By Faraz Siddiqui and Andrew Terranova
This is Part 4 of a 5-part blog series.
In the first part of this blog series, we covered an overview of zero trust security architecture concepts. The main concept is that trust should never be assumed based on where a user is in a network. The idea of a user or device being trusted simply because it is inside the network goes away. Instead, every request to access a network resource must be authenticated and authorized. For more information, please read the Part 1 Introduction post.
This post will focus on an approach to zero trust known as Identity Aware Proxy (IAP). This model focuses on identity and access at the application layer, rather than at the network layer, and is typically implemented in the cloud.
Identity Aware Proxy
An IAP architecture provides access to applications through a cloud-based proxy. Identity and authorization occur centrally in the cloud and are based on "need to know" least access principles similar to SDP, but applications are then accessed using standard HTTPS protocols at the application layer (Layer 7). Unlike SDP, which uses a direct tunnel, this architecture provides authenticated and authorized secure access to specific applications using a proxy layer. As mentioned previously, Google solved their access challenge using IAP for BeyondCorp and Akamai's zero trust model uses IAP as well.
With the proxy approach, not only are users verified, but the application requests themselves can be terminated, examined, and authorized as well. IAP relies on application-level access controls rather than firewall rules, so the configured policies can reflect user and application intent, not just ports and IPs. Like SDP, the approach can cloak the applications and other assets in the cloud or behind the firewall, and it is completely clientless for web applications.
A key component of an IAP is a trusted identity source that is used to verify who users and devices are (authentication) and what they are allowed to access (authorization). This identity source may be based on corporate directories or cloud-based Identity Providers (IdPs). Even before users are identified, posture checking can be done to ensure the device attempting access meets certain criteria, such as having a certificate, running the latest OS, being password protected, and having proper antivirus installed.
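The proxy flow described in the last three paragraphs (terminate the request, check device posture, authenticate the user against the identity source, authorize against an application-level policy, and only then forward to the application) can be shown end to end in a small Go program. This is an added example written for this post; it is not code from Google's BeyondCorp, Akamai, or any product. The `Identity`, `Posture`, `AppPolicy` and `Decision` types, the `NewProxy` function, the `X-Authenticated-User` header, and the "payroll" application with user "alice" in group "finance" are all constructed for illustration. The `lookup` callback stands in for the proxy's own verified session or token lookup, which is the part a real deployment gets from the IdP.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Identity is what the trusted identity source (the IdP) asserts about the caller.
type Identity struct {
	User   string
	Groups []string
}

// Posture is the device check described above, evaluated before the user is even considered.
type Posture struct {
	HasCert, LatestOS, ScreenLock, Antivirus bool
}

// AppPolicy expresses intent at Layer 7: which groups may reach which application. No ports or IPs.
type AppPolicy struct {
	App           string
	AllowedGroups []string
}

type Decision struct {
	Allow  bool
	Reason string // returned to the caller and logged by the proxy
}

// CheckPosture applies the device criteria from the post (certificate, latest OS,
// password protection, antivirus) and fails closed on the first one that is missing.
func CheckPosture(p Posture) Decision {
	switch {
	case !p.HasCert:
		return Decision{false, "device has no client certificate"}
	case !p.LatestOS:
		return Decision{false, "device is not running the latest OS"}
	case !p.ScreenLock:
		return Decision{false, "device is not password protected"}
	case !p.Antivirus:
		return Decision{false, "device has no antivirus"}
	}
	return Decision{true, "posture ok"}
}

// Authorize is the per-request decision: posture, then authentication,
// then group entitlement for this specific application.
func Authorize(id Identity, p Posture, pol AppPolicy) Decision {
	if d := CheckPosture(p); !d.Allow {
		return d
	}
	if id.User == "" {
		return Decision{false, "unauthenticated"}
	}
	for _, g := range id.Groups {
		for _, a := range pol.AllowedGroups {
			if g == a {
				return Decision{true, id.User + " in group " + g + " may reach " + pol.App}
			}
		}
	}
	return Decision{false, id.User + " is not entitled to " + pol.App}
}

// NewProxy terminates each request, decides, and only then forwards it upstream. lookup must
// return identity and posture the proxy itself has verified (session, token or mTLS certificate).
func NewProxy(upstream *url.URL, pol AppPolicy, lookup func(*http.Request) (Identity, Posture)) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, p := lookup(r)
		if d := Authorize(id, p, pol); !d.Allow {
			http.Error(w, "forbidden: "+d.Reason, http.StatusForbidden)
			return
		}
		// Overwrite, never append: the app must see only the proxy's own assertion.
		r.Header.Set("X-Authenticated-User", id.User)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed "payroll" application standing in for a legacy app behind the proxy.
	app := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "payroll saw user %q", r.Header.Get("X-Authenticated-User"))
	}))
	defer app.Close()
	u, _ := url.Parse(app.URL)
	// Constructed caller; a real IAP derives this from its verified session.
	alice := func(*http.Request) (Identity, Posture) {
		return Identity{"alice", []string{"finance"}}, Posture{true, true, true, true}
	}
	proxy := NewProxy(u, AppPolicy{App: "payroll", AllowedGroups: []string{"finance"}}, alice)
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, httptest.NewRequest("GET", "/reports", nil))
	fmt.Println(rec.Code, rec.Body.String()) // 200 payroll saw user "alice"
}
```

Two design points are worth noting. The order in `Authorize` matters: posture is evaluated first, so an unmanaged device is refused before any identity lookup happens, which mirrors the "even before users are identified" posture check in the post. And the proxy sets, rather than appends, the identity header it passes to the application, so the application only ever sees the proxy's assertion and never a value the client supplied; in a real deployment the application should also accept connections only from the proxy.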
Identity Aware Proxy Architecture
As enterprises embrace more cloud adoption, the challenge of migrating apps to the cloud is now being acknowledged as a non-trivial effort. Many organizations are struggling to leverage the cloud for both cloud-native applications and traditional applications that were never imagined to run in the cloud. Not only can IAP be used to authenticate users for native SaaS applications, but it can also be used to essentially 'SaaSify' legacy applications in the datacenter. Taking the proxy approach facilitates cloud migration and app modernization without needing to resort to a full rip-and-replace strategy. Enterprises can take a more methodical, step-by-step approach toward zero trust and reduce the technical debt associated with legacy perimeter-based controls and VPN.
As with most security architectures, there are plenty of choices and options available when designing a zero trust network; these options do not need to be mutually exclusive. A defense-in-depth strategy combined with a layered security approach is key to architecting scalable and secure networks built around zero trust.
An overview of each of these three architectures will be instructive to any organization working to map out its security roadmap. In this post we described the IAP approach. The following links will take you to the posts explaining the other two architectures.