SECURE NETWORK ACCESS

Leo Taddeo, April 8, 2022

The CISA Zero Trust Maturity Model Series – Part 3: Network

This is part three of a five-part series on the Cybersecurity and Infrastructure Security Agency's (CISA) Zero Trust Maturity Model. The two previous blogs covered the first two pillars (Identity and Device). This blog delves into pillar #3: Network.


CISA’s Zero Trust Maturity Model underpins the guidelines set forth by the U.S. Office of Management and Budget (OMB) in its final strategy for federal agencies to move toward a Zero Trust security architecture by the end of fiscal year 2024.

The maturity model focuses on Zero Trust security implementation across five key pillars (Identity, Device, Network, Application Workload, and Data), with each pillar having three stages of maturity (traditional, advanced, and optimal). Today, we cover pillar #3: Network.

Advanced and optimal maturity levels require micro-segmentation, encryption and analytics

According to CISA’s maturity model, a network “refers to an open communications medium, including agency internal networks, wireless networks, and the Internet, used to transport messages.” At a high level, agencies will have achieved the following in each stage of the Network pillar:

  • Traditional: large macro-segmentation; minimal internal or external traffic encryption
  • Advanced: defined by ingress/egress micro-perimeters; basic analytics
  • Optimal: fully distributed ingress/egress micro-perimeters; machine learning-based threat protection, all traffic is encrypted

As they are advancing on their Zero Trust security journeys, it is important that agencies segment and control their networks and manage internal and external data flows.

Traditional tools, such as next-generation firewalls (NGFW), are no longer the best option to achieve advanced or optimal maturity in Pillar #3. NGFWs are not stateless; they apply one fixed policy to all traffic, which creates attack vectors. They are typically designed as single ingestion points, thereby creating congestion, and do not scale for performance compared to modern Zero Trust Network Access (ZTNA) solutions like Appgate SDP. While Appgate SDP can achieve 9 Gbps as a virtual service, NGFWs still suffer the same shared-state issue as regular firewalls and are therefore limited to sub-1 Gbps performance.

Leveraging ZTNA solutions to achieve higher level maturity in Pillar #3

As IT environments become more complex—via growth in hybrid and/or multi-cloud infrastructure, device proliferation and remote work—and cyberthreats intensify, legacy network security solutions like VPNs are inadequate, as they essentially provide access to large segments of the network once a user is authenticated.

ZTNA solutions offer more fine-grained segmentation and protection and are now the industry-leading standard for secure enterprise access control. In fact, according to Gartner, "By 2025, at least 70% of new remote access deployments will be served predominantly by ZTNA as opposed to VPN services, up from less than 10% at the end of 2021." [1]

ZTNA is based on the fundamental principle that no user—human or machine—should be automatically granted access to anything. With ZTNA, a user is denied access to networks and digital assets by default and is only permitted access after their identity (user + device + context) is extensively authenticated. More advanced Zero Trust Access solutions like Appgate SDP enable near real-time dynamic policies and entitlements which are granted to the identity, provisioning limited access to authorized resources. These surgical entitlements are continually validated, conditional and context-aware, helping an organization define their risk tolerance.

Micro-perimeters for segmented access

All users and devices, regardless of whether they are coming from inside or outside the network, should be treated as guests, i.e., put into café networks. Think of this as a guest-access VLAN for everyone, as if each user has gone to their local coffee house and jumped online via the guest network. This helps organizations:

  • Move all users and devices off the network and use public internet for transport for anything from the outside to manage costs and improve performance
  • Leverage encryption for all traffic, as directed in the Administration’s Cybersecurity Executive Order, to move the boundary out
  • Eliminate man-in-the-middle attacks where an attacker intercepts communications between two parties
  • Democratize the network to improve user access and experience

Appgate SDP—an industry-leading ZTNA solution—delivers dynamic and individually tailored access between the user and their assigned resources. This establishes a microperimeter that is specific to each user, their identity and the conditional entitlements assigned to them. These microperimeters are established using per user session-based micro-firewalls that only allow access to specifically granted resources, eliminating unsanctioned lateral movement.
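To make the per-user, session-based micro-firewall idea concrete, here is an added illustration (not Appgate SDP code or its policy language) of a default-deny entitlement evaluator: the session's allow rules are derived only from entitlements whose group matches and whose conditions on user, device and context hold right now, and the rule set is recomputed when context changes. All users, groups, resources and conditions are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, FrozenSet, List, Tuple

# Identity as the post defines it: user + device + context. Sample fields are constructed.
@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    device_managed: bool    # device posture: enrolled/managed by the organization
    disk_encrypted: bool    # device posture: full-disk encryption on
    country: str            # context: geolocation of the session
    hour_utc: int           # context: hour of day at evaluation time

# A conditional entitlement: a resource plus the condition under which access applies.
@dataclass(frozen=True)
class Entitlement:
    name: str
    resource: str                         # CIDR the micro-firewall opens if granted
    ports: Tuple[int, ...]
    group: str                            # directory group that may hold this entitlement
    condition: Callable[[Identity], bool]  # context-aware condition, evaluated per session

# Constructed sample policy.
ENTITLEMENTS = [
    Entitlement("payroll-app", "10.20.1.10/32", (443,), "finance",
                lambda i: i.device_managed and i.disk_encrypted and i.country == "US"),
    Entitlement("git-server", "10.30.0.0/24", (22, 443), "engineering",
                lambda i: i.device_managed),
    Entitlement("wiki", "10.40.0.5/32", (443,), "staff",
                lambda i: 6 <= i.hour_utc <= 22),
]

Rule = Tuple[str, str, int]  # ("ALLOW", destination CIDR, port)

def build_session_rules(identity: Identity) -> List[Rule]:
    """Default deny: the per-session rule set contains only rules for entitlements whose
    group matches and whose condition holds now. Anything not listed stays unreachable."""
    rules: List[Rule] = []
    for e in ENTITLEMENTS:
        if e.group in identity.groups and e.condition(identity):
            for port in e.ports:
                rules.append(("ALLOW", str(ip_network(e.resource)), port))
    return rules

def revalidate(identity: Identity, current_rules: List[Rule]) -> dict:
    """Continual validation: on a context change (new location, posture drift, time of day)
    recompute the rule set and report which previously granted rules are now revoked."""
    new_rules = build_session_rules(identity)
    return {"active": new_rules,
            "revoked": [r for r in current_rules if r not in new_rules]}
```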

Encryption

All Appgate SDP communications are natively FIPS 140-2 encrypted and leverage Mutual Transport Layer Security (mTLS) to ensure that the parties at each end of a network connection are who they claim to be.

Attack surface reduction is a critical component of ZTNA, providing the first line of defense against adversaries. A ZTNA solution should leverage single packet authorization (SPA) to actively cloak ports, making them and the resources they allow entry to invisible and preventing lateral movement in case of a breach. In addition, segmenting the network is necessary to prevent an infected system from being used to compromise others in the same network.
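As an added illustration of what a single packet authorization gate checks before it exposes a port (a generic HMAC-based scheme, not Appgate SDP's wire format), the verifier below authenticates the packet, bounds its age and rejects replays; on any failure it simply returns a reason and the gateway stays silent, so the port remains invisible. The client secret, packet layout and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# Constructed demo enrollment: one shared secret per client. Real deployments provision these.
CLIENT_SECRETS: Dict[str, bytes] = {"client-A": b"constructed-demo-secret-not-for-production"}
MAX_SKEW_SECONDS = 30
_seen_nonces: Dict[bytes, int] = {}   # nonce -> time after which it may be forgotten

# Constructed layout: 1-byte id length | client id | 8-byte timestamp | 16-byte nonce | 32-byte HMAC
def build_spa_packet(client_id: str, secret: bytes, now: int, nonce: Optional[bytes] = None) -> bytes:
    """Client side (demo only): the MAC covers everything that precedes it."""
    nonce = nonce or os.urandom(16)
    cid = client_id.encode()
    body = struct.pack("!B", len(cid)) + cid + struct.pack("!Q", now) + nonce
    return body + hmac.new(secret, body, hashlib.sha256).digest()

def verify_spa_packet(packet: bytes, now: int) -> Tuple[bool, str]:
    """Gateway side: returns (True, client_id) only if every check passes; otherwise
    (False, reason). The caller never answers a failed packet, so the port stays dark."""
    if len(packet) < 1 + 8 + 16 + 32:
        return (False, "malformed")
    body, mac = packet[:-32], packet[-32:]
    id_len = body[0]
    ts_off = 1 + id_len
    if len(body) != ts_off + 8 + 16:
        return (False, "malformed")
    cid = body[1:ts_off].decode(errors="replace")
    secret = CLIENT_SECRETS.get(cid)
    if secret is None:
        return (False, "unknown client")
    # Authenticity first: constant-time compare against the recomputed MAC.
    if not hmac.compare_digest(mac, hmac.new(secret, body, hashlib.sha256).digest()):
        return (False, "bad mac")
    ts = struct.unpack("!Q", body[ts_off:ts_off + 8])[0]
    nonce = body[ts_off + 8:]
    # Freshness: a captured packet is only useful within the skew window ...
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return (False, "stale")
    # ... and inside that window the nonce cache stops it from being replayed.
    for old in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return (False, "replay")
    _seen_nonces[nonce] = now + MAX_SKEW_SECONDS
    return (True, cid)
```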

Analytics

Appgate SDP also addresses the following areas of CISA’s Network pillar:

  • Threat protection: Appgate SDP's built-in APIs allow it to natively integrate with any artificial intelligence (AI) solution using REST APIs to create context-aware network management
  • Visibility and analytics: Since all Appgate SDP logs can be aggregated and reactions automated, it helps provide deep insight into patterns of user/device behavior
  • Automation and orchestration: Appgate SDP can be fully deployed and managed as code. The SDP operator, SDP Sidecar client and API allow Appgate SDP to run in DevSecOps, DevOps or automation deployment models (e.g., Terraform, CloudFormation)

For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.

Additional resources:

Blog: The CISA Zero Trust Maturity Model Series—Part 1: Start with Identity
Blog: The CISA Zero Trust Maturity Model Series—Part 2: Devices
Blog: Federal march to Zero Trust security
Blog: Control access with identity-centric micro-perimeters
Ebook: Zero Trust Network Access: Everything you need to know
Blog and Podcast: Zero Trust for critical infrastructure

[1] Gartner, Forecast Analysis: Enterprise Network Equipment, Worldwide, 26 October 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
