Use Case 5 - Machine-to-Machine Application Access
Zero Trust architecture replaces the traditional chokepoints of the legacy Trusted Internet Connection (TIC) and the DoD Joint Regional Security Stacks (JRSS), Internet Access Points (IAP) and Cloud Access Points (CAP). Decentralizing those chokepoints into a distributed architecture that aligns with the NIST Special Publication 800-207 model of policy enforcement point (PEP), policy engine (PE) and policy decision point (PDP) can improve security and support digital transformation initiatives. The goal is secure access from anywhere on any network, giving a user or workload the right access under the right conditions. NIST SP 800-207 outlines three approaches to Zero Trust: network infrastructure and software-defined perimeters, enhanced identity governance, and micro-segmentation. The three interact, but each focuses on a specific part of an access attempt.
- Software-defined perimeter and network infrastructure focus on delivering and routing network and internet traffic, and on placing enforcement in that path.
- Identity governance focuses on the uniquely identified people or things (including workloads) requesting access.
- Application micro-segmentation focuses on isolating individual applications or groups of resources on their own network segments behind a gateway; it still relies on identity governance to decide who may cross a segment boundary.
CURRENT STATE APPROACH
- Machine-to-machine communication includes application-to-application calls, database connections, API calls, etc.
- Today these communications typically operate in one of two ways:
- The first method assumes that machines inside the perimeter, or on a given subnet, are authorized to call other machines. This is insecure: an insider, or any single compromised host on that subnet, inherits the same access, so it also enables lateral movement.
- The other method authenticates with service accounts or API keys shared between the two machines. These credentials are often long-lived, broadly scoped and stored in configuration files, which makes auditing and logging, enforcing least privilege, and secure authentication difficult.
ZERO TRUST OBJECTIVE
- Every machine identity is authenticated and authorized before it accesses another resource, regardless of where the connection originates.
- Enable risk detection for machine authentication (for example, a credential presented by an unexpected workload, from an unexpected source, or at an unexpected rate).
- Enforce dynamic, policy-based access so that a compromised identity can be revoked or restricted immediately, containing a breach.
- Use a centralized secrets management strategy instead of hard-coding credentials, passwords, keys or secrets in application code or configuration.
- Eliminate static passwords through robust multi-factor authentication; for workloads, which cannot present an interactive second factor, the equivalent is a cryptographic credential bound to the workload (for example a certificate or short-lived token) rather than a shared secret.
- Employ ML and ad hoc rules to monitor and assess risk/trust continuously.
- Ensure that all identities with access to critical workloads are:
- Entitled to access the specific workload
- Properly authenticated
- Challenged by additional factors of authentication when necessary.
- Consider behavior patterns (expected callers, call volume and timing) when evaluating a machine identity, just as user behavior patterns are considered when identifying users.
VALUE PROPOSITION FROM ZERO TRUST APPROACH
- Identity governance supports granular, identity-based access (for users and for workloads) that enables precise control where needed.
- Omnichannel experience and seamless collaboration.
- Automation and orchestration decrease deployment errors, enable Agile development and continuous integration/continuous deployment (CI/CD), and increase flexibility and speed.
WHERE TO GET STARTED
- Identify applications that have many connections to other components; these carry the most implicit trust today and gain the most from brokered access.
- Stakeholders on both sides of the machine-to-machine communication should be willing to test Zero Trust principles and technologies.
- Pilot Zero Trust brokered machine-to-machine connections between the identified application and its associated components. Every connection from the application should be brokered through the policy enforcement point, which authenticates the calling identity and checks policy, before it is allowed to reach the destination component.
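The following is an added example, not code from the original page, from NIST SP 800-207 or from any product. It contrasts the current-state subnet check described above with a minimal policy enforcement point that implements the objectives listed earlier: every caller must present an authenticated machine identity, entitlements are checked per workload and action, tokens are short-lived, a revocation set provides dynamic containment, and every decision is logged. All names are assumptions made for illustration: SPIFFE-style workload identities, a per-identity HMAC key provisioned from a central secret store (simulated here by a dictionary), the "orders-db" target workload and the entitlement table. A real pilot would use mTLS or signed JWTs and an external policy engine rather than this HMAC scheme.

```python
"""Minimal policy enforcement point (PEP) for machine-to-machine calls.

Added illustration only; not code from the original page, NIST or any product.
Everything is hypothetical: SPIFFE-style identities, per-identity HMAC keys
from a simulated central secret store, a static entitlement table and a
revocation set. Real deployments use mTLS/JWTs and an external policy engine.
"""
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Optional

# Current-state method 1: trust by network location (hypothetical range).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def legacy_perimeter_allows(src_ip: str) -> bool:
    """Allows any caller that merely sits on the internal subnet."""
    return ipaddress.ip_address(src_ip) in INTERNAL_NET


# Simulated central secret store: keys are looked up by identity at runtime
# rather than hard-coded into each calling application.
SECRET_STORE = {
    "spiffe://example.org/web-frontend": b"frontend-key-issued-by-vault",
    "spiffe://example.org/batch-job": b"batch-key-issued-by-vault",
}
# Entitlements: (caller identity, target workload, action) that are allowed.
POLICY = {
    ("spiffe://example.org/web-frontend", "orders-db", "read"),
    ("spiffe://example.org/web-frontend", "orders-db", "write"),
    ("spiffe://example.org/batch-job", "orders-db", "read"),
}
TOKEN_TTL = 300  # seconds; a short lifetime limits the replay window


def _canonical(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def mint_token(identity: str, resource: str, action: str, issued_at: int,
               key: Optional[bytes] = None) -> dict:
    """Caller side: sign the request claims with the caller's provisioned key.
    `key` is overridable only so the demo can produce a forged token."""
    key = key if key is not None else SECRET_STORE[identity]
    claims = {"sub": identity, "res": resource, "act": action, "iat": issued_at}
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


@dataclass
class PolicyEnforcementPoint:
    revoked: set = field(default_factory=set)      # dynamic policy for containment
    audit_log: list = field(default_factory=list)

    def decide(self, token: Optional[dict], now: int, src_ip: str) -> str:
        """Returns 'allow' or 'deny:<reason>' and records every decision."""
        verdict = self._evaluate(token, now)
        sub = (token or {}).get("claims", {}).get("sub")
        self.audit_log.append({"t": now, "src": src_ip, "sub": sub, "verdict": verdict})
        return verdict

    def _evaluate(self, token: Optional[dict], now: int) -> str:
        if not token:                       # no identity presented; location does not help
            return "deny:no-identity"
        claims = token.get("claims", {})
        identity = claims.get("sub")
        key = SECRET_STORE.get(identity)
        if key is None:
            return "deny:unknown-identity"
        expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("sig", "")):
            return "deny:bad-signature"     # authentication failed
        iat = claims.get("iat")
        if not isinstance(iat, int) or not 0 <= now - iat <= TOKEN_TTL:
            return "deny:expired"
        if identity in self.revoked:
            return "deny:revoked"           # containment overrides entitlement
        if (identity, claims.get("res"), claims.get("act")) not in POLICY:
            return "deny:not-entitled"      # authenticated but not authorized
        return "allow"


def run_scenarios() -> dict:
    """Constructed scenarios contrasting the two models; returns the verdicts."""
    pep = PolicyEnforcementPoint()
    now = 1_700_000_000
    fe, batch = "spiffe://example.org/web-frontend", "spiffe://example.org/batch-job"
    results = {
        # Insider on the internal subnet presenting no identity at all.
        "insider_legacy": legacy_perimeter_allows("10.1.2.3"),
        "insider_pep": pep.decide(None, now, "10.1.2.3"),
        # Frontend read from an external address: identity decides, not location.
        "frontend_read": pep.decide(mint_token(fe, "orders-db", "read", now), now, "203.0.113.7"),
        # Batch job is authenticated but not entitled to write.
        "batch_write": pep.decide(mint_token(batch, "orders-db", "write", now), now, "10.0.0.9"),
        # Token forged with a guessed key fails authentication.
        "forged": pep.decide(mint_token(fe, "orders-db", "read", now, key=b"guess"), now, "10.0.0.9"),
        # Replay of a token minted an hour ago fails the TTL check.
        "stale": pep.decide(mint_token(fe, "orders-db", "read", now - 3600), now, "10.0.0.9"),
    }
    pep.revoked.add(fe)  # frontend flagged compromised: its otherwise valid token now fails
    results["revoked"] = pep.decide(mint_token(fe, "orders-db", "read", now), now, "203.0.113.7")
    results["audit_entries"] = len(pep.audit_log)
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The insider scenario is the point of the contrast: the legacy check admits a caller with no identity because of its IP address, while the PEP denies it and records the attempt. The remaining scenarios show that authentication, entitlement, token lifetime and revocation are evaluated independently, so a valid credential from an unentitled or revoked workload is still refused.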