Introduction to ZTA - Implementation options of ZTA Flashcards
What does ZTA stand for?
Zero Trust Architecture
Which document defines the various ZTA implementation approaches?
NIST SP 800-207
What are the two main ZTA implementation approaches defined by NIST?
- ZTA Using Micro-Segmentation
- ZTA Using Network Infrastructure and Software-Defined Perimeters
What is one of the primary ZTA implementation options covered in this unit?
CSA’s SDP
Name another primary ZTA implementation option.
Zero Trust Network Access (ZTNA)
What is the third primary ZTA implementation option mentioned?
Google BeyondCorp
True or False: The unit focuses on ZTA implementation options outside of network architecture.
False
Fill in the blank: The options presented in this unit align with NIST approaches including ZTA Using _______.
Micro-Segmentation
Fill in the blank: The options presented in this unit align with NIST approaches including ZTA Using Network Infrastructure and _______.
Software-Defined Perimeters
What does NIST stand for?
National Institute of Standards and Technology
What is the primary focus of the NIST ZT model?
Designing secure workflows
How many approaches does NIST provide for ZT implementation?
Three approaches
Name one of the three NIST ZTA approaches.
ZTA using Enhanced Identity Governance
Name another NIST ZTA approach.
ZTA using Micro-Segmentation
Name the last NIST ZTA approach.
ZTA using Network Infrastructure and Software Defined Perimeters
What factors influence the selection of a NIST ZT approach?
Existing business flows, requirements, and cybersecurity maturity level
True or False: A fully-realized ZT solution incorporates elements from all three NIST ZTA approaches.
True
Fill in the blank: The unit focuses on NIST approaches for ‘ZTA Using _______’ and ‘ZTA Using Network Infrastructure and Software-Defined Perimeters’.
Micro-Segmentation
What does NIST SP 800-207 outline?
ZT tenets
What is the significance of policy rules in NIST ZT approaches?
They vary according to the components used and the organization’s environment
Subsequent ZT training courses provide what?
A more comprehensive and expanded overview of NIST’s approach to ZT
What is the Software-Defined Perimeter (SDP)?
An approach to enabling and enforcing Zero Trust principles by providing dynamically provisioned air-gapped networks.
What does Zero Trust (ZT) require in terms of access verification?
Verification of anything and everything attempting to access assets prior to authorization.
How does SDP improve security posture?
By defending against new variations of old attack methods and adapting to expanding attack surfaces.
What is the default policy enforced by the SDP gateway?
Drop-all policy until users/devices are authenticated and authorized.
List the major components of SDP architecture.
- Client/initiating host (IH)
- Service/accepting host (AH)
- SDP controller
- SDP gateway
What is the role of the SDP controller?
Secures access to isolated services by ensuring authentication, authorization, device validation, and secure communications.
What types of devices can act as the initiating host (IH)?
Laptops, tablets, and smartphones.
True or False: The AH devices typically reside on a network under the enterprise’s control.
True.
What are the four key responsibilities of the SDP controller?
- Users are authenticated and authorized
- Devices are validated
- Secure communications are established
- User and management traffic remain separate
What deployment options are available for implementing SDP?
- Client-to-Gateway
- Client-to-Server
- Server-to-Server
- Client-to-Server-to-Client
- Client-to-Gateway-to-Client
- Gateway-to-Gateway
What principle ensures that users can only access resources they are explicitly granted permissions to?
Principle of least privilege.
What must be verified before the IH can connect to the AH?
The IH and users must be authenticated and authorized by the controller.
Fill in the blank: SDP controllers should be designed for high _______ to withstand attacks.
availability
What should be considered when deploying gateways in an SDP?
They can block a service in the event of failure or overload.
How can SDP controllers inform access policies?
Through internal user-to-service mapping or connections to third-party services.
What is a common use case for deploying Zero Trust Architecture (ZTA) with multiple cloud providers?
Managing a local network while using two or more cloud service providers for hosting applications/services and data.
What is a prominent use case of ZTA?
Cross-enterprise collaboration
In a cross-enterprise collaboration, which enterprises are involved in the hypothetical project example?
Enterprise A and Enterprise B
Who manages the project database in the collaboration between Enterprise A and Enterprise B?
Enterprise A
What is required for Enterprise B employees in the context of accessing data from Enterprise A?
Specialized accounts
What must be denied to all other resources for Enterprise B employees accessing data from Enterprise A?
Access
What can complicate the management of access permissions between Enterprise A and Enterprise B?
The approach of setting up specialized accounts
What system can streamline the configuration of permissions for cross-enterprise collaboration?
Federated ID management system
What is necessary for both organizations’ PEPs in a federated ID community?
Authenticate subjects
What are the main advantages of SDP?
Maturity and widespread adoption
SDP has been supported by prominent enterprises and institutions such as the DOD.
What types of deployments is SDP used for?
Hybrid and multi-cloud deployments, VPN replacement, securing IoT
SDP is implemented across various industries for differing purposes.
What ongoing events contribute to SDP’s popularity?
Regular hackathons testing SDP’s attack durability
These events help validate the security of SDP.
What mechanisms are effective for enforcing ZT principles in SDP?
SPA and mTLS
These mechanisms enhance security without compromising user experience.
How does SDP improve user experience?
Provides robust security while replacing legacy solutions
SDP can enhance the overall experience for users.
Is SDP easy to implement?
