2024 Jul
This standard defines a framework and requirements addressing Identity and Authentication of the different Actors plus Policy-Based Access Control providing enforcement at Policy End Points.
The increased usage of cloud services, mobile devices, work-from-home employees, shadow IT, and the Internet of Things (IoT) has dissolved traditional network perimeters. Services must evolve to provide secure User, Device and Application access to the Subscriber’s networked resources (referred to as Target Actors in this document) from any location including interactions with third-party organizations, e.g., business partners and contractors.
A Zero Trust cybersecurity approach removes the assumption of trust from these Users, Applications, and Devices (referred to as Actors in this document). It focuses on accessing Target Actors in a secure and authorized manner, enforcing rigorous access controls and continually inspecting, monitoring, and logging network activity from the different Actors. This requires data-level protections, a robust identity architecture, and strategic micro-segmentation to create granular trust zones around a Subscriber’s digital resources.
Zero Trust evaluates access requests and network traffic behaviors in real time over the length of active Sessions while continually and consistently recalibrating Subject Actor access to Target Actors and associated Policy Actions.
In summary, this document defines a Zero Trust Framework and associated requirements addressing Identity and Authentication of the different Actors plus Policy-Based Access Control providing enforcement at Policy End Points. The goal of this Zero Trust Framework is for associated Identity, Authentication, Policy Management and Access Control processes to be continuously and properly constituted, protected, and free from vulnerabilities when implemented and deployed. This Zero Trust Framework also defines Service Attributes, which are agreed between Subscriber and Service Provider to enable Service Providers to implement and deliver a broad range of services that comply with Zero Trust principles. This Zero Trust Framework is not intended as a stand-alone, implementable entity, a Zero Trust service, or Zero Trust product.
This document supersedes and replaces MEF 118 [15].
Standards published by MEF are intended for general distribution to the public and may be downloaded from this site and reproduced without charge. Any reproduction of MEF documents shall contain the following statement: “Reproduced with permission of MEF Forum.” All rights granted to MEF under applicable copyright laws are expressly reserved. No permission is granted to any recipient or user of MEF publications to modify any of the information contained therein and MEF disclaims all responsibility and liability for such modifications.