Enterprise 4 Build 4 (E4B4) - SDP, Microsegmentation, and EIG - VMware Workspace ONE Access, VMware Unified Access Gateway, and VMware NSX-T as PEs#
Note
This page is supplementary material for the NIST SP 1800-35 publication.
Technologies#
E4B4 uses products from Broadcom (with VMware products), IBM, Mandiant, and Tenable. Certificates from DigiCert are also used. For more information on these collaborators and the products and technologies that they contributed to this project overall, see Collaborators and Their Contributions. Note that after the VMware End User Computing division products were implemented at NCCoE, VMware was acquired by Broadcom, then the VMware End User Computing Division was divested and reformed under a new entity, Omnissa LLC.
E4B4 components consist of VMware Workspace ONE Access, VMware Unified Access Gateway (UAG), VMware NSX-T, VMware Workspace ONE UEM, VMware Workspace ONE MTD, VMware Carbon Black Enterprise EDR, VMware Carbon Black Cloud, VMware vSphere, VMware vCenter, VMware vSAN, IBM QRadar XDR, Mandiant Security Validation, Tenable.io, Tenable.ad, Tenable NNM, and DigiCert ONE.
Table 1 lists all of the technologies used in Build E4B4. It lists the products used to instantiate each ZTA component and the security function that each component provides.
Table 1 - E4B4 Products and Technologies
Component |
Product |
Function |
|---|---|---|
PE |
VMware Workspace ONE Access, VMware UAG, VMware NSX-T |
Decides whether to grant, deny, or revoke access to a resource based on enterprise policy, information from supporting components, and a trust algorithm. |
PA |
VMware Workspace ONE Access, VMware UAG, VMware NSX-T |
Executes the PE’s policy decision by sending commands to a PEP that establishes and shuts down the communication path between subject and resource. |
PEP |
VMware UAG, VMware NSX-T |
Guards the trust zone that hosts one or more enterprise resources; establishes, monitors, and terminates the connection between subject and resource as directed by the PA; forwards requests to and receives commands from the PA. |
ICAM - Identity Management |
VMware Workspace ONE Access |
Creates and manages enterprise user and device accounts, identity records, role information, and access attributes that form the basis of access decisions within an organization to ensure the correct subjects have the appropriate access to the correct resources at the appropriate time. |
ICAM - Access & Credential Management |
VMware Workspace ONE Access |
Manages access to resources by performing user and device authentication (e.g., SSO and MFA) and using identity, role, and access attributes to determine which access requests are authorized. |
ICAM - Federated Identity |
VMware Workspace ONE Access |
Aggregates and correlates all attributes relating to an identity or object that is being authorized by a ZTA. It enables users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Federated identity encompasses the traditional ICAM data, supports identities that may be part of a larger federated ICAM community, and may include non-enterprise employees. |
ICAM - Identity Governance |
None |
Provides policy-based, centralized, automated processes to manage user identity and access control functions (e.g., ensuring segregation of duties, role management, logging, access reviews, analytics, reporting) to ensure compliance with requirements and regulations. |
ICAM - MFA |
VMware Workspace ONE Access |
Authenticates user identity by requiring the user to provide not only something they know (e.g., a password), but also something they have (e.g., a token). |
Endpoint Security - UEM/MDM |
VMware Workspace ONE UEM |
Manages and secures enterprise desktop computers, laptops, and/or mobile devices in accordance with enterprise policy to protect applications and data; ensure device compliance; mitigate and remediate vulnerabilities and threats; monitor for suspicious activity to prevent and detect intrusions; prevent, detect, and disable malware and other malicious or unauthorized traffic; repair infected files when possible; provide alerts and recommend remediation actions; and encrypt data. Pushes enterprise applications and updates to devices, enables users to download enterprise applications that they are authorized to access, remotely deletes all applications and data from devices if needed, tracks user activity on devices, and detects and addresses security issues on the device. |
Endpoint Security - EPP |
VMware Workspace ONE MTD |
Detects and stops threats to endpoints through an integrated suite of endpoint protection technologies including antivirus, data encryption, intrusion prevention, EDR, and DLP. May include mechanisms that are designed to protect applications and data; ensure device compliance with policies regarding hardware, firmware, software, and configuration; monitor endpoints for vulnerabilities, suspicious activity, intrusion, infection, and malware; block unauthorized traffic; disable malware and repair infections; manage and administer software and updates; monitor behavior and critical data; and enable endpoints to be tracked, troubleshooted, and wiped, if necessary. |
Endpoint Security - EPP |
VMware Carbon Black Enterprise EDR, VMware Carbon Black Cloud |
Detects threats to endpoints through an integrated suite of endpoint detection technologies, including antivirus, data encryption, and intrusion detection. May monitor endpoints for vulnerabilities, suspicious activity, intrusion, infection, and malware. |
