Amazon VGT2 Las Vegas: Securing Access to Amazon Virtual Private Clouds with Zscaler Private Access


As organizations migrate their private applications to Amazon Web Services (AWS), it’s crucial to consider how users and administrators will access these resources. Making these applications publicly accessible from the internet is often inadvisable due to the inherent security risks and the need for additional protective infrastructure. The immediate instinct may be to rely on traditional virtual private networks (VPNs) for access, but while VPNs provide the necessary connection (like SSH for administrators or HTTPS for users), they also introduce common issues.

Traditional VPNs necessitate inbound access, which requires extra components to ensure security and availability, adding to complexity and cost. They do not align well with a Zero Trust model, as users gain access to the entire network rather than being limited to the specific resources for which they have permissions. This blog will explore how to implement a Zero Trust framework for accessing applications hosted on AWS via Zscaler Private Access (ZPA). For further insights, see the related blog post.

Understanding Zscaler Private Access

Zscaler Private Access is a cloud service designed to provide Zero Trust access to applications, whether they are hosted in the public cloud or within on-premises data centers. With ZPA, applications remain hidden from the internet, ensuring they are completely inaccessible to unauthorized users. This service connects users to applications through inside-out connectivity instead of extending the network to them, allowing users to remain off the network entirely. This Zero Trust Network Access (ZTNA) model accommodates both managed and unmanaged devices, supporting all types of private applications—not just web apps.

Defining Zero Trust

The term “Zero Trust” gained traction in 2010 through a Forrester Research report by John Kindervag, which argued that all network traffic should be treated as untrusted. This principle has evolved, with the National Institute of Standards and Technology (NIST) publishing its Zero Trust Architecture in August 2020 to further refine these concepts.

Zero Trust Network Access Explained

In April 2019, Gartner released a Market Guide discussing how application access should be restricted based on identity or context. This granular access control minimizes public visibility, thereby reducing the attack surface. Their model introduces concepts like a trusted broker that governs access, a connector that facilitates the connection, and a Service Initiated approach, where a connector resides on the same network as the application and only requires an outbound connection to the broker in the cloud.

Implementing Zero Trust with ZPA

In our modern landscape, resources and users are dispersed across various locations, including cloud platforms and private data centers. ZPA’s cloud-based architecture means that resources are accessible from anywhere in the world, whether for users or other resource consumers like IoT devices. The process begins with authentication and authorization; ZPA supports identity federation using Security Assertion Markup Language (SAML) and can integrate with existing identity management solutions for single sign-on (SSO) purposes. System for Cross-domain Identity Management (SCIM) can be used to update user and group attributes dynamically whenever changes occur in the directory.

Users may connect via corporate-managed devices or personal devices (BYOD). Those using the Zscaler Client Connector (ZCC) can also undergo posture assessments to determine their access level. Upon granting access, a per-session TLS connection is established to the ZPA Service Edge, which brokers the connection following policy verification.

Using a Service Initiated approach, Zscaler App Connectors beside applications communicate availability to the Zscaler Zero Trust Exchange cloud and initiate outbound TLS connections when necessary. When accessing applications on AWS, like in an Amazon Virtual Private Cloud (VPC), security measures need only allow outbound connectivity via a NAT Gateway, keeping applications secure from public internet exposure.
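As an added illustration of the outbound-only posture described above (this is not code from the original post, from Zscaler or from AWS), the following Python check reads the shape of EC2 describe-security-groups and describe-route-tables responses and flags an App Connector subnet that has inbound rules or whose default route goes through an internet gateway rather than a NAT gateway; all sample responses and resource IDs are constructed.

```python
# Added audit check, not from the original post, Zscaler or AWS. Input dicts
# follow the shape of EC2 describe-security-groups / describe-route-tables
# responses; the sample data at the bottom is constructed for illustration.

def ingress_findings(sg):
    """One finding per inbound rule; an outbound-only connector needs none."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        ports = f"{perm.get('FromPort', 'any')}-{perm.get('ToPort', 'any')}"
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        for src in sources:
            findings.append(f"inbound {proto}/{ports} from {src}")
    return findings

def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route (NAT gateway, IGW, ...) or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None

def audit_connector_subnet(sg, route_table):
    """Return a list of findings; an empty list means outbound-only via NAT."""
    findings = ingress_findings(sg)
    target = default_route_target(route_table)
    if target is None:
        findings.append("no default route: connector cannot reach the broker")
    elif not target.startswith("nat-"):
        findings.append(f"default route via {target}: subnet is internet-facing")
    return findings

# Constructed sample responses (IDs are placeholders, not real resources).
GOOD_SG = {"GroupId": "sg-connector", "IpPermissions": []}
BAD_SG = {"GroupId": "sg-legacy", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
NAT_ROUTES = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}
IGW_ROUTES = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}

if __name__ == "__main__":
    for name, sg, rt in (("connector", GOOD_SG, NAT_ROUTES), ("legacy", BAD_SG, IGW_ROUTES)):
        print(name, audit_connector_subnet(sg, rt) or ["ok: outbound-only via NAT"])
```

Feed it real responses from `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables` (selecting the route table associated with the connector's subnet) to run the same check against a live VPC.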

The ZPA Service Edge, integral to the Secure Access Service Edge (SASE) framework, serves as the policy enforcement hub in the cloud, acting as a bridge between the secure user connection and the secure inside-out connection from the App Connector. It allows for detailed policy definitions based on SAML attributes or device posture assessments, ensuring users connect to applications without directly accessing the network. Additionally, comprehensive logs about these connections are available for review in the admin portal or within a company’s Security Information and Event Management (SIEM) system, where data can be streamed from the Zero Trust Exchange.

How ZPA Functions

As a cloud service, ZPA enforces centralized policies globally. Users need not worry about whether an application is private or public; if their policy permits access, they can reach it seamlessly—just like any publicly available application. If access is denied, the application remains invisible. ZPA connects users to private applications via the most efficient path as determined by the Zero Trust Exchange, leveraging geographic awareness and application availability monitoring.

ZPA consists of three core components:

  • ZPA Service Edge (Broker): This serves as the crux of the Zero Trust Exchange, where policies are defined and enforced, and connections are managed using either Zscaler’s or a customer’s certificate authority. Applications can be specified through FQDN/IP and port, or they can be discovered.

