19 ways to build zero trust: NIST offers practical implementation guide

The National Institute of Standards and Technology (NIST) has released a new guide that offers practical help for building zero trust architectures (ZTA). The guidance, titled Implementing a Zero Trust Architecture (SP 1800‑35), includes 19 example setups using off‑the‑shelf commercial tools.


The new guidance is the result of work by NIST’s National Cybersecurity Center of Excellence (NCCoE). Over four years, 24 industry partners including major tech companies helped build, install, test, and document 19 ZTA models. These illustrate a range of scenarios: hybrid cloud setups, branch offices, and even public Wi‑Fi use at coffee shops.

Each model comes with:

  • Technical details on deployment
  • Sample configurations and integration steps
  • Test results
  • Best practices, drawn from real-world experience

It also maps these setups onto NIST’s broader cybersecurity framework (CSF), SP 800‑53 controls, and critical software measures.

This guidance builds on NIST’s earlier zero trust framework, SP 800‑207, with more hands‑on implementation advice.

“One of the challenges with real world zero trust implementations has always been the existence of multiple policy decision and policy enforcement points,” Brian Soby, CTO at AppOmni, told Help Net Security. “For example, the SaaS applications used by an organization are configured with their own logic about who may access which resources and enforce that configuration natively in the applications.”

These separate control points, often left out of many zero trust plans, can leave doors open for attackers. “The omission of these independent PDP/PEPs from the zero trust architecture has led to numerous real world data breaches where attackers simply bypass incomplete zero trust implementations and go directly to applications to exploit insecure configuration or identities,” he said.

“This new guidance goes further to recognize the reality of multiple PDP/PEPs existing inside of the architecture,” he said. “It also goes further to operationalize the concept of Policy Information Points, providing additional context to decision making engines within the architecture.”

He added that making good security decisions means understanding what’s happening in and around the system, not just applying fixed rules. “Security decisions can’t be made in a bubble and the essence of zero trust has always been an architecture that can adapt to changing context and user behaviors.”
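The PDP/PEP/PIP interplay Soby describes can be made concrete with a small model. The following is an added example, not code from NIST SP 1800-35 or from any of the NCCoE build partners: a central policy decision point (PDP) that consumes context from policy information points (PIPs), contrasted with a SaaS application that enforces only its own native allowlist and therefore never sees that context. All class names, rules, thresholds and sample data are constructed for illustration.

```python
"""Added example: central PDP fed by PIPs, versus a SaaS app enforcing only
its own static allowlist. Names, rules and sample data are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    action: str


@dataclass(frozen=True)
class Context:
    """Signals a PDP should see; each field stands in for a hypothetical PIP."""
    device_compliant: bool   # e.g. from a device-posture (MDM) feed
    mfa_age_minutes: int     # e.g. from the identity provider's session data
    network: str             # "corp", "branch" or "public" (constructed labels)
    risk_score: int          # 0..100 from a behaviour-analytics feed


class PolicyInformationPoints:
    """Stand-in PIPs backed by constructed lookup tables."""

    def __init__(self, device_posture, sessions, risk_scores):
        self.device_posture = device_posture  # device id -> compliant?
        self.sessions = sessions              # subject -> (device, mfa_age, network)
        self.risk_scores = risk_scores        # subject -> 0..100

    def gather(self, req: AccessRequest) -> Context:
        device, mfa_age, network = self.sessions[req.subject]
        return Context(
            device_compliant=self.device_posture.get(device, False),
            mfa_age_minutes=mfa_age,
            network=network,
            risk_score=self.risk_scores.get(req.subject, 100),  # unknown = max risk
        )


class PolicyDecisionPoint:
    """Central PDP: identity is necessary but never sufficient."""

    def __init__(self, entitlements):
        self.entitlements = entitlements  # (subject, resource) -> set of actions

    def decide(self, req: AccessRequest, ctx: Context) -> tuple:
        if req.action not in self.entitlements.get((req.subject, req.resource), set()):
            return False, "no entitlement"
        if not ctx.device_compliant:
            return False, "device not compliant"
        if ctx.risk_score >= 70:
            return False, "risk score %d too high" % ctx.risk_score
        # Sensitive actions from untrusted networks require recent MFA.
        if req.action == "export" and ctx.network == "public" and ctx.mfa_age_minutes > 15:
            return False, "stale MFA on public network"
        return True, "allowed"


class NativeSaasPep:
    """A SaaS app enforcing only its own allowlist: an independent PDP/PEP
    outside the architecture. Context from the PIPs never reaches it."""

    def __init__(self, allowlist):
        self.allowlist = allowlist  # subject -> set of resources

    def handle(self, req: AccessRequest, ctx: Context) -> tuple:
        ok = req.resource in self.allowlist.get(req.subject, set())
        return ok, "on allowlist" if ok else "not on allowlist"


class IntegratedPep:
    """A PEP that delegates every decision to the central PDP."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def handle(self, req: AccessRequest, ctx: Context) -> tuple:
        return self.pdp.decide(req, ctx)


# Constructed sample environment: one managed laptop on the corporate network,
# one unmanaged tablet on coffee-shop Wi-Fi with a four-hour-old MFA.
PIPS = PolicyInformationPoints(
    device_posture={"laptop-01": True, "byod-tablet": False},
    sessions={"alice": ("laptop-01", 5, "corp"), "bob": ("byod-tablet", 240, "public")},
    risk_scores={"alice": 10, "bob": 35},
)
PDP = PolicyDecisionPoint(
    entitlements={("alice", "crm"): {"read", "export"}, ("bob", "crm"): {"read", "export"}}
)
NATIVE = NativeSaasPep(allowlist={"alice": {"crm"}, "bob": {"crm"}})
INTEGRATED = IntegratedPep(PDP)


def evaluate(subject: str, resource: str, action: str) -> dict:
    """Run one request through both PEPs and flag where the native app
    would grant access that the context-aware PDP denies."""
    req = AccessRequest(subject, resource, action)
    ctx = PIPS.gather(req)
    native_ok, _ = NATIVE.handle(req, ctx)
    central_ok, reason = INTEGRATED.handle(req, ctx)
    return {"native": native_ok, "integrated": central_ok, "reason": reason,
            "bypass_gap": native_ok and not central_ok}


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, evaluate(who, "crm", "export"))
```

Run as-is, the script shows the gap the article describes: both users are legitimately entitled to the CRM resource, so the native allowlist grants both exports, while the integrated PEP denies Bob's because the device-posture PIP reports his tablet as non-compliant. Wiring the SaaS application's own enforcement into the central PDP (or feeding it the same PIP context) is what closes that gap.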
