Typical network security of the past relied on the notion of network perimeter, with the assumption that “Trust, but Verify” was sufficient. Trust was granted based on whether the user, device, or application was inside or outside these network boundaries.
Perimeter networks are protected by security barriers and once these are crossed, trust is given, and users/devices can roam and make lateral movements while gaining access to resources and sensitive information. This type of perimeter network security has created a threat conduit for malicious actors if they get past it. Once inside, they have access to data, apps, and resources. With resources and services residing anywhere in the physical and cloud networks, the attack surface has expanded significantly. Therefore, it is critical that security access evolves rapidly beyond typical perimeter security.
The benefits of the “Zero Trust” approach
Zero Trust Network Access (ZTNA) is an emerging security architecture based on eliminating inherent trust and relying on the principle of “Never Trust, Always Verify.” ZTNA requires regular authentication and authorization checks of the “Subject” before entrusting access to a “Resource.” When a resource is requested, an identity assessment is performed, and, based on current contextual factors such as user identity, type of service, and so forth, ZTNA allows “least privilege” access to a specific service, rather than the entire network, for that authorized entity.
ZTNA applies the “Zero Trust” approach regardless of whether the entity is inside or outside of the security perimeter and always verifies before granting access. This protects data safety and integrity and makes ZTNA a key enabler for the transformation from perimeter security with a static, data-center-centric approach to a more dynamic, policy-based, and contextually driven approach that secures today’s distributed and cloud-based network resources. Because of the elastic, dynamic, and distributed nature of today’s networks, validation of performance, security, and user experience becomes even more critical for the success of organizations.
Validating ZTNA and the impact on end-user quality of experience
Spirent supports Zero Trust Network Access architectures with the new CyberFlood ZTNA Test Builder. The solution helps validate the performance, scalability, and effectiveness of ZTNA Policy Enforcement Points (PEP) and the impact on end-user Quality of Experience (QoE).
CyberFlood test agents interact with Policy Enforcement Points (PEP) and the Identity Provider (IdP) with simulated authorized and unauthorized users, emulating traffic and accessing protected applications.
For example, in the following diagram three users attempt to access an HTTPS-based application. User 1 is authorized to access the app and User 3 is not. User 2 cannot be authenticated (due to a bad password). The flow is:
1. User requests access to the protected app
2. Policy Enforcement Point (PEP) intercepts the request and redirects the user for authentication
3. User identity and authorization for accessing the app are validated
4. Traffic flows based on the policy assessment
The CyberFlood report shows the status and related statistics for authorized and unauthorized users attempting to access protected apps. The CyberFlood ZTNA live and final reports provide the progression of Attempted Requests, Successful Identity Sessions, Unsuccessful Authentication, and Unsuccessful Authorization. The detailed reporting also offers statistics of Failed Authentication and Failed Authorization on a per-user basis.
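The request flow above and the report counters it feeds can be modeled in a few lines. The following is an added example, not Spirent's or CyberFlood's code: a toy PEP that authenticates against a constructed IdP directory, applies a per-app least-privilege policy, and tallies the same four report categories for the three users in the diagram (the SAML/OIDC redirect itself is abstracted away; the user names, passwords and app name are constructed).

```python
import hmac
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample IdP directory and per-app authorization policy
# (hypothetical data for this example, not a real deployment).
IDP_USERS = {"user1": "pw-one", "user2": "pw-two", "user3": "pw-three"}
APP_POLICY = {"https-app": {"user1"}}  # only user1 may reach the protected app


@dataclass
class PepReport:
    """Counters mirroring Attempted Requests, Successful Identity Sessions,
    Unsuccessful Authentication and Unsuccessful Authorization, plus per-user failures."""
    attempted: int = 0
    identity_sessions: int = 0
    failed_authn: int = 0
    failed_authz: int = 0
    per_user: Counter = field(default_factory=Counter)


def pep_decide(report: PepReport, user: str, password: str, app: str) -> str:
    """Model of the flow: intercept the request, authenticate at the IdP,
    then authorize against the app policy. Returns 'allow', 'authn_failed'
    or 'authz_failed' and updates the report counters."""
    report.attempted += 1
    expected = IDP_USERS.get(user)
    # Step 2/3: authentication at the IdP. An unknown user and a wrong
    # password both fail; compare_digest avoids a timing side channel.
    if expected is None or not hmac.compare_digest(expected, password):
        report.failed_authn += 1
        report.per_user[(user, "failed_authentication")] += 1
        return "authn_failed"
    report.identity_sessions += 1
    # Step 3: least privilege. A valid identity session grants access to
    # this one app only if the policy names the user for it.
    if user not in APP_POLICY.get(app, set()):
        report.failed_authz += 1
        report.per_user[(user, "failed_authorization")] += 1
        return "authz_failed"
    return "allow"  # Step 4: traffic flows


def run_scenario() -> tuple[dict, PepReport]:
    """Replay the three users from the diagram against the protected app."""
    report = PepReport()
    results = {
        "user1": pep_decide(report, "user1", "pw-one", "https-app"),
        "user2": pep_decide(report, "user2", "wrong-password", "https-app"),
        "user3": pep_decide(report, "user3", "pw-three", "https-app"),
    }
    return results, report
```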
CyberFlood ZTNA Test Builder is capable of emulating malicious and non-malicious traffic at scale to:
Validate the performance, scalability, and effectiveness of secure ZTNA Policy Enforcement Points (PEPs) based on SAML and OIDC
Measure the scale of Okta Identity Provider (IdP) integration and measure the impact of an IdP on PEP responsiveness
Proactively assess functionality, performance, and efficacy of Zero Trust PEPs and policies on a continuous or periodic basis to monitor for any undesirable or unintended deviations
See ZTNA Validation in action in our latest demo video
Learn how Spirent security test solutions, including the newly released CyberFlood ZTNA Test Builder, can help verify the performance and security strength of your organization.