Copyright © All Rights Reserved. World of Software.

NSA urges continuous checks to achieve zero trust | Computer Weekly

News Room
Last updated: 2026/01/16 at 9:28 AM
News Room Published 16 January 2026

The US National Security Agency (NSA) has published its latest guidance on zero trust to secure US federal government IT networks and systems. This is the first of two guidance documents coming out of the NSA, providing “practical and actionable” recommendations that can be applied as best practice to secure corporate IT environments both in the public and private sectors.

In the Zero trust primer document, the NSA defines a “zero-trust mindset”, which means assuming IT environment traffic, users, devices and infrastructure may be compromised. To achieve this, the guidance urges IT security teams to establish a rigorous authentication and authorisation process for all access requests.

In the context of securing the integrity of government IT systems, it said that such a strategy enhances the security posture of networks by rigorously validating every access request, which prevents unauthorised changes, reduces the risk of malicious code insertion, and ensures the integrity of software and supply chains.

The main takeaway from the NSA regarding zero trust is to never trust users or devices that request network connectivity or access to internal resources. The NSA guidance calls for verification without exception, where dynamic authentication and explicit approval are used across all activities on the network, adhering to the principle of least privilege.

Specifically, the NSA’s latest guidance suggests that IT security teams should assume they are working in an IT environment where there is a breach, which means operating and defending resources under the assumption that an adversary already has a presence in the environment.

The NSA said IT security teams should plan for deny-by-default and heavily scrutinise all users, devices, data flows and requests. This means that IT security teams need to log, inspect and monitor all configuration changes, resource accesses and environment traffic for suspicious activity continuously.

The guidance also recommends explicit verification. This implies that access to all resources is consistently verified, using both dynamic and static mechanisms, which are used to derive what the NSA calls “confidence levels for contextual access decisions”.

Commenting on the guidelines, zero-trust expert Brian Soby, CTO and co-founder of AppOmni, said: “Across the guidance, the emphasis is on continuous logging, inspection and monitoring of resource access and configuration change, plus comprehensive visibility across layers.

“Read plainly, the NSA is suggesting that many programs are built around coarse checkpoints and limited signals, while the real risk lives inside enterprise applications, especially SaaS, where sensitive data and business workflows reside.”

Soby’s understanding of the new guidelines is that effective zero trust requires a thorough understanding of what users can and cannot do, instead of simply relying on their ability to authenticate through network directory services and the authorisation that successful authentication gives them.

“Many security programs still substitute directory groups and simplistic roles for true entitlement materiality, even though effective access in modern SaaS is shaped by application-native permissions, sharing rules, delegated administration, conditional controls and third-party OAuth grants.”

He noted that the NSA’s emphasis on monitoring resource access and configuration change implies that relying on coarse identity abstractions leaves IT security teams blind to the actions and permission shifts that create exposure and enable misuse.

“This gap also lines up uncomfortably well with the breaches and campaigns we are seeing now,” he added.

As an example, Soby said that recent intrusions tied to groups tracked as UNC6040 and UNC6395 have highlighted how attackers can bypass traditional, frontdoor-centred controls by abusing SaaS identities and integrations, including compromised OAuth tokens and third-party application access, to reach and extract data from SaaS environments.

“In that light, the NSA’s guidance supports a sharper conclusion: identity security programs that cannot truly understand user activities, behaviours and the materiality of entitlements inside applications do not match the principles of zero trust,” said Soby. “These often become more performative than effective, leaving security operations centre teams stuck with generic signals like logins when the meaningful attacker activity is happening inside the app.”
