IdP Plus ZTNA: A Match Made in Security Heaven

Identity is an important part of ZTNA

We talk a lot about how Zero Trust Network Access makes your company more secure and better prepared to face today’s cybersecurity risks. But right now we want to emphasize an important part of ZTNA that facilitates all this security magic: Identity Providers (IdP). 

Your company’s IdP is an essential part of any modern cloud-based, converged network security solution. A well-organized identity management system makes it much easier to implement customized ZTNA rules.

ZTNA Essentials

To illustrate this point let’s start with the basics: what exactly is Zero Trust Network Access? At its core, ZTNA is an identity- and context-based approach to creating what’s called a “logical access boundary” around an application or set of applications. 

ZTNA starts from a point of assigning identities to employees, grouping them into teams, and then distributing access permissions based on those identities. If you can’t assign identities to people, and then organize those people into groups, you aren’t going to get very far.

Modern Boundaries 

Now let’s talk about the “logical access boundary.” That’s just a technical way to describe the digital borders we create around company resources. These days organizations are filled with remote and hybrid workers who are accessing on-prem and cloud-based resources every day. That means for most organizations the traditional perimeter is dissolving – or already gone.

Protection has to be based on something other than the geographic location of a bunch of computers. Guarding access to on-prem servers using legacy VPN hardware is the old way of doing things. Under the old model, if an employee wanted access to a company database, or to a cloud-based service like Salesforce, they would first need to log in to the VPN at one of a handful of company data centers. This often meant backhauling Internet traffic through those data centers, which hampered performance.

When you have a globally-distributed workforce it just doesn’t make sense to center your network around a few legacy VPN locations. Today’s boundaries are about access to a set of applications that can exist on-prem or in the cloud. In addition, they should be accessible from anywhere with minimal latency.

Identity and VPNs

ZTNA is a fundamentally different approach from the old VPN model, and identity enables a big part of that difference. Under the VPN-based approach nearly everyone with a company login could get in and do what they needed to do – and once connected they usually landed on the internal network with overly permissive access settings. 

ZTNA throws all of that away and says, “we are not going to assume you can access resource X or Y just because you have the right domain name in your email address.” Instead, ZTNA starts from a position of automatic denial of access for every resource. Then administrators open up access to applications based on what people need to carry out their daily tasks. 

A sales person may need access to Salesforce and Chili Piper, for example, but do they need access to the website CMS or code repository? Probably not. Providing access to unneeded resources exposes the company to serious damage should a threat actor ever obtain employee credentials.

A common attacker playbook is to log in with any compromised account, then move laterally through the network to find accounts and systems with greater access permissions. ZTNA limits lateral movement, because even with valid company credentials an attacker can only see the subset of applications that identity is authorized for, and nothing of the network behind them. If they even get that far: well-defined context-based policies (custom access rules based on location, time of day, and device posture) can prevent them from seeing anything at all, even with valid login credentials. 

That’s the power of ZTNA.

IdPs: The Jelly to ZTNA’s Peanut Butter

There are a ton of advantages to ZTNA, but none of them work without a proper, well-organized identity management system. It should also support single sign-on (SSO) for a more efficient user experience. That way users only need to sign in once to reach all their permitted applications, instead of signing into each one individually.  

Perimeter 81 supports the major IdP and SAML 2.0 services such as Azure AD, ADFS, Auth0, Google, Okta, OneLogin, PingIdentity, PingFederate, Rippling, and JumpCloud. We also support SCIM, which makes it easy to automatically provision and deprovision identities as needed, so access is revoked as soon as an account is disabled in the IdP. 
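To make the default-deny, group-plus-context policy model from the ZTNA sections above concrete, and to show how SCIM deprovisioning ties into it, here is an added example. It is not Perimeter 81 code and does not reflect how the product evaluates policy; the users, groups, application names and rules are constructed for illustration, and the request context (country, hour, device posture) is assumed to be supplied by the broker and endpoint agent.

```python
"""Added example, not Perimeter 81 code: a default-deny ZTNA policy engine
whose identities and group memberships come from SCIM-style user records."""
from dataclasses import dataclass

# Constructed SCIM 2.0-style User resources, as an IdP would push them over
# SCIM provisioning. Only the attributes the engine needs are included.
SCIM_USERS = [
    {"id": "u1", "userName": "dana@example.com", "active": True,
     "groups": [{"display": "Sales"}]},
    {"id": "u2", "userName": "eli@example.com", "active": True,
     "groups": [{"display": "Engineering"}]},
]


@dataclass(frozen=True)
class Context:
    """Request context a ZTNA broker evaluates alongside identity."""
    country: str          # from source-IP geolocation (hypothetical input)
    hour: int             # local hour of the request, 0-23
    managed_device: bool  # device posture reported by the endpoint agent


@dataclass(frozen=True)
class Rule:
    """One explicit allow. Anything no rule allows is denied."""
    app: str
    groups: frozenset                       # any of these IdP groups
    countries: frozenset = frozenset()      # empty means any country
    hours: range = range(0, 24)
    require_managed: bool = False

    def matches(self, user_groups, ctx):
        return (bool(self.groups & user_groups)
                and (not self.countries or ctx.country in self.countries)
                and ctx.hour in self.hours
                and (ctx.managed_device or not self.require_managed))


# Hypothetical per-app rules: Sales sees its SaaS tools under in-region,
# business-hours, managed-device conditions; Engineering sees the repo only
# from a managed device; nobody in this directory is granted the CMS.
RULES = [
    Rule("salesforce", frozenset({"Sales"}), countries=frozenset({"US", "GB"}),
         hours=range(6, 22)),
    Rule("chili-piper", frozenset({"Sales"}), require_managed=True),
    Rule("code-repo", frozenset({"Engineering"}), require_managed=True),
    Rule("website-cms", frozenset({"Marketing"})),
]


class Directory:
    """Identity store populated and kept current by SCIM."""

    def __init__(self, scim_users):
        self.users = {u["userName"]: dict(u) for u in scim_users}

    def groups_of(self, username):
        user = self.users.get(username)
        if user is None or not user.get("active", False):
            return frozenset()  # unknown or deprovisioned: no groups, so no access
        return frozenset(g["display"] for g in user.get("groups", []))

    def apply_scim_patch(self, user_id, patch):
        """Apply the part of a SCIM 2.0 PatchOp (RFC 7644) an IdP sends on
        deprovisioning: a replace of 'active', given either as a path or
        inside a value object. Returns the user's resulting active flag."""
        user = next(u for u in self.users.values() if u["id"] == user_id)
        for op in patch.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            value = op.get("value")
            if op.get("path") == "active":
                user["active"] = str(value).lower() == "true"
            elif isinstance(value, dict) and "active" in value:
                user["active"] = str(value["active"]).lower() == "true"
        return user["active"]


def visible_apps(directory, username, ctx):
    """Default deny: an app is reachable only if some rule explicitly allows
    this identity under this context; everything else stays invisible."""
    groups = directory.groups_of(username)
    return sorted({r.app for r in RULES if r.matches(groups, ctx)})


def demo():
    d = Directory(SCIM_USERS)
    office = Context(country="US", hour=10, managed_device=True)
    odd = Context(country="XX", hour=3, managed_device=False)
    print(visible_apps(d, "dana@example.com", office))  # ['chili-piper', 'salesforce']
    print(visible_apps(d, "dana@example.com", odd))     # [] even with valid credentials
    print(visible_apps(d, "eli@example.com", office))   # ['code-repo']
    # The IdP offboards Dana: a SCIM PATCH sets active=false and access vanishes.
    d.apply_scim_patch("u1", {"Operations": [{"op": "replace", "path": "active", "value": False}]})
    print(visible_apps(d, "dana@example.com", office))  # []


if __name__ == "__main__":
    demo()
```

The point of the `odd` context is the one made above: the same valid credentials that see two applications from a managed device in the office see nothing from an unmanaged device, out of region, at 3 a.m. The code repository never appears for the salesperson under any context, because no rule grants it to the Sales group, and the SCIM deactivation removes every application at once without touching a single rule.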

ZTNA is an important security measure that is purpose-built for today’s work environment. One of the key pillars on which it stands is identity. That’s why having a well-organized identity management system can help make your company’s transition to better security so seamless. 

Want to learn more about how we can take your organization’s security to the next level? Book a demo today to see Perimeter 81’s Zero Trust Network Access in action.