How does cipherscale provide Zero Trust Network Access (ZTNA)
Zero Trust Network Access (ZTNA) is a security model that operates on the principle of "never trust, always verify." Unlike traditional security models that rely on perimeter defenses, ZTNA assumes that threats can exist inside and outside the network. Therefore, strict identity verification is required for every person and device attempting to access resources on a network, regardless of their location.
Main Features of Zero Trust Network Access:
- Identity Verification: Every user and device must be authenticated and authorized before accessing resources. This often involves multi-factor authentication (MFA).
- Least Privilege Access: Users are granted the minimum level of access necessary to perform their tasks. This limits the potential damage from compromised accounts.
- Micro-Segmentation: The network is divided into smaller, isolated segments to contain potential breaches and limit lateral movement.
- Continuous Monitoring: Ongoing monitoring of device health is essential. Any anomalies can trigger alerts or automatic responses.
Cipherscale allows for the easy implementation of the ZTNA security model through its inherent operation and by providing the features needed for the configuration of zero trust controls. Let us examine how cipherscale fulfills the ZTNA principles:
- Identity Verification: Identity verification is required to start a cipherscale session from any device. User authentication is delegated to Google or Microsoft as the OpenID Connect (OIDC) identity provider (IdP), or to a SAML identity provider. Therefore, the use of MFA, password complexity policy, and conditional access is entirely under the customer's control. Because local user accounts cannot be created, account misuse is prevented and identity and account management stays centralized.
- Least Privilege Access: Private resources in cipherscale are defined by domain name or IP address, which encourages defining granular resources rather than granting network-wide access. Additional restrictions can be set on the application protocols allowed when defining a private resource. Access privileges can be configured at a finer granularity than user groups: a specific user, or a particular user's device, can be granted different access privileges. Together, these capabilities let cipherscale provide least privilege access for a user group, a user, or a specific user's device.
- Micro-Segmentation: Cipherscale allows one to create multiple cipherscale spaces under the same account, and each space can be used to segment the network. For example, one space can be dedicated to the business's IoT network, while another is devoted to the business's financial operations.
  Cipherscale's inherent operation also creates an identity-based microsegment automatically and prevents lateral movement. After admission and access policy checks are cleared, routes to the authorized applications are added to the device on demand. At the same time, firewalls are provisioned in the gateway, allowing access to the specific app from that specific authorized device. Least privilege access combined with the gateway firewall functionality gives a robust micro-segmentation implementation.
- Continuous Monitoring: Cipherscale access policies are linked to admission rules that are checked before an access decision is made and are continuously re-evaluated afterwards. This allows different admission rules depending on the application being accessed. For example, access to an internet application might require only antivirus software, while access to a sensitive private app might require disk encryption and the presence of a digital certificate. Admission rules can be based on the device's location, the time of day, and the device posture factors below:
  - Device OS (Android, iOS, macOS, Windows) and OS version
  - Presence of a digital certificate
  - Disk encryption
  - Use of antivirus software
  - Presence of a specific application or process
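As an added illustration (not cipherscale's own code or policy format), the following Python models how per-resource admission rules of the kind described above can be evaluated against a device's reported posture, and how re-running that evaluation on every posture report turns an earlier "allow" into a revocation when a required control disappears. The resource names, field names, the single minimum OS version and the "revoke" verdict are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of posture-based admission rules; not cipherscale's own code.
@dataclass(frozen=True)
class DevicePosture:
    os_name: str                       # Android, iOS, macOS or Windows
    os_version: tuple                  # e.g. (10, 0)
    has_certificate: bool = False
    disk_encrypted: bool = False
    antivirus_running: bool = False

@dataclass(frozen=True)
class AdmissionRule:
    allowed_os: frozenset = frozenset()      # empty means any OS
    min_os_version: tuple = ()               # empty means any version (assumed: one floor for all OSes)
    required_flags: frozenset = frozenset()  # DevicePosture booleans that must be True

def unmet_requirements(rule: AdmissionRule, p: DevicePosture) -> list:
    """Every requirement the device fails; an empty list means admitted."""
    failures = []
    if rule.allowed_os and p.os_name not in rule.allowed_os:
        failures.append(f"os {p.os_name} not permitted")
    if rule.min_os_version and p.os_version < rule.min_os_version:
        failures.append(f"os version {p.os_version} below {rule.min_os_version}")
    failures += [f"{f} required" for f in sorted(rule.required_flags) if not getattr(p, f)]
    return failures

# Rules keyed by private resource domain name (constructed names), mirroring the page's
# example: an internet app needs only antivirus, the sensitive finance app needs more.
POLICIES = {
    "news.corp.example": AdmissionRule(required_flags=frozenset({"antivirus_running"})),
    "ledger.finance.example": AdmissionRule(
        allowed_os=frozenset({"macOS", "Windows"}), min_os_version=(10, 0),
        required_flags=frozenset({"has_certificate", "disk_encrypted"})),
}

def decide(resource: str, posture: DevicePosture) -> tuple:
    rule = POLICIES.get(resource)   # a resource with no rule is denied by default
    failures = ["no admission rule for resource"] if rule is None else unmet_requirements(rule, posture)
    return ("allow" if not failures else "deny", failures)

def continuous_evaluation(resource: str, posture_reports) -> list:
    """Re-decide on every posture report; an admitted device that later fails gets 'revoke'."""
    history, admitted = [], False
    for posture in posture_reports:
        verdict, why = decide(resource, posture)
        if verdict == "deny" and admitted:
            verdict = "revoke"
        admitted = verdict == "allow"
        history.append((verdict, why))
    return history
```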