When preparing to securely work from anywhere, it is tantamount that a zero trust policy be adopted. Locations and assets are not to be inherently trusted. A system of policies and software are needed to protect from malicious intent.
In August 2020, NIST published SP 800-207, the final version of their Zero Trust Architecture.
It is available for download from:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
The tenets of zero trust are presented in section 2.1. They are listed below for review.
“…A zero trust architecture is designed and deployed with adherence to the following zero trust basic tenets:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture."