Skip to the content

Follow us @UKAuthority

NCSC publishes zero trust architecture principles

21/11/19

Mark Say Managing Editor

The National Cyber Security Centre (NCSC) has published its new zero trust architecture (ZTA) design principles.

Locak and chain over screen

They are based on the idea of removing inherent trust in users of a network, meaning that anyone connected to it should not be able to access everything that sits on it.

This reflects the fact that cyber attackers are often able to move around a network once they have access to one element of it.

NCSC has placed the 10 principles on GitHub as an alpha release and called for feedback on their further development, with a deadline of 31 January 2020.

Stuart H, senior security architect for the project, said they should benefit from being developed in the open with input from developers and cyber security professionals.

The principles are as follows:

Know your architecture including users, devices and services.

  1. Create a single strong user identity.

  2. Create a strong device identity.

  3. Authenticate everywhere.

  4. Know the health of your devices and services.

  5. Focus your monitoring on devices and services.

  6. Set policies according to value of the service or data.

  7. Control access to your services and data.

  8. Don’t trust the network, including the local network.

  9. Choose the services designed for zero trust.

Stuart H commented: “The journey to a zero trust architecture can seem like climbing a mountain at times. Determining which approach you should take, looking for a solution which is safe and efficient.

“When you set off it can be tough going. I'm hoping these principles will make it easier to understand what is needed when planning your transition to a zero trust architecture.”

Image by Blue Coat Photos, CC BY 2.0 through flickr

Register: Library & Alerts

Keep informed - Get the latest news about the use of technology, digital & data for the public good in your inbox from UKAuthority.