Security Analytics - SIEM |
IBM QRadar XDR |
Collects and consolidates security information and security event data from many sources; correlates and analyzes the data to help detect anomalies and recognize potential threats and vulnerabilities; and logs the data to adhere to data compliance requirements. |
Security Analytics - Endpoint Monitoring |
Tenable.io |
Discovers all IP-connected endpoints and performs continuous collection, examination, and analysis of software versions, configurations, and other information regarding hosts (devices or VMs) that are connected to the network. |
Security Analytics - Vulnerability Scanning and Assessment |
Tenable.io and Tenable.ad |
Scans and assesses the enterprise infrastructure and resources for security risks; identifies vulnerabilities and misconfigurations; and provides remediation guidance regarding investigating and prioritizing responses to incidents. |
Security Analytics - Traffic Inspection |
Tenable NNM |
Intercepts, examines, and records relevant traffic transmitted on the network. |
Security Analytics - Network Discovery |
Tenable NNM |
Discovers, classifies, and assesses the risk posed by devices and users on the network. |
Security Analytics - Security Validation |
Mandiant Security Validation |
Provides visibility and evidence on the status of the security controls- effectiveness in the ZTA. Enables security capabilities of the enterprise to be monitored and verified by continuously validating and measuring the cybersecurity controls; also used to automate the demonstrations that were performed to showcase ZTA capabilities. Mandiant Security Validation is deployed throughout the project’s laboratory environment to enable monitoring and verification of various security aspects of the builds. VMs that are intended to operate as actors are deployed on each of the subnetworks in each of the enterprises. These actors can be used to initiate various actions for the purpose of verifying that security controls are working to support the objectives of zero trust. |
General - Remote Connectivity |
VMware UAG |
Provides remote users with connectivity to on-premises and IaaS resources. |
General - Certificate Management |
DigiCert ONE |
Provides automated capabilities to issue, install, inspect, revoke, renew, and otherwise manage TLS certificates. |
General - Virtualized Infrastructure |
VMware includes NSX-T, vSphere, vCenter, and vSAN |
On-premises virtualized infrastructure hosting enterprise resources. |
General - Cloud IaaS |
IBM Cloud - GitLab |
Provides computing resources, complemented by storage and networking capabilities, hosted by a cloud service provider, offered to customers on demand, and exposed through a GUI and an API. |
General - Cloud SaaS |
DigiCert ONE, Tenable.io, VMware Workspace ONE Access, VMware Workspace ONE MTD, VMware Workspace ONE UEM, VMware Carbon Black Enterprise EDR, VMware Carbon Black Cloud |
Cloud-based software delivered for use by the enterprise. |
General - Application |
GitLab |
Example enterprise resource to be protected. (In this build, GitLab is integrated directly with VMWare Workspace ONE Access using SAML, and IBM QRadar XDR pulls logs from GitLab.) |
General - Enterprise-Managed Device |
Mobile devices (iOS and Android) and desktops/laptops (Windows, Mac, and Linux) |
Example endpoints to be protected. |
General - BYOD |
Mobile devices (iOS and Android) and desktops/laptops (Windows, Mac, and Linux) |
Example endpoints to be protected. |
Build Architecture#
In this section we present the logical architecture of E4B4. We also describe E4B4’s physical architecture and present message flow diagrams for some of its processes.
Logical Architecture#
Figure 1 depicts the logical architecture of E4B4. Figure 1 uses numbered arrows to depict the general flow of messages needed for a subject to request access to a resource and have that access request evaluated based on subject identity (both requesting user and requesting endpoint identity), authorizations, and requesting endpoint health. It also depicts the flow of messages supporting periodic reauthentication of the requesting user and the requesting endpoint and periodic verification of requesting endpoint health, all of which must be performed to continually reevaluate access. The labeled steps in Figure 1 have the same meanings as they do in Architecture - Figure 1. However, Figure 1 includes the specific products that instantiate the architecture of E4B4. Figure 1 also does not depict any of the resource management steps found in Architecture - Figure 1 because the ZTA technologies deployed in E4B4 do not support the ability to perform authentication and reauthentication of the resource or periodic verification of resource health.
E4B4 was designed with VMware Workspace ONE Access, VMware UAG, and VMware NSX-T as its PEs and PAs, VMware UAG and VMware NSX-T as its PEPs, and VMware Workspace ONE Access providing ICAM support. Other components that support endpoint security, security analytics, and data security are also listed in Figure 1.
Figure 1 - Logical Architecture of E4B4
Physical Architecture#
Enterprise 4 describes the physical architecture of the E4B4 network.
Message Flows for Successful Resource Access Requests#
This section depicts some high-level message flows for E4B4. Resource access is protected by VMware technology, which acts as a PDP and PEP. VMware products also serve as the identity provider for the build and provide endpoint protection.
