Jason Garbis, October 19, 2022
The Power of Zero Trust Integrations: Security as a By-Product of Operations
Last week, Appgate and Illumio announced a joint solution, which illustrates the benefits that an integrated Zero Trust security approach can bring. The solution ties together Appgate SDP, a leading Zero Trust Network Access (ZTNA) solution, with Illumio Core, a leading Zero Trust Segmentation (ZTS) solution, expanding the value and reach of both to protect network connectivity and stop breaches from spreading across hybrid infrastructure.
Yes, it’s exciting to bring industry firsts such as this Appgate + Illumio integration to market. But it’s important to understand that this singular instance is a visionary example of the kind of cross-functional integrations necessary for truly effective Zero Trust policies and maturity.
Let’s set this up with some context. The National Institute of Standards and Technology (NIST) Special Publication 800-207, Zero Trust Architecture, lists as one of the basic Zero Trust tenets that “access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.” And, the National Security Telecommunications Advisory Committee (NSTAC) report on Zero Trust and Trusted Identity Management states that a Zero Trust policy must define the who, what, when, where, why and how of resource access.
Taken together, what this means is that the Appgate + Illumio joint Zero Trust solution—and by extension the policies it enforces—must be aware of, and be able to base decisions on, several factors: identity attributes, the device in use and resources being accessed. This is interesting because the joint solution’s policy decision point spans multiple domains in a way that traditional security solutions cannot achieve. In our Zero Trust environment, the policy model (and the underlying runtime system) can interrogate the workloads under its protection and use attributes of those workloads to make an access decision.
Automating access via business processes
Appgate SDP provides best-in-class Zero Trust Network Access (ZTNA), controlling and enabling user access across all locations, based on dynamic policy. Illumio provides best-in-class workload microsegmentation, enabling dynamic visibility and control of server-to-server communications. Illumio provides the ability for enterprise customers to define workload tags and thereby control inbound, outbound and cross-workload access based on those tags. The combined solution delivers a powerful new capability that can automatically drive access via a business process. Let’s explore this further via an example.
Enterprises require stability and predictability for production workloads and typically implement access control and change management windows. In this example, the enterprise needs a policy that grants system administrators access to production workloads, but only if these workloads are in a maintenance window. These workload states are the types of metadata that Illumio excels at managing. Now that Appgate SDP can consume workload information from Illumio, enterprise customers can easily define an enforcement policy to automatically detect workload tag changes within the Illumio system ... and grant or deny admin access accordingly.
The beauty of this approach is that security (admin access) becomes a by-product of the process or system that the enterprise is using to set the workload tags. The organization can use a standard process for placing workloads into a maintenance window and rely on the system to quickly and automatically adjust appropriate user access. The same holds true for removing a workload from a maintenance window, by executing a process (automated, tool-driven, or business process) to change the workload tag.
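The maintenance-window policy described above, as an added sketch that is not Appgate or Illumio code: the label keys (`env`, `window`), the `sysadmins` group, and the `decide` and `reevaluate` functions are hypothetical, and the label store is a constructed in-memory dict standing in for workload metadata.

```python
from dataclasses import dataclass

# Constructed sample data: a stand-in for workload labels managed by the
# segmentation platform. Label keys and values here are hypothetical.
WORKLOAD_LABELS = {
    "db-prod-01": {"env": "prod", "window": "maintenance"},
    "db-prod-02": {"env": "prod", "window": "locked"},
}


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def decide(user, workload, labels=WORKLOAD_LABELS):
    """Return (allowed, reason) for an admin session to a workload."""
    meta = labels.get(workload)
    if meta is None:
        # No metadata means no basis for a decision: fail closed.
        return False, "unknown workload"
    if "sysadmins" not in user.groups:
        return False, "user is not a system administrator"
    if meta.get("env") == "prod" and meta.get("window") == "maintenance":
        return True, "production workload in maintenance window"
    # Anything not explicitly allowed is denied (default deny).
    return False, "no matching allow rule"


def reevaluate(sessions, labels=WORKLOAD_LABELS):
    """After a label change, return the open sessions that must be revoked."""
    return [(u.name, w) for u, w in sessions if not decide(u, w, labels)[0]]


if __name__ == "__main__":
    alice = User("alice", frozenset({"sysadmins"}))
    open_sessions = [(alice, "db-prod-01")]
    print(decide(alice, "db-prod-01"))
    # The change process closes the window by changing the label only;
    # access follows without any edit to the access policy itself.
    WORKLOAD_LABELS["db-prod-01"]["window"] = "locked"
    print(reevaluate(open_sessions))
```

The access rule never changes; only the label does, which is why existing sessions are re-checked on every label update rather than only at connection time.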
While this specific example shows how the Appgate SDP and Illumio Core platforms are integrated, and therefore may appear to be a more advanced use case for a Zero Trust security environment, I argue that it’s not. In fact, this type of dynamic policy can and should be used even by organizations just beginning a Zero Trust journey.
The essence of a Zero Trust dynamic policy is that access should be a by-product of operations. So, for organizations that wish to get started with Zero Trust, look at your current technical and business processes, and imagine how they could drive access. And look at modern, capable Zero Trust joint solutions, such as Appgate SDP and Illumio Core, to automate and enforce that access.
To learn more about the new Appgate + Illumio integrated Zero Trust solution, register to attend the joint webinar on Wed., Nov. 16, at 11:00 am ET.