Yes, it is relatively easy to implement and can complement existing solutions
Organizations can adopt a gradual implementation or migration to SDP.
What kind of environments can SDP protect?
Highly complex deployments, such as hybrid and multi-cloud environments
SDP’s distributed and scalable nature aids in protecting these environments.
What is a built-in feature of SDP’s architecture?
High availability
This feature ensures that services remain accessible.
What is a major disadvantage of SDP?
Requirement for client agent installation on each endpoint
This can complicate deployment for organizations.
What access methods are primarily supported by SDP?
Traditional user access methods
API-based, micro-service, and serverless access methods are not well-supported.
What does ZTNA stand for?
Zero Trust Network Access
Which three models have influenced ZTNA?
CSA’s SDP, Google’s BeyondCorp, and ZTNA itself
What is the primary premise of ZTNA?
Neither users nor applications are behind the perimeter
What are the two distinct architectures of ZTNA?
- Endpoint-initiated ZTNA
- Service-initiated ZTNA
What is a key feature of endpoint-initiated ZTNA?
A lightweight agent is installed on the end-user’s device
What is a disadvantage of endpoint-initiated ZTNA?
Difficult to implement on unmanaged devices
How does service-initiated ZTNA function?
Uses a broker between the user and the application
What is the role of the lightweight ZTNA connector in service-initiated ZTNA?
Establishes an outbound connection from the service to the ZTNA service broker
What does ZTNA assume about the user access environment?
It assumes a hostile user access environment
What principle does ZTNA operate under regarding user access?
Never trust, always verify
What is a major advantage of using ZTNA?
Reduces the attack surface by hiding services behind brokers
In what mode can ZTNA be implemented?
- Stand-alone product
- As a service
What are some advantages of cloud-based ZTNA?
- Scalability
- Ease of adoption
What is a significant disadvantage of ZTNA in terms of malicious actors?
Cannot guard against malicious actors already inside the perimeter
What technology provides continuous inspection beyond initial connection authorization?
Secure access service edge (SASE)
What is a challenge related to policy management in ZTNA?
Orders of magnitude more complex for programmatic access
Fill in the blank: ZTNA is often considered a _______ replacement.
VPN
True or False: ZTNA can guard against all types of malicious actors.
False
What is BeyondCorp?
Google’s internal network and access security platform designed to enable employee access to internal resources
BeyondCorp Enterprise is available to organizations with Google-based IT infrastructures.
What is the primary component of BeyondCorp?
The web proxy
It acts as the chokepoint every user/device needs to traverse to access the organization’s resources.
List notable features of BeyondCorp.
- Any access to protected resources is done via proxy
- Device and user identities are checked using a device inventory and user/group database
- 802.1x protocol is used for verifying managed devices and providing micro-segmentation
- An access control engine authorizes the organization’s applications and services
- A data pipeline feeds additional information into the access control engine
Additional information includes location, device/user trust levels, etc.
How does BeyondCorp comply with Zero Trust (ZT) principles?
- Device/user must be authenticated and authorized by the access proxy before connecting to enterprise applications
- The access proxy denies any access request from unauthenticated users or devices
- Each access request is handled separately by the access proxy, following the principle of least privilege
- The access proxy is continuously monitored, logging all network communications
This includes both legitimate and illegitimate access attempts.
Fill in the blank: The access proxy in BeyondCorp is the _______ of all access attempts and communication.
choke point
True or False: BeyondCorp allows access requests from unauthenticated users.
False
What protocol is used in BeyondCorp to verify managed devices?
802.1x
What does the access control engine in BeyondCorp do?
Provides authorization for the organization’s applications and services
Fill in the blank: BeyondCorp uses a _______ to check device and user identities.
device inventory and user/group database
What is the purpose of the data pipeline in BeyondCorp?
To feed additional information into the access control engine
What is BeyondCorp?
Google’s proprietary implementation of Zero Trust Architecture (ZTA)
BeyondCorp focuses on providing secure access to applications without relying on traditional perimeter security.
What are the limited implementation options for BeyondCorp?
Some organizations implement a simplified version using an access proxy only
This means additional components like device inventory and trust engine are left out.
What is the Service Initiated (Remote Application Access) approach in BeyondCorp?
A connector is deployed on the same network as shared applications to establish an outbound session
Users/devices authenticate with the provider to access protected applications.
How does the authentication workflow function in BeyondCorp’s implementation?
Users are forced through an authentication workflow before access is granted
This prevents direct access to applications until the authentication process is complete.
What is the significance of the agentless model in BeyondCorp?
Agent software is not required on the connecting device
Application access occurs over HTTP/HTTPS at layer 7 of the OSI model.
What are the advantages of BeyondCorp?
Does not require client agent installation on devices, although devices must be registered in the inventory
Each device is assigned a unique certificate.
What are the disadvantages of BeyondCorp?
Less flexible, difficult to integrate with existing security mechanisms, lack of strong cryptographic controls
Compared to SDP, BeyondCorp’s access proxy is less scalable and secure.
True or False: BeyondCorp requires client agent installation on connecting devices.
False
BeyondCorp does not require client agent installation, but devices should be registered.
Fill in the blank: BeyondCorp’s lack of strong cryptographic controls makes it less secure than _______.
SDP
Strong cryptographic controls are necessary for implementing an invisible cloud.
What role does the access proxy play in BeyondCorp?
It handles both control and data traffic
This makes it less scalable and secure compared to the SDP controller.