
The Value of Zero Trust Network Access Validation

By: Reza Saadat

Network security architectures are changing. This post examines Zero Trust Network Access, an emerging architecture, how it helps protect the confidentiality and integrity of data, and how it enables the move from a static, data-center-centric approach to a dynamic, policy-based one. You will learn about the benefits of the Zero Trust approach and the solutions available to validate it.

Network security of the past relied on the notion of a network perimeter and assumed that "Trust, but Verify" was sufficient. Trust was granted based on whether the user, device, or application sat inside or outside that boundary.

Perimeter networks are protected by security barriers at the edge; once those are crossed, trust is granted, and users and devices can roam, move laterally, and reach resources and sensitive information. Perimeter security therefore gives a malicious actor who gets past the barrier the same freedom: once inside, they have access to data, applications, and resources. With resources and services now residing anywhere across physical and cloud networks, the attack surface has expanded significantly, so access security must evolve rapidly beyond perimeter security.

The benefits of the “Zero Trust” approach

Zero Trust Network Access (ZTNA) is an emerging security architecture that eliminates implicit trust and follows the principle "Never Trust, Always Verify." ZTNA requires repeated authentication and authorization checks of the "Subject" before granting it access to a "Resource." When a resource is requested, the subject's identity is assessed and, based on current contextual factors such as user identity, the type of service requested, and so forth, ZTNA grants "least privilege" access to that specific service, rather than to the entire network, for the authorized entity.

ZTNA applies the Zero Trust approach regardless of whether the entity is inside or outside the security perimeter and always verifies before granting access. This protects the confidentiality and integrity of data and makes ZTNA a key enabler of the transformation from perimeter security, with its static, data-center-centric approach, to a dynamic, policy-based, and contextually driven approach that secures today's distributed and cloud-based network resources. Because today's networks are elastic, dynamic, and distributed, validating performance, security, and user experience becomes even more critical to an organization's success.

Validating ZTNA and the impact on end-user quality of experience

Spirent supports Zero Trust Network Access architectures with the new CyberFlood ZTNA Test Builder. The solution helps validate the performance, scalability, and effectiveness of ZTNA Policy Enforcement Points (PEP) and the impact on end-user Quality of Experience (QoE).

CyberFlood test agents interact with the Policy Enforcement Point (PEP) and the Identity Provider (IdP), emulating both authorized and unauthorized users that generate traffic and attempt to access protected applications.

For example, in the following diagram three users attempt to access an HTTPS-based application. User 1 is authorized to access the app. User 2 cannot be authenticated (bad password), so it never reaches the authorization decision. User 3 authenticates successfully but is not authorized for the app. The flow is as follows:

  1. User requests access to protected app

  2. Policy Enforcement Point (PEP) intercepts the request and redirects for authentication

  3. The user's identity and authorization to access the app are validated

  4. Traffic flows based on policy assessments

CyberFlood ZTNA test topology example
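The four steps above, reduced to a runnable model. This is an added example written for this post, not CyberFlood code or any vendor's PEP or IdP implementation, and it makes simplifying assumptions: a JWT-style HMAC-signed token stands in for the SAML assertion or OIDC ID token, the user directory, application URL and per-app allow-list are constructed data, and the redirect is modelled as a return value rather than an HTTP 302. Running it over the three users from the diagram produces the same counters a ZTNA test report tracks: attempted requests, successful identity sessions, and per-user authentication and authorization failures.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Key shared between the IdP and the PEP. In a real deployment the PEP would
# hold the IdP's public signing key (SAML/OIDC); an HMAC secret stands in here.
IDP_KEY = secrets.token_bytes(32)

# Constructed user directory and per-app allow-list (hypothetical data).
USERS = {"user1": "correct-horse", "user2": "battery-staple", "user3": "xkcd936"}
POLICY = {"https://app.example.internal": {"user1"}}   # only user1 may reach the app


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as JWT-style tokens use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest())


class IdentityProvider:
    """Step 3, identity: checks credentials and issues a signed token."""

    def authenticate(self, username: str, password: str):
        stored = USERS.get(username)
        # Unknown user and wrong password are handled identically, so the
        # response does not reveal which usernames exist.
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        payload = _b64(json.dumps({"sub": username}).encode())
        return f"{payload}.{_sign(payload)}"


class PolicyEnforcementPoint:
    """Steps 2 and 4: intercepts requests, verifies identity, applies policy."""

    def verify_token(self, token: str):
        parts = token.split(".")
        if len(parts) != 2 or not hmac.compare_digest(
            _sign(parts[0]).encode(), parts[1].encode()
        ):
            return None                      # forged, truncated or tampered token
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))["sub"]

    def handle(self, app: str, token=None) -> str:
        if token is None or (subject := self.verify_token(token)) is None:
            return "redirect"                # step 2: send the subject to the IdP
        if subject in POLICY.get(app, set()):
            return "allow"                   # step 4: traffic flows, for this app only
        return "deny"                        # authenticated but not authorized


def run_simulation(attempts, app):
    """attempts: list of (username, password). Returns the counters a ZTNA
    test report tracks: requests, identity sessions and per-user failures."""
    idp, pep = IdentityProvider(), PolicyEnforcementPoint()
    report = {"attempted_requests": 0, "successful_identity_sessions": 0,
              "failed_authentication": [], "failed_authorization": []}
    for user, password in attempts:
        report["attempted_requests"] += 1
        if pep.handle(app) != "redirect":    # step 1 -> 2: no session yet
            raise RuntimeError("PEP passed an unauthenticated request")
        token = idp.authenticate(user, password)
        if token is None:
            report["failed_authentication"].append(user)
            continue
        report["successful_identity_sessions"] += 1
        if pep.handle(app, token) != "allow":
            report["failed_authorization"].append(user)
    return report


if __name__ == "__main__":
    APP = "https://app.example.internal"
    print(run_simulation([("user1", "correct-horse"), ("user2", "wrong-password"),
                          ("user3", "xkcd936")], APP))
```

The two failure modes are deliberately distinct: User 2 never obtains a session and is counted under authentication, while User 3 holds a valid session and is stopped only at the policy check, which is what least privilege to a specific service rather than the whole network means in practice. A real PEP would additionally check token expiry, audience and issuer, which this model omits.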

The CyberFlood report shows the status and statistics of authorized and unauthorized users attempting to access protected apps. The live and final ZTNA reports track the progression of Attempted Requests, Successful Identity Sessions, Unsuccessful Authentication, and Unsuccessful Authorization, and the detailed reporting breaks down Failed Authentication and Failed Authorization on a per-user basis.

CyberFlood ZTNA report

CyberFlood ZTNA Test Builder is capable of emulating malicious and non-malicious traffic at scale to:

  • Validate the performance, scalability, and effectiveness of secure ZTNA Policy Enforcement Points (PEPs) based on SAML and OIDC

  • Measure the scale of Okta Identity Provider (IdP) integration and the impact of the IdP on PEP responsiveness

  • Proactively assess functionality, performance, and efficacy of Zero Trust PEPs and policies on a continuous or periodic basis to monitor for any undesirable or unintended deviations

See ZTNA Validation in action in our latest demo video.

Learn how Spirent security test solutions, including the newly released CyberFlood ZTNA Test Builder, can help verify the performance and security strength of your organization.


Reza Saadat

Senior Technical Marketing Engineer, Application and Security Group

Reza Saadat is a Senior Technical Marketing Engineer at Spirent in the Applications and Security group, with over 25 years of experience in computers and data communication technologies. At Spirent, Reza works with the Product Management, Engineering and Sales teams to bring to market new, cutting-edge applications and security testing solutions for network equipment manufacturers, enterprises, and service providers. His in-depth industry, market and software development knowledge as well as collaborative design and development skills have resulted in the creation of numerous hardware and software solutions, which have been successfully released at companies such as IBM Corp, Cisco Systems and many more.