Zero Trust network topology and its importance

Zero Trust is a security strategy, and as such, there are many different architectures that organizations can adopt depending on their specific business, network, and technology environments. It is important for security architects to have a thorough understanding of their organization’s current architecture in order to make informed decisions about the changes required for Zero Trust initiatives.


Enterprise architecture encompasses a wide range of elements: applications, access methods, data flows, network infrastructure, and the way the various devices and systems are connected to one another. Network topology is the narrower part of that picture: how those devices and systems are interconnected. Enterprise networks are often complex and include many interdependent elements such as DNS, IP address management, and routing, spread across LAN, WAN, cloud, and SD-WAN segments, and increasingly across newer kinds of networks such as those found in IaaS (Infrastructure as a Service) environments.

A Zero Trust Network Access (ZTNA) project requires a thorough understanding of your network: where the company’s private resources are located, the network topology, and how these interdependent systems work together. ZTNA requires deliberate changes to how users access resources across the network, as well as changes to the network itself. The benefits of ZTNA are significant, but it must be implemented as part of a well-developed strategy.

What are the two main Zero Trust network topology models?

There are two main models for Zero Trust network topology: cloud-routed and direct-routed. Gartner refers to them as service-initiated and endpoint-initiated ZTNA, respectively, while other analysts use the terms identity-aware proxy and software-defined perimeter (SDP). They are depicted in the diagrams below, using standard Zero Trust terms: Policy Decision Point (PDP) for the control plane and Policy Enforcement Point (PEP) for the data plane. Note that this article focuses solely on user access to private corporate resources, not on user access to public web resources.

Figure: Cloud-routed network topology model
Figure: Direct-routed network topology model

In both models, the control plane (the PDP) is located within the provider’s cloud security infrastructure. This is what lets providers offer ZTNA as a service: they handle management, monitoring, and updates for customers, which simplifies operations and reduces complexity.

Cloud-routed vs. direct-routed network topology models

In the cloud-routed model, the provider’s cloud acts as a centralized location where connections meet “in the middle.” Remote users connect to the nearest provider PEP, which controls their network access to the company’s private resources. The resources, whether business applications or data, can run in an on-premises data center, an IaaS cloud environment, or both. The provider’s connector software runs alongside the resources and establishes an outbound connection to the nearest PEP in the provider’s cloud, so user traffic transits the provider’s infrastructure on its way to the resource. Because the connector only needs an outbound connection, deployment is generally simpler (typically no inbound firewall rules), but the use cases are often limited to remote user access to web applications.

In the direct-routed model, the service provider’s cloud is used solely as the control plane. The data plane is never visible or accessible to the service provider, because the company deploys the provider’s PEPs in its own environment, alongside its resources. Once authenticated by the PDP, the user receives a security token that allows the device to establish connections directly to those PEPs, hence the name “direct-routed.” Network traffic flows from the user’s device through the PEP to the resource, which reduces the number of network hops and lowers latency. Traffic routing also stays under the enterprise’s control, which lets it meet data residency requirements, for example.

The direct-routed model supports all network protocols (web and non-web, all of TCP, UDP, and ICMP) and transparently handles server-initiated connections. It also supports the universal ZTNA concept: on-premises users accessing local resources connect to a local PEP, so their network traffic stays entirely within the corporate network. Because the PEP must be deployed where the resources are located, firewall changes are generally required so that authorized users can reach it. This architecture is better suited to complex, sophisticated enterprise environments.
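To make the control-plane/data-plane split of the direct-routed model concrete, the following is an added example written for this article; it is not Appgate’s code or protocol. It assumes a toy token format: the PDP, after authenticating a user, issues an HMAC-signed token carrying the user’s entitlements and an expiry, and a PEP deployed next to the resource verifies that token offline and allows or denies each connection. The user names, hostnames, ports, policy table, and shared key are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Key provisioned to the PEP by the control plane. Assumption for this example:
# a real deployment would use an asymmetric key pair so a PEP can verify tokens
# without being able to mint them.
PDP_KEY = b"control-plane-provisioned-key"

# Constructed sample policy: which private resources each user may reach.
POLICY = {
    "alice": [
        {"host": "erp.corp.example", "proto": "tcp", "port": 8443},
        {"host": "db.corp.example", "proto": "tcp", "port": 5432},
    ],
    "bob": [
        {"host": "erp.corp.example", "proto": "tcp", "port": 8443},
    ],
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _sign(body: bytes) -> bytes:
    return hmac.new(PDP_KEY, body, hashlib.sha256).digest()


def pdp_issue_token(user: str, ttl: int = 300, now: float = None) -> str:
    """Control plane (PDP): after the user authenticates, encode their
    entitlements and an expiry into a signed token they present to PEPs."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,
        "exp": int(now) + ttl,
        "entitlements": POLICY.get(user, []),
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(_sign(body))


def pep_authorize(token: str, host: str, proto: str, port: int,
                  now: float = None):
    """Data plane (PEP), deployed next to the resource: verify the token
    offline, then allow or deny one requested connection.
    Returns (allowed, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    # Verify the signature before trusting anything inside the body.
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(body)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False, "token expired"
    for e in claims["entitlements"]:
        if e["host"] == host and e["proto"] == proto and e["port"] == port:
            return True, "allowed for " + claims["sub"]
    return False, "no entitlement for %s/%s:%d" % (host, proto, port)


def tamper_token(token: str, extra: dict) -> str:
    """An attacker on the endpoint edits the claims to add an entitlement but
    cannot re-sign them; used to show that the PEP rejects the result."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["entitlements"].append(extra)
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + sig_b64


if __name__ == "__main__":
    t = pdp_issue_token("bob")
    print(pep_authorize(t, "erp.corp.example", "tcp", 8443))
    print(pep_authorize(t, "db.corp.example", "tcp", 5432))
    forged = tamper_token(t, {"host": "db.corp.example", "proto": "tcp", "port": 5432})
    print(pep_authorize(forged, "db.corp.example", "tcp", 5432))
```

The point of the structure is that the PEP never needs to call back to the provider’s cloud to decide a connection: the decision was made by the PDP and carried in the token, so the data plane stays inside the enterprise. The PEP checks the signature before reading any claim, so an endpoint that edits its own entitlements is rejected, and the short TTL bounds how long a stolen token remains usable.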

HTBS helps you secure your organization using the Zero Trust approach, which allows you to protect and secure all components of your infrastructure while also providing comprehensive visibility into your attack surface.

Source: Appgate
