NIST's Zero Trust Guide: 19 Implementation Approaches for Robust Cybersecurity Architectures.

In today's complex digital landscape, traditional cybersecurity models centered on perimeter defense are proving insufficient. Organizations are embracing remote work, cloud services, and distributed networks, creating environments where assets span on-premises data centers, multi-cloud environments, and remote endpoints. To address these evolving challenges, the National Institute of Standards and Technology (NIST) has released new practical guidance on implementing zero trust architecture (ZTA). This guidance, titled Implementing a Zero Trust Architecture (SP 1800-35), offers 19 example implementations of ZTAs built using commercial, off-the-shelf technologies, providing organizations with valuable starting points for building their own robust cybersecurity architectures.

Zero trust (ZT) is an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership. Instead, it requires continuous authentication, authorization, and validation of security configurations before access is granted to applications and data.
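The contrast described above, as an added example that is not taken from the NIST guidance: a per-request decision that ignores network location and re-checks identity, entitlement and device configuration every time, beside a legacy perimeter check. All names, entitlements and sample requests are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    authenticated: bool      # identity verified for this request
    device_compliant: bool   # device security configuration validated
    source_network: str      # recorded for logging, never used as a trust signal

# Constructed entitlements: (user, resource) pairs that policy permits.
ENTITLEMENTS = {("alice", "payroll-app"), ("bob", "wiki")}

def perimeter_decide(req: AccessRequest) -> bool:
    """Legacy model, for contrast: being on the corporate LAN implies trust."""
    return req.source_network == "corporate-lan"

def zero_trust_decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate every request on identity, entitlement and device state only."""
    if not req.authenticated:
        return False, "deny: authentication"
    if (req.user, req.resource) not in ENTITLEMENTS:
        return False, "deny: authorization"
    if not req.device_compliant:
        return False, "deny: device configuration"
    return True, "allow"

def demo() -> list[tuple[str, bool, str]]:
    # Constructed sample requests.
    on_lan = AccessRequest("visitor", "payroll-app", False, False, "corporate-lan")
    remote = AccessRequest("alice", "payroll-app", True, True, "public-wifi")
    # Same user later in the session, after the device drifts out of compliance.
    drifted = replace(remote, device_compliant=False)
    rows = []
    for name, req in [("on_lan", on_lan), ("remote", remote), ("drifted", drifted)]:
        rows.append((name, perimeter_decide(req), zero_trust_decide(req)[1]))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The unauthenticated request from the corporate LAN passes the perimeter check but is denied under zero trust, while the verified remote user is allowed until the device falls out of compliance.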

The NIST guidance is the result of a four-year project at the NIST National Cybersecurity Center of Excellence (NCCoE), which involved 24 industry collaborators, including major tech companies. The NCCoE team and its collaborators spent four years installing, configuring, and troubleshooting the example implementations around real-world situations that large organizations typically confront.

The guidance sets out several zero trust build types, upon which the 19 example implementations are based. These include general zero trust, the Enhanced Identity Governance (EIG) crawl phase, and the EIG run phase. The 19 example setups illustrate a range of scenarios, including hybrid cloud setups, branch offices, and even public Wi-Fi use at coffee shops. Each model comes with technical details on deployment, sample configurations and integration steps, test results, and best practices drawn from real-world experience. The guidance also maps these setups onto NIST's broader Cybersecurity Framework (CSF), SP 800-53 controls, and critical software measures.

Implementing a ZTA offers numerous benefits, including enhanced cybersecurity, reduced complexity and cost, support for digital transformation, and improved user productivity. By eliminating implicit trust and enforcing contextual access, direct-to-app segmentation, and continuous monitoring, zero trust decreases the likelihood of breaches and minimizes their potential blast radii. It also cuts costs by consolidating security and networking point products into a single platform, simplifying IT infrastructure, enhancing admin efficiency, and minimizing operational overhead. Furthermore, zero trust is a modern architecture that securely enables organizations to embrace cloud computing, remote work, IoT/OT devices, and other modern technologies. Direct-to-app connectivity delivered at the edge eliminates the need to backhaul traffic to a distant data center or cloud, removing the latency associated with network hops, VPN bottlenecks, and other issues that harm user experiences.

While implementing a ZTA can be complex, the NIST guidance provides a pragmatic approach for organizations to follow. This includes identifying actors and assets, developing policies based on business processes, implementing a robust identity framework, deploying micro-segmentation, and enabling continuous monitoring and validation. It is essential to start with critical assets and gradually extend zero trust principles across the environment. The new NIST guidance augments NIST's 2020 publication Zero Trust Architecture (NIST SP 800-207), a high-level document that describes zero trust at the conceptual level. The new publication gives users more help addressing their own needs, which can be a substantial task when implementing ZTA.


Written By
Deepika possesses a knack for delivering insightful and engaging content. Her writing portfolio showcases a deep understanding of industry trends and a commitment to providing readers with valuable information. Deepika is adept at crafting articles, white papers, and blog posts that resonate with both technical and non-technical audiences, making her a valuable asset for any organization seeking clear and compelling technology communication.
© 2025 TechScoop360