The National Security Agency (NSA) wants organizations adopt zero-trust framework principles to protect their enterprise networks and is releasing guidance to help them get there.

The agency is arguing that adopting controls and functionality that includes segmenting networks and control access via strict policy regulations will reduce the potential damage a bad actor can do if they get into an enterprise’s IT infrastructure.

“Organizations need to operate with a mindset that threats exist within the boundaries of their systems,” NSA Cybersecurity Director Rob Joyce said in a statement. “This guidance is intended to arm network owners and operators with the processes they need to vigilantly resist, detect, and respond to threats that exploit weaknesses or gaps in their enterprise architecture.”

Zero-trust architectures take a much more aggressive and proactive approach than traditional network security functions, which tend to assume the safety of devices and users trying to connect to the network. Instead, a zero-trust framework starts with the premise that nothing can be let into the network until they’ve been authenticated and verified, and that threats already exist in networks and need to be addressed.

The agency is outlining steps organizations can take in its latest Cybersecurity Information Sheet (CSI), with the authors writing that “after gaining access to an organization’s network, one of the most common techniques malicious cyber actors use is lateral movement through the network, gaining access to more sensitive data and critical systems. The Zero Trust network … curtails adversarial lateral movement by employing controls and capabilities to logically and physically segment, isolate, and control access (on-premises and off-premises) through granular policy restrictions.”

Zero Trust and NDA ‘Pillars’

The CSI complements three others from the NSA concerning zero-trust architectures that view such frameworks from different “pillars,” including users and devices. This one focuses on the “network and environment pillar.”

For network administrators and security teams, the challenge now is adapting to increasingly sophisticated and complex cyberattacks and an IT environment that is increasingly distributed through such trends as the adoption of clouds and remote work.

“Traditional network security has emphasized a defense-in-depth approach; however, most networks invest primarily in perimeter defense,” according to the CSI. “Once inside the network perimeter, end users, applications, and other entities are often given broad access to multiple corporate resources.”

The same goes for cybercriminals that are able to breach the defenses and get into the network. The latest CSI includes “mapping data flows within the network and implementing network segmentation with strong access controls to inhibit lateral movement. This shift enables host isolation, network segmentation, enforcement of encryption, and enterprise visibility.”

Through this, enterprises can isolate network intrusions to a small portion of the network, the authors wrote.

A Booming Business

Zero-trust security has been a growing discussion point for several years in the cybersecurity field. The global zero-trust market, valued at $25.12 billion in 2022, is expected to reach about $118.5 billion by 2032, according to Precedence Research. The analysts pointed to the growing complexity and number of attacks, the cloud, and digital transformation as key drivers.

“As businesses move their data and applications to the cloud, it becomes crucial to secure access to these resources,” they wrote. “Zero trust security offers a framework for continuous verification and authorization, ensuring that only authenticated and authorized users can access sensitive information.”

In the latest CSI, the NSA looks at the key capabilities within the network and environment pillar, including data flow mapping for data storage and processing and software-defined networking (SDN), which the agency said includes tailored micro segmentation controls and centralized policy management. There also are macro segmentation to create areas in the network that can be isolated and micro segmentation, and micro segmentation, for users, application, and workflow isolation.

A Gradual Approach

The NSA outlines the steps for gradually maturing each of the four capabilities, guiding organizations from preparing through basic and intermediate and finally to advanced.

The CSI “provides an organization with processes for resisting, detecting, and responding to threats that exploit weaknesses or gaps in their enterprise architecture,” the agency wrote. “Those processes support an operational mindset in which it is assumed that threats already exist within the nominal boundaries of their systems. Vigilance is required to ensure that risks are continually assessed, and appropriate responses are enacted in a timely manner, with follow-up investigations and damage control as necessary.”

Brian Soby, co-founder and CTO of AppOmni, a software-as-a-service (SaaS) security firm, said the NSA’s guidance reflects a trend around increasing the granularity of policies with zero-trust systems, adding that it is a key principle of zero trust and supported by industry benchmarks like NIST’s zero-trust architecture reference.

“In their announcement, the NSA recognizes this market shift, especially the prevalence and customer adoption of products such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE), which provide part of the micro-segmentation capability promoted by this new guidance,” Soby said.

He noted that the NSA looks at micro-segmentation moving closer to applications themselves though functions like continuous visibility and a security feedback loop, saying that it dovetails with the trend of “companies expanding their [zero-trust] programs to apply these secure principles end to end all the way through their applications.”

To further the granularity of micro-segmentation, enterprises need to also apply least-privilege and zero-trust security posture management to SaaS and other applications, Soby said.