Zero Trust – From buzzword to regulatory reality

Zero Trust Architecture is on everyone's lips and is slowly playing a role in regulatory requirements - in the USA, at EU level and also in Germany. Reason enough to take a closer look at Zero Trust. What does Zero Trust mean? What are the legislators planning in Washington, Brussels and Berlin? But above all, what can companies and authorities expect?

What does Zero Trust mean?

Zero Trust is a security concept whose basic principle is that every network user, whether inside or outside the corporate network, is considered untrustworthy by default. Unlike traditional, perimeter-based approaches, which implicitly trust whatever is already inside the network and treat threats as something coming from outside, Zero Trust assumes that the network may already be compromised.

Zero Trust imposes strict identity and access management on any user, device, or network resource. Extensive authentication, authorization, and encryption mechanisms are used to ensure that only authorized users gain access to specific resources based on factors such as identity, device health, location, and other contextual information.

Zero Trust takes a risk-based approach based on continuous monitoring, verification, and dynamic adaptation. This increases the level of security by dividing the network into smaller, segmented areas and carefully monitoring the traffic between them. By implementing Zero Trust, organizations can better protect their networks against threats and minimize the impact of security breaches.

Zero Trust in the USA

As with many topics, the US is one step ahead of us when it comes to Zero Trust: in August 2020, the US National Institute of Standards and Technology (NIST) published its "Zero Trust Architecture" document, providing a first basis for defining and implementing Zero Trust. NIST's proposed ZT architecture rests on seven pillars:

  1. All data sources and computing services are treated as resources, including IoT devices, SaaS applications, printers and other connected devices and services.
  2. The security of all communication is ensured regardless of network location. Both internal transaction requests within the network and external requests must meet the same security requirements.
  3. Access to company resources is only granted for one session at a time and only if it is required to perform the task.
  4. Access to resources is based on dynamic policies that can take into account behavioral and environmental factors.
  5. The company continuously monitors and assesses the integrity and security of all assets.
  6. All resource authentications and authorizations are dynamic and strictly enforced, with ongoing reassessment of trust.
  7. The company gathers extensive information on the current state of assets, network infrastructure, and communications to improve its security posture.
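As an added illustration of pillars 3, 4 and 6 above (per-session access, dynamic policy, continuous reassessment of trust), and not code from the original post, NIST or NCP: a toy policy engine in Python that decides every request from scratch using identity, device health and location, then re-checks a granted session as the context changes. All users, groups, locations and thresholds are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Context:               # signals seen for one request (all constructed)
    user: str
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool   # patched, disk encrypted, EDR agent healthy, ...
    location: str            # coarse label from the network or identity provider
    at: datetime

@dataclass
class Policy:                # per-resource policy; being "inside" earns no trust
    allowed_groups: set
    allowed_locations: set
    max_session: timedelta = timedelta(minutes=30)

GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}   # stand-in for an IdP lookup

def decide(policy: Policy, ctx: Context) -> tuple:
    """Evaluate one request from scratch: identity, device health, then context."""
    if not GROUPS.get(ctx.user, set()) & policy.allowed_groups:
        return False, "identity: not authorized for this resource"
    if not ctx.mfa_verified:
        return False, "identity: MFA not verified"
    if not (ctx.device_managed and ctx.device_compliant):
        return False, "device: unmanaged or failed health check"
    if ctx.location not in policy.allowed_locations:
        return False, "context: location not allowed"
    return True, "allow"

class Session:               # per-session grant (pillar 3), re-assessed on every use (pillar 6)
    def __init__(self, policy: Policy, ctx: Context):
        self.policy, self.granted_at = policy, ctx.at
    def reassess(self, ctx: Context) -> tuple:
        if ctx.at - self.granted_at > self.policy.max_session:
            return False, "session: lifetime exceeded, re-authenticate"
        return decide(self.policy, ctx)      # earlier approval carries no weight

def demo() -> dict:          # walk one session through changing context
    pay = Policy({"finance"}, {"office", "vpn"})
    t0 = datetime(2024, 1, 1, 9, 0)
    ok = Context("alice", True, True, True, "office", t0)
    session = Session(pay, ok)
    later = lambda m, **kw: replace(ok, at=t0 + timedelta(minutes=m), **kw)
    return {"grant": decide(pay, ok),
            "device_drift": session.reassess(later(5, device_compliant=False)),
            "location": session.reassess(later(10, location="cafe-wifi")),
            "expired": session.reassess(later(45))}
```

The point of the walk-through is that the same user on the same session is denied the moment the device drops out of compliance, the request arrives from an unexpected location, or the session outlives its maximum lifetime; nothing is inherited from the initial grant.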

And the US is also serious about regulation: federal authorities must develop and implement Zero Trust architectures for their IT systems by the end of 2024. The US Cybersecurity and Infrastructure Security Agency (CISA) released an update to its Zero Trust Maturity Model (ZTMM) in April this year, replacing the original version published in September 2021. The ZTMM gives authorities a roadmap for the transition to a Zero Trust architecture: it describes a step-by-step implementation across five pillars (identity, devices, networks, applications and workloads, and data), each of which federal agencies can optimize gradually over time, and for each pillar it covers the three overarching functions of visibility and analytics, automation and orchestration, and governance. The White House had already issued a memorandum in January 2022 that turned the ZTMM guidelines into specific calls to action for US federal authorities:

“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”

Authorities must comply with the requirements of the memorandum by the end of 2024. However, just as in Germany, the federal authorities in the USA make up only a small part of the public sector: while around 2.85 million people worked for federal agencies under the White House in 2021, the 18.83 million employees of the states and municipalities make up the lion's share. Nevertheless, this implementation obligation is an important step that could be emulated by other public bodies and by the private sector.

Zero Trust in the European Union

The European Union also deals with the topic of Zero Trust and incorporates it into important strategy papers for cyber and digital strategy. The new Directive on measures for a high common level of cybersecurity in the Union (NIS2 Directive) stresses the importance of Zero Trust for the security of critical infrastructure assets:

“The essential and important facilities should apply a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness, organize training for their employees, and raise awareness of cyber threats, phishing, or social engineering techniques” (p. 89).

In its digital strategy “Next Generation Digital Commission”, the EU Commission also sets itself the goal of introducing Zero Trust. In view of the increasing number of complex cyber attacks and the transition to flexible working models, the Commission plans to adopt a Zero Trust architecture, implement built-in security, conduct stricter cybersecurity audits and provide enhanced security services, especially for its sensitive and classified activities. In contrast to the already very concrete plans in the USA, however, this does not go beyond vague announcements: neither a deadline nor concrete implementation plans exist yet.

Zero Trust in Germany

According to the head of the Cyber and IT Security Department at the Federal Ministry of the Interior, Andreas Könen, a gradual switch to Zero Trust architectures is planned for the federal administration: In particular, the state must manage the federal networks in such a way that "we are gradually moving towards a zero-trust architecture," Könen explained at a conference of the TeleTrust Association in June 2022.

The Federal Office for Information Security (BSI) is also looking at the advantages and possible implementation of Zero Trust architectures, both at the federal level and in the recommendations and standards it issues. The BSI's IT-Grundschutz (basic protection) catalogue, for example, already contains measures that are or can be components of a ZTA, such as the DER modules (detection and response). The BSI is currently working on a rough concept and a position paper on implementing Zero Trust in the federal government. This work is loosely based on the existing concept of the US authority NIST (National Institute of Standards and Technology), adapted to the special requirements of the German federal authorities. It is not a comprehensive plan, but rather a description and discussion of the challenges arising from the IT infrastructure of the German federal government. A particular focus is on the implications of ZTA for VSA-relevant systems (systems subject to the Verschlusssachenanweisung, the General Administrative Instruction on the Material Protection of Classified Information). However, it is not the BSI that is responsible for adopting applicable and binding standards, but the Federal Government Commissioner for Information Technology (CIO-Bund, Dr. Markus Richter).

Overall, however, the BSI views a (full) implementation of ZTA at the federal level critically, mainly because the effort is considered potentially too high compared to the benefit. One reason for this is the heterogeneity of the IT systems across the different federal authorities: for ZTA components such as dynamic policies to work, cross-governmental standards would have to apply so that the information each authority needs to authorize access can be retrieved from the others. The Federal Ministry of Defense (BMVg) is also working on a directive for the Bundeswehr that announces or plans the introduction of a Zero Trust architecture.

Beyond Könen’s statement, the statements of the BSI and the plans of the BMVg, there are still no specific plans or roadmaps from which a realistic implementation of ZTA in the federal administration could be derived.

At the level of the federal states, no major leaps have yet been made towards Zero Trust; the only pioneer here is Bavaria. Since 2017, Bavaria has been the first federal state with its own IT security authority, the LSI, as a counterpart to the BSI. Reiner Schmidt, Head of Security Consulting for Municipalities at the LSI, spoke at a Digital State event in 2021 on the topic of "Rethinking IT Security – Paradigm Shifting Based on Zero Trust".

What's next?

Zero Trust is more than just a buzzword and is becoming increasingly important, both at the regulatory level and in corporate practice. The security concept enables better protection of networks against threats and minimizes the impact of security breaches. In the USA, Zero Trust is already at an advanced stage, and federal authorities must implement Zero Trust architectures by the end of 2024. Zero Trust is also recognized as an important approach in the European Union: the new NIS2 Directive stresses the importance of Zero Trust for the security of critical infrastructures, while the EU Commission is planning measures to introduce a Zero Trust architecture. In Germany, Zero Trust is discussed at both the federal and state level, but there are no concrete implementation plans or roadmaps yet. Overall, it is clear that Zero Trust is becoming increasingly important for meeting the changing threat landscape of cyber attacks and the requirements of flexible working models. Governments and companies worldwide recognize the importance of this security concept and are working to implement appropriate measures. For us at NCP, however, Zero Trust is nothing new: we have been working with solutions based on this concept for years and can implement Zero Trust with and for our customers through a combination of IT security measures. Even if the regulatory mills grind slowly: in the long term, the perimeter-based approach will no longer remain the ultimate way.
