learned from cyberattacks on ourselves as well as on our customer into our guidance and technology. The growth of AI and its close relationship to Zero Trust make this transformation an even more critical effort—a network perimeter can’t secure your AI or your data.
Explore strategies for implementing Zero Trust
We know that adopting a Zero Trust approach is challenging as it requires a shift in mindset, strategy, and architecture as well as a lot of engineering work. We are encouraged by the positive progress and feedback from our customers on this journey, from industry analysts, and other sources. Microsoft is working to ease these challenges through NIST’s NCCoE Zero Trust Architecture consortium, with our Security Adoption Framework (SAF),and other security guidance.
Learn more
Learn more about Zero Trust.
You can follow Mark Simos on LinkedIn and explore Mark’s List of commonly shared cybersecurity resources.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
About the National Cybersecurity Center of Excellence
The NCCoE, a part of NIST, is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under CRADAs, including technology partners—from Fortune 50 market leaders to smaller companies specializing in information technology and operational technology security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions by using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to re-create the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland. Information is available at https://www.nccoe.nist.gov.
The post How Microsoft and NIST are collaborating to advance the Zero Trust Implementation appeared first on Microsoft Security Blog.