UK Government’s ‘National Cyber Security Center’ Launches Guidance on Adoption of Zero Trust Architecture

The UK’s NCSC, a joint venture between the leading cyber (GCHQ and CERT-UK) and critical infrastructure protection (CPNI) organizations within the UK government, has released a practical and pragmatic set of recommendations to assist organizations in the adoption of Zero Trust Architectures (ZTA). Similar to the NIST special publication on ZTA (SP 800-207), the NCSC recognizes Zero Trust as an architecture, a set of principles, and a transformational journey.

As cyber leadership around the world understand the benefits and implications of Zero Trust Architectures (ZTAs), we are now seeing a consensus developing around the prerequisites for successful adoption. These principles form the bedrock of Application Relationship Management, a set of techniques implemented by vArmour, enabling organizations to create and deploy Zero Trust Architectures across their existing and future computing and cloud environments:

  1. Know your architecture. The Zero Trust journey begins with discovery, mapping and inventory improvement, and scoping of functions. Without an accurate representation of your environment, Zero Trust policies will be inaccurate and brittle. This recommendation aligns with the first step in vArmour’s workflow, where visualization, data refinement and validation create the foundations for a zero trust architecture.
  2. Know your identities. An enterprise environment consists of elements of many types (users, data, services, processes, accounts) and each has its own unique identity. Those identities must be lent actionable context by aligning them with organizational units, business functions, and regulatory obligations. By establishing a flexible identity model it becomes possible to authoritatively establish relationships between different classes of entity (for example, user departments to the business services they consume) and to design robust Zero Trust policies relating to their context.
  3. Assess behaviour, health and other contextual information / metadata. The most challenging step on the Zero Trust journey is the establishment of policies that reflect business and technical requirements. vArmour provides a structured analysis of relationships and behaviours enriched with contextual information such as health and business function, and computes candidate policies based upon observed behaviour and assessed risk. 
  4. Use Policies. At vArmour we have partnered with our customers, the early adopters of Zero Trust, to deliver a data-driven approach to policy: utilising observed behaviours to suggest candidate policies, utilising that dataset to test the likely efficacy of policies before deployment, and enabling application and security teams to curate and review likely policy outcomes from a business and risk perspective (where raw identity information is enriched with business context). Policies need to relate to required outcomes and also be validated against data associated with the identities subject to those policies.
  5. Take a flexible / phased approach. Zero Trust is not ‘all or nothing’ and neither is it a siloed approach relating to only user access, application communications, or network access. Zero Trust is a method which can be used to protect critical business functions which consist of user and network access requirements, and which can be ‘dialled up’ to provide broader reduction of enterprise attack surface over time. Vendors suggesting that a single enforcement product represents a Zero Trust solution are missing the point. The NCSC correctly identifies the need to harmonize protection across legacy controls and the emerging multi-cloud enforcement options (including Security Groups within the cloud, IAM permissions, network policies within Container environments) to fully realize security benefits. By working through these principles, organizations take the first steps on their zero trust journey.

Over the next few months, the National Cyber Security Center will be publishing more granular recommendations detailing each of the principles of Zero Trust Architecture. We will follow those recommendations in this blog, providing concrete examples of how Application Relationship Management takes organizations on a frictionless, incremental journey to Zero Trust.


Timothy Eades

Chief Executive Officer