George Wilkes, February 18, 2021
Control Access with Identity-Centric Micro-Perimeters
Just One Reason to Deploy Appgate SDP
Physical and static perimeter defenses are outdated, but I’m not going to get into why that is the case as part of this blog. Instead, we’re going to look at the future state of network security led by the Software-Defined Perimeter, also known as Zero Trust Network Access or ZTNA.
Today, your perimeter is anywhere your workloads reside—multi-cloud or on-prem, micro-services or legacy apps—and everywhere people and devices are connecting to your network—remote or in-office, full-time or 3rd party.
Appgate SDP is architected to enforce the principles of Zero Trust and aligns with the NIST Zero Trust Architecture special publication 800-207. It is designed to help security professionals control access by delivering identity-centric micro-perimeters. Well...what does that mean?
A critical aspect of Zero Trust security is abolishing the old rule of “trust, then verify” and replacing it with “verify, then trust.” True Zero Trust Network Access solutions take this one step further and require extensive verification of identity rather than relying on a network-centric IP address. Legacy network-centric security tools like VPN, Firewall and NAC are not architected to “verify, then trust” and do not take identity into account as a central criterion for granting access permissions.
Appgate SDP provisions conditional trusted access by verifying identity using three key evaluation criteria:
- Role Variables: By integrating with all Identity Management Systems (IdP, IAM, IGA) and/or Directory Services (LDAP), Appgate SDP seamlessly aligns with your corporate identity management strategy.
- Environmental Variables: Things like date, time and geo-location are used as additional attributes and real-time contextual data in the evaluation to grant access entitlements. These additional attributes can be used to prompt for additional authentication such as MFA and/or restrict access based on contextual risk.
- Device Variables: Appgate SDP evaluates the risk of the device by conducting an extensive out-of-the-box posture check of 25+ variables. It is even stronger when integrated with enterprise endpoint protection tools. Access is then conditional on whether the device is deemed trusted or not.
All of these attributes are compiled into a multi-dimensional identity profile. This 360-degree identity profile is used to evaluate and grant conditional entitlements not just at the time of initial access request but is continuously re-evaluated for attribute changes.
Micro-Perimeters for Segmented Access
Another critical aspect of Zero Trust Network Access is the ability to limit what trusted users are authorized to access. This is similar to what NACs have been able to do for us, but only on-premises and without identity as a criterion for access. For true ZTNA, access controls must extend beyond on-premises to include all locations in complex hybrid environments. Access must be identity-centric, continuously evaluated and dynamically adjusted based on conditions and risk.
Appgate SDP delivers a “Segment of One” between the user and their assigned resources. This “Segment of One” is a micro-perimeter—specific to each user, their identity and the aforementioned conditional entitlements assigned to them. A trusted user, whose identity is continuously evaluated, is provisioned access only to the resources they require to fulfill their job. These micro-perimeters are established using per-user, session-based micro-firewalls. These are created (modified, or removed) just-in-time and only allow access to specifically granted resources, meaning no unsanctioned lateral movement.
User A was granted access to HTTPS on Server A and B, but not access to HTTP or SSH on Server A or RDP on Server B. The “Segment of One” is built for each specific access granted. User A cannot access the other resources on Server A and cannot even see them. Not only can this reduce the risk of insider threats, but also thwarts the spread of malware across your network and even stops an adversary from reaching critical applications if they’ve been able to breach a point-of-entry.
At the onset of a new session, and most importantly during an established session, the identity criteria outlined above are continuously monitored. The result is a dynamic access policy, or a refreshed “Segment of One,” that automatically adapts entitlements based on contextual risk. This means that as contextual risk or conditions for the user change, such as location, device posture or employment status, the policies dynamically update, which could further limit access permissions or revoke network access entirely.
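As an added illustration (not Appgate's code or its policy format), the following Python models the User A scenario and the continuous re-evaluation described above: entitlements conditioned on role, location and device posture are compiled into a per-session allow set, and any context change recomputes that set and reports what was revoked. All names, thresholds and the 0-100 posture scale are assumptions.

```python
from dataclasses import dataclass, replace

# Constructed entitlement table for the page's "User A" scenario (hypothetical format).
# Each entry: required role, target host and service, minimum device posture score,
# and the countries from which the entitlement may be exercised.
ENTITLEMENTS = [
    {"role": "analyst", "host": "server-a", "service": "https", "min_posture": 70, "countries": {"US", "CA"}},
    {"role": "analyst", "host": "server-b", "service": "https", "min_posture": 70, "countries": {"US", "CA"}},
    {"role": "admin",   "host": "server-a", "service": "ssh",   "min_posture": 90, "countries": {"US"}},
    {"role": "admin",   "host": "server-b", "service": "rdp",   "min_posture": 90, "countries": {"US"}},
]

@dataclass(frozen=True)
class Context:
    """The multi-dimensional identity profile evaluated for every decision."""
    user: str
    roles: frozenset      # role variables (from the IdP / directory)
    country: str          # environmental variable (geo-location)
    posture_score: int    # device variable (assumed 0-100 posture check result)
    employed: bool = True # role/HR attribute; False revokes everything

def evaluate(ctx: Context) -> frozenset:
    """Return the 'Segment of One': the set of (host, service) allowed right now."""
    if not ctx.employed:
        return frozenset()
    return frozenset(
        (e["host"], e["service"]) for e in ENTITLEMENTS
        if e["role"] in ctx.roles
        and ctx.country in e["countries"]
        and ctx.posture_score >= e["min_posture"]
    )

class Session:
    """Holds the live per-user micro-firewall rule set and re-evaluates on context change."""
    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.allowed = evaluate(ctx)

    def update(self, **changes) -> frozenset:
        """Apply a context change (posture drop, new location, termination); return revoked rules."""
        self.ctx = replace(self.ctx, **changes)
        new_allowed = evaluate(self.ctx)
        revoked = self.allowed - new_allowed
        self.allowed = new_allowed
        return revoked

    def permits(self, host: str, service: str) -> bool:
        """Data-plane check: is this flow inside the current Segment of One?"""
        return (host, service) in self.allowed
```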
Controlling access with identity-centric micro-perimeters is just one reason our customers decide to deploy Appgate SDP. If you’d like to learn more, feel free to explore the following: