Enterprise 4 Build 3 (E4B3) - EIG Run - IBM Security Verify as PE#

Note

This page is supplementary material for the NIST SP 1800-35 publication.

Technologies#

E4B3 uses products from Broadcom (with VMware products), IBM, Mandiant, Palo Alto Networks, and Tenable. Certificates from DigiCert are also used. For more information on these collaborators and the products and technologies that they contributed to this project overall, see Collaborators and Their Contributions.

E4B3 components consist of IBM Security Verify, IBM Security MaaS360 (for both laptops and mobile devices), IBM Cloud Pak for Security, IBM QRadar XDR, Mandiant Security Validation, Palo Alto Networks GlobalProtect VPN, Tenable.io, Tenable.ad, Tenable NNM, IBM Security Guardium Data Encryption, IBM Security Guardium Data Protection, VMware infrastructure, and DigiCert ONE.

Table 1 lists all of the technologies used in E4B3 ZTA. It lists the products used to instantiate each ZTA component and the security function that each component provides.

Table 1 - E4B3 Products and Technologies

E4B3 Products and Technologies#

Component

Product

Function

PE

IBM Security Verify

Decides whether to grant, deny, or revoke access to a resource based on enterprise policy, information from supporting components, and a trust algorithm.

PA

IBM Security Verify

Executes the PE’s policy decision by sending commands to a PEP that establishes and shuts down the communication path between subject and resource.

PEP

IBM Security Verify

Guards the trust zone that hosts one or more enterprise resources; establishes, monitors, and terminates the connection between subject and resource as directed by the PA; forwards requests to and receives commands from the PA.

ICAM - Identity Management

IBM Security Verify

Creates and manages enterprise user and device accounts, identity records, role information, and access attributes that form the basis of access decisions within an organization to ensure the correct subjects have the appropriate access to the correct resources at the appropriate time.

ICAM - Access & Credential Management

IBM Security Verify

Manages access to resources by performing user and device authentication (e.g., SSO and MFA) and using identity, role, and access attributes to determine which access requests are authorized.

ICAM - Federated Identity

IBM Security Verify

Aggregates and correlates all attributes relating to an identity or object that is being authorized by a ZTA. It enables users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Federated identity encompasses the traditional ICAM data, supports identities that may be part of a larger federated ICAM community, and may include non-enterprise employees.

ICAM - Identity Governance

IBM Security Verify

Provides policy-based, centralized, automated processes to manage user identity and access control functions (e.g., ensuring segregation of duties, role management, logging, access reviews, analytics, reporting) to ensure compliance with requirements and regulations.

ICAM - MFA

IBM Security Verify

Authenticates user identity by requiring the user to provide not only something they know (e.g., a password), but also something they have (e.g., a token).

Endpoint Security - UEM/MDM

IBM Security MaaS360

Manages and secures enterprise desktop computers, laptops, and/or mobile devices in accordance with enterprise policy to protect applications and data; ensure device compliance; mitigate and remediate vulnerabilities and threats; monitor for suspicious activity to prevent and detect intrusions; prevent, detect, and disable malware and other malicious or unauthorized traffic; repair infected files when possible; provide alerts and recommend remediation actions; and encrypt data. Pushes enterprise applications and updates to devices, enables users to download enterprise applications that they are authorized to access, remotely deletes all applications and data from devices if needed, tracks user activity on devices, and detects and addresses security issues on the device.

Endpoint Security - EPP

IBM Security MaaS360

Detects and stops threats to endpoints through an integrated suite of endpoint protection technologies including antivirus, data encryption, intrusion prevention, EDR, and DLP. May include mechanisms that are designed to protect applications and data; ensure device compliance with policies regarding hardware, firmware, software, and configuration; monitor endpoints for vulnerabilities, suspicious activity, intrusion, infection, and malware; block unauthorized traffic; disable malware and repair infections; manage and administer software and updates; monitor behavior and critical data; and enable endpoints to be tracked, troubleshooted, and wiped, if necessary.

Endpoint Security - Endpoint Compliance

IBM Security MaaS360

Performs device health checks by validating specific tools or services within the endpoint including antivirus, data encryption, intrusion prevention, EPP, and firewall.

Security Analytics - SIEM

IBM QRadar XDR

Collects and consolidates security information and security event data from many sources; correlates and analyzes the data to help detect anomalies and recognize potential threats and vulnerabilities; and logs the data to adhere to data compliance requirements.

Security Analytics - SOAR

IBM Cloud Pak for Security

Integrates the SIEM and other security tools into a single pane of glass to support generation of insights into threats and help track, manage, and resolve cybersecurity incidents. Executes predefined incident response workflows to automatically analyze information and orchestrate the operations required to respond.

Security Analytics - Endpoint Monitoring

Tenable.io

Discovers all IP-connected endpoints and performs continuous collection, examination, and analysis of software versions, configurations, and other information regarding hosts (devices or VMs) that are connected to the network.

Security Analytics - Vulnerability Scanning and Assessment

Tenable.io and Tenable.ad

Scans and assesses the enterprise infrastructure and resources for security risks; identifies vulnerabilities and misconfigurations; and provides remediation guidance regarding investigating and prioritizing responses to incidents.

Security Analytics - Traffic Inspection

Tenable NNM

Intercepts, examines, and records relevant traffic transmitted on the network.

Security Analytics - Network Discovery

Tenable NNM

Discovers, classifies, and assesses the risk posed by devices and users on the network.

Security Analytics - Security Validation

Mandiant Security Validation

Provides visibility and evidence on the status of the security controls’ effectiveness in the ZTA. Enable security capabilities of the enterprise to be monitored and verified by continuously validating and measuring the cybersecurity controls; also used to automate the demonstrations that were performed to showcase ZTA capabilities. Mandiant Security Validation is deployed throughout the project’s laboratory environment to enable monitoring and verification of various security aspects of the builds. VMs that are intended to operate as actors are deployed on each of the subnetworks in each of the enterprises. These actors can be used to initiate various actions for the purpose of verifying that security controls are working to support the objectives of zero trust.

Security Analytics - User Behavior Analytics

IBM Security Verify/Trusteer

Monitors and analyzes user behavior to detect unusual patterns or anomalies that might indicate an attack.

Security Analytics - Security Analytics and Access Monitoring

IBM Security Guardium Data Protection (GDP)

Monitors and protects sensitive data storage both on-premises and in the cloud.

Data Security - Data Encryption

IBM Security Guardium Data Encryption (GDE)

Provides strong encryption and key management capabilities for both structured and unstructured data both on-premises and in the cloud.

Data Security - Data Access Protection

IBM Security Guardium Data Encryption (GDE)

Discovers, classifies, and labels sensitive business critical data in the cloud and on-premises and provides protection by preventing unauthorized access and minimizing the risk of data theft and data leaks using security policy rules.

General - Remote Connectivity

Palo Alto Networks GlobalProtect VPN

Provides remote users’ connectivity to on-premises and IaaS resources.

General - Certificate Management

DigiCert ONE

Provides automated capabilities to issue, install, inspect, revoke, renew, and otherwise manage TLS certificates.

General - Virtualized Infrastructure

VMware

On-premises virtualized infrastructure hosting enterprise resources.

General - Cloud IaaS

IBM Cloud - GitLab

Provides computing resources, complemented by storage and networking capabilities, hosted by a cloud service provider, offered to customers on demand, and exposed through a GUI and an API.

General - Cloud SaaS

DigiCert ONE, IBM MaaS360, IBM Security Verify, Tenable.io

Cloud-based software delivered for use by the enterprise.

General - Application

GitLab

Example enterprise resource to be protected. (In this build, GitLab is integrated directly with IBM Security Verify using SAML, and IBM QRadar XDR pulls logs from GitLab.)

General - Enterprise-Managed Device

Windows client, and mobile devices (iOS and Android)

Example endpoints to be protected.

General - BYOD

Windows client, and mobile devices (iOS and Android)

Example endpoints to be protected.

Build Architecture#

In this section we present the logical architecture of E4B3. We also describe E4B3’s physical architecture and present message flow diagrams for some of its processes.

Logical Architecture#

Figure 1 depicts the logical architecture of E4B3. Figure 1 uses numbered arrows to depict the general flow of messages needed for a subject to request access to a resource and have that access request evaluated based on subject identity (both requesting user and requesting endpoint identity), authorizations, and requesting endpoint health. It also depicts the flow of messages supporting periodic reauthentication of the requesting user and the requesting endpoint and periodic verification of requesting endpoint health, all of which must be performed to continually reevaluate access. The labeled steps in Figure 1 have the same meanings as they do in Architecture - Figure 1. However, Figure 1 includes the specific products that instantiate the architecture of E4B3. Figure 1 also does not depict any of the resource management steps found in Architecture - Figure 1 because the ZTA technologies deployed in E4B3 do not support the ability to perform authentication and reauthentication of the resource or periodic verification of resource health.

E4B3 was designed with IBM Security Verify as the ZTA PE, PA, and PEP, and IBM Security Verify providing ICAM support. Other components that support endpoint security, security analytics, and data security are also listed in Figure 1.

Figure 1 - Logical Architecture of E4B3

This figure depicts the logical architecture of E4B3. It uses numbered arrows to depict the general flow of messages needed for a subject to request access to a resource and have that access request evaluated based on subject identity (both requesting user and requesting endpoint identity), authorizations, and requesting endpoint health.

