Use Case 1 - Remote Application Access

Zero Trust architecture eliminates the traditional chokepoints seen in the legacy Trusted Internet Connection (TIC) and in DOD Joint Regional Security Stacks (JRSS), Internet Access Points (IAP), and Cloud Access Points (CAP). Decentralizing these chokepoints into a distributed architecture that aligns with the NIST Special Publication 800-207 policy enforcement point, policy engine, and policy decision point (PEP/PE/PDP) framework may improve security and support digital transformation initiatives. Providing secure access from anywhere, on any network, that gives a user the right access under the right conditions is vital. NIST SP 800-207 outlines three approaches to Zero Trust: software-defined networking or perimeter, identity governance, and application micro-segmentation. The three areas may interact, but each focuses on a specific piece of an access attempt.

  1. Software-defined perimeter and network infrastructure are focused on delivering and routing network and internet traffic.
  2. Identity governance is focused on uniquely identified people or things requesting access.
  3. Application micro-segmentation is focused on network segmentation but also relies on identity governance.

  • Access to enterprise applications is based on the network location. Enterprise applications hosted in agency data centers usually require users to be on an agency network either directly, through a VPN, or a virtual desktop solution.
  • With the increase in remote access and telework, VPNs are highlighted as a potential single point of failure if on-premise VPN infrastructure cannot sustain the high traffic volume. Many agency services are media (video conferencing, video training, YouTube, or Skillport videos), which also consume large amounts of bandwidth. The high volume creates a bandwidth chokepoint.
  • This use case relies on configuration management and monitoring of devices on the network regardless of whether the enterprise owns them.
  • The intent is to use the internet, at scale and capacity, without throttling access through on-premise appliances, while providing security and compliance for government traffic.
  • This use case assumes an enterprise user is attempting to access agency resources that traditionally required either a VPN or connection to an agency network. Under a zero-trust approach, the IT enterprise has deployed tools to accomplish the following:
  1. Device compliance.
  2. Centralized access point with gateway access to on-premise applications or centralized access point to cloud applications.
  3. Advanced use cases may include limiting user capabilities, such as allowing upload and download from a GFE device while blocking upload and download on a BYOD device.
  • Leverage internet scale, capacity, and services and only steer traffic to on-premise as necessary.
  • Eliminate heavy bandwidth traffic from clogging VPN infrastructure. A split-tunnel (split traffic) VPN is an option, but it adds administrative overhead in maintaining the split traffic list and still depends on existing agency capacity.
  • Understand each user and their connections. A zero-trust approach allows an enterprise to observe and evaluate each device's current state as part of evaluating the access request process.
  • CDM asset management/software asset management allows for configuration, survey, and update with physical and network location.
  • An identity management system that supports federation.
  • Identify pilot applications that support single sign-on and are not High Value Assets (HVAs).
  • Identify a small group of users to test application access.
  • Identify a policy enforcement point that either is an identity management system or integrates with an identity management system.
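The decision logic this use case asks of a policy enforcement point can be sketched as a small policy decision function that checks federated identity, device compliance, whether the target application is in pilot scope, steers on-premise applications through the gateway while sending cloud applications direct, and applies the GFE/BYOD upload and download restriction. This is an added illustration, not code from this use case or any agency tool; the application catalog, identity-provider trust list, and request fields are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    idp: str                # identity provider that authenticated the user (assumed field)
    device_compliant: bool  # current device state reported by CDM/configuration management
    device_owner: str       # "GFE" (government furnished) or "BYOD"
    app: str

# Constructed application catalog: hosting location, SSO support, and HVA status.
APP_CATALOG = {
    "timesheets": {"hosting": "on-premise", "sso": True,  "hva": False},
    "webmail":    {"hosting": "cloud",      "sso": True,  "hva": False},
    "legacy-crm": {"hosting": "on-premise", "sso": False, "hva": False},
    "payroll":    {"hosting": "on-premise", "sso": True,  "hva": True},
}
# Constructed federation trust list of identity providers the enterprise accepts.
TRUSTED_IDPS = {"agency-idp", "partner-idp"}

def decide(req: AccessRequest) -> dict:
    """Evaluate one access request and return what the PEP should enforce:
    allow/deny with a reason, the traffic route, and per-session capabilities."""
    app = APP_CATALOG.get(req.app)
    if app is None:
        return {"allow": False, "reason": "unknown application"}
    if req.idp not in TRUSTED_IDPS:
        return {"allow": False, "reason": "identity not issued by a federated IdP"}
    # Pilot scope: only SSO-capable, non-HVA applications are in this use case.
    if app["hva"]:
        return {"allow": False, "reason": "HVA is out of scope for the pilot"}
    if not app["sso"]:
        return {"allow": False, "reason": "application does not support SSO"}
    # Device state is evaluated on every request, enterprise-owned or not.
    if not req.device_compliant:
        return {"allow": False, "reason": "device is not compliant"}
    # Steer only on-premise traffic through the gateway; cloud apps go direct.
    route = "gateway" if app["hosting"] == "on-premise" else "direct"
    # Advanced case: GFE may upload/download, BYOD is blocked from both.
    transfer = req.device_owner == "GFE"
    return {"allow": True, "reason": "policy satisfied", "route": route,
            "capabilities": {"upload": transfer, "download": transfer}}
```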