Exploring the Zero Trust Models of AWS, Microsoft, and Google
In today's world of distributed workforces, cloud services, and sophisticated cyber threats, the traditional security approach, in which everyone inside the network is trusted, has become obsolete. The Zero Trust model has emerged as the new paradigm, enforcing strict identity verification, granular access control, and continuous monitoring for all users, devices, and resources, regardless of their location. Big cloud providers such as AWS (Amazon Web Services), Microsoft, and Google have each adopted their own version of Zero Trust architecture. In this article we will cover the basics of these Zero Trust models, their key principles and their components.

What is Zero Trust?

Zero Trust is a security framework based on the principle of "never trust, always verify." Unlike traditional network security models, Zero Trust does not assume that users or devices inside the network are inherently trustworthy. Instead, every user, device, and request must be continuously verified and approved, and each must be given only the minimum access it needs, based on its identity and security posture.

AWS Zero Trust Model

The AWS Zero Trust model is a security framework that aims to protect resources by enforcing strict verification, regardless of whether access requests originate from inside or outside a traditional network perimeter. It focuses on continuous validation of trust, treating every access attempt as potentially hostile unless explicitly authenticated and authorized. To get a clearer picture, let's look at the key principles and components, followed by an example.

Key Principles:
● Identity-Centric Approach: AWS shifts the security focus to identities (users, devices, services), ensuring that every entity is authenticated and authorized for each action.
● Least Privilege Access: Access permissions are granted at the minimal necessary level, reducing the impact of compromised accounts.
● Context-Aware Access: AWS evaluates additional signals like location, device health, and behavior before granting access to resources.
● Segmented and Isolated Resources: AWS employs segmentation to isolate workloads, limiting lateral movement if one component is compromised.
● Continuous Monitoring and Logging: AWS integrates real-time monitoring and logging to detect suspicious activities and adjust security policies dynamically.

Key Components:
● AWS Identity and Access Management (IAM): Central to AWS's Zero Trust model, IAM allows you to manage fine-grained permissions and define access control policies for each user, role, and resource.
● Multi-Factor Authentication (MFA): AWS uses MFA to enforce stronger identity verification, requiring users to authenticate using something they know (password) and something they have (token or device).
● AWS CloudTrail and GuardDuty: These services provide continuous monitoring, logging, and threat detection, identifying unusual behavior and potential security risks.
● Encryption and Secure Communications: AWS enforces encryption both in transit and at rest, ensuring data integrity and confidentiality, with access controlled by encryption keys managed through AWS Key Management Service (KMS).
● Zero Trust Network Access (ZTNA): AWS offers solutions such as AWS PrivateLink and VPC endpoints to secure and isolate traffic, minimizing exposure to public networks.

Example:
Imagine an organization running an e-commerce platform on AWS, where sensitive customer data is stored in databases and accessed by employees, services, and third-party APIs. Instead of trusting access by default, AWS Zero Trust ensures that every access request is verified at each stage. If an employee attempts to access a customer database:
● IAM and MFA verify the employee's identity and enforce role-based access control, ensuring they only have the necessary permissions.
● Device and Location Verification: AWS checks whether the employee is using a trusted device from an expected location, applying additional security measures if an anomaly is detected (for example, logging in from an unusual location).
● Network Isolation: AWS VPC and PrivateLink ensure that database traffic remains isolated, preventing lateral movement even if other systems are compromised.
● Logging and Monitoring: AWS CloudTrail logs the access attempt, while AWS GuardDuty monitors for suspicious behavior such as abnormal data access patterns. If a threat is detected, the system can revoke access or trigger an alert.
In this way, AWS Zero Trust minimizes the risk of unauthorized access and data breaches, providing continuous protection of resources, whether they are inside or outside the traditional network boundary.

Microsoft Zero Trust Model

The Microsoft Zero Trust model is built on Microsoft's own product features, which work together to protect data and resources by eliminating implicit trust. The model continuously verifies identities, devices, and access requests across the entire environment, ensuring security for both internal and external access. To find out more about Microsoft's Zero Trust model, let's look at the key principles and components, followed by an example.

Key Principles:
● Verify Explicitly: Always authenticate and authorize using all available data points, such as identity, location, device health, service, and anomaly detection.
● Least Privileged Access: Enforce least privilege by granting only the minimum level of access necessary for users to perform their tasks.
● Assume Breach: Operate with the mindset that a breach has already occurred, and implement strategies to limit lateral movement, detect anomalies, and mitigate risks.
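The three Microsoft principles just listed and the AWS employee-to-database flow above reduce to the same decision made on every request: collect the signals, verify them explicitly, grant only what the role needs, and keep re-checking after access is granted. The following Python is an added example written for this article; it is not code or policy from AWS, Microsoft or Google, and every role, action, signal name and threshold in it is a constructed assumption. It gates a request on MFA and device posture, applies a per-role allowlist of actions, forces a step-up MFA prompt for an unusual location, denies on a burst of failed logins, and revokes an already granted session when device posture or data-access volume changes.

```python
"""Zero Trust access decision: verify explicitly, least privilege, assume breach.

Added example for this article; not AWS, Microsoft or Google code.
Every role, action, signal name and threshold below is a constructed assumption.
"""
from dataclasses import dataclass

# Least privilege: a role grants exactly the actions listed here and nothing else.
ROLE_PERMISSIONS = {
    "support-agent": {"customers:read"},
    "billing-analyst": {"customers:read", "invoices:read", "invoices:export"},
}

# Assume breach: thresholds at which a signal stops being "normal" (constructed values).
MAX_FAILED_LOGINS_PER_HOUR = 5
MAX_READ_MULTIPLE_OF_BASELINE = 10


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str
    mfa_passed: bool
    device_compliant: bool        # patched OS, disk encrypted, EDR running, etc.
    country: str                  # where this sign-in comes from
    home_country: str             # where this user normally signs in from
    failed_logins_last_hour: int  # recent authentication failures for this account


@dataclass
class Decision:
    allowed: bool
    reason: str
    step_up_required: bool = False  # allowed, but only after an extra MFA prompt


def decide(req: AccessRequest) -> Decision:
    """Gate a new access request. Default is deny; every signal is checked every time."""
    # Verify explicitly: no request is trusted because of where it comes from.
    if not req.mfa_passed:
        return Decision(False, "mfa-required")
    if not req.device_compliant:
        return Decision(False, "device-not-compliant")
    # Least privilege: the role must name this action; an unknown role gets nothing.
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision(False, f"action {req.action} not granted to role {req.role}")
    # Assume breach: anomalies never pass silently. A burst of failures denies outright;
    # an unusual location still allows, but only after a second MFA prompt.
    if req.failed_logins_last_hour >= MAX_FAILED_LOGINS_PER_HOUR:
        return Decision(False, "anomalous-login-pattern")
    if req.country != req.home_country:
        return Decision(True, "unusual-location", step_up_required=True)
    return Decision(True, "ok")


def reevaluate_session(device_compliant: bool, bytes_read: int, baseline_bytes: int) -> Decision:
    """Continuous monitoring: a session already granted is revoked when posture or behaviour changes."""
    if not device_compliant:
        return Decision(False, "revoked: device posture changed mid-session")
    if bytes_read > MAX_READ_MULTIPLE_OF_BASELINE * baseline_bytes:
        return Decision(False, "revoked: abnormal data access volume")
    return Decision(True, "session-continues")


if __name__ == "__main__":
    # Constructed requests exercising each branch.
    base = dict(user="alice", role="support-agent", action="customers:read",
                mfa_passed=True, device_compliant=True, country="DE",
                home_country="DE", failed_logins_last_hour=0)
    print(decide(AccessRequest(**base)))                                   # allowed, ok
    print(decide(AccessRequest(**{**base, "mfa_passed": False})))          # denied, mfa-required
    print(decide(AccessRequest(**{**base, "action": "invoices:export"})))  # denied, not granted to role
    print(decide(AccessRequest(**{**base, "country": "BR"})))              # allowed, step-up required
    print(reevaluate_session(True, bytes_read=5_000_000, baseline_bytes=100_000))  # revoked
```

The order of the checks is deliberate: identity and posture are verified before the permission lookup, so a compromised but correctly-permissioned account still fails on the missing MFA or non-compliant device, and the anomaly checks run last so that an unusual location produces a step-up rather than a blind allow. The same function would be called again for every new action, not once per login.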
Key Components:
● Azure Active Directory (Azure AD): Azure AD provides identity verification through Single Sign-On (SSO), Multifactor Authentication (MFA), and Conditional Access, which adapts access policies based on the user's context (for example, location, device compliance, or risk score).
● Microsoft Intune: For managing devices, Intune enforces compliance policies, ensuring that only secure and compliant devices can access resources. Through Mobile Device Management (MDM) and Mobile Application Management (MAM), it provides control over both corporate-owned and personal devices (BYOD).
● Microsoft Defender for Endpoint: This tool ensures device security by providing endpoint detection and response (EDR), identifying vulnerabilities and threats on devices, and enforcing security baselines. It continuously monitors and responds to potential breaches or compromised endpoints.
● Azure Information Protection (AIP): AIP helps protect sensitive data by classifying and labeling information. It also provides encryption and access control, ensuring data protection both at rest and in transit, regardless of where it is stored or shared.
● Microsoft Defender for Identity: This component integrates identity protection by continuously analyzing user activities and network signals to detect suspicious behaviors, compromised accounts, or insider threats.
● Microsoft Defender for Cloud: This feature secures cloud and hybrid infrastructure. It provides threat protection, vulnerability assessments, and compliance management across Azure and non-Azure environments, helping enforce Zero Trust principles on cloud workloads.
● Azure Sentinel: This is Microsoft's cloud-native Security Information and Event Management (SIEM) system, which provides intelligent security analytics and threat detection. It helps detect, prevent, and respond to security incidents by correlating data across multiple sources.
● Microsoft Endpoint Manager: This includes Intune and Configuration Manager, allowing centralized management of devices and applications while enforcing Zero Trust policies related to device compliance and security.
● Azure Network Security: Features like Azure Firewall, Azure DDoS Protection, Network Security Groups (NSGs), and Azure Private Link provide network-level segmentation and protection. These services prevent unauthorized lateral movement and secure network traffic through encryption and micro-segmentation.

Example:
Suppose a finance team member attempts to access a critical business application from a remote location. Here's how Microsoft's Zero Trust model enforces security:
● Identity Verification: Azure AD verifies the user's identity through MFA. A Conditional Access policy checks the user's device compliance (managed through Intune) and location. If the login attempt is from an unusual place, additional security measures (like an extra MFA prompt) are applied.
● Device Compliance: Microsoft Defender for Endpoint checks whether the user's device meets security baselines (for example, updated OS, antivirus enabled). If the device is not compliant, access to the application is blocked or restricted until remediation.
● Access Control: Azure AD's Conditional Access ensures that the user can only access the business application and not any other sensitive resources they don't need. Least-privilege access ensures this by restricting permissions based on role.
● Data Protection: Azure Information Protection encrypts any sensitive data accessed, preventing it from being exposed or mishandled even if downloaded or shared. AIP also tracks and audits access to the data.
● Monitoring and Threat Detection: Azure Sentinel continuously monitors the access session, using Microsoft Defender for Identity to detect any unusual or risky behavior (for example, multiple login attempts from different locations). If suspicious activity is detected, security alerts are triggered for investigation.
In this way, Microsoft's features, combined in the Zero Trust model, ensure end-to-end protection, validating every access request and continuously monitoring for threats across identities, devices, data, and networks.

Google Zero Trust Model (BeyondCorp)

The Google Zero Trust model, also known as BeyondCorp, is a security framework that eliminates the need for a traditional network perimeter. Instead of assuming that internal networks are inherently secure, Google's approach treats every access request, whether from within the corporate network or outside, as potentially risky. The model enforces "never trust, always verify" and emphasizes verifying users and devices at every step before granting access.

Key Principles:
● Verify Every Access Request: Regardless of network location, every access request must be authenticated and authorized, using strong identity verification and device checks.
● Least Privilege Access: Limit user and device access to the minimum necessary, ensuring they can only access the resources required for their specific role.
● Continuous Monitoring: Continuously monitor users, devices, and behaviors to detect and respond to suspicious activity in real time.
● Device Trust: Assess the security posture of the device before granting access, ensuring that only trusted, compliant devices are used.

Key Components:
● Google Identity: Google's identity system forms the basis of Zero Trust, enforcing strong identity verification with features like Single Sign-On (SSO) and Multi-Factor Authentication (MFA). It ensures that every user is authenticated before access is granted, whether the request originates from inside or outside the network.
● Access Proxy: This component of BeyondCorp acts as an intermediary between users and resources. Every access request is routed through this proxy, which enforces security policies and checks the identity, context, and device posture before granting access.
● Device Inventory and Management: Google maintains a detailed inventory of devices accessing corporate resources, ensuring that only compliant, up-to-date devices can connect. Device posture (for example, security patches, encryption status) is continuously assessed to maintain trust.
● Context-Aware Access: This feature dynamically adjusts access policies based on the user's identity, device health, location, and risk factors. Google's access control policies are applied in real time, allowing access only if all conditions meet security requirements.
● Encryption and Secure Communication: All communication between users and resources is encrypted, ensuring data integrity and confidentiality. Google enforces encryption in transit and at rest for data protection.
● Continuous Monitoring and Threat Detection: Google uses extensive logging, monitoring, and machine learning to detect anomalies and security risks in real time, enabling fast response to potential threats.

Example:
Imagine a scenario where a Google employee wants to access a sensitive cloud-based internal application while working from a public coffee shop. In a traditional security model, the internal network might trust the access if the employee used a VPN. In Google's Zero Trust model, no such implicit trust exists. Here's how Google's Zero Trust model would work:
● Identity and Device Verification: The employee attempts to log in through Google's SSO, where their identity is verified using MFA. BeyondCorp checks whether the device being used is a trusted, compliant device by consulting Google's Device Inventory. If the device is missing a security update or is not encrypted, access is denied until the device is compliant.
● Context-Aware Access: Google's Access Proxy examines additional context, such as the employee's location (public Wi-Fi network) and device posture. Because the user is accessing from an untrusted network, the system applies stricter security policies. The employee may be asked for additional verification, such as a second MFA prompt, or be restricted to only specific parts of the application.
● Real-Time Monitoring: While the employee is logged in, Google continuously monitors the session for any suspicious behavior, such as unusual data access patterns or changes in device posture. If abnormal activity is detected, Google's system triggers an alert and can immediately terminate the session to prevent data compromise.
● Secure Access: Even while accessing sensitive data, the entire communication is encrypted both in transit and at rest, ensuring that no data is exposed on the public Wi-Fi network. Google's encryption standards protect all data during access.
In this way, Google's Zero Trust model ensures verification of identity, device, and context at every step and significantly reduces the risk of unauthorized access and breaches.

I hope that after reading the article up to this point, you are looking for information on F5 Zero Trust Security. I have collected links to some of the very good articles available on DevCentral and F5, which will definitely help you.
● Zero Trust Solutions
● What Is Zero Trust Security & Architecture?
● Secure Corporate Apps with a Zero Trust Security Model
● Zero Trust in an Application-Centric World
● Zero Trust - Making use of a powerful Identity Aware Proxy
● Zero Trust Access with F5 Identity Aware Proxy and Crowdstrike Falcon | DevCentral
● Leverage Microsoft Intune endpoint Compliance with F5 BIG-IP APM Access - Building Zero Trust strategy
● Zero Trust building blocks - Leverage NGINX Plus Single Sign-On (SSO) with F5 XC Web App & API Protection (WAAP)
● Zero Trust building blocks - F5 BIG-IP Access Policy Manager (APM) and PingIdentity

F5 TIC3.0 Capability Mappings
About

The information below lists how F5 products address TIC 3.0 capability requirements (Dec 2023/Version 3.1) from the context of how F5 can help the broader agency.

Important Note: Prior to reading this, please read each capability as defined in https://www.cisa.gov/sites/default/files/2023-12/CISA%20TIC%203.0%20Security%20Capabilities%20Catalog_508c.pdf. If a capability is not explicitly listed, it should be assumed the F5 product does not meet the requirement.

At its core, the security provided by TIC 3.0 is based on Zero Trust. If you would like to learn more about how F5 can help your agency meet its Zero Trust requirements, please contact your local account team for additional detail.

F5 Products Background

F5 BIG-IP is a reverse proxy with web application security and authentication capabilities. BIG-IP provides these capabilities for traditional applications. F5 BIG-IP delivers applications securely, efficiently and at scale. BIG-IP Web Application Firewall protects applications from the ever-evolving security threat landscape. Specific BIG-IP software modules are matched to certain capabilities below where applicable.

F5 NGINX Plus is a reverse proxy with web application security and authentication capabilities in a containerized format. The typical NGINX Plus use case is to provide these protections for modern containerized applications.

F5 Distributed Cloud is a SaaS offering that provides Application Delivery, WAAP, DNS and DDoS protection to applications as an edge service. F5 Distributed Cloud also offers a "Customer Edge" (CE) that provides many of these same capabilities on-prem or in a Cloud Service Provider. F5 Distributed Cloud will be referred to as "F5 XC" below.

TIC 3.0 Capabilities

Universal Security Capabilities

Central Log Management with Analysis
BIG-IP: BIG-IP provides application security and telemetry logging enterprise wide to a centralized log store.
NGINX Plus: NGINX Plus provides application security and telemetry logging enterprise wide to a centralized log store.
F5 XC: F5 XC provides application security and telemetry logging enterprise wide to a centralized log store.

Configuration Management
BIG-IP: BIG-IP configuration and capabilities can be fully automated and orchestrated.
NGINX Plus: NGINX Plus configuration and capabilities can be fully automated and orchestrated.
F5 XC: F5 XC configuration and capabilities can be fully automated and orchestrated.

Incident Response Planning and Incident Handling
BIG-IP: F5 BIG-IP provides the ability to detect, prevent and log application security events.
NGINX Plus: F5 NGINX Plus provides the ability to detect, prevent and log application security events in a containerized form factor.
F5 XC: F5 Distributed Cloud provides the ability to detect, prevent and log application security events.

Strong Authentication
BIG-IP: F5 BIG-IP supports requiring SAML, OIDC, Active Directory, and mTLS authentication before a client can access an application.
NGINX Plus: F5 NGINX Plus supports requiring OIDC and mTLS authentication before a client can access an application, in a containerized format.
F5 XC: N/A

Enterprise Threat Intelligence
BIG-IP: F5 provides threat intelligence feeds that help organizations detect whether they are a target of a threat campaign. This service can be leveraged by BIG-IP.
NGINX Plus: F5 provides threat intelligence feeds that help organizations detect whether they are a target of a threat campaign. This service can be leveraged by NGINX Plus.
F5 XC: F5 provides threat intelligence feeds that help organizations detect whether they are a target of a threat campaign. This service can be leveraged by F5 XC.

Dynamic Threat Discovery
BIG-IP: BIG-IP can learn HTTP traffic patterns and establish a baseline to protect applications.
NGINX Plus: N/A
F5 XC: N/A

Continuous Monitoring Reporting
BIG-IP: BIG-IP provides application security and telemetry logging, providing vital application access, performance, and threat data for analysis.
NGINX Plus: NGINX Plus provides application security and telemetry logging, providing vital application access, performance, and threat data for analysis.
F5 XC: F5 XC provides application security and telemetry logging, providing vital application access, performance, and threat data for analysis.

Web PEP Capabilities

Break and Inspect
BIG-IP: F5 BIG-IP provides the ability to decrypt TLS traffic and send the decrypted traffic to any number of security devices, allowing the security devices.
NGINX Plus: N/A
F5 XC: N/A

Active Content Mitigation
BIG-IP: BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
NGINX Plus: N/A
F5 XC: N/A

Certificate Denylisting
BIG-IP: F5 BIG-IP can enforce certificate revocation on clients (human or non-human) presenting certificates (mTLS/Smart Card/CAC/PIV) via OCSP or CRLs before granting access to the application. BIG-IP can also be configured to deny certificates based on a blacklist.
NGINX Plus: F5 BIG-IP can enforce certificate revocation on clients (human or non-human) presenting certificates (mTLS/Smart Card/CAC/PIV) via OCSP or CRLs before granting access to the application.
F5 XC: N/A

Content Filtering
BIG-IP: BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
NGINX Plus: N/A
F5 XC: N/A

Authenticated Proxy
BIG-IP: F5 BIG-IP is a reverse proxy that provides the ability to require SAML, OIDC, Active Directory and mTLS authentication before a client can access an application.
NGINX Plus: F5 NGINX Plus is a reverse proxy that provides the ability to require OIDC and mTLS authentication before a client can access an application, in a containerized format.
F5 XC: N/A

Data Loss Prevention
BIG-IP: BIG-IP can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added. Additionally, BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a DLP solution for further inspection, preventing sensitive data leakage.
NGINX Plus: NGINX Plus can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.
F5 XC: F5 XC can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.

Domain Resolution Filtering
BIG-IP: BIG-IP can report or block DNS over HTTPS originating from or destined for your agency.
NGINX Plus: N/A
F5 XC: N/A

Protocol Compliance Enforcement
BIG-IP: BIG-IP provides protocol compliance for both HTTP and DNS, with the ability to report or reject traffic that is out of compliance.
NGINX Plus: NGINX Plus provides protocol compliance for HTTP, with the ability to report or reject traffic that is out of compliance.
F5 XC: F5 XC provides protocol compliance for HTTP, with the ability to report or reject traffic that is out of compliance.

Domain Category Filtering
BIG-IP: BIG-IP provides break and inspect capabilities for traffic egressing from the network. Categories may be configured to bypass break and inspect for domain categories (e.g., banking, medical, government). This is typically done so that PII data is not inspected.
NGINX Plus: N/A
F5 XC: F5 XC CEs provide forward proxy capabilities with the ability to restrict domain and URL access. https://docs.cloud.f5.com/docs/how-to/network-firewall/forward-proxy-policies

Domain Reputation Filtering
BIG-IP: BIG-IP provides the ability to deny access to domains via a list or categories of domains, enforced at the HTTP protocol layer. Domain filtering can also be provided via DNS using a list of domains or an integration with an RPZ provider such as Spamhaus or SURBL.
NGINX Plus: N/A
F5 XC: N/A

Bandwidth Control
BIG-IP: F5 BIG-IP provides the ability to limit bandwidth on a per application basis. https://techdocs.f5.com/en-us/BIG-IP-16-1-0/big-ip-policy-enforcement-manager-implementations/managing-traffic-with-bandwidth-controllers.html
NGINX Plus: F5 NGINX Plus provides the ability to rate limit on a per application basis in a containerized/Kubernetes environment.
F5 XC: F5 XC provides the ability to rate limit on a per application basis at a regional edge, on-prem or in the cloud.

Malicious Content Filtering
BIG-IP: BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
NGINX Plus: N/A
F5 XC: N/A

Access Control
BIG-IP: F5 BIG-IP provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting, on a per user and per application basis, the URLs and HTTP methods that a user is permitted to access.
NGINX Plus: F5 NGINX Plus provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting, on a per user and per application basis, the URLs and HTTP methods that a user is permitted to access.
F5 XC: F5 XC provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting, on a per user and per application basis, the URLs and HTTP methods that a user is permitted to access.

Resiliency PEP Security Capabilities

Distributed Denial of Service Protections
BIG-IP: BIG-IP provides protection against DoS attacks at layers 3-7 by providing the ability to learn traffic patterns and establish a baseline. BIG-IP Layer 3-4 capabilities provide protection against IP, UDP and TCP based attacks. Layer 7 capabilities provide protection against DNS, TLS and HTTP based DoS attacks.
NGINX Plus: NGINX Plus provides protection against HTTP based DoS attacks.
F5 XC: F5 XC provides protection against HTTP based DoS attacks.

Elastic Expansion
BIG-IP: F5 BIG-IP provides the ability to scale out applications by distributing the application traffic across as many instances as needed.
NGINX Plus: F5 NGINX Plus provides the ability to scale out applications by distributing the application traffic across as many instances as needed in a containerized environment.
F5 XC: F5 XC provides the ability to scale out applications by distributing the application traffic across as many instances as needed.

Regional Delivery
BIG-IP: N/A
NGINX Plus: N/A
F5 XC: F5 XC provides the ability, through a Regional Edge, to host containerized applications and their associated services on a secure, scalable fabric. Additionally, F5 XC's Regional Edge provides the ability to scale, secure and deliver applications across a geographically dispersed set of environments.

Domain Name System PEP Security Capabilities

Domain Name Sinkholing
BIG-IP: BIG-IP provides domain name sinkholing for DNS using a list of domains or an integration with an RPZ provider such as Spamhaus or SURBL.
NGINX Plus: N/A
F5 XC: N/A

Domain Name Verification for Agency Clients
BIG-IP: F5 BIG-IP can enforce that queries from agency clients utilize DNSSEC.
NGINX Plus: N/A
F5 XC: N/A

Domain Name Validation for Agency Domains
BIG-IP: F5 BIG-IP can enforce the DNSSEC chain of trust for all agency domains.
NGINX Plus: N/A
F5 XC: N/A

Intrusion Detection PEP Security Capabilities

Intrusion Detection and Prevention Systems
BIG-IP: F5 BIG-IP provides Intrusion Detection capabilities that allow for the reporting and blocking of threats over a wide range of protocols.
NGINX Plus: N/A
F5 XC: N/A

Enterprise PEP Security Capabilities

Virtual Private Network
BIG-IP: F5 BIG-IP provides site-to-site IPsec capabilities along with end user remote access SSL VPN.
NGINX Plus: N/A
F5 XC: N/A

Application Container
BIG-IP: N/A
NGINX Plus: F5 NGINX Plus provides load balancing, ingress services (for K8s), WAF, HTTP DoS protection and API Security for containerized services.
F5 XC: F5 XC provides the ability to host containerized services in the F5 XC Regional Edge.

Services PEP Security Capabilities

Active Content Mitigation
BIG-IP: BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
NGINX Plus: N/A
F5 XC: N/A

Data Loss Prevention
BIG-IP: BIG-IP can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added. Additionally, BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a DLP solution for further inspection, preventing sensitive data leakage.
NGINX Plus: NGINX Plus can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.
F5 XC: F5 XC can detect and block sensitive data leaving an application. Data patterns that are deemed sensitive can be added.

Protocol Compliance Enforcement
BIG-IP: F5 BIG-IP provides the ability to enforce protocol compliance for the HTTP and DNS protocols.
NGINX Plus: F5 NGINX Plus provides the ability to enforce protocol compliance for the HTTP protocol.
F5 XC: F5 XC provides the ability to enforce protocol compliance for the HTTP protocol.

Malicious Content Filtering
BIG-IP: BIG-IP provides the ability to decrypt TLS traffic and send this traffic to a content filtering solution for further inspection. This allows the filtering solution to inspect previously encrypted traffic and remove any malicious content.
NGINX Plus: N/A
F5 XC: N/A

Access Control
BIG-IP: F5 BIG-IP provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting, on a per user and per application basis, the URLs and HTTP methods that a user is permitted to access.
NGINX Plus: F5 NGINX Plus provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting, on a per user and per application basis, the URLs and HTTP methods that a user is permitted to access.
F5 XC: F5 XC provides the ability to define policies to limit actions on protected web applications. This is achieved by limiting, on a per user and per application basis, the URLs and HTTP methods that a user is permitted to access.

Identity PEP Security Capabilities

Behavioral Baselining
BIG-IP: BIG-IP can learn HTTP traffic patterns and establish a baseline to protect applications.
NGINX Plus: N/A
F5 XC: N/A

Multi-factor Authentication
BIG-IP: F5 BIG-IP supports requiring SAML, OIDC, Active Directory, and mTLS authentication before a client can access an application.
NGINX Plus: F5 NGINX Plus supports requiring OIDC and mTLS authentication before a client can access an application, in a containerized format.
F5 XC: N/A

Continuous Authentication
BIG-IP: F5 BIG-IP provides the ability to authenticate users prior to accessing an application. After access to the application, BIG-IP can enforce periodic requests for authentication to reverify the client's identity in addition to their OS posture.
NGINX Plus: N/A
F5 XC: N/A

F5's Access Policy Manager: the Access Proxy for Zero Trust Architectures
In my previous article titled 7 Steps for Successfully Implementing Zero Trust Architectures, I detailed how to get started on the journey of implementing Zero Trust Architectures. In that article, I pointed out 7 steps I felt were critical in effectively implementing a Zero Trust Architecture. One of the necessary steps was having a robust Access Proxy. This article will showcase F5's robust Access Proxy.

In a Zero Trust architecture the centralized control point for all clients and applications is the Access Proxy. At the Access Proxy we need to handle authentication, authorization, and centralized logging. This Access Proxy should interface with multiple systems for authentication, handling both multi-factor authentication and Single Sign-On (SSO) to relieve users of the burden of logging into multiple systems. This Access Proxy initially checks and then continuously monitors devices for the required configuration. Finally, a robust Access Proxy should be able to seamlessly integrate with third party solutions.

F5's Access Proxy is the Access Policy Manager (APM). APM is one of the best Access Proxies on the market. The following sections will highlight the versatility and ease that F5's solution offers:

Select Appropriate Configuration
F5 released Access Guided Configurations to make this simple and intuitive. The image below illustrates all the guided configurations available at the time of this article. In this article we will focus on the Zero Trust selection. Click the Zero Trust option.

Verify Required Configuration
F5 will verify that the basic configuration items required are present. If not, you will be guided through the steps. Here the base configuration is already in place.

Select Appropriate Configuration
Determine whether a single or multi proxy topology is required. You are presented a diagram and a description to help make the decision based on your requirements.

Select Appropriate Configuration Object
The next decision is enabling, or leaving unselected, any of the following items, based on how you decided to implement this solution. The user will be presented different options based on their previous selections.
● Device Posture
● MFA
● SSO
● Application Group
● Webtop

Select Appropriate Authentication Properties
Based on your environment, you are offered the authentication types required and supported by APM.

Select Appropriate MFA Properties - If Selected
F5 has developed third party integrations based on demand from customers. This simplifies and streamlines the process.

Review and Modify Session Management Variables
F5 provides the opportunity to fine tune session variables before finalizing the configuration. The form has default values provided, if you are unsure.

Review and Modify Final Deployment
The final step in this Guided Configuration before deployment is a review, with the ability to edit anything previously configured.

Closing

As illustrated, F5's APM solution deployed as an Identity Aware Proxy nicely fits in a Zero Trust Architecture. The IAP is a single control point for all users and devices accessing your applications. The IAP continuously monitors users and devices and applies access control policies as finely grained as you specify. It will handle SSO and MFA if configured. APM can be configured to implement a per-request policy enforcement posture to better align with a Zero Trust Architecture. This article was not meant as a step by step guide to implementing F5's APM in a Zero Trust Architecture; it was to show the ease of deployment and how the guided configuration walks one through the setup.

For detailed steps I have linked several resources below.
https://www.f5.com/company/blog/zero-trust-azure-active-directory-access-big-ip-apm
https://clouddocs.f5.com/training/community/access-solutions/
https://clouddocs.f5.com/training/community/iam/html/class2/class2.html

#zerotrust #ZT #ZTA #ZTNA
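The per-request policy enforcement mentioned in the closing above, and the Access Control, Continuous Authentication and Central Log Management rows of the TIC 3.0 mapping before it, all describe the same proxy behaviour: every request is matched against the URLs and HTTP methods the user's role permits, the session is periodically forced to re-authenticate, and each decision is logged centrally. The following Python is an added example of that behaviour written for this page; it is not F5 APM configuration or code, and the roles, path patterns, re-authentication interval and sample sessions are constructed assumptions. It also handles the edge case a proxy must get right before any URL match: the request path is decoded and normalised so that an encoded traversal such as /app/reports/%2e%2e/admin cannot satisfy a /app/reports/* rule while actually reaching /app/admin.

```python
"""Per-request access proxy policy: URL/method allowlist per role, periodic
re-authentication, and a structured decision log.

Added example for this page; not F5 APM configuration or code.
Roles, path patterns, the re-auth interval and the sessions are constructed assumptions.
"""
import fnmatch
import json
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

REAUTH_INTERVAL_SECONDS = 900  # assumption: re-verify the user every 15 minutes

# Per-role allowlist of (HTTP method, path pattern). "*" as a method matches any method.
# Anything not listed is denied. fnmatch's "*" also spans "/", so a pattern acts as a prefix.
POLICY = {
    "viewer": [("GET", "/app/reports/*")],
    "editor": [("GET", "/app/reports/*"), ("POST", "/app/reports/*"),
               ("DELETE", "/app/reports/draft/*")],
    "admin": [("*", "/app/*")],
}


@dataclass
class Session:
    user: str
    role: str
    authenticated_at: float  # epoch seconds of the last successful authentication
    posture_ok: bool         # result of the last device posture check


@dataclass
class Verdict:
    action: str  # "allow", "deny" or "reauthenticate"
    reason: str


def canonical_path(raw_path: str) -> str:
    """Strip the query string, percent-decode, and collapse '..' and '.' segments so the
    path that is matched is the path the application would actually serve."""
    path = unquote(raw_path.split("?", 1)[0])
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def evaluate(session: Session, method: str, raw_path: str, now: float) -> Verdict:
    """Decide one request. Freshness and posture are checked before any URL rule."""
    # Continuous authentication: a session is only as trustworthy as its last verification.
    if now - session.authenticated_at > REAUTH_INTERVAL_SECONDS:
        return Verdict("reauthenticate", "last authentication older than interval")
    if not session.posture_ok:
        return Verdict("deny", "device posture check failed")
    path = canonical_path(raw_path)
    for allowed_method, pattern in POLICY.get(session.role, []):
        if allowed_method in ("*", method.upper()) and fnmatch.fnmatchcase(path, pattern):
            return Verdict("allow", f"rule {allowed_method} {pattern}")
    return Verdict("deny", "no matching rule (default deny)")


def log_entry(session: Session, method: str, raw_path: str, now: float, verdict: Verdict) -> str:
    """One JSON line per decision, in the shape a central log store would ingest."""
    return json.dumps({
        "ts": now, "user": session.user, "role": session.role,
        "method": method.upper(), "path": canonical_path(raw_path),
        "action": verdict.action, "reason": verdict.reason,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sessions and requests exercising each branch.
    viewer = Session("alice", "viewer", authenticated_at=1000.0, posture_ok=True)
    admin = Session("bob", "admin", authenticated_at=1000.0, posture_ok=True)
    for sess, method, path, now in [
        (viewer, "GET", "/app/reports/q1?format=csv", 1010.0),        # allow
        (viewer, "POST", "/app/reports/q1", 1010.0),                  # deny: method not granted
        (viewer, "GET", "/app/reports/%2e%2e/admin/users", 1010.0),   # deny: traversal normalised away
        (viewer, "GET", "/app/reports/q1", 2000.0),                   # reauthenticate: 1000 s old
        (admin, "DELETE", "/app/admin/users/42", 1010.0),             # allow: admin wildcard
    ]:
        verdict = evaluate(sess, method, path, now)
        print(log_entry(sess, method, path, now, verdict))
```

Two design points are worth noting. The verdict "reauthenticate" is distinct from "deny": the proxy should redirect to the identity provider rather than block, which is what makes re-verification transparent to a legitimate user. And the decision log records the canonical path, not the raw one, so an analyst searching the central store for access to /app/admin finds the encoded-traversal attempt alongside the plain ones.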