
Zero Trust and Trust IAP Architecture: A Deep Dive into the Engine
Implementing a Zero Trust model requires a comprehensive approach spanning all infrastructure layers. Trust IAP (Identity Aware Proxy) from Trust Tech is a powerful tool for building such an architecture, providing granular access control and protection against unauthorized intrusion. In this article, we will take a detailed look at the key components of Trust IAP and their role in implementing the principles of ZTNA (Zero Trust Network Access), with a focus on device posture checking, adaptive access policies, and scalability of the solution.
Overview of Trust IAP
Trust IAP acts as a solution that implements some components of SASE (Secure Access Service Edge), providing secure access to applications and data, regardless of the user's or device's location. For more detailed information about the SASE architecture, you can refer to Gartner's definition. Its primary function is to act as an intermediary between the user and the protected resources, thereby hiding the internal infrastructure and reducing the attack surface. Trust IAP uses advanced MFA (Multi-Factor Authentication) and contextual verification to grant access, based not only on user identification, but also on the state of their device, their location, and other factors.
Device Posture Checking
One of the key elements of the Zero Trust architecture is device posture checking. This means that before granting access to resources, Trust IAP must ensure that the device meets certain security requirements. This includes checking for the presence of antivirus software, the currency of the operating system, compliance with encryption policies, and other parameters. Trust IAP implements device posture checking as follows:
Gathering Device Information
The first step is to gather information about the device. Trust IAP uses special agents installed on end devices to collect data about the configuration, installed software, and security level. These agents can collect the following information:
- Operating system and its version
- Presence and status of antivirus software
- Presence and status of firewall
- Whether disk encryption is enabled
- Presence of the latest security updates
- Installed applications
- Compliance with password protection policies
The collected data is transmitted to Trust IAP for further processing and evaluation.
Evaluating Policy Compliance
The received information is compared against defined security policies. These policies can be configured by the administrator according to the organization's requirements. For example, you can set a policy that requires the presence of antivirus software with up-to-date databases, as well as mandatory disk encryption for devices used to access certain resources. Trust IAP evaluates the device's compliance with these policies and assigns a score.
Actions Based on Evaluation
Depending on the compliance score, Trust IAP decides whether to grant, restrict, or block access. The following scenarios are possible:
- Full access: If the device fully complies with security policies, it is granted full access to the requested resources.
- Limited access: If the device does not comply with some policies but does not pose a serious threat, it may be granted limited access. For example, the device may be allowed to view publicly available information, but not to modify confidential data.
- Access blocked: If the device does not comply with critical security policies, it is blocked from accessing all resources. In this case, the user may be prompted to correct the deficiencies (e.g., install antivirus or update the operating system) and try again.
- Quarantine: In some cases, the device may be placed in quarantine, where it is isolated from the main network and is only given access to the resources necessary to fix security issues.
In addition, Trust IAP can automatically take action to correct inconsistencies. For example, it may prompt the user to install missing security updates or enable disk encryption.
Examples of Security Policies
To illustrate, consider several examples of security policies that can be implemented using Trust IAP:
- Policy for Accessing Financial Data: Requires the presence of antivirus software with up-to-date databases, enabled disk encryption, and compliance with minimum password complexity requirements.
- Policy for Accessing Email: Requires the presence of antivirus software and an up-to-date operating system.
- Policy for Guest Devices: Provides limited access to the Internet through a separate VLAN, without access to internal company resources.
These policies can be configured to meet the specific needs of the organization and level of risk.
Advantages of Device Posture Checking
Implementing device posture checking with Trust IAP offers several advantages:
- Increased security level: Reducing the attack surface by preventing access from devices that do not comply with security policies.
- Reduced risk of malware infection: Preventing the spread of malware across the company network.
- Compliance with regulatory requirements: Ensuring compliance with regulatory requirements in the area of data protection.
- Improved visibility of device status: Obtaining information about the security status of devices used to access company resources.
Adaptive Access Policies
Adaptive access policies are a key component of Zero Trust. They allow dynamically changing the level of access to resources depending on the context of the request. Instead of static rules that grant access based solely on user identification, adaptive policies take into account many factors, such as:
Contextual Factors
- User Location: Where the user is trying to access from (country, city, company network, public Wi-Fi).
- Time of Day: What time of day the access attempt is being made.
- Device Type: What type of device is being used to access (laptop, smartphone, tablet, unauthorized device).
- Device Posture: Does the device comply with security policies (antivirus presence, up-to-date updates, disk encryption).
- User Behavior: Analyzing user behavior for anomalies (e.g., attempts to access resources that they do not normally access, or an unusually large number of requests).
- Data Sensitivity: What data the user is trying to access (confidential financial data, personal data, publicly available information).
- Application Trust Level: How trustworthy the application through which access is made is.
Implementation of Adaptive Access Policies in Trust IAP
Trust IAP uses a powerful context analysis mechanism to make access decisions. It integrates with various data sources, such as:
- Identity and Authentication Systems: To obtain information about users and their groups.
- Mobile Device Management (MDM) Systems: To obtain information about device status.
- SIEM (Security Information and Event Management) Systems: To obtain information about security events and anomalies in user behavior.
- Geo-IP Databases: To determine the user's location by IP address.
- Traffic Analysis Systems: To monitor network activity and detect suspicious behavior.
Based on the information collected, Trust IAP applies customizable rules that determine the level of access to resources. These rules can be very granular and take into account many factors simultaneously.
Examples of Adaptive Access Policies
Consider several examples of adaptive access policies that can be implemented using Trust IAP:
- Access to Financial Data:
- If the user is on the company network, the device complies with security policies, and the time of day is working hours, then full access is granted.
- If the user is outside the company network, the device complies with security policies, and the time of day is working hours, then MFA (Multi-Factor Authentication) is required.
- If the user is outside the company network, the device does not comply with security policies, or the time of day is not working hours, then access is blocked.
- Access to Email:
- If the user is on the company network, then full access is granted.
- If the user is outside the company network, then access is granted only through a secure VPN tunnel.
- If the user is in a country with a high level of cyber threats, then access is blocked.
- Access to Publicly Available Information:
- Access is granted at all times, regardless of the user's location, device type, or device status.
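The posture scenarios (full, limited, blocked) and the three adaptive policies above, combined into one decision function. This is an added illustration, not Trust IAP code: the Posture fields, the resource names and the choice of which controls count as critical are assumptions, and the email policy here also applies the email posture requirements given earlier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Posture:
    """Fields an endpoint agent would report (constructed, not Trust IAP's schema)."""
    antivirus_current: bool   # AV present with up-to-date databases
    disk_encrypted: bool
    os_patched: bool          # latest security updates installed
    password_policy_ok: bool  # meets minimum complexity requirements

@dataclass(frozen=True)
class Context:
    posture: Posture
    on_corp_network: bool
    working_hours: bool
    high_risk_country: bool
    via_vpn: bool

# Per-resource posture requirements, taken from the article's policy examples.
REQUIRED = {
    "financial": ("antivirus_current", "disk_encrypted", "password_policy_ok"),
    "email": ("antivirus_current", "os_patched"),
    "public": (),
}
CRITICAL = {"antivirus_current", "disk_encrypted"}  # assumed: a gap here blocks outright

def posture_level(p: Posture, resource: str) -> str:
    """Device-only decision: full, limited (non-critical gaps) or blocked (critical gap)."""
    failed = [c for c in REQUIRED[resource] if not getattr(p, c)]
    if CRITICAL.intersection(failed):
        return "blocked"
    return "limited" if failed else "full"

def decide(resource: str, ctx: Context) -> str:
    """Contextual decision: full, mfa_required, vpn_required or blocked."""
    if resource == "public":
        return "full"                         # granted regardless of context
    compliant = posture_level(ctx.posture, resource) == "full"
    if resource == "financial":
        if not compliant or not ctx.working_hours:
            return "blocked"
        return "full" if ctx.on_corp_network else "mfa_required"
    if resource == "email":
        if ctx.high_risk_country or not compliant:
            return "blocked"
        if ctx.on_corp_network:
            return "full"
        return "full" if ctx.via_vpn else "vpn_required"
    raise ValueError(f"unknown resource {resource!r}")

if __name__ == "__main__":
    laptop = Posture(True, True, False, True)   # constructed: one OS patch missing
    print(posture_level(laptop, "email"), decide("financial", Context(laptop, False, True, False, False)))
```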
Advantages of Adaptive Access Policies
Implementing adaptive access policies with Trust IAP offers several advantages:
- Increased Security Level: Protecting resources from unauthorized access by dynamically changing the level of access depending on the context.
- Reduced Operational Costs: Automating the access management process and reducing the number of manual operations.
- Improved User Experience: Providing users with convenient and secure access to resources, regardless of their location or device type.
- Compliance with Regulatory Requirements: Ensuring compliance with regulatory requirements in the area of data protection.
- Flexibility and Scalability: The ability to quickly adapt access policies to changing business needs.
Scalability Under Load
As the number of users and devices accessing corporate resources keeps growing, the scalability of a ZTNA solution becomes critically important. Trust IAP from Trust Tech is designed with high performance and scalability requirements in mind, allowing organizations to handle large volumes of traffic and support thousands of simultaneous connections. For specific figures on Trust IAP scalability, refer to the official Trust Tech documentation.
Trust IAP Architecture for Scalability
Trust IAP uses a modern microservices architecture, which allows scaling individual components of the system independently of each other. This means that if, for example, the load on the authentication module increases, you can increase the number of instances of this module without affecting other parts of the system. The main components of Trust IAP that affect scalability:
- Identity Provider (IdP) Integration: Trust IAP integrates with various Identity Providers (IdPs) for user authentication. It supports standards such as SAML (Security Assertion Markup Language) and OIDC (OpenID Connect), which allows using existing authentication systems and scaling them independently of Trust IAP. Additional information about the SAML and OIDC standards can be found, for example, on the Okta website.
- Policy Enforcement Point (PEP): The PEP is the component that makes access decisions based on policies. Trust IAP uses a distributed PEP architecture, which allows scaling this component horizontally by adding new PEP instances as needed.
- Trust Gateway: Trust Gateway is the component that provides secure access to protected resources. Trust IAP clusters Trust Gateway instances, which distributes the load between multiple Trust Gateway servers and ensures high availability of the solution.
- Caching: Trust IAP uses caching mechanisms to reduce the load on authentication and authorization servers. Frequently used data, such as information about users, groups, and policies, is cached.
Scaling Mechanisms
Trust IAP supports various scaling mechanisms:
- Vertical Scaling: Increasing the computing power of existing servers (e.g., increasing the amount of RAM or adding new processors).
- Horizontal Scaling: Adding new servers to the cluster.
- Automatic Scaling: Automatically adding or removing servers depending on the current load. This allows Trust IAP to dynamically adapt to changing needs and ensure optimal performance.
Performance Optimization
In addition to scalability, Trust IAP also provides opportunities for performance optimization:
- Policy Configuration: Optimizing access policies reduces the load on the authorization system.
- Caching: Using caching reduces the load on authentication and authorization servers.
- Traffic Compression: Using traffic compression reduces the load on network channels.
- Geographic Distribution: Placing Trust IAP components in different geographic regions reduces latency and improves user experience.
Advantages of Trust IAP Scalability
Ensuring scalability with Trust IAP offers several advantages:
- Support for Large Volumes of Traffic: Trust IAP is capable of handling large volumes of traffic and supporting thousands of simultaneous connections.
- High Availability: Trust IAP provides high availability of the solution through clustering and automatic failover to backup servers in the event of a failure.
- Flexibility and Adaptability: Trust IAP can dynamically adapt to changing needs and ensure optimal performance.
- Reduced Operational Costs: Automatic scaling reduces operational costs by optimizing resource utilization.
- Protection of Investments: Trust IAP scalability allows organizations to protect their infrastructure investments by enabling further expansion as the business grows.
In conclusion, Trust IAP from Trust Tech is a powerful and scalable solution for implementing a Zero Trust architecture. Thanks to device posture checking, adaptive access policies, and a scalable architecture, Trust IAP provides a high level of security and usability for users.
Frequently Asked Questions about Trust IAP and Zero Trust Architecture
What is Trust IAP and what role does it play in Zero Trust architecture?
Trust IAP (Identity Aware Proxy) from Trust Tech is a tool for building Zero Trust architecture, providing granular access control and protection against unauthorized intrusion. It acts as an intermediary between the user and the protected resources, hiding the internal infrastructure and reducing the attack surface.
What is device posture assessment and how does Trust IAP implement it?
Device posture assessment is the process of verifying that a device meets certain security requirements before granting access to resources. Trust IAP uses special agents to collect information about the device (OS, antivirus, encryption, etc.), evaluates compliance with policies, and makes a decision to grant, restrict, or block access.
What contextual factors are considered when implementing adaptive access policies in Trust IAP?
Adaptive access policies in Trust IAP take into account many contextual factors, such as: user location, time of day, device type and status, user behavior, data sensitivity, and the level of trust in the application.
What are the benefits of implementing adaptive access policies using Trust IAP?
Implementing adaptive access policies with Trust IAP increases security, reduces operating costs, improves user experience, ensures compliance with regulatory requirements, and provides flexibility and scalability.
What is an Identity Provider (IdP) and how does Trust IAP integrate with them?
An Identity Provider (IdP) is the system that authenticates users and asserts their identity to other services. Trust IAP integrates with various IdPs, supporting standards such as SAML and OIDC, allowing you to use existing authentication systems.
What scaling mechanisms does Trust IAP support?
Trust IAP supports vertical scaling (increasing server power), horizontal scaling (adding new servers), and automatic scaling (dynamically adding/removing servers depending on the load).
Which components of the Trust IAP architecture affect scalability?
The following components affect the scalability of Trust IAP: integration with Identity Provider (IdP), Policy Enforcement Point (PEP), Trust Gateway, and caching mechanisms.
What benefits does Trust IAP scalability provide?
Trust IAP scalability provides support for large volumes of traffic, high availability, flexibility and adaptability, reduced operating costs, and protection of infrastructure investments.