Zero Trust network topology and its importance
Zero Trust is a security strategy and, as such, there are many different architectures that companies can use depending on their specific business, network and technological environment. It is important that security architects fully understand their current enterprise architecture in order to make informed decisions about the changes required for Zero Trust initiatives.
Enterprise architecture covers a wide range of elements such as applications, access methods, data flows, network infrastructure, and the way in which different devices and systems are connected to each other. Network topology refers specifically to that last element: how devices and systems are interconnected. Enterprise networks are often complex and include many interdependent elements such as DNS, IP address management and routing, which reside on LAN, WAN, cloud and SD-WAN segments. These networks can also include newer network types, such as those found in IaaS (Infrastructure as a Service) environments.
A Zero Trust Network Access (ZTNA) project requires a good understanding of your network, the location of private corporate resources, network topology and how these interdependent systems work. ZTNA requires thoughtful changes to the way users access resources across the network, as well as changes to the network itself. The benefits of ZTNA are considerable, but they need to be deployed as part of a well-developed strategy.
What are the two main Zero Trust network topology models?
There are two main models for Zero Trust network topology: cloud-routed and direct-routed. Gartner refers to them as "service-initiated" and "endpoint-initiated", while other analysts use the terms software-defined perimeter (SDP) and identity management proxy. These are represented in the diagrams below, where we use the standard Zero Trust terms of policy decision point (PDP) for the control plane and policy enforcement point (PEP) for the data plane. Note also that, in this article, we focus solely on user access to private corporate resources and not on user access to public web resources.
In both cases, the control plane is located within the provider's cloud security infrastructure. This is how providers offer this as a service, providing management, monitoring and updates for customers, simplifying operations and reducing complexity.
Cloud-routed vs. direct-routed network topology models
In the cloud-routed model, the provider's cloud acts as a centralized location where connections meet "in the middle". Remote users connect to the nearest provider's PEP to control their network access to the company's private resources. The resources, which may be business applications or data, may be running in an on-premises data center, an IaaS cloud environment, or both. The provider's connector software runs alongside the resources and establishes an outbound connection to the nearest PEP in the provider's cloud. Since the connector establishes an outbound connection, it generally simplifies deployment, but often limits use cases to remote user access for web applications only.
In the direct-routed model, the service provider's cloud is used only as a control plane. The data plane is never visible or accessible to the service provider, because companies deploy the provider's PEPs in their own environment, running alongside their resources. Once authenticated, users obtain a security token that enables them to establish connections directly to the PEPs, hence the name direct routing. Network traffic flows between the user's device and the resource via the PEP, reducing the number of network hops and lowering latency. What's more, traffic routing is under the company's control, enabling it to manage data residency requirements, for example.
The direct-routed model supports all network protocols (web, non-web, all TCP, UDP and ICMP) and handles server-initiated connections transparently. It also supports the concept of universal ZTNA, since on-site users accessing local resources keep their network traffic entirely within the local corporate network. Because the PEP must be deployed where the resources are located, firewall modifications are generally required. This architecture is best suited to the most complex and sophisticated enterprise environments.
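The following is an added example, not code from the article or from Appgate, that models the control-plane/data-plane split described for the direct-routed topology above (and, by contrast, why the cloud-routed model can keep its PEP in the provider's cloud). A PDP in the provider's cloud authenticates the user and issues a short-lived, HMAC-signed token listing the private resources the policy allows; a PEP deployed next to the resource validates that token on its own, without the provider ever seeing the data path, and forwards only to resources named in the token. The shared key, the policy table, the user and resource names, and the token format are all constructed for illustration, not a real product's API.

```python
"""
Toy model of ZTNA control plane (PDP) and data plane (PEP) roles.
Constructed for illustration: the key, policy and names are placeholders,
and the token format is a minimal HMAC scheme, not a vendor protocol.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder shared secret between the PDP and this PEP (in a real deployment
# the control plane would distribute a per-PEP key; this value is constructed).
PDP_KEY = b"example-control-plane-key"

# Constructed access policy: which users may reach which private resources.
POLICY = {
    "alice": {"hr-app.internal:443", "db.internal:5432"},
    "bob": {"hr-app.internal:443"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class PolicyDecisionPoint:
    """Control plane (provider cloud): authenticates users and issues signed tokens."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds

    def issue_token(self, user: str, authenticated: bool,
                    now: Optional[float] = None) -> Optional[str]:
        # No token at all for unauthenticated or unknown users.
        if not authenticated or user not in POLICY:
            return None
        now = time.time() if now is None else now
        claims = {"sub": user, "resources": sorted(POLICY[user]), "exp": now + self.ttl}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class PolicyEnforcementPoint:
    """Data plane (deployed beside the resource): verifies tokens offline and forwards."""

    def __init__(self, key: bytes, resource: str):
        self.key = key
        self.resource = resource

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        # Reject malformed tokens, bad signatures and expired tokens;
        # no call back to the control plane is needed on the data path.
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        now = time.time() if now is None else now
        if claims["exp"] < now:
            return None
        return claims

    def connect(self, token: str, now: Optional[float] = None) -> str:
        """Decide whether the user's direct connection may reach this resource."""
        claims = self.verify(token, now)
        if claims is None:
            return "DENY: invalid or expired token"
        if self.resource not in claims["resources"]:
            return f"DENY: {claims['sub']} not authorized for {self.resource}"
        return f"ALLOW: {claims['sub']} -> {self.resource}"


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(PDP_KEY)
    pep = PolicyEnforcementPoint(PDP_KEY, "db.internal:5432")
    token = pdp.issue_token("alice", authenticated=True)
    print(pep.connect(token))
    print(pep.connect(pdp.issue_token("bob", authenticated=True)))
```

The point of the split is visible in `connect`: the PEP needs only the shared key and the token to enforce policy, so the user's traffic can go straight to the PEP on the corporate network while the provider's cloud sees only the authentication step. Expiry and signature checks are what keep a stolen or replayed token from turning into standing access, which is why real deployments pair short token lifetimes with per-PEP keys.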
HTBS helps you secure your organization with the Zero Trust approach, which not only protects and secures all the elements that make up your infrastructure, but also gives you global visibility of your attack surface.
Source: Appgate