4 key takeaways from the new NSA report on Zero Trust and identity management

A new NSA report provides more clarity on how to achieve Zero Trust maturity for user access to IT systems.

On Tuesday, March 14, the National Security Agency (NSA) released a new cybersecurity information sheet titled, “Advancing Zero Trust Maturity Throughout the User Pillar.”

The document outlines how identity, credential, and access management security controls might influence an organization’s Zero Trust architecture and how that can increase user access security specifically.

While the information is primarily intended for national security system owners and operators, any organization looking for more information on implementing a robust Zero Trust strategy will find this guidance useful. It builds on an earlier NSA report, “Embracing a Zero Trust Security Model.”

Here are four key takeaways from the report.

1. The Zero Trust “User Pillar” has five capabilities to consider

In a previous report titled “Embracing a Zero Trust Model,” the NSA provided the following definition of the Zero Trust approach to cybersecurity:

“The Zero Trust model is a security model… based on an acknowledgement that threats exist both inside and outside traditional network boundaries. [It] eliminates implicit trust in any one element… and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.”

To support this kind of security architecture, the NSA previously defined seven pillars of Zero Trust, including:

  • User
  • Devices
  • Applications and workloads
  • Data
  • Network and environment
  • Automation and orchestration
  • Visibility and analytics

These pillars are interdependent, but this report focuses on the user (also known as the identity) pillar. This pillar’s primary aim is to manage access for individual people or entities. Capabilities within the user pillar include:

  • Identity management | The assignment and use of digital identities to a person or entity
  • Credential management | The issuance, use, and maintenance of credentials for approved users
  • Access management | The policies and procedures in place used to deliver or remove system access for individuals or entities
  • Federation | How an organization can integrate its identity, credential, and access management with its partners
  • Governance | The rules and processes an organization has in place to monitor and improve its identity, credential, and access management risks

This report provides a high-level roadmap with best practices for implementing these capabilities into your overall cybersecurity approach. For example, one recommendation the report makes on credential management is to always use multifactor authentication for individual users.

2. The goal is to progress to advanced Zero Trust maturity

The report goes on to describe the Zero Trust user pillar maturity model, proceeding through four phases: preparation, basic, intermediate, and advanced.

The first phase is for inventory, the second is for assessment and refinement of your organization’s identity attributes, the third stage is for standardizing and managing those attributes, and the final stage is for optimizing risk-based responses.

Maturing your organization’s identity, credential, and access management capacities will strengthen your overall cybersecurity response posture, ushering you through each phase.

Note that while the capabilities outlined above are critical to consider when developing your approach to cybersecurity, this is only one Zero Trust maturity model. You may find another approach that better fits your organization’s specific digital identity needs.

Ultimately, adopting the right Zero Trust model translates to a more secure enterprise with fewer cybersecurity vulnerabilities, fortifying your systems from potential cyberattacks.

3. Adopting a Zero Trust strategy takes forethought and planning

As with any major organizational change, know that advancing through the phases of the Zero Trust maturity model will not necessarily be easy.

The report notes that adopting Zero Trust principles requires forethought and planning to achieve, with a well-defined implementation process defined by incremental progress. It can be a challenging process for organizations that are not well-versed in applying secure access solutions.

You’ll want to assess your organization’s current identity management practices and what assistance you may need to facilitate a Zero Trust approach. Having a digital identity management partner with a proven track record of results can remove many common obstacles in the implementation process.

4. Additional guidance is available

While this report provides actionable information on how to implement Zero Trust principles into your identity management approach, the NSA offers additional material on securing your systems. Visit NSA Cybersecurity Advisories & Guidance for a deep library of cybersecurity content.

Want to see evidence of a successful Zero Trust implementation in action? Learn more about how one energy company implemented Zero Trust strategies with a proven privileged access management (PAM) solution.