Zero Trust Network Access - Coggle Diagram
Zero Trust Network Access
- Zero Trust Adaptive Identity / Adaptive authentication / Risk-based authentication
  - Method of access to data
  - Matches the user's credentials against the risk of the requested authorization
- Zero Trust Threat Scope Reduction / Risk Avoidance
  - Reduced scope of threats
  - Supports agility
  - Supports complexity
- Zero Trust Control Plane
  - Separate from the Data Plane
  - Contains:
    - Policy Decision Point (PDP)
      - Policy Engine (PE)
      - Policy Administrator (PA)
        - Enables the communication path between a subject and a resource via commands to the associated Policy Enforcement Points (PEP)
        - Shuts the communication path between a subject and a resource via commands to the associated Policy Enforcement Points (PEP)
        - The PA communicates with the PEP over the Control Plane when creating the communication path
- Zero Trust Data Plane
  - Explicit trust zones
    - Data center
    - DMZ (demilitarized zone) / public access zones
    - The public internet
    - Cloud computing subnets, such as private or VPN-only subnets
    - Honeynets
  - Policy Enforcement Points (PEP)
    - Network-based PEPs
      - SDP access gateways
      - Network L2 switches / ML switches
      - Edge firewall appliances
      - Authentication proxy servers
      - Edge routers
    - Application-based PEPs
      - API gateways
        - Accept WebSocket APIs
        - Accept RESTful APIs
      - Resource groups
      - Network VLANs
      - Code repositories
      - Very trusted cloud services
- EVERYONE MUST BE VERIFIED
- GRANT ONLY THE MINIMUM ACCESS NEEDED
- Continuous monitoring and validation: any change of identity, context or security posture is re-evaluated and access is revoked
- Verification is accomplished in different ways depending on the implementation
  - Includes 3 major pillars to verify:
    - Context (How is the user trying to access the resource?)
      - Least privilege (grant only the minimum access needed)
    - Security (focuses on the device the user is connecting from)
      - Is your machine secure?
      - Check that software such as antivirus is running
      - OS is updated
      - Extended to make sure that several different conditions are met before granting access
    - Identity
      - Authorization (Are you authorized for that resource?)
      - Authentication (Are you who you claim to be?)
      - Identification (Who are you?)
      - Includes MFA
- Examples of ZTNA on:
  - SASE (Secure Access Service Edge) (cloud)
    - Cato
    - Cloudflare
    - Zscaler
    - Palo Alto Prisma
  - Physical network (data center / HQ location)
    - Palo Alto
    - Check Point
    - Fortinet