This article describes different terms associated with Next Generation Access and Network Architecture solutions, referencing the origins of each term and summarizing its approach.
Zero Trust Network
Zero Trust Network concept was pioneered by John Kindervag, during his time as an analyst working for Forrester research.
Unlike traditional enterprise IT networks, where access control is applied at the networking level, resulting in devices located in "trusted" networks being able to access various corporate services, Zero Trust stipulates access control based on a strongly verified identity of the accessing party paired with least privilege principle, providing access only to specific services and capabilities, rather than to networks hosting the services.
Zero Trust approach suggests to treat all network traffic as "untrusted", unless proven otherwise.
Kindervag's approach has developed into a number of applied directions in IT Networks Security, including micro-segmentation, Software-Defined Perimeter, Zero Trust eXtended and more.
While subject to multiple interpretations, generic principles of a high-level Zero Trust Network are:
- All resources are cloaked from unauthorized parties. There is no mechanism that would allow discovering and attempting a connection to a resource prior to authentication and authorization. This assumes no public IP addresses or open ports willing to accept connections.
- All accessing parties must undergo Authentication and Authorization prior to connection. This means that IT resources will not accept network connections (and then try to authenticate the connecting parties) as in a traditional network setup. Instead, an only relevant connections will be able to reach the protected resources.
- Security Posture of the device used by the accessing party should be assessed as a part of a decision making on whether to provide the access or not.
- Network Connectivity should never be provided, instead, accessing parties will only obtain Application-level Connectivity, allowing them to use the required functionality, but not to leverage anything on the network level.
- Even after providing the application-level access to relevant resources for authenticated and authorized parties from devices compliant with the corporate policy, the connections should not be considered as trusted, meaning that every action performed by the accessing party should be analyzed, audited, and, if it is being considered as risky or dangerous, it should be subjected to a granular contextual security policy.
Zero Trust eXtended (ZTX)
Zero Trust eXtended (ZTX) is a framework for Enterprise IT Security, developed and promoted by Dr. Chase Cunningham, analyst at Forrester. ZTX aims at being application of the Zero Trust framework to the enterprise; it is a data-focused version of Zero Trust that more easily enables direct mapping of technology purchases and strategic decisions to the execution of a Zero Trust strategy. The ZTX framework maps technologies and solutions to various framework pillars:
ZTX Framework Diagram; Source: Forrester Blogs
Google BeyondCorp is an internal project initiated and managed by Google IT department aimed at transferring the corporate IT network of Google into a Zero Trust network. The project, being a particular implementation of Zero Trust principles, is widely popularized in series of whitepapers and blogs published by Google.
Google BeyondCorp architecture; Source: Google
Software-Defined Perimeter (SDP)
Software-Defined Perimeter is a term that can have somewhat different meaning, depending on its context. Most prominently, Software-Defined Perimeter may refer to the following:
- Methodology for reducing risks in providing access to corporate applications and services in modern interconnected enterprises, suggested by Gartner analysts Neil MacDonald, Steve Riley and Greg Young in their 2016 research paper titled "It's time to isolate your services from the internet cesspool"
- Particular model of implementation of secure access to corporate resources, as defined by the Software-Defined Perimeter working group at the Cloud Security Alliance
Security principles of Software-Defined Perimeter are:
1) Information Hiding
No DNS information or visible ports of protected application infrastructure. SDP protected assets are considered “dark” as it is impossible to port scan for their presence.
Device identity (of the requesting host) is verified before connectivity is granted. Device identity is determined via a MFA token that is embedded in the TCP or TLS set up.
Users are provisioned access only to application servers that are appropriate for their role. The identity system utilizes a SAML assertion to inform the SDP Controller of the hosts’ privileges.
4) Application Layer Access
Users are only granted access at an application layer (not network). Additionally SDP typically whitelists the applications on the user’s device – thus provisioned connections are app-to-app.
SDP is built on proven, standards-based components such as mutual TLS, SAML and X.509 Certificates. Standards based technology ensures that SDP can be integrated with other security systems such as data encryption or remote attestation systems.
SDP architecture; Source: Cloud Secure Alliance
The draft Software-Defined Perimeter Architecture Guide v2 narrows the terminology down to a set of architectural solutions that use a technique called Single Packet Authorization as compliant with this specification.
Continuous Adaptive Risk and Trust Management (CARTA)
CARTA model is a strategic approach to risk and security management in corporate networks, evangelized and promoted by Gartner research, targeting risks of modern digital businesses and managing advanced threats in digital environments.
CARTA model; Source: Gartner Blogs.