Issue 1

Zero Trust Architecture and Solutions

Zero Trust Architecture and Solutions 2
Research from Gartner: Market Guide for Zero Trust Network Access 14
About Qi An Xin Group 21

In the era of cloud computing and big data, the network security perimeter is gradually disintegrating, and internal and external threats are intensifying, leading to the failure of the traditional perimeter-based security architecture; therefore the zero trust security architecture comes into being. The zero trust security architecture establishes a dynamic, digital-identity-based perimeter with four key capabilities: identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. It helps enterprises realize a new-generation network security architecture with comprehensive identity, dynamic authorization, risk measurement, and management automation.

This paper begins with the background, definition and development history of zero trust security, then proposes a general zero trust reference framework, and takes Qi An Xin Zero Trust Security Solution as an example to interpret the application scheme of zero trust reference framework, finally discusses the zero trust migration methodology, and puts forward the migration ideas with defining the vision, planning first and constructing step by step.

1. Introduction

The enterprise network infrastructure is becoming more and more complex, with a gradually blurring perimeter. Digital transformation has driven the rapid evolution of information technology; new IT technologies such as cloud computing, big data, the Internet of Things and the mobile internet have brought new productivity to all industries, and in the meantime they have also brought great complexity to the enterprise network infrastructure. On one hand, the adoption of cloud computing, mobile internet and other technologies makes the enterprise's staff, businesses and data go outside of the enterprise's digital walls; on the other hand, the open and collaborative demands of new technologies, such as big data and the Internet of Things, lead outside staff, platforms and services to pass through the digital walls and into the enterprise. The modern enterprise network infrastructure no longer has a single, well-recognized and clear security perimeter; in other words, the enterprise security perimeter is gradually disintegrating, and the traditional perimeter-based network security architecture and solutions are found difficult to adapt to the modern enterprise network infrastructure.

Zero Trust Architecture and Solutions is published by Qi An Xin Group. Editorial supplied by Qi An Xin Group is independent of Gartner analysis. All Gartner research is © 2020 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner’s permission. The use or publication of Gartner research does not indicate Gartner’s endorsement of Qi An Xin Group’s products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.


In addition, the network security situation is not optimistic. External attacks and internal threats are intensifying: organized attacks, weaponized attacks, and advanced attacks targeting data and services can still easily find loopholes that break through the perimeter of the enterprise, while internal threats such as unauthorized access to internal businesses, employee mistakes and intentional data theft keep popping up. Faced with such severe security challenges, the industry pays more attention to security awareness, and security investment has also grown. However, the security effect is not satisfactory, and security incidents emerge one after another. What is the root cause of the failure of the traditional security architecture? The fundamental basis of security is to deal with risks, and the risks are closely related to “loopholes”. What “loopholes” lead to the failure of the traditional security architecture? The answer is trust. The traditional perimeter-based network security architecture assumes that the people and devices in the internal network are trustworthy; therefore the security strategy is to build the digital walls of the enterprise, and security products such as firewalls, WAF and IPS are assumed sufficient to protect the perimeter of the enterprise network. However, one should assume that there are always undiscovered loopholes in the network systems, that there are always discovered but unpatched loopholes in the systems, that the systems have always been infiltrated, and that the insiders are always unreliable. These four “always” assumptions overturn the technical methods of traditional network security, namely segmenting the network and building walls, and overturn the abuse of “trust” under the perimeter security architecture; the perimeter-based security architecture and solutions have been found difficult to cope with today’s network threats.

A new network security architecture is needed to cope with the modern and complex enterprise network infrastructure and with the increasingly severe network threat situation. Zero Trust Architecture emerges in this context and is an inevitable evolution of security thinking and security architecture.

1.1. Definition of Zero Trust

Zero Trust Architecture has been developing rapidly and gradually maturing, while different versions of the definition describe it in different dimensions. In the book Zero Trust Networks: Building Secure Systems in Untrusted Networks, Evan Gilman and Doug Barth state that zero trust is built upon five fundamental assertions:1

• The network is always assumed to be hostile.
• External and internal threats exist on the network at all times.
• Network locality is not sufficient for deciding trust in a network.
• Every device, user, and network flow is authenticated and authorized.
• Policies must be dynamic and calculated from as many sources of data as possible.

In short, no person/device/application in the enterprise network should be trusted by default, no matter whether it is in the internal or the external network. Trust should instead be based on refactored access control using proper authentication and authorization. Zero Trust Architecture has paradigmatically changed the traditional access control mechanism, and its essence is adaptive trusted access control based on identity.

In the recently published “Zero Trust Architecture (NIST.SP.800-207-draft)”, NIST points out that “Zero Trust Architecture is an end-to-end approach to network/data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure”. It considers zero trust as an architectural approach to data protection, while traditional security solutions focus only on perimeter defense with too much access open to authorized users. The primary goal of zero trust is to perform fine-grained access control based on identity in order to cope with the increasingly severe risk of overpowered lateral movement.

Therefore, NIST defines Zero Trust Architecture as follows: Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.2 This definition identifies the key issue that zero trust needs to address: eliminating unauthorized access to data and services, underscoring the importance of fine-grained access control.

1.2. History of Zero Trust

Analyzing the development history of zero trust, it is not difficult to find that the different perspectives of zero trust finally show strong consistency after developing and merging.

The earliest prototype of zero trust came from the Jericho Forum, founded in 2004, whose mission was to define cyber security under de-perimeterization trends and to find solutions. The actual term “zero trust” was officially coined in 2010, indicating that all network traffic is untrusted by default, and all access requests for all resources need to be securely controlled. In the beginning, zero trust came up with a solution that focuses on fine-grained access control over the network through micro-segmentation to limit the attacker’s lateral movement.

With the continuous evolution of zero trust, identity-based architecture has gradually gained mainstream acceptance in the industry. The transformation of this architecture is closely related to the adoption of mobile computing and cloud computing. In 2014, Google published several papers on how to build Zero Trust Architecture for its employees internally, based on its own project BeyondCorp. BeyondCorp’s starting point is that it is no longer enough to build

1 Evan Gilman and Doug Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks (O’Reilly Media, 2017)
2 NIST, Zero Trust Architecture, 2019.09, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf

security controls just for the corporate perimeter, and requires access control to be moved from the perimeter to each user and device. By using Zero Trust Architecture, Google has successfully abandoned traditional VPNs and ensured that all users from insecure networks have secure access to the enterprise business through a new architecture.3

With the continuous improvement of zero trust theory and practice in the industry, zero trust has gone beyond the scope of the original micro-segmentation in the network layer and evolved into a new generation of identity-based security solutions, which can cover many different scenarios, such as cloud environments, big data centers and micro-services. Research organizations are also ready to optimize their security architectures and systems.

By analyzing various definitions and frameworks of zero trust, it can be seen that the essence of Zero Trust Architecture is adaptive identity-based access control: the security capability focuses on identity, trust, resource access and adaptive access control, and the multi-dimensional factors such as people, process, environment and access context, based on business scenarios, require continuous assessment and evaluation. The adaptive adjustment of authority by trust level can help form a dynamic adaptive security closed loop with strong risk coping ability.

2. Zero Trust Reference Framework

The key capabilities of zero trust security can be summarized as follows: identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. These capabilities map to a set of interacting core architectural components that are highly adaptable to various business scenarios.

Figure 1 Key Capabilities of Zero Trust Architecture (Source: Qi An Xin Group, 2019)

2.1. Key Capability Model

The essence of zero trust is to establish an adaptive identity-based access control system between the access subject and the access object. Through the key capabilities of identity-based schema, resource secure access, continuous trust evaluation and adaptive access control, it encrypts, authenticates and enforces all untrusted access requests based on the digital identity of all participating entities of the network, aggregates a variety of data sources for continuous trust evaluation, adjusts permissions dynamically according to trust levels, and eventually establishes an adaptive trust relation between the access subject and the access object.

In Zero Trust Architecture, the access object is the core protected resource, which should be protected by the protection surface, including the enterprise’s business applications, service APIs, operations, asset data, etc. The access subject includes digital entities such as people, devices, applications and systems, all of which can be identified. In certain access contexts, those entities can also be combined to further clarify and define the subject.

Key capabilities of Zero Trust Architecture include: identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. (See Figure 1 for a conceptual model.)

1) Identity-based Schema

In order to construct an access control system based on identity rather than network location, it is necessary to give digital identity to the people and devices in the network, combine the identified people and devices at run-time to set up access subjects, and set up least privilege for the access subject.

Digital identity is the cornerstone of Zero Trust Architecture and it needs to realize “comprehensive identity”. It is not enough to simply create identities for people and/or devices; all entities involved in network interactions need them. In fact, in the age of the Internet of Things, things have become important participating entities, whose number has gone far beyond people.

In Zero Trust Architecture, based on different access contexts, the access subject can be a dynamic combination of several digital entities, such as people, devices and applications, which is called the “network agent” in the book Zero Trust Networks. It is the term given to the combination of data known about the actors in a network request, typically containing a user, application, and device, which are the inextricable context of an access request. It is generated on demand when the authorization decision is made and is thus usually short-lived. Information about the network agent’s constituent elements (users or devices) is generally stored in a database for real-time query and combination when authorizing, so the network agent represents the real-time state of the attributes of users and devices in each dimension at the time of authorization.4

3 Google, https://cloud.google.com/beyondcorp/
4 Evan Gilman and Doug Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks, Aug., 2019


The principle of least privilege is one of the key practices that should be followed by any security architecture. However, Zero Trust Architecture advances the principle of least privilege and follows the principle of dynamic least privilege: if users do need higher access rights, they can get those privileges only when they need them. On one hand, it emphasizes that the authorized subject is not a single entity but a composite subject, the network agent, so that the principle of least privilege is followed not only by the user but also by the device; on the other hand, the authorized subject can be further defined based on the subject attributes, environment attributes, trust level and the security level of the object. In contrast, traditional identity and access control implementations generally authorize people and devices separately. Zero trust is a paradigm that uses network agents as the authorized subject. It generates temporary entities on demand at the time of the authorization decision, which gives it strong dynamics and risk awareness; therefore it can greatly mitigate security threats such as credential loss and unauthorized access.

2) Resource Secure Access

Zero Trust Architecture focuses on the construction of the business protection surface to realize the protection of resources. In Zero Trust Architecture, applications, services, interfaces and data can be regarded as business resources. A protection surface is set up to shrink the exposed surface: all business resources are required to be hidden by default, and all business access requests are subject to full traffic encryption and mandatory authorization according to the authorization results. The resource secure access mechanism needs to work at the application protocol layer as much as possible.

To build Zero Trust Architecture, it is necessary to pay attention to the core assets that need to be protected, sort out the various exposed surfaces of the core assets, and hide those exposed surfaces. Thus, the various access paths to the core assets are hidden behind the security components and are not visible to access subjects by default, except for access requests that are authenticated, licensed, and trusted in compliance with the security policies. In addition to satisfying the principle of least privilege, this can also effectively alleviate security threats such as discovery of core assets, denial of service, vulnerability exploitation, illegal crawling, etc.

Network eavesdropping and man-in-the-middle attacks are the most common causes of data theft. In zero trust practice, it is necessary to encrypt the traffic of all applications and API calls with strong TLS, and to consider support for the domestic cipher algorithms. Zero trust emphasizes full-traffic encryption rather than encrypting only the local traffic of the authentication request, which also distinguishes the trusted agent in Zero Trust Architecture from a traditional authentication gateway.

In order to prevent access control mechanisms from being bypassed, it is necessary to have a policy enforcement point. In Zero Trust Architecture, all access requests should be authenticated, licensed, and have a sufficient trust level. Zero Trust Architecture needs to adapt to different business scenarios, identify the subject from different access protocols and methods, and relate the multi-level and multi-layer accesses to the subject. Only in this way can access control without loopholes be effectively ensured.

3) Continuous Trust Evaluation

Continuous trust evaluation is a key method to build trust from scratch in Zero Trust Architecture. Through the trust evaluation model, identity-based trust evaluation capability is realized. It also assesses the context environment of the access, identifies abnormal behavior of access requests, and adjusts the result of the trust evaluation at the same time.

Entities in the physical world, such as people and devices, are identified as digital identities in the digital world, so trust evaluation of entities first requires a trust evaluation of those identities, which must cover at least two types of digital identity: people and devices. Identity-based trust evaluation systems need to be established and cover all stages of the digital identity life cycle, including: the configuration of the digital identity, the trust evaluation of states and attributes, and the trust evaluation of the physical-entity-to-digital-identity mapping process (identity creation and verification). As mentioned above, the access subject is the network agent composed of the trinity of people, devices and applications; therefore, on the basis of the identity trust, it is necessary to evaluate the subject trust, which is the dynamic adjustment of the identity trust in the current access context and is related to authentication strength, risk state and environmental factors. The identity trust is relatively stable. Like the network agent, subject trust is a kind of short-lived dynamic trust, and adaptive access control based on subject trust levels is the essence of zero trust.

Trust and risk are closely associated with each other, like the two sides of one coin. In Zero Trust Architecture, besides the trust evaluation, the influencing factors of environmental risk need to be considered, and all kinds of environmental risks need to be assessed and responded to. However, it is important to note that not all risks will affect the trust degree of the identity or the subject. For example, in the process of accessing a business resource, the device camera may perceive that many people are standing around observing, which is risky for sensitive resources and should be mitigated by revoking the current access session. Frankly, in most cases there is no need to degrade the current device’s and user’s trust levels; but if this behavior constitutes an inherent pattern, the subject may be deemed to be intentional, in other words, the subject’s trust should then be degraded.

The demand for behavior-based anomaly detection and trust evaluation requires establishing models and making quantitative evaluations of the key factors affecting trust, including baseline deviation of the individual behavior of the subject (corresponding to the digital identity), baseline deviation of the subject from its group, aggressive behavior of the subject’s environment, and risk behavior of the subject’s environment. Comprehensive assessment

needs to integrate the behavioral analysis with the identity situation to reduce misjudgment and reduce the negative impact on the user experience.

4) Adaptive Access Control

Adaptive access control is an important embodiment of the security closed-loop capability of Zero Trust Architecture. It is suggested that flexible access control baselines be implemented through the combination of RBAC and ABAC, that hierarchical business access be realized on the basis of trust level, and, at the same time, that real-time intervention in access rights be performed when risks exist in the context and environment of the access, assessing whether the trust of the access subject should be degraded.

The establishment of any access control system is inseparable from the access control model, and it is necessary to establish a permission baseline based on a certain access control model. There are many access models, including RBAC, ABAC, MAC, DAC, and other classical models and their variants. Zero trust emphasizes a grayscale philosophy: in practical experience there is no need to worry about which is better between RBAC and ABAC, but rather to take their integration into consideration. It is suggested to implement coarse-grained authorization based on the RBAC model, establishing a baseline of authority to meet the enterprise’s basic principle of least privilege, and to implement a dynamic mapping and filtering mechanism based on subject, object and environmental attributes, giving full play to the dynamics and flexibility of ABAC. The permission baseline determines the full set of permissions allowed for a subject, and at different access times the access context, trust level, and risk state may be closely related to the access rights actually granted.

Besides the access control baseline, a hierarchical access control strategy should be implemented according to the trust level of the subject and the security level of the object. When the trust level of the subject is higher than that of the object, access is actually granted; otherwise it is denied to alleviate the risk. According to the continuous trust evaluation, the trust level of the subject is adjusted dynamically, within the baseline of access control, in real time.

It should be noted that not all risks have an impact on trust, especially environmental risks; a corresponding disposal strategy should be implemented once the risk occurs. The common approach is to cancel the access session. Therefore, the control plane will be able to receive the risk notification of the external risk platform and process the current access session on demand, so as to realize the interaction of risk management and truly integrate Zero Trust Architecture with the other existing security solutions of the enterprise.

2.2. Basic Principles

The section “Key Capability Model” describes the four zero trust key capabilities of “identity-based schema, resource secure access, continuous trust evaluation, and adaptive access control” in detail. These security capabilities need to be supported in Zero Trust Architecture through architectural components, interactive logic, etc. In the process of mapping security capabilities into the architecture, some basic architectural principles apply in order to ensure that the implemented architecture can effectively meet the security requirements of the new IT environment. The principles include:

• Principle of Comprehensive Identity

Far more than managing the identity of people, all access subjects should be identified, including people, devices, etc. The subjects of access control are network agents, not isolated people or devices.

• Principle of Application-level Control

Access control should work as much as possible in the application layer rather than the network layer, which is usually implemented by an application agent. The application agent should carry the full traffic and be fully encrypted. It is not acceptable for the agent to handle only the applications’ authentication requests.

• Principle of Closed Loop Security

The trust level is evaluated based on the attributes, behaviors and access context of the subject, and the access authority is dynamically and automatically adjusted in real time based on the trust level to form an automatic security closed loop.

• Principle of Business Aggregation

Zero Trust Architecture is built-in security. It is necessary to design the architecture based on the actual business scenarios and security conditions. It is recommended to plan the zero trust security and the business simultaneously. Zero Trust Architecture should have strong adaptability and be tailored or extended according to the requirements of actual scenarios.

• Principle of Multi-scenario Coverage

The modern IT environment has a variety of business access scenarios, including users accessing resources, service API calls, data center service interactions, etc. Access terminals include mobile devices and desktops as well as IoT devices. The deployment locations of business are also various. Zero Trust Architecture should cover various scenarios and maintain strong scalability to achieve universal security capabilities for all business scenarios.

• Principle of Component High Interactivity

The components of Zero Trust Architecture should have high interactivity, and the components should be adjusted to each other to form a whole that mitigates all kinds of threats and forms a secure closed loop. In the practice of Zero Trust Architecture, one should not stack or piece together product components. The interactivity of each product is an important foundation for the implementation of zero trust.

2.3. Core Components

The core logical architectural components of Zero Trust Architecture are shown in Figure 2:


Figure 2 Architectural Components of Zero Trust Architecture (Source: Qi An Xin Group, 2019)

1) Trusted Proxy

A trusted proxy is a data plane component, the first gateway to resource secure access, and the policy enforcement point for the adaptive access control capability.

After the trusted proxy intercepts an access request, the access subject is authenticated through the adaptive access control engine, and the authority of the access subject is dynamically determined. Only access requests that pass authentication and have access rights are released. At the same time, the trusted proxy should encrypt all access traffic, which also demands high performance and high scalability. Supporting horizontal extension is a core capability that the trusted proxy must have.

According to different scenarios, the product forms of the trusted proxy are quite different. For example, for users accessing services, the trusted proxy may be the application gateway based on technology. For service interface calls, the trusted proxy may be an API gateway. For the service mesh scenario, a trusted proxy can be simplified as an agent module running in the service environment. Similarly, capability requirements vary in different scenarios. The trusted proxy is required to support not only application-level reverse proxying but also TCP proxy technology for some legacy applications, according to the different service applications even within the same scenario where users access services. In the actual implementation of the scheme, trusted proxies of various forms must work under the unified management of the control plane components to ensure that the security strategy is implemented in various scenarios without differences.

2) Adaptive Access Control Engine

The adaptive access control engine is linked with the trusted proxy to authenticate and dynamically authorize all access requests, constituting the policy decision point of the Zero Trust Architecture control plane.

The adaptive access control engine determines the authority of all access requests. The authority determination is based dynamically on context attributes, trust levels and security strategies rather than on static rules. It relies on the identity repository, the authority repository and the trust repository: the first provides the identity attributes of the access subject, the second provides the basic authority baseline, and the third is continuously maintained by the identity analysis engine through real-time multidimensional risk association and trust evaluation.

In order to implement the identity-based access control strategy and dynamic authority adjustment, the adaptive access control engine components should authenticate identities and manage sessions of the access subject simultaneously, to ensure that all access requests are identity-aware, visible, and controllable.

3) Trust Evaluation Engine

As the core component realizing the capability of continuous trust evaluation in Zero Trust Architecture, the trust evaluation engine is linked with the adaptive access control engine to provide the trust level assessment that is the basis of the authorization decision.

It continuously receives the log reports of the trusted proxy and the adaptive access control engine, combines them with the data of the identity repository and the authority repository, profiles identities and continuously analyzes access behavior, assesses continuously using big data and AI technology, and finally generates and maintains the trust repository that supplies decisions to the adaptive access control engine. In addition, the trust evaluation engine can also receive analysis results from external security analysis platforms, including trusted environment awareness, continuous threat detection, situation awareness and other security analysis platforms, which may well supplement the data required for identity analysis and enrich the context so as to carry out more accurate risk identification and trust evaluation.

4) Identity Security Infrastructure

The identity infrastructure is critical for building the identity-based capabilities of Zero Trust Architecture.

The identity infrastructure includes at least the functional components of identity management and authority management; the former may realize identity and identity life-cycle management of various entities, while the latter may carry out fine-grained management and tracking analysis of authorization policies.
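The interplay between the trust evaluation engine and the adaptive access control engine described above, and between the capabilities 3) Continuous Trust Evaluation and 4) Adaptive Access Control in section 2.1, can be made concrete with a small Python model. The block below is an added illustration, not code from this paper or from Qi An Xin; every user name, role, resource, security level, baseline value, threshold and scoring rule in it is constructed, and it assumes that a subject whose trust level reaches the object's security level is granted access. It derives a short-lived subject trust level from a stable identity trust, authentication strength, deviation from the individual and group behaviour baselines and trust-affecting environmental risks; the decision point then applies the RBAC permission baseline, an ABAC attribute filter and the trust-versus-security-level check, and the control plane cancels a user's sessions when an external risk notification arrives, without degrading trust.

```python
"""Toy zero trust control plane: trust evaluation engine + adaptive access control engine.
Added illustration, not Qi An Xin's code; every name, number and rule below is constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkAgent:
    """Access subject assembled at authorization time: user + device (+ application)."""
    user: str
    role: str               # coarse-grained RBAC role of the user
    device_managed: bool    # device attribute consumed by the ABAC filter


@dataclass(frozen=True)
class Context:
    hour: int                 # local hour of the request, 0-23
    bytes_out: int            # volume the resource returned, used for behaviour baselines
    auth_strength: str        # "password" | "mfa" | "hardware" (assumed scale)
    risk_signals: tuple = ()  # notices received from external risk platforms


# Constructed repositories (identity, authority, trust) and proxy log history.
IDENTITY_TRUST = {"alice": 3, "carol": 3}                      # stable identity trust, 1..5
AUTH_BONUS = {"password": 0, "mfa": 1, "hardware": 2}
HISTORY = {"alice": [(9, 1200), (10, 900), (11, 1500), (14, 1100), (16, 1300), (9, 1000)],
           "carol": [(8, 2000), (9, 1800), (13, 2200), (15, 1900)]}  # (hour, bytes_out)
TRUST_AFFECTING_RISKS = {"malware_detected", "credential_leak"}  # others: session disposal only
RESOURCES = {"payroll-db": 4, "wiki": 1}                        # object security levels, 1..5
ROLE_BASELINE = {
    "finance": {("payroll-db", "read"), ("payroll-db", "export"), ("wiki", "read")},
    "staff": {("wiki", "read"), ("wiki", "write")},
}
DEVIATION_THRESHOLD = 2.5                                       # |z| treated as anomalous


def zscore(value: float, samples: List[int]) -> float:
    """Standard score of value against a baseline; a flat baseline flags any change."""
    sd = pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean(samples) else DEVIATION_THRESHOLD + 1
    return (value - mean(samples)) / sd


def evaluate_subject_trust(agent: NetworkAgent, ctx: Context) -> Tuple[int, List[str]]:
    """Trust evaluation engine: subject trust = identity trust adjusted for this access."""
    reasons: List[str] = []
    level = IDENTITY_TRUST[agent.user] + AUTH_BONUS[ctx.auth_strength]
    own = HISTORY[agent.user]
    group = [event for events in HISTORY.values() for event in events]
    if abs(zscore(ctx.bytes_out, [b for _, b in own])) > DEVIATION_THRESHOLD:
        level -= 2
        reasons.append("individual baseline deviation")
    if abs(zscore(ctx.bytes_out, [b for _, b in group])) > DEVIATION_THRESHOLD:
        level -= 1
        reasons.append("group baseline deviation")
    hours = [h for h, _ in own]
    if not min(hours) <= ctx.hour <= max(hours):
        level -= 1
        reasons.append("access outside usual hours")
    for risk in ctx.risk_signals:
        if risk in TRUST_AFFECTING_RISKS:  # e.g. onlookers seen by the camera do not lower trust
            level -= 2
            reasons.append(f"trust-affecting risk: {risk}")
    return max(1, min(5, level)), reasons


@dataclass
class Decision:
    granted: bool
    reason: str
    session_id: Optional[str] = None


class AdaptiveAccessControlEngine:
    """Policy decision point; the trusted proxy releases a request only when granted."""

    def __init__(self) -> None:
        self._sessions: Dict[str, NetworkAgent] = {}
        self._counter = 0

    def decide(self, agent: NetworkAgent, ctx: Context, resource: str, action: str) -> Decision:
        if (resource, action) not in ROLE_BASELINE.get(agent.role, set()):
            return Decision(False, "outside the RBAC permission baseline")
        if action == "export" and not agent.device_managed:  # ABAC filter on device attribute
            return Decision(False, "export requires a managed device")
        trust, reasons = evaluate_subject_trust(agent, ctx)
        if trust < RESOURCES[resource]:  # assumed: subject trust must reach the object's level
            return Decision(False, f"trust {trust} below security level {RESOURCES[resource]}: {reasons}")
        self._counter += 1
        sid = f"sess-{self._counter}"
        self._sessions[sid] = agent
        return Decision(True, "granted", sid)

    def session_active(self, sid: str) -> bool:
        return sid in self._sessions

    def on_risk_notification(self, user: str) -> List[str]:
        """Control-plane disposal of an external risk notice: cancel the user's sessions."""
        revoked = [sid for sid, a in self._sessions.items() if a.user == user]
        for sid in revoked:
            del self._sessions[sid]
        return revoked
```

The split mirrors the paper's two engines: `evaluate_subject_trust` only produces a level and the reasons behind it, while `AdaptiveAccessControlEngine.decide` is the only place that turns a level into a grant, so the permission baseline is never widened by trust, only narrowed. A "shoulder_surfing" signal is deliberately absent from `TRUST_AFFECTING_RISKS`: it leaves the subject's trust untouched and is handled by `on_risk_notification` revoking the live session, which is the disposal strategy the text recommends for environmental risks.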

The identity security infrastructure of Zero Trust Architecture should meet the complex and efficient management requirements of the modern IT environment. Traditional static identity and authority management fails to meet the requirements of the new technological environment and cannot support the enterprise’s strategic vision of building the zero trust security architecture, because it is not agile and flexible enough and cannot manage identity and authority for more new scenes and applications. In addition, in order to improve management efficiency, the key capabilities of modern identity management, such as self-service and workflow engines, are also essential.

Given the present state of the existing enterprise infrastructure, the identity security infrastructure can be handled flexibly in the implementation of specific schemes. Any enterprise with a mature identity infrastructure that meets the requirements may couple Zero Trust Architecture with the existing system. Any enterprise that does not have an identity infrastructure, or whose infrastructure’s maturity cannot meet the requirements of Zero Trust Architecture, should build or optimize one.

2.4. Adaptability for Multi Scenarios

Under a modern IT environment, business scenarios are diverse. Those scenarios may be sorted as resource access scenario, data exchange scenario, and service mesh scenario according to their typical business architecture, access subjects and objects, and traffic modules. The zero trust reference framework should be applicable to each scenario and be able to combine multiple scenarios as needed to form a unified zero trust security architecture. (See Figure 3 for a conceptual model.)

The following presents the simplified schematic diagram of the zero trust reference framework for each business scenario respectively; this article leaves out the components of identity security infrastructure, other security analysis platforms and the differences between them.

1) Resource Access Scenario

Resource access refers to the scenario where users access business applications, and is also the main scenario of Zero Trust Architecture. There are many sub-scenarios within it, such as the desktop office scenario, the mobile office scenario, the dumb device access scenario, etc. Types of users, devices and applications may vary according to the sub-scenario, which puts forward more capability requirements for the implementation of the zero trust logic components. (See Figure 4 for a conceptual model.)

Figure 3 Different Business Scenarios

The person/user of the access subject may be an insider, an employee, an external partner, or even the customer of the enterprise. The device of the access subject may be a PC, a mobile device, an enterprise-owned device, or a BYOD device. In addition, application types, especially access means of applications, including WEB applications based on HTTP protocols, some well-known non-HTTP protocols, such as RDP, SSH, and even some non-well-known private protocols, may vary.

A mature zero trust solution should meet the business access requirements of different people and devices to various application protocols, and have high adaptability while maintaining the same architecture.

Source Qi An Xin Group, 2019

Figure 4 Resource Access Scenario

Source Qi An Xin Group, 2019

The above business access architecture diagram does not cover the fine-grained access control at the functional level or even the data level within the application. In terms of the specific implementation plan, it is suggested that Zero Trust Architecture and the business architecture are closely coupled. The components of the Zero Trust Architecture can transfer identity, trust, and authority information to the business application, which can perform finer-grained access control based on this information. In this way, not only the zero trust can be


regarded as the endogenous capability of the business security, but also the development, deployment and continuous evolution of the security and business can be ensured independently to a certain extent.

2) Data Exchange Scenario

Data exchange refers to a business scenario in which external applications/platforms exchange data through service interfaces and enterprise services. In the era of big data, open collaboration has become the trend of information technology development, and the data exchange scenario has gradually become the mainstream. (See Figure 5 for a conceptual model.)

Zero trust solutions for the data exchange scenario face the challenges of diverse interfaces and computing environments where access subjects run. A trusted proxy which is compatible with various data exchange protocols or API interfaces is required. The trust evaluation engine should collect and evaluate data from the computing environment in which access subjects run. Meanwhile the data exchange protocols should be analyzed to better identify abnormal access behaviors. The adaptive access control engine should perform fine-grained access control at the content level.

In addition, under the data exchange scenario, the access subject that directly conducts the data exchange with the trusted proxy is the external application, not the user or the device, which requires identifying and evaluating the user and the device that accesses the external application through certain technical means, so as to ensure end-to-end trust establishment and fine-grained, identity-aware access control.

3) Service Mesh Scenario

Service mesh refers to the multi-party interaction scenario among servers within the data center. With the large adoption of container orchestration and micro-service technology, the service mesh scenario is increasingly evolving into the mesh access control among the data center workloads. (See Figure 6 for a conceptual model.)

Figure 5 Data Exchange Scenario

Generally, the zero trust scheme in the service mesh scenario does not use an independent trusted proxy as the data plane component, but disperses it: each node deploys a trusted proxy that takes over the access requests of the other nodes and interacts with the control plane. The numerous nodes and the complex access control rules set higher standards for both the adaptive access control engine and the trust evaluation engine of zero trust solutions for the service mesh scenario.

The service mesh scenario is also the most deeply embedded scenario in the service architecture. It needs to be built in combination with the service mesh or container orchestration technology. It is best to plan Zero Trust Architecture at the same time as the service platform is built to achieve true built-in security.

3. Zero Trust Security Solution

This section analyzes the specific practice of the zero trust reference framework by the example of Qi An Xin's zero trust security solution. Qi An Xin has been paying great attention to Zero Trust Architecture. Qi An Xin Zero Trust Security Solution is designed based on the zero trust reference framework, making full use of the advanced technological achievements, and making optimization in combination with typical domestic business and security status quo. At present, it is strongly advanced and feasible as it has been verified by a large number of practices and widely recognized by large organizations and enterprises in China.

Source Qi An Xin Group, 2019

Figure 6 Service Mesh Scenario

Source Qi An Xin Group, 2019

3.1. System of Core Products

Qi An Xin Zero Trust Security Solution includes: Qi An Xin TrustAccess Adaptive Access Control Platform, Qi An Xin TrustID Identity Platform, Qi An Xin ID Phone Token and other agent components, as shown in Figure 7. In Qi An Xin Zero Trust Security Solution, the Adaptive Access Control Platform and the Identity Platform are logically decoupled. If the customer's existing identity security infrastructure meets the requirements of Zero Trust Architecture, it is not necessary to deploy the Identity Platform, and the cost of construction can be reduced by making use of the existing system.

Figure 7 Qi An Xin Zero Trust Security Solution

Source Qi An Xin Group, 2019

1) Qi An Xin TrustAccess Adaptive Access Control Platform

Qi An Xin TrustAccess provides the core capability of adaptive trusted access control in Zero Trust Architecture to quickly set up Zero Trust Architecture for enterprises and realize the zero trust migration of enterprise data.

The main components of Qi An Xin TrustAccess include: Trusted Application Proxy (TAP), Trusted API Proxy (TIP), Trusted Access Console (TAC), Identity Analysis (IDA), Trusted Environment Sensor System (TESS) and Trusted Network Sensor System (TNSS).

• Trusted Application Proxy (TAP)

Trusted Application Proxy (TAP) is the product implementation of the trusted proxy in the resource access scenario in the zero trust reference framework.

Based on the requirements of enterprise application-level access control, it realizes the ability of layered secure access, one-stop application access, application single sign-on, and application auditing.

• Trusted API Proxy (TIP)

Trusted API Proxy (TIP) is the product implementation of the trusted proxy in the data exchange scenario in the zero trust reference framework.

Based on the security requirements of API services, it realizes the unified agent, access authentication, data encryption, security protection, application auditing and other capabilities of APIs.

• Trusted Access Console (TAC)

Trusted Access Console (TAC) is the product implementation of the adaptive access control engine in the zero trust reference framework.

TAC provides TAP/TIP with self-adaptive authentication service, adaptive access control and centralized management capabilities. According to the various business access scenarios of the enterprise, TAC implements the functions of self-adaptive authentication service, unified configuration management of access control policies, centralized management of WEB applications and API services, dynamic authorization, risk aggregation correlation, application auditing, etc.

• Identity Analysis (IDA)

Identity Analysis (IDA) is the product implementation of the trust evaluation engine in the zero trust reference framework.

IDA carries out comprehensive risk correlation judgment based on identity and authority information, TAP/TIP/TAC access logs, attributes and risk assessment reported by the trusted environment sensor, and logs and events submitted by other external analysis platforms. It uses big data analysis and AI technology to build a trust evaluation model for continuous trust evaluation and to provide TAC with the trust level as the decision-making basis.

• Trusted Environment Sensor System (TESS)

Trusted Environment Sensor System (TESS), as an important data source of IDA, provides the device environment security status and environment awareness of various scenarios and the real-time reliability judgment basis for IDA.


• Trusted Network Sensor System (TNSS)

Figure 8 Relation between Qi An Xin Zero Trust Security Solution and Reference Framework

Trusted Network Sensor System (TNSS), also as an important data source of IDA, provides the security status and environment awareness of the network environment and the real-time judgment basis of network reliability for IDA.

2) Qi An Xin TrustID Identity Platform

Qi An Xin TrustID Identity Platform is a product implementation of identity security infrastructure in the zero trust framework, and is a modern identity and authority management product.

Qi An Xin TrustID can provide enterprises with more advanced and flexible modern identity and authority management capabilities. When TrustAccess's own basic identity and authority management capabilities or the enterprise's existing identity infrastructure do not meet the enterprise's management needs, the capabilities of identity and authority management can be improved by TrustID to meet the requirements that the zero trust architecture places on the identity security infrastructure. In addition to serving TrustAccess, TrustID can also provide identity- and permission-based services for the enterprise's business systems and other scenarios that require identity, authentication, and authorization.

Qi An Xin TrustID also supports docking with the existing external identity source systems of the enterprise, including PKI, 4A, AD, etc. A healthy identity life cycle management capability is formed to provide identity infrastructure services for TrustID by integrating and synchronizing the existing identity sources of the enterprise.

3) Relation between Qi An Xin Zero Trust Security Solution and Reference Framework

Qi An Xin Zero Trust Security Solution splits and extends the product components based on the zero trust reference framework, but remains highly consistent on the overall architecture. Its product components are mapped to the zero trust reference framework as shown in Figure 8.

Source Qi An Xin Group, 2019

In addition, Qi An Xin Zero Trust Security Solution can seamlessly interact with other Qi An Xin security products and solutions. For example, it can achieve zero trust mobile solutions by linking with Qi An Xin's mobile security solutions. It can achieve data access scenarios by linking with Qi An Xin's data security solutions. It can achieve zero trust solutions for cloud and virtualization scenarios by linking with Qi An Xin's cloud security management platforms.

3.2. Scheme of Typical Scenarios

Here is an example of a typical application scenario that describes the logic principle of Qi An Xin Zero Trust Security Solution. The resources, including business applications and API services, need to be protected in the data subnet. The user and the device in the user subnet need to access business applications, and external applications need to call API services. The scheme logic diagram is shown in Figure 9.

Figure 9 Scheme of Typical Scenarios

Source Qi An Xin Group, 2019

In this scheme, an end-to-end zero trust solution is set up by deploying a logical zero trust access control area between the user subnet and the data subnet. TAP takes over the access requests of all user and device business, and TIP takes over all the external application API call requests. All the access requests are authenticated and dynamically authorized through TAC. TESS continuously assesses the device, and TNSS continuously assesses the network traffic and generates security events to IDA. IDA comprehensively collects the access log reports, the security event reports and the identity and authority information, and carries out key information and trust evaluation. The trust level it outputs acts as the basis for the TAC platform to grant or revoke permissions.

4. Migration Methodology of Zero Trust

As a new security architecture, Zero Trust Architecture has a certain connection with the existing business conditions, security capabilities, and organizational structure of the enterprise. Zero trust migration cannot be accomplished overnight. It is necessary to follow a certain methodology, combine the current situation of the enterprise, unify the goal and vision, make plans properly and construct step by step.

The zero trust migration methodology is shown in Figure 10.

4.1. Define Vision

The construction and operation of zero trust requires the active participation of all the leading departments of the enterprise, including the Security Department, Business Development Department, IT Service Department, Operation Department, etc. The key decision-makers of the company's digital transformation should raise the new generation of zero trust security architecture to a strategic level and define a unified vision. It is recommended to establish a dedicated organization (or virtual organization) and assign people with sufficient authority to carry out the whole process of zero trust migration. It is suggested that people at least at the CIO/CSO or CISO level should promote zero trust projects with the support of the company's senior decision makers.

Usually the Security Department's words are not valued that much in enterprises, and security projects are often blocked or even opposed by the Business Department. Zero trust is the starting point for the initiators of zero trust projects to persuade the Business Department and the company's senior decision makers.

Figure 10 Migration Methodology of Zero Trust

Source Qi An Xin Group, 2019


In addition, it needs more cooperation and support from departments and personnel during the process of zero trust migration, especially the critical support from its numerous end users, the ordinary staff. It is also important that all personnel enhance their recognition of zero trust security through continuous security culture activities at the company level.

4.2. Plan First

Zero Trust Architecture was born inevitably under the evolution of security thinking and security architecture, with focus on the security capabilities of identity, business, trust, adaptive access control and other dimensions, all of which are inseparable, so zero trust naturally needs to be built-in security. The construction path of zero trust should combine the current situation and requirements, embed the core capability and components of zero trust into the business system, and construct the adaptive built-in security mechanism. It is suggested to make plans at the beginning of business construction and carry on the in-depth aggregation of security and the business.

The purpose of planning is to identify and define the path. Zero Trust Architecture needs to be combed and evaluated from two dimensions, capability maturity and business scope.

The key capabilities of Zero Trust Architecture include: identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. Each key capability can be divided into several skills. The enterprise needs to evaluate the current security capabilities, and determine the priority of security capability construction based on the risks, security budget, compliance requirements and other information.

Zero Trust Architecture ultimately needs to cover all the resources of the enterprise and build a protection surface for them. Enterprise resources include applications, APIs, functions, data, etc. During the planning phase, business priorities for migration to zero trust need to be determined. In general, new businesses and core businesses are considered as first priority.

After sorting out the current situation, requirements, business status and priority of security capability, it is necessary to further sort out the exposed surface of the core business, the access subjects and the rights of the access subjects of each exposed surface, and determine the initial construction path and the construction scheme of the first phase.

4.3. Construct Step-by-step

The construction phase closely follows the planning. According to the thought orientation of planning, the division of construction phases varies according to different enterprises. If it is a capability-priority construction idea, it is necessary to build a low-to-high capability for a small number of services, verify the complete capability of zero trust through a local business scenario, and then gradually migrate more services. Scope-priority is to migrate as many businesses as possible in a moderate capacity dimension, and then gradually improve the capabilities. Both ideas have their own key points, and the enterprise should select the idea and divide the construction stages according to the specific conditions in the planning phase.

A proposed step-by-step thought consists of three main steps: proof of concept, application migration, and capability evolution. First, build a medium zero trust security capability and validate the overall scheme in a small business scope; then optimize some local optimization points found in the validation process, and move into more business applications for further verification and to detect new security requirements; finally, plan the evolution phase of subsequent capability based on the validation results to enhance the zero trust capabilities in all aspects gradually and methodically.

Zero Trust Architecture continues its evolution by improvement and progress of zero trust capability based on business requirements, security operation status and technology development trends.

5. Conclusion

Zero Trust Architecture reevaluates and examines the traditional perimeter-based security architecture, and gives new suggestions on the security architecture idea: by default, any user, device, system, or application shall not be trusted inside or outside the network; instead, the trust base of access control shall be reconstructed based on adaptive authentication, authorization, and encryption technology and be dynamically adjusted based on the trust evaluation of access subjects. It is a brand new security concept and architecture rather than a coarse-grained access control on the perimeter of the enterprise network. Fine-grained access control shall be applied to all access requests among the people, devices, business applications and data assets of enterprises. Moreover, the access control strategy should be dynamically adjusted based on trust evaluation of the request context. It is a "built-in security" mechanism to deal with threats under the new IT environment.

Source Qi An Xin Group

Research from Gartner: Market Guide for Zero Trust Network Access

Zero trust network access replaces traditional technologies, which require companies to extend excessive trust to employees and partners to connect and collaborate. Security and risk management leaders should plan pilot ZTNA projects for employee/partner-facing applications.

Key Findings

• Digital business transformation requires that systems, services, APIs, data and processes be accessible through multiple ecosystems anywhere, anytime, from any device over the internet. This expands the surface area for attackers to target.

• Secure access capabilities must evolve to the cloud, where the users are and where applications and services are moving. Many software-defined perimeter offerings are cloud-based.

• IP addresses and location are no longer practical to establish sufficient trust for network access.

• Zero trust network access provides adaptive, identity-aware, precision access. Removing network location as a position of advantage eliminates excessive implicit trust.

• ZTNA improves flexibility, agility and scalability, enabling digital ecosystems to work without exposing services directly to the internet, reducing risks of distributed denial of service attacks.

• Although virtual private network replacement is a common driver for the adoption of ZTNA, ZTNA can also offer a solution for allowing unmanaged devices to securely access applications.

Recommendations

Security and risk management leaders responsible for secure network access should:

• Go beyond using IP addresses and network location as a proxy for access trust. Use ZTNA for application-level access only after sufficient user and device authentication.

• Replace designs for employee- and partner-facing applications that expose services to direct internet connections. Pilot a ZTNA deployment using a digital business service that needs to be accessible to partners as a use case.

• Phase out legacy VPN-based access for high-risk use cases and begin phasing in ZTNA. This reduces the ongoing need to support widely deployed VPN clients and introduces clientless identity- and device-aware access. Support unmanaged devices for employees.

• Choose ZTNA products/services that expand identity assurance beyond a single factor, which is an important supplement to the ZTNA principle of context-based/adaptive access control.

Strategic Planning Assumptions

By 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed through zero trust network access (ZTNA).

By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.

By 2023, 40% of enterprises will have adopted ZTNA for other use cases described in this research.

Market Definition

ZTNA, which is also known as a software-defined perimeter (SDP), creates an identity- and context-based, logical-access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access. This removes the application assets from public visibility and significantly reduces the surface area for attack.

Market Description

The old security mindset of "inside means trusted" and "outside means untrusted" is broken in the world of digital business, which requires anywhere, anytime, any device access to services that may not be located "inside" an on-premises data center. Similarly, the old model expects all programmers to be security engineers, building intrinsically secure networked applications, and incorporating sophisticated authentication and access controls. That does not scale today.

The new model presents an approach in which a trust broker mediates connections between applications and users. ZTNA abstracts away and centralizes the security mechanisms so that the security engineers and staff can be responsible for them. ZTNA starts with a default deny posture of zero trust. It grants access based on identity, plus other attributes and context (such as time/date, geolocation and device posture), and adaptively offers the appropriate trust required at the time. The result is a more resilient environment with improved flexibility and better monitoring. ZTNA will appeal to organizations looking for adaptive and secure ways to connect and collaborate with their digital business ecosystem, remote workers and partners.

ZTNA provides controlled access to resources, reducing the surface area for attack. The isolation afforded by ZTNA improves connectivity, removing the need to directly expose applications to the internet. The internet becomes an untrusted transport and access to applications occurs through an intermediary. The intermediary can be a cloud service controlled by a third-party provider or a self-hosted service. In either case, incoming traffic to applications always passes through the intermediary after users have successfully authenticated to it.

In many cases, entity behavior is continuously monitored for abnormal activity, as described in Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA) framework. In a sense, ZTNA creates individualized "virtual perimeters" that encompass only the user, the device and the application. ZTNA normalizes the user experience, removing the access distinctions that exist when on, versus off, the corporate network.
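The following hypothetical Python model is an added illustration, not code from Qi An Xin, Gartner or any product. It folds the signals the Section 3.2 scheme routes to the trust evaluation engine (device assessment from a TESS-like sensor, network security events from a TNSS-like sensor, identity and MFA state) together with the context the Gartner text above names (time/date, geolocation, device posture) into a trust level, applies a default-deny per-resource policy with MFA step-up, and re-evaluates a live session so that newly reported sensor events can revoke it. All weights, thresholds, resource names and sample inputs are constructed assumptions.

```python
"""Added illustration: adaptive access control driven by continuous trust
evaluation. Names, weights, thresholds and sample inputs are constructed for
this example; they are not Qi An Xin's or any vendor's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy table: minimum trust level each protected resource needs.
# A resource missing from the table is denied (default-deny posture).
RESOURCE_MIN_TRUST = {
    "wiki": 40,         # low-sensitivity web application behind the application proxy
    "partner-api": 60,  # API service called by external applications via the API proxy
    "hr-payroll": 80,   # core business application
}
ALLOWED_COUNTRIES = {"CN", "US", "DE"}   # constructed geolocation policy
BUSINESS_HOURS = range(6, 22)            # requests outside these hours are penalised
MFA_VERIFIED_POINTS, MFA_MISSING_POINTS = 40, 15


@dataclass
class AccessContext:
    """Everything the trust evaluation engine sees for one access request."""
    subject: str
    mfa_verified: bool
    device_managed: bool
    device_posture: dict           # attributes a device sensor (TESS-like) reports
    geo_country: str
    request_time: datetime
    network_events: list = field(default_factory=list)  # network sensor (TNSS-like) events


def trust_level(ctx: AccessContext) -> int:
    """Fold identity, device posture, request context and network events into a 0..100 level."""
    level = MFA_VERIFIED_POINTS if ctx.mfa_verified else MFA_MISSING_POINTS
    level += 25 if ctx.device_managed else 5
    posture = ctx.device_posture
    level += 10 if posture.get("disk_encrypted") else 0
    level += 10 if posture.get("endpoint_protection_running") else 0
    if posture.get("os_patched") is False:      # explicitly reported as unpatched
        level -= 15
    if ctx.geo_country not in ALLOWED_COUNTRIES:
        level -= 20
    if ctx.request_time.hour not in BUSINESS_HOURS:
        level -= 10
    # Every security event the network sensor raised against this session lowers trust.
    for event in ctx.network_events:
        level -= {"high": 15, "medium": 5}.get(event.get("severity"), 0)
    return max(0, min(100, level))


def decide(resource: str, ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' (complete MFA first) or 'deny' for one request."""
    required = RESOURCE_MIN_TRUST.get(resource)
    if required is None:
        return "deny"
    level = trust_level(ctx)
    if level >= required:
        return "allow"
    # Step-up is only offered when completing MFA would lift the level over the bar.
    mfa_gain = MFA_VERIFIED_POINTS - MFA_MISSING_POINTS
    if not ctx.mfa_verified and level + mfa_gain >= required:
        return "step_up"
    return "deny"


@dataclass
class Session:
    resource: str
    ctx: AccessContext
    state: str = "active"


def reevaluate(session: Session, new_events: list) -> str:
    """Continuous trust evaluation: fold newly reported sensor events into the
    session and revoke (or demand re-authentication for) a session whose trust
    level no longer meets what its resource requires."""
    session.ctx.network_events.extend(new_events)
    decision = decide(session.resource, session.ctx)
    session.state = {"allow": "active", "step_up": "reauth_required"}.get(decision, "revoked")
    return session.state


def sample_context(**overrides) -> AccessContext:
    """Constructed sample input: an MFA-verified employee on a managed, healthy device."""
    base = dict(
        subject="alice@example.test",
        mfa_verified=True,
        device_managed=True,
        device_posture={"disk_encrypted": True, "endpoint_protection_running": True,
                        "os_patched": True},
        geo_country="CN",
        request_time=datetime(2019, 9, 16, 10, 0, tzinfo=timezone.utc),
        network_events=[],
    )
    base.update(overrides)
    return AccessContext(**base)


if __name__ == "__main__":
    employee = sample_context()
    byod = sample_context(mfa_verified=False, device_managed=False, device_posture={})
    for name, ctx in (("managed", employee), ("byod", byod)):
        print(name, trust_level(ctx), {r: decide(r, ctx) for r in RESOURCE_MIN_TRUST})
    session = Session("hr-payroll", sample_context())
    print(reevaluate(session, [{"severity": "high", "type": "lateral-scan"}]))  # revoked
```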


Market Direction

The ZTNA notion has been gaining momentum since an initial specification for software-defined perimeters (SDP) was introduced at the Cloud Security Alliance Summit in 2014. The initial SDP specification addressed web-based applications only, and updates to the specification have lagged, but they are expected later in 2019. Commercial products roughly based on this initial specification are available, as are products based on Google's BeyondCorp zero trust networking vision — also limited to web-enabled applications only. In addition, a large number of alternative commercial products using other approaches that are not limited to web applications have entered the market.

The ZTNA market is still nascent, but it's growing quickly. It has piqued the interest of organizations seeking a more flexible alternative to VPNs and those seeking more precise access and session control to applications located on-premises and in the cloud. ZTNA vendors continue to attract venture capital funding. This, in turn, encourages new startups to enter the market and seek ways to differentiate. Merger and acquisition (M&A) activity in this market has begun, with three startup vendors now having been acquired by larger networking, telecommunications and security vendors.

Although ZTNA offerings differ in their technical approaches, they provide generally the same fundamental value proposition:

• Removing applications and services from direct visibility on the public internet.

• Enabling precision ("just in time" and "just enough") access for named users to specific applications only after an assessment of the identity, device health (highly encouraged) and context has been made.

• Enabling access independent of the user's physical location or the device's IP address (except where policy prohibits — e.g., for specific areas of the world). Access policies are based on user, device and application identities.

• Granting access only to the specific application, not the underlying network. This limits the need for excessive access to all ports and protocols or all applications, some of which the user may not be entitled to.

• Providing end-to-end encryption of network communications.

• Providing optional inspection of the traffic stream for excessive risks in the form of sensitive data handling and malware.

• Enabling optional monitoring of the session for indications of unusual activity, duration or bandwidth requirements.

• Providing a consistent user experience for accessing applications — clientless or via a ZTNA client regardless of network location.

Gartner has identified different approaches vendors have adopted as they develop products and services for the market.

Client-Initiated ZTNA

These offerings more closely follow the original Cloud Security Alliance (CSA) SDP specification. An agent installed on authorized devices sends information about its security context to a controller. The controller prompts the user on the device for authentication and returns a list of allowed applications. After the user and device are authenticated, the controller provisions connectivity from the device through a gateway that shields services from direct internet access. The shielding protects applications from distributed denial of service (DDoS) attacks.

Some products remain in the data path once the controller establishes connectivity; others remove themselves. This approach is difficult, if not impossible, to implement on an unmanaged device, due to the requirement to install an agent. In some cases, a third-party mobile threat defense (MTD) product — which users may be more willing to accept than full device management — can provide a posture assessment to the trust broker. (See Figure 1 for a conceptual model.)

FIGURE 1 Conceptual Model of Client-Initiated ZTNA

Service-Initiated ZTNA

These models more closely follow the Google BeyondCorp vision. A connector installed in the same network as the application establishes and maintains an outbound connection to the provider's cloud. Users authenticate to the provider to access protected applications. The provider then typically authenticates to an enterprise

15 identity management product. Application mechanisms. The messy problem of two things. For some users, we create a VPN traffic passes through the provider’s cloud, authentication is handled by higher levels to allow the user to pass through the which provides isolation from direct access of the stack, typically the OS and application and connect to the internal network. Once via a proxy. Enterprise firewalls require no layers. For network connectivity, this default “inside,” the VPN connection is treated as openings for inbound traffic. However, the allow posture creates an excessive amount of trusted. provider’s network becomes another element implicit trust. of network security that must be evaluated. Alternatively, we place the front end to the Attackers abuse this trust. The first companies service in a segmented part of the network The advantage of this model is that no agent that connected to the public internet quickly with direct internet connectivity — referred is required on the end user’s device, making found out that they needed a demarcation to as a demilitarized zone (DMZ) — so it an attractive approach for unmanaged point where their internal network connected users can access it. Both alternatives create devices. The disadvantage is that the to the internet. This ultimately created excessive trust and do little to restrict lateral application’s protocols must be based on what has become a multibillion dollar movement, resulting in latent risk. In the case HTTP/HTTPS, limiting the approach to web market for perimeter firewalls. Networked of VPNs, attackers with credentialed access applications and protocols such as Secure systems on the inside were “trusted” and now have access to our networks. (The Target Shell (SSH) or Remote Desktop Protocol (RDP) free to communicate with each other. HVAC breach is an example.) Likewise, if the over http. 
(See Figure 2 for a conceptual External systems were “untrusted” and service is exposed in the DMZ, anyone on the model.) communications with the outside, inbound or internet — including all the attackers — can outbound, were blocked by default. If needs see it as well, even if it is protected by a web Some vendors offer both alternatives. This arose for communication with the outside, (WAF). provides enterprises with the ability to mix these required a series of exceptions (i.e., and match, as needed, to address specific holes) in the firewall, which were difficult and Excessive network trust leads to excessive use cases. cumbersome to maintain and monitor. latent risk. This will inevitably be exploited, leading to breaches and bringing legal, Market Analysis This trusted/untrusted network security model financial and regulatory exposure. Network The internet was designed to connect things is a relatively coarse and crude control, but connectivity (even the right to “ping” or see a easily, not to block connections. The internet it was initially effective. However, it creates server) should not be an entitlement; it should uses inherently weak identifiers (specifically, excessive trust (on the inside) that is abused be earned based on trust. Gartner believes IP addresses) to connect. If you have an IP by attackers from the outside (once they the time has come to isolate services and address and a route, you can connect and penetrate the defenses and reach the inside). applications from the dangers of the public communicate to other IP addresses, which When external access to our systems and internet, and to provide compartmentalized were never designed to be authentication services is needed, we typically do one of access only to required applications in any given context. 
The tremendous increase in the number of internet-connected services, and the growing likelihood that services and users could be located at virtually any IP address, exacerbate the weaknesses of the old model.

Figure 2. Conceptual Model of Service-Initiated ZTNA

Benefits and Uses

The benefits of ZTNA are immediate. Similar to a traditional VPN, services brought within the ZTNA environment are no longer visible on the public internet and, thus, are shielded from attackers. In addition, ZTNA brings significant benefits in user experience, agility, adaptability and ease of policy management. For cloud-based ZTNA offerings, scalability and ease of adoption are additional benefits. ZTNA enables digital business transformation scenarios that are ill-suited to legacy access approaches. As a result of digital transformation efforts, most enterprises will have more applications, services and data outside their enterprises than inside. Cloud-based ZTNA services place the security controls where the users and applications are — in the cloud. Some of the larger ZTNA vendors have invested in dozens of points of presence worldwide for low-latency user/device access.

Several use cases lend themselves to ZTNA:

• Opening applications and services to collaborative ecosystem members, such as distribution channels, suppliers, contractors or retail outlets, without requiring a VPN or DMZ. Access is more tightly coupled to applications and services.

• Normalizing the user experience for application access — ZTNA eliminates the distinction between being on and off the corporate network.

• Carrying encryption all the way to the endpoints for scenarios where you don’t trust the carrier or cloud provider.

• Providing application-specific access for IT contractors and remote or mobile employees as an alternative to VPN-based access.

• Extending access to an acquired organization during M&A activities, without having to configure site-to-site VPN and firewall rules.

• Permitting users in potentially dangerous areas of the world to interact with applications and data in ways that reduce or eliminate the risks that originate in those areas — pay attention to requirements for strong identity and endpoint protection.

• Isolating high-value enterprise applications within the network or cloud to reduce insider threats and affect separation of duties for administrative access.

• Authenticating users on personal devices — ZTNA can improve security and simplify bring your own device (BYOD) programs by reducing full management requirements and enabling more-secure direct application access.

• Creating secure enclaves of Internet of Things (IoT) devices or a virtual-appliance-based connector on the IoT network segment for connection.

• Cloaking systems on hostile networks, such as systems that would otherwise face the public internet, used for collaboration.

• Enabling SaaS applications to connect back to enterprise systems and data for processes that require SaaS applications to interact with enterprise on-premises or infrastructure as a service (IaaS)-based services.

Risks

Although ZTNA greatly reduces overall risks, it doesn’t eliminate every risk completely, as these examples illustrate:

• The trust broker could become a single point of any kind of failure. Fully isolated applications using ZTNA will stop working when the ZTNA service is down. Well-designed ZTNA services include physical and geographic redundancy with multiple entry and exit points to minimize the likelihood of outages affecting overall availability. Furthermore, a vendor’s SLA (or lack thereof) can be an indicator of how robust it views their offering. Favor vendors with SLAs that minimize business disruptions.

• Attackers could attempt to compromise the trust broker system. Although unlikely, the risk isn’t zero. ZTNA services built on public clouds or major internet carriers benefit from the provider’s strong tenant isolation mechanisms. Nevertheless, collapse of the tenant isolation would allow an attacker to penetrate the systems of the vendor’s customers and move laterally within and between them. A compromised trust broker should fail over to a redundant one immediately. If it can’t, then it should fail closed — that is, if it can’t deflect abuse, it should disconnect from the internet. Favor vendors who adopt this stance.

• Compromised user credentials could allow an attacker on the local device to observe and exfiltrate information from the device. ZTNA architectures that combine device authentication with user authentication contain this threat to a degree, stopping the attack from propagating beyond the device itself. We suggest that, wherever possible, stronger authentication for access be used.

• Some ZTNA vendors have chosen to focus their developments on supporting web application protocols only (HTTP/HTTPS). Carrying legacy applications and protocols through a ZTNA service could prove to be more difficult.

• The market is in flux, and smaller vendors could disappear or be acquired.

Evaluation Factors

When evaluating ZTNA technologies, here are the key questions to ask:

• Does the vendor require that an endpoint agent be installed? What OSs are supported? What mobile devices? How well does the agent behave in the presence of other agents?

• Does the offering support single packet authentication (SPA) as an initial form of identity verification to the trust broker? SPA allows the broker to ignore any attempts to communicate, unless the first attempt contains a specialized, encrypted packet.

• Does the offering provide the ability to perform a security posture assessment of the device (OS version, patch levels, password and encryption policies, etc.), without requiring a unified endpoint management (UEM) tool? Is any option provided for achieving this on unmanaged devices?

• Does the offering integrate with UEM providers, or can the local agent determine device health and security posture as a factor in the access decision? What UEM vendors has the ZTNA vendor partnered with?

• What authentication standards does the trust broker support? Is integration with an on-premises directory or cloud-based identity services available? Does the trust broker integrate with the organization’s existing identity provider? Does the trust broker support common options for multifactor authentication (MFA)? Can the provider enforce strong user authentication for administrators?

• Is there user and entity behavior analytics (UEBA) functionality that can identify when something anomalous happens within the ZTNA-protected environment?

• Some ZTNA products are delivered partly or wholly as cloud-based services. Does this meet the organization’s security and residency requirements? Has the vendor undergone one or more third-party attestations, such as SOC 2 or ISO 27001?

• How geographically diverse are the vendor’s entry and exit points (referred to as edge locations and/or points of presence) worldwide? What edge/physical infrastructure providers or colocation facilities does the vendor use?

• What is the vendor’s technical behavior when the ZTNA service comes under sustained attack? Does the service fail closed (thus blocking digital business partners from accessing enterprise services) or does the service fail open? Is it possible to selectively choose fail-closed or fail-open for specific enterprise applications? If fail-open is a requirement, don’t forget to add in other layers of defense to protect applications no longer shielded by the ZTNA service.

• Does the offering support only web applications, or can legacy applications also gain the same security advantages?

• What algorithms and key lengths has the vendor chosen? What third-party certifications has the vendor obtained? Does the vendor’s product description demonstrate an understanding of contemporary cryptographic practices, or is it laced with too-good-to-be-true crypto “snake oil”?

• After the user and device pass authentication, does the trust broker remain resident in the data path? This approach deserves consideration. Trust brokers that remain in the data path offer greater visibility and can monitor for unusual and suspicious activities. They could, however, become bottlenecks or single points of failure. Designs that include failover support mitigate this concern, but could be vulnerable to DDoS attacks that attempt to bypass inspection.

• Can the vendor provide inspection of session flows and content for inappropriate sensitive data handling, malware detection and unusual behaviors?

• To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part of the isolated application’s security requirements? Perhaps the more minimal protection of a content delivery network (CDN) is sufficient. Different enterprise applications might have different requirements.

• Does the provider maintain a bug bounty program and have a credible, responsible, public or private disclosure policy? It is critical for software providers to constantly test for and remove product vulnerabilities. Favor providers that actively do so.

ZTNA Alternatives

There are several alternative approaches to ZTNA:

• Legacy VPNs remain popular, but they might not provide sufficient risk management for exposed services and may be difficult to manage, given the dynamic nature of digital business. Always-on VPNs that require device and user authentication align with the ZTNA model; however, basic network-access VPNs do not. Factor security requirements into VPN models and user satisfaction expectations. For third-party, privileged access into enterprise systems, a privileged access management (PAM) tool can be a useful alternative to a VPN.

• Exposing web applications through a reverse-proxy-based WAF is another option. With WAF as a service (i.e., cloud WAF), traffic passes through the provider’s WAF service for inspection before delivery to its destination. To avoid false positives or potential application malfunctions, cloud WAFs, like any other WAF, typically require some time for testing and adjusting rules. Because the protected services are still visible to attackers on the public internet, the isolation is limited to the strength of the WAF. However, partner- and employee-facing applications are not normally candidates for WAFs.

• Choosing to retain existing design patterns and exposing digital business applications in traditional DMZs remain alternatives. However, DMZs provide limited isolation against modern attacks (typically a reverse-proxy WAF). Furthermore, DMZs still leave the application discoverable to all attackers.

• A remote browser isolation product offers another option, specifically for the isolation of web-enabled application access. Here, the browser session itself is rendered from the end user’s device and, typically, in a service, from the enterprise network (e.g., a cloud-based remote browser service), providing isolation on both sides.

• CDNs can absorb DDoS attacks, reduce the noise and threats of bot attacks, and guard against website defacement. However, they offer no application-level protection and no anonymity — attackers targeting sites can discover the site is protected with a CDN and might attempt to exploit vulnerabilities present in the CDN. Many CDNs include a basic cloud WAF.

• Applications that don’t require full, interactive internet connectivity, but instead expose only APIs to the public internet could be protected by an API gateway, although ZTNA can also work here. API gateways enforce authentication, validate authorization and mediate the correct use of application APIs. This is especially useful if the application lacks mechanisms for ensuring API security. Most API gateways also expose logs of all activity through a native monitoring tool or integration with popular security information and event management (SIEM) tools. Favor API gateways that integrate with enterprise directories and single sign-on (SSO) protocols — or use a ZTNA service instead.

• It is possible to go full IaaS. When ZTNA or other isolation measures are not good enough, moving the application off-enterprise completely is the best alternative. Many of the suggested isolation mechanisms are available to workloads placed in the cloud and are designed more for primary protection, rather than enterprise isolation. The goal shifts to protecting the application and data, with less concern for isolation. However, this still leaves systems exposed to attack, especially if legacy DMZ architectures are replicated in the cloud.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

ZTNA products and services are offered by vendors in one of two ways:

• As a service from the cloud

• As a stand-alone offering that the customer is responsible for supporting

As-a-service offerings (see Table 1) require less setup and maintenance than stand-alone offerings. As-a-service offerings typically require provisioning at the end-user or service side and route traffic through the vendor’s cloud for policy enforcement. Stand-alone offerings (see Table 2) require customers to deploy and manage all elements of the product. In addition, several of the major IaaS cloud providers offer ZTNA capabilities for their customers.

Table 1. Representative Vendors of ZTNA as a Service

Vendor | Product or Service Name
Akamai | Enterprise Application Access
Cato Networks | Cato Cloud
Cisco | Duo Beyond (acquisition by Cisco)
CloudDeep Technology (China only) | DeepCloud SDP
Cloudflare | Cloudflare Access
InstaSafe | Secure Access
Meta Networks | Network as a Service Platform
New Edge | Secure Application Network
Okta | Okta Identity Cloud (Acquired ScaleFT)
Perimeter 81 | Software Defined Perimeter
SAIFE | Continuum
Symantec | Luminate Secure Access Cloud (acquisition by Symantec)
Verizon | Vidder Precision Access (acquisition)
Zscaler | Private Access

Source: Gartner (April 2019)

Table 2. Representative Vendors of Stand-Alone ZTNA

Vendor | Product or Service Name
BlackRidge Technology | Transport Access Control
Certes Networks | Zero Trust WAN
Cyxtera | AppGate SDP
Google Cloud Platform (GCP) | Cloud Identity-Aware Proxy (Cloud IAP)
Microsoft (Windows only) | Azure AD Application Proxy
Pulse Secure | Pulse SDP
Safe-T | Software-Defined Access Suite
Unisys | Stealth
Waverley Labs | Open Source Software Defined Perimeter
Zentera Systems | Cloud-Over-IP (COiP) Access

Source: Gartner (April 2019)
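The single packet authentication (SPA) evaluation question above describes a broker that ignores all traffic unless the first packet is a specially formed, authenticated one. The following is an added illustration written for this page, not code from the Gartner note or from any listed vendor: a minimal HMAC-based knock and the broker-side check that drops malformed, forged, stale and replayed packets. The user name, shared secret and timestamps are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed per-user shared secrets (placeholders, not real key material).
CLIENT_KEYS = {"alice@example.com": b"constructed-secret-for-alice"}

NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32   # TAG_LEN: HMAC-SHA256 output size
WINDOW_SECONDS = 30                      # maximum age of an acceptable knock


def build_spa_packet(user, key, now=None):
    """Client side: nonce || big-endian unix time || user || HMAC(key, the rest)."""
    ts = int(time.time() if now is None else now)
    body = os.urandom(NONCE_LEN) + struct.pack(">Q", ts) + user.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGate:
    """Broker side. Everything that is not a valid first packet is dropped,
    so unauthenticated probes never learn that a service exists here."""

    def __init__(self, keys, window=WINDOW_SECONDS):
        self.keys = keys
        self.window = window
        self.seen = {}  # nonce -> time accepted; used to reject replays

    def verify(self, packet, now=None):
        """Returns (True, user) for a good knock, else (False, drop reason)."""
        now = time.time() if now is None else now
        # Forget nonces older than the window; packets that old are stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if len(packet) < NONCE_LEN + TS_LEN + 1 + TAG_LEN:
            return (False, "malformed")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        nonce = body[:NONCE_LEN]
        (ts,) = struct.unpack(">Q", body[NONCE_LEN:NONCE_LEN + TS_LEN])
        user = body[NONCE_LEN + TS_LEN:].decode("utf-8", errors="replace")
        key = self.keys.get(user)
        if key is None:
            return (False, "unknown user")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return (False, "bad hmac")
        if abs(now - ts) > self.window:
            return (False, "stale")
        if nonce in self.seen:
            return (False, "replay")
        self.seen[nonce] = now
        return (True, user)


if __name__ == "__main__":
    gate = SpaGate(CLIENT_KEYS)
    knock = build_spa_packet("alice@example.com", CLIENT_KEYS["alice@example.com"])
    print(gate.verify(knock))              # (True, 'alice@example.com')
    print(gate.verify(knock))              # (False, 'replay')
    print(gate.verify(b"GET / HTTP/1.1"))  # (False, 'malformed')
```

A production broker would additionally rate-limit and log the drop reasons, since a burst of "bad hmac" or "replay" results is itself a signal worth feeding to UEBA.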

Market Recommendations

Given the significant risk that the public internet represents and the attractiveness of compromising internet-exposed systems to gain a foothold in enterprise systems, enterprises need to consider isolating digital business services from visibility by the public internet. Don’t mistake Gartner’s recommendation for the tried, yet true “security by obscurity is no security at all” axiom. Although ZTNA cloaks services from discovery and reconnaissance, it erects true barriers that are proving to be more challenging for attackers to circumvent than older notions of simple obfuscation.

For legacy VPN access, look for scenarios in which targeted sets of users performing their work through a ZTNA service can provide immediate value in improving the overall security posture of the organization. In most cases, this could be a partner- or employee-facing application. A ZTNA project is a step toward a more widespread zero trust networking (default deny) security posture. Specifically, nothing can communicate (or even see) an application resource until sufficient trust is established, given the risk and current context to extend network connectivity.

For DMZ-based applications, evaluate what sets of users require access. For those applications with a defined set of users, plan to migrate them to a ZTNA service during the next several years. Use the migration of these applications to public cloud IaaS as a catalyst for this architectural shift.

Specific Recommendations

• Budget and pilot a ZTNA project to demonstrate the benefits of ZTNA to the organization.

• Plan for user-to-application mapping. Role-based access control (RBAC) can help with this. Avoid allowing all users to access all applications.

• Identify which applications and workflows are not candidates for ZTNA, and exclude them from the scope. This includes access to and download of unstructured data not protected by application- and consumer-facing applications.

• The ZTNA market is emerging, so sign only short-term contracts for no more than 12 to 24 months to retain greater vendor selection flexibility as the market grows and matures.

• For most digital business scenarios, favor vendors that offer ZTNA as a service for easier deployment, higher availability and protection against DDoS attacks. Favor vendors that require no openings in firewalls for listening services (inbound connections), which is typical for most as-a-service flavors of ZTNA.

• When security requirements demand an on-premises installation of a ZTNA product, favor vendors that can reduce the number of firewall openings as much as possible.

• If unmanaged devices will be used by named users, plan to deploy a reverse-proxy-based ZTNA product or service to avoid the need for agent installation.

• Ensure that the vendor supports the authentication protocols the organization and partners use now, including the enterprise’s standard identity store, as well as any it expects to use in the future. The wider the available range, the better, including cloud SSO providers and SaaS-delivered access management providers.

• Don’t expect partners to use your identity store. Require support for SAML, OAuth, OIDC and similar identity federation capabilities.

• Evaluate the effectiveness of a vendor’s ability to query other kinds of device agents, such as UEM, endpoint detection and response (EDR) and MTD, to gain additional context for improved adaptive access decisions.

• Attackers will target ZTNA trust brokers. For on-premises ZTNA products, harden the host OSs using a cloud workload protection platform (CWPP) tool that supports on-premises deployments. Rely primarily on default deny allow-listing to explicitly define the code allowed to execute on the system. Don’t rely solely on patching to keep the system hardened.

• If you choose a smaller provider, plan for potential acquisitions by placing appropriate clauses in contracts and having a list of alternative providers lined up, if needed.

Note 1. Representative Vendor Selection

The vendors named in this guide were selected to represent two types of ZTNA offerings: as-a-service and stand-alone. For these categories, we list the vendors known to Gartner as of April 2019.

Note 2. Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.

Source: Gartner Research Note G00386774, Steve Riley, Neil MacDonald, Lawrence Orans, 29 April 2019
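The recommendations above (default deny, user-to-application mapping through RBAC, extra context from UEM/EDR agents) and the earlier evaluation questions on device posture and MFA describe an access decision without showing one. The following added example, not code from the Gartner note or from Qi An Xin’s solution, sketches such a decision and re-runs it when device context changes, as a broker that stays in the data path can; the roles, applications, patch-level floor and device fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed user-to-application mapping (RBAC): role -> applications it may reach.
# Anything not listed here is denied; there is no "all users to all apps" rule.
ROLE_APPS = {
    "finance": {"erp", "expenses"},
    "contractor": {"ticketing"},
}
MIN_PATCH_LEVEL = 10            # constructed posture floor, not a vendor value
MFA_MANAGED_ONLY = {"erp"}      # high-value apps: MFA and a managed device required


@dataclass
class Principal:
    user: str
    roles: set
    authenticated: bool   # outcome from the identity provider (SAML/OIDC, etc.)
    mfa: bool


@dataclass
class Device:
    managed: bool         # enrolled in UEM
    patch_level: int      # reported by the endpoint agent or UEM
    disk_encrypted: bool
    edr_healthy: bool     # extra context queried from an EDR agent


@dataclass
class Decision:
    allow: bool
    reason: str


def decide(p, d, app):
    """Default deny: connectivity to `app` is extended only when every identity,
    authorization and device-posture check passes; the first failure is reported."""
    if not p.authenticated:
        return Decision(False, "user not authenticated")
    permitted = set().union(*(ROLE_APPS.get(r, set()) for r in p.roles))
    if app not in permitted:
        return Decision(False, f"no role grants {app}")
    if d.patch_level < MIN_PATCH_LEVEL:
        return Decision(False, "device patch level below policy")
    if not d.disk_encrypted:
        return Decision(False, "disk not encrypted")
    if not d.edr_healthy:
        return Decision(False, "EDR reports unhealthy device")
    if app in MFA_MANAGED_ONLY and not (p.mfa and d.managed):
        return Decision(False, f"{app} requires MFA on a managed device")
    return Decision(True, "all trust checks passed")


class Session:
    """Continuous evaluation: the decision is repeated whenever device context
    changes, and a session that stops passing is cut rather than trusted forever."""

    def __init__(self, principal, device, app):
        self.principal, self.app = principal, app
        self.last = decide(principal, device, app)
        self.active = self.last.allow

    def update_device(self, device):
        self.last = decide(self.principal, device, self.app)
        self.active = self.active and self.last.allow
        return self.active
```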

About Qi An Xin Group

Qi An Xin Group is a leading security provider dedicated to protecting critical and valuable internet assets in a wide range of areas, including government, finance, energy, telecom, etc. Qi An Xin Group is the fastest-growing company in the Chinese security market, with a consecutive compound annual growth rate of over 90% since 2015. Through the hard work of over 6500 employees, its technologies have been adopted in 90% of government departments, state-owned companies and large banks. It started its international development in 2019 and has extended its global business to Indonesia, Singapore, Canada, Hong Kong, Macao, etc.

Qi An Xin takes “protecting the security in the big data era” as its mission, “data-driven security” as its technical thinking, and big data collection and analysis as support to provide escort and protection for enterprise customers.

Qi An Xin’s corporate vision is to comprehensively enhance the security protection ability and level of Chinese organizations and enterprises, and to build a reliable network environment for economic development. Qi An Xin uses innovative means of “Internet+”, such as big data analysis, to help Chinese organizations and enterprises better respond to security threats.

Qi An Xin Identity Security Lab is a professional lab under Qi An Xin Group, focusing on “Zero Trust Security Architecture”. The team takes “Zero Trust Security, New Identity Perimeter” as its core concept and explores a new type of security architecture under the assumption that “the enterprise’s perimeter is vanishing and perimeter-based defense measures are becoming ineffective”. It has launched the Qi An Xin Zero Trust Security Solution with four key capabilities: identity-based schema, resource secure access, continuous trust evaluation and adaptive access control. The team has invested heavily in the research of Zero Trust Security Architecture and product standardization, and has actively pushed forward the deployment and implementation of the architecture, whose program has been deployed in central government agencies and state-owned enterprises and is highly recognized by the market and the industry.
