Platform requirements for Zero Trust Security

BPB Online
2 min read · May 31, 2022

Zero Trust is a comprehensive approach to safeguarding network, application, and data resources, built on an identity-centric policy architecture for access management. Every business already has a set of IT and security systems in place, but Zero Trust requires that they be seen and managed holistically, with identity at the center and the ability to enforce attribute- and context-sensitive policies across the board.

In this part we propose a baseline set of platform requirements, derived from the Zero Trust principles addressed earlier. The objective is not simply to restate the principles but to emphasize the key features from a platform standpoint. Some of these concepts (particularly APIs and integration) are better described as criteria for specific IT and security roles, but we have stated them here in general terms:

  • Encryption is required for data plane connections. Any exclusions must be planned ahead of time (for example, DNS).
  • Access restrictions for all sorts of resources must be enforced by the system. Identity-centric and contextual policies must drive access control systems.
  • Identity-centric and contextual policies should also be able to govern the safeguards applied to data resources.
  • The system and policy model must be capable of securing all users at all times and in all places. The policy model and controls must be the same for remote and on-premises users.
  • It must be possible to assess a device's security posture and configuration before it is granted access, and to reassess it on a regular basis afterward.
  • BYOD devices must be distinguished from corporate-managed devices, and access levels must be controlled accordingly.
  • Access to any network resource must be explicitly permitted by policy.
  • No user or device should have unrestricted network access by default.
  • Access controls must be able to discriminate between distinct network resources and services. Access to HTTPS, for example, must be allowed separately from access to SSH.
  • Access to specific data elements held within applications or containers of differing classifications must follow the business policy.
  • Metadata about network traffic must be logged and enriched with identity context.
  • The ability to inspect network traffic for security threats and data loss is required.
  • Access control policies defined by on-premises systems should continue to apply to workloads migrated to the cloud.
  • Automation must carry identity-centric details so that incident response is efficient and effective.
  • For effective and dynamic policy enforcement, logs must be integrated into analytics tools.
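The requirements above describe what a Zero Trust policy decision point must do, not how to build one. The following is an added example, not code from the article or from BPB Online, that shows the shape of such an engine in a few dozen lines: default deny, per-service rules (HTTPS and SSH on the same host are decided separately), a device posture check that must be recent, a managed-versus-BYOD distinction, MFA as identity context, and a decision record enriched with identity and device details so it can be shipped to an analytics tool. All hostnames, group names, device identifiers, and the one-hour posture age are constructed values for illustration; the subject's location is deliberately recorded but never consulted, so remote and on-premises users are treated identically.

```python
"""Toy identity- and context-centric access policy evaluator (added example)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # True = corporate-managed, False = BYOD
    posture_ok: bool          # result of the most recent posture assessment
    posture_checked_at: int   # unix time of that assessment


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa: bool                 # identity context: MFA satisfied for this session
    location: str             # "on-prem" or "remote"; recorded, never consulted


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str             # target host
    service: str              # "https", "ssh", ... each evaluated independently
    now: int                  # unix time of the request


@dataclass(frozen=True)
class Rule:
    resource: str
    service: str
    allowed_groups: frozenset
    require_managed: bool = False
    require_mfa: bool = True


POSTURE_MAX_AGE = 3600        # constructed: posture must be reassessed hourly

# Constructed rule set: HTTPS to the app is open to staff from any device that
# passes posture; SSH to the same host is admins-only from managed devices.
RULES = (
    Rule("app.internal.example", "https", frozenset({"staff", "admins"})),
    Rule("app.internal.example", "ssh", frozenset({"admins"}), require_managed=True),
)


def evaluate(req, rules=RULES, posture_max_age=POSTURE_MAX_AGE):
    """Return (decision, reason, log_record_json). Anything not explicitly
    permitted by a matching rule is denied."""
    def decide(decision, reason):
        # Every decision is logged with identity and device context attached.
        record = {
            "ts": req.now, "user": req.subject.user, "location": req.subject.location,
            "device": req.device.device_id, "managed": req.device.managed,
            "resource": req.resource, "service": req.service,
            "decision": decision, "reason": reason,
        }
        return decision, reason, json.dumps(record, sort_keys=True)

    # Device checks apply before any rule, regardless of user or location.
    if not req.device.posture_ok:
        return decide("deny", "device failed posture assessment")
    if req.now - req.device.posture_checked_at > posture_max_age:
        return decide("deny", "device posture assessment is stale")

    for rule in rules:
        if (rule.resource, rule.service) != (req.resource, req.service):
            continue
        if rule.require_mfa and not req.subject.mfa:
            return decide("deny", "MFA required")
        if rule.require_managed and not req.device.managed:
            return decide("deny", "BYOD device not permitted for this service")
        if not (req.subject.groups & rule.allowed_groups):
            return decide("deny", "subject not in an allowed group")
        return decide("allow", f"matched rule for {rule.service} on {rule.resource}")
    return decide("deny", "no explicit rule permits this access")


NOW = 1_700_000_000  # constructed reference time


def sample_decisions():
    """Run constructed requests through the engine; returns {case: decision}."""
    alice = Subject("alice", frozenset({"staff"}), mfa=True, location="remote")
    bob = Subject("bob", frozenset({"admins"}), mfa=True, location="on-prem")
    managed = Device("lap-001", managed=True, posture_ok=True, posture_checked_at=NOW - 600)
    byod = Device("phone-042", managed=False, posture_ok=True, posture_checked_at=NOW - 600)
    stale = Device("lap-002", managed=True, posture_ok=True, posture_checked_at=NOW - 7200)
    cases = {
        "alice_https_byod": Request(alice, byod, "app.internal.example", "https", NOW),
        "alice_ssh_managed": Request(alice, managed, "app.internal.example", "ssh", NOW),
        "bob_ssh_byod": Request(bob, byod, "app.internal.example", "ssh", NOW),
        "bob_ssh_managed": Request(bob, managed, "app.internal.example", "ssh", NOW),
        "bob_ssh_stale": Request(bob, stale, "app.internal.example", "ssh", NOW),
        "bob_https_other_host": Request(bob, managed, "db.internal.example", "https", NOW),
    }
    return {name: evaluate(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:24s} {decision}")
```

The point of the example is the ordering: device posture is checked before identity, the service is part of the rule key so HTTPS and SSH to one host cannot be conflated, and the final `deny` is reached only when no rule explicitly matched, which is what "no unrestricted access by default" means in code.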

Hope this was helpful.
