
George Wilkes, January 13, 2021

Enforce Zero Trust Access

Step 3 of 4 in your Fast Track to Superior, Secure Remote Access


Your Zero Trust strategy must start with secure access. Ensuring that only the right people access the right applications at the right time is foundational to Zero Trust. Here’s a straightforward definition of what we mean by Zero Trust access:

“Zero Trust takes a different approach from traditional security — it never grants any type of access, either at a network or application layer — based on assumed trust. It requires that trust be earned through proactive device introspection, identity validation, and contextual analysis that is continuously evaluated using a risk-based approach. Once identity has been verified, conditional and trusted access is limited to only authorized applications and nothing else.” – Jason Garbis, SVP of Product at Appgate and Co-Chair of the Cloud Security Alliance Software-Defined Perimeter working group.

Legacy network access solutions like VPNs and firewalls don’t support the principles of Zero Trust. Zero Trust Network Access (ZTNA) solutions, a category Gartner coined, are increasingly augmenting or replacing these outdated perimeter-based solutions. You can read more about Gartner’s take on this technology in its latest ZTNA Market Guide.

Achieving Zero Trust Access with SDP

The Software-Defined Perimeter, a ZTNA technology, is purpose-built not only for achieving Zero Trust access, but also for protecting distributed, hybrid and agile IT operations. The formal SDP framework was released in 2013 by the Cloud Security Alliance and aligned with standards put forth by the National Institute of Standards and Technology (NIST). NIST has since released its own Special Publication 800-207, Zero Trust Architecture, in 2020, which further reinforces how an SDP architecture provides Zero Trust access.

The way we see it, there are three core Zero Trust features critical to the success of any SDP/ZTNA solution:

  1. Single Packet Authorization (SPA): Before any authentication takes place, SPA renders the infrastructure undetectable to network reconnaissance: the gateway responds only to a meticulously formed, cryptographically hashed packet that contains pre-arranged details, and stays silent to everything else. This supports the premise that you cannot attack what you cannot see. Most organizations have a large attack surface with hundreds or thousands of exposed ports that will respond to inbound connections; this is what adversaries find during their reconnaissance phase and use to define their target. With Single Packet Authorization your attack surface is greatly reduced, because resources remain invisible until authentication and authorization have succeeded.
  2. Identity-Centric Access: Legacy access solutions use IP addresses, passwords and sometimes multi-factor authentication to establish a low degree of trust, all of which can be manipulated, bypassed or intercepted by adversaries. SDP, on the other hand, evaluates a multi-dimensional identity profile to determine who is really behind the access request and what conditions must be met before trusted access is granted. At the user level it goes beyond the IP address and looks at contextual and environmental factors such as the user’s role, time of request and location. It then goes a step deeper and evaluates device risk posture as criteria for access, such as whether malware is detected or whether an endpoint protection tool is installed.
  3. Fine-Grained Micro-Segmentation: The SDP architecture enforces the Principle of Least Privilege, which mandates that users gain access only to the resources they are permitted to use. This prevents lateral movement and the spread of malware or ransomware, and it simplifies compliance auditing. Using the identity profile and contextual variables, SDP lets you grant surgical access to resources dynamically, based on pre-defined conditions.
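To make item 1 concrete, here is an added example (not Appgate’s code or wire format) of the minimal SPA exchange described above: the client sends one authenticated packet and the gateway answers nothing unless the packet verifies. It assumes a pre-shared HMAC-SHA256 key, a constructed packet layout (timestamp, nonce, client ID, tag) and a 30-second freshness window; all three are illustrative choices.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed pre-shared key for the demo; real deployments provision per-client keys.
PSK = b"example-pre-shared-key-not-for-production"
MAX_SKEW = 30            # seconds of clock drift tolerated (assumed window)
TAG_LEN = 32             # HMAC-SHA256 output size
seen_nonces = {}         # nonce -> expiry time, so a captured packet cannot be replayed


def build_spa(client_id: bytes, psk: bytes = PSK, now: Optional[float] = None) -> bytes:
    """Client side: timestamp || nonce || client_id, authenticated with HMAC-SHA256."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(16)
    body = struct.pack("!Q", ts) + nonce + client_id
    return body + hmac.new(psk, body, hashlib.sha256).digest()


def verify_spa(packet: bytes, psk: bytes = PSK, now: Optional[float] = None) -> bool:
    """Gateway side: return True only for a fresh, authentic, never-seen packet.

    On any failure the gateway simply drops the packet; it never replies, so a
    scanner gets no error message to distinguish a closed port from an SPA gate.
    """
    if len(packet) < 8 + 16 + TAG_LEN:
        return False
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(psk, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return False
    ts = struct.unpack("!Q", body[:8])[0]
    nonce = body[8:24]
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_SKEW:                # stale or far-future packet
        return False
    # Forget nonces whose window has closed, then reject anything already seen.
    for old in [n for n, exp in seen_nonces.items() if exp < current]:
        del seen_nonces[old]
    if nonce in seen_nonces:
        return False
    seen_nonces[nonce] = current + MAX_SKEW
    return True
```

Only after `verify_spa` returns True would the gateway open the firewall for that client’s source address and proceed to the identity and device-posture checks in items 2 and 3.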

Appgate SDP — A Leading Zero Trust Solution

Not all Zero Trust access solutions are the same, and for security buyers it can feel like a daunting task to evaluate the right one. If you’re interested in Appgate SDP, don’t take our word for it; check out our third-party validation:

Zero Trust is a multi-year journey, and it starts with secure access. Most organizations we help start with a particular problem and then scale out their Zero Trust strategy once they have achieved an initial win and built some momentum. The most common starting use cases for our customers are:
