Having a “Zero Trust Strategy” is a lot like having a “Cloud Strategy”; it’s pretty meaningless without the context of what you’re trying to achieve and where you are today. Even the name can be misleading since you have to trust something. A basic definition of Zero Trust would be “don’t trust a user or device based on network location,” but if it were that simple, we would all be done implementing it already. As a global solution architect at F5, I have the opportunity to look at a lot of access architectures and while many are aspiring, few have achieved their Zero Trust goals.
A better definition would seem to be found in rescoping the trust boundary to include identity, device, and the application, instead of a network perimeter. This certainly isn’t a new idea and I’ve seen many customers make strides in this direction, but it’s gaining more traction now as vendors address the core challenges in making it really work for environments without their own developer army to build a custom solution. Adding to the confusion is that there are a variety of models to choose from like proxies, micro-tunnels, micro-segmentation, proxyless, as well competing terms and related concepts like micro-segmentation and Software Defined Perimeter (SDP). How do you define success on something so vague with so many options, and where do you begin evaluating solutions? You need to know what your goals and requirements are first. So, I’d start with some questions like these...
Proxies tend to be good at handling web applications, providing SSO capabilities, good user experience, and relatively easy deployment and management. Are you looking to provide zero trust for server access as well? Some solutions offer SSH and RDP proxies. For all three of these protocols, there are also proxyless solutions that integrate directly into the application code or server authentication modules available but be mindful that this means you can’t stop the traffic before it reaches the server/application so you’re assuming more risk.
If your application targets include more than these, it’s likely you’ll need to extend into a tunnel-based solution. Not all tunnel solutions are created equal. Some leverage traditional VPNs, which limit your connectivity to a single gateway. Micro-tunnels tend to be a better approach, allowing you to establish many tunnels to different endpoints to help you address access requirements wherever your apps may live.
This is a great opportunity to make sure you’ve got multifactor in front of every application, some form of credential stuffing and brute force protection, bot protection, traffic visibility with integration of security services like Data Loss Prevention and Intrusion Prevention Systems, and a Web App Firewall for your web apps. By implementing a consistent model of access, you’re also creating a consistent place to insert all of these services. Watch out for the end-to-end confidentiality solutions. It sounds attractive until you realize it means you have to bypass all of your security services. Zero Trust should never reduce your security posture. Terminating tunnels at a gateway, then routing traffic through visibility and security appliances is a good strategy.
Tunnel solutions aren’t typically able to deliver the identity to the application and sometimes rely on the environment having other seamless authentication in place. You may need proxies or direct code integration to provide the SSO you’re looking for. Delivering on this is likely a key to success with many of your stakeholders. The right solution deployed well can enhance user experience at the same time as security.
You should have high expectations here. When deploying a consistent policy framework for access across the organization, a key benefit should be understanding who accesses what resource from what device, from where, and when. This data collection should be put to use and analyzed along with data from your other security tools to identify and mitigate threats. This is an opportunity to address risk within the organization by enhancing your killchain at every step including visibility, threat identification, and mitigation. Vendors in this space aren’t yet delivering the complete package, so be sure to look for ways you can integrate analytics from third parties into the solution to enhance it. Looking for vendors who focus on partner integrations in addition to their own solution (rather than trying to deliver everything in a single platform) is a good tactic here.
Proxies tend to provide a superior user experience for web applications because they don’t require any changes to the user’s behavior in their browser and less components are needed on the client side as well. However, other solutions may require tunnel clients. It’s reasonable to expect that an end-user is entirely or almost entirely unaware of the tunnels. Traditional VPNs tend to have a negative user experience compared with micro-tunnels and have other limitations as discussed above.
Some solutions offer an excellent platform for desktops, but not mobile devices. Be sure to evaluate the solution and determine whether it can meet the needs of users on major desktop OSes, mobile devices, and native mobile apps as needed and that there is a consistent user experience and capability set.
Define your goals, which should probably include improved user experience, improved integration of security services, multifactor in front of everything, and an analytics integration strategy for a start. This will help to determine which vendors and architectures are worth spending your time with for deeper evaluation. Next, focus on the vendors with good partnership strategies. No single vendor is going to offer everything you should expect from this architecture and you want a platform you can build on. You’ll be happier in the long run, trust me!