Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

NSA’s Zero Trust Guidance for Securing Networks

Executive Summary

The National Security Agency (NSA) keeps supporting the Zero Trust security model, publishing clear instructions to improve defenses against advanced threats.

The recent Cybersecurity Information Sheet (CSI), NSA published early March, stresses the importance of network and environmental controls. These are crucial in preventing unauthorized data access and transfer within networks. This guide further develops the NSA’s previously released CSIs, as listed below:

This effort is a key part of the agency’s overall plan to safeguard national security systems from growing cyber-attacks.

What Is Zero Trust?

Zero Trust is a comprehensive cybersecurity framework that redefines the concept of network security in the modern digital landscape. Traditional security models operate on the principle of a trusted internal network perimeter. On the other hand, Zero Trust assumes that threats can exist both inside and outside the network. This model encapsulates a shift from the conventional “trust but verify” approach to “never trust, always verify,” approach. As a result, it requires continuous verification of every entity attempting to access any network resource.

This model is built around seven key pillars:

  • User,
  • Device,
  • Network & Environment,
  • Data,
  • Application & Workload,
  • Automation & Orchestration,
  • Visibility & Analytics.

These pillars work in tandem to create a holistic approach to securing an organization’s assets by continually adapting to the threat landscape based on real-time risk assessments.

Zero Trust Pillars in NSA’s CSI

The Zero Trust model is built upon several core principles that guide its implementation and operational strategies:

  • Eliminate Implicit Trust: Assume no entity can be trusted, whether inside or outside the network boundary. All access attempts are verified rigorously.
  • Enforce Least Privilege: Grant minimal access necessary for users and systems, minimizing breach impact and unauthorized movement within the network.
  • Implement Segmentation: Use network segmentation to enforce strict access controls and reduce attack surfaces, protecting sensitive data more effectively.
  • Continuous Monitoring: Maintain ongoing vigilance over network activities to detect and respond to threats promptly.
  • Use Multi-factor Authentication (MFA): Enhance identity verification through MFA, significantly decreasing unauthorized access risks.
Implementation Guidance for Network Security

To effectively implement the Zero Trust model, particularly focusing on network security, organizations are advised to concentrate on the following key areas:

  • Data Flow Mapping: This is about finding out how data moves in an organization. Data flow mapping allows us to track where data is stored or processed, and how it evolves as it transitions from one location to another. This map is crucial for identifying potential data misuse and helps establish effective methods for data segmentation and anomaly detection.
  • Macro Segmentation: This refers to dividing the network into large segments or zones, each with distinct security controls. Macro segmentation helps manage large-scale network traffic. It creates barriers to separate different parts of the organization. Accordingly, it reduces the overall risk of attacks and stops unauthorized access to sensitive areas.
  • Micro Segmentation: Micro segmentation further divides the network into smaller segments at a granular level. It focuses on protecting important systems and data, making it harder for an attacker to move around inside the network. This method is crucial for keeping safe areas of the network, even if breaches happen in other places.
  • Software Defined Networking (SDN): SDN offers a way to dynamically apply security policies across the network, centralizing its control. This approach facilitates quick deployment of network changes, improved visibility into network traffic, and more flexible application of segmentation rules. Such adaptability is essential for addressing emerging threats and managing complex network environments.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.