Physical Architecture#

Enterprise 4 describes the physical architecture of the E4B3 network.

Message Flows for Successful Resource Access Requests#

This section depicts some high-level message flows for E4B3 supporting the use case in which a subject who has an enterprise ID and who is authorized to access an enterprise resource requests and receives access to that resource. In both use cases depicted here, access to the resource is protected by IBM Security Verify/Trusteer, which acts as a PDP and an identity provider. In the first use case, the access request is coming from a managed device, and in the second use case, the access request is coming from an unmanaged device.

Use Case in which the Requesting Endpoint is Managed, so Access Is Enforced by IBM Security Verify/Trusteer and Authentication Is Performed by IBM MaaS360#

In this use case, the requesting endpoint is managed by IBM MaaS360. MaaS360 is a UEM that consists of an agent on the endpoint and a cloud component that work together to perform device authentication and first and second-factor user authentication, and also to gather device posture information to ensure device compliance.

The message flow depicted in Figure 2 shows only the messages that are sent in response to the access request. However, the authentication process also relies on the following additional background communications that occur among components on an ongoing basis:

  • The IBM MaaS360 endpoint agent periodically syncs with the IBM MaaS360 cloud component to reauthenticate the requesting endpoint device using a unique certificate that has been provisioned specifically for that device and sends the cloud component information about device health (e.g., firewall running, anti-malware software, iOS version).

  • IBM MaaS360 is integrated with IBM Security Verify/Trusteer and periodically sends Verify/Trusteer assurance that, based on the device health information collected by IBM MaaS360, the device is compliant with configured policy.

Figure 2 depicts the message flow for the user’s request to access the resource when the requesting endpoint is managed.

Figure 2 - Use Case E4B3 - The Requesting Endpoint Is Managed, so Access Is Enforced by IBM Security Verify/Trusteer and IBM MaaS360

This figure depicts the message flow for the user's request to access the resource when the requesting endpoint is managed.

The message flow depicted in Figure L-2 consists of the following steps:

  1. A user requests to access a resource from a managed endpoint.

  2. The resource receives the access request and sends a user authentication request to IBM Se-curity Verify/Trusteer.

  3. Certificate authentication is initiated with the MaaS360 agent.

  4. IBM Security Verify/Trusteer authenticates the requesting device’s certificate.

  5. Verify/Trusteer checks the endpoint’s compliance status based on information shared by MaaS360.

  6. Verify/Trusteer evaluates the access policy rules to determine if the access request is author-ized.

  7. Assuming the request is authorized and the endpoint has passed the authentication and au-thorization checks, IBM Security Verify/Trusteer creates a SAML assertion token and sends it to the resource. The resource accepts the assertion and grants the access request.

  8. User traffic to and from the resource is secured according to policy (e.g., using TLS or HTTPS).

Use Case in which the Requesting Endpoint Is Unmanaged, so Access Is Enforced by IBM Security Verify/Trusteer, which Also Performs User Authentication#

In this use case, the requesting endpoint is unmanaged. There is no endpoint agent running on the device, so device compliance cannot be enforced.

Figure 3 depicts the message flow for the user’s request to access the resource when the requesting endpoint is unmanaged.

Figure 3 - Use Case E4B3 - The Requesting Endpoint Is Unmanaged, so Access Is Enforced by IBM Security Verify/Trusteer

This figure depicts the message flow for the user's request to access the resource when the requesting endpoint is unmanaged.

The message flow depicted in Figure 3 consists of the following steps:

  1. A user requests to access a resource from an unmanaged endpoint.

  2. The resource receives the access request and sends a user authentication request to IBM Se-curity Verify/Trusteer.

  3. The user is prompted to provide username and password.

  4. IBM Security Verify/Trusteer verifies the username and password.

  5. Verify/Trusteer evaluates the access policy rules to determine if the access request is author-ized.

  6. Assuming the request is authorized and the endpoint has passed the authentication and authorization checks, IBM Security Verify/Trusteer creates a SAML assertion token and sends it to the resource. The resource accepts the assertion and grants the access request.

  7. User traffic to and from the resource is secured according to policy (e.g., using TLS or HTTPS).

Note that the message flows depicted in both of these use cases applies to several of the other use cases we are considering. It applies to all cases in which a user with an enterprise ID who can successfully authenticate themselves requests and receives access to an enterprise resource that they are authorized to access. The message flow is the same regardless of whether the user is located on-premises at headquarters, on-premises at a branch office, or off-premises at home or elsewhere. It is also the same regardless of whether the resource is located on-premises or in the cloud.