Authentication Message Flow for Access to Both Internal and External Resources (VMware Workspace ONE Access, VMware Workspace ONE UEM)#
Figure 2 depicts the high-level message flow supporting the use case in which a subject who has an enterprise ID, is using a compliant device, and is authorized to access an enterprise resource, requests and receives access to that resource. In the case depicted here, the request to access the resource and all communication between the user and the resource flows through an authenticated tunnel. Access to the resource is authenticated and authorized by:
VMware Workspace ONE Access, which acts as both PDP and IdP
VMware Workspace ONE UEM, which has an agent running on the requesting endpoint that assesses device compliance and periodically reports device compliance status to the VMware Workspace ONE UEM controller
The message flow depicted in Figure 2 shows only the messages that are sent in response to the access request. However, the authentication and access process also relies on additional background communications that occur between the Workspace ONE UEM agent and the Workspace ONE UEM controller that provide the controller with device compliance status on an ongoing basis.
Prior to the message flow depicted in Figure 2, the user is assumed to have authenticated to the VMware Workspace ONE UEM agent on the device. After the user authenticates to this agent, if the user requests access to a protected resource, an authenticated tunnel can be established between the Workspace ONE UEM agent on the user’s device and the UAG that is protecting the requested resource.
Figure 2 - Use Case E4B4 - User Authentication and Access Enforcement Using Workspace ONE Access and Workspace ONE UEM
The message flow depicted in Figure 2 consists of the following steps:
A user who has already logged into the UEM agent on an enterprise-managed device requests to access a resource. This request flows through an authenticated tunnel to the VMware Unified Access Gateway (UAG) that is protecting the resource.
The UAG contacts Workspace ONE UEM to verify that the device is compliant.
Assuming the device is compliant, the UAG forwards the user’s request to the resource.
Because the user does not have an access token for the resource, the user’s access request is redirected to Workspace ONE Access so the user can be authenticated.
Workspace ONE Access contacts Workspace ONE UEM to verify that the device is compliant.
Assuming the device is compliant, Workspace ONE Access challenges the user for their authentication credentials.
The user responds with their first-factor credentials (i.e., username and password).
Workspace ONE Access challenges the user for their second authentication factor.
The user responds with their second-factor credential.
Assuming that the user has authenticated successfully, and that policy indicates that the user is authorized to access the resource, Workspace ONE issues the requesting user a SAML asser-tion for access to the resource.
The user sends the SAML assertion to the resource via the authenticated tunnel to the UAG. The resource accepts the assertion and grants the access request.
User traffic to and from the resource is secured according to policy on the authenticated tunnel.
Note that the message flow described above is the same regardless of whether the employee is located on-premises at headquarters, on-premises at a branch office, or off-premises at home or elsewhere. It is also the same regardless of whether the resource is located on-premises or in the cloud.
Authentication Message Flow for Network Access to a Resource from a VM (VMware NSX-T, VMware VMtool, Microsoft AD)#
Figure 3 depicts the high-level message flow supporting the use case in which a subject who has an enterprise ID, is using a VM on an NSX-T managed network segment, and is authorized to have network access to an enterprise resource, requests and receives network access to the resource. In the use case depicted here, network access to the resource is managed by VMware NSX-T, which uses device identity information provided by a VMware VMtool agent running on the requesting VM and relies on Microsoft AD as an identity provider:
NSX-T provides network access based on identity, but does not control access to the resource itself.
VMtool is a client agent running on the requesting VM that provides identity information to NSX-T.
Microsoft AD serves as the IdP to authenticate user identities.
NSX AD log scraping is another method that NSX uses to determine who is logged into a VM if the VMtool agent stops working or if the VMtool agent is not installed on a VM. (VMtool is the primary method of determining who is logged in, and log scraping is a secondary backup method.)
Figure 3 - Use Case E4B4 - User Authentication and Authorization for Network Access to a Resource from a VM Using NSX-T and VMtool client agent
The message flow depicted in Figure 3 consists of the following steps:
NSX-T synchronizes select AD groups from Microsoft AD. These groups are then used to create access policies in NSX-T based on identity.
The user enters their Microsoft AD credential (e.g., username and password) on the device to attempt to log into a VM.
The device (VM) passes the user authentication request to Microsoft AD
Microsoft AD verifies the user’s credentials to authenticate the user’s identity and grants the logon request.
(5a.) The VMtool agent on the requesting VM sends the user’s username to NSX-T, or, alternatively, if the VMtool agent is not installed on the VM or if it is not working, then (5b.) NSX uses AD log scraping as a secondary method to identify the user.
The user makes a request to access a resource on the network, which is sent to NSX-T.
Assuming enterprise policy permits, NSX-T grants the user network access to the resource.
Note that the message flow described above authenticates and authorizes the user to have network access to the resource based on the user’s identity. However, it does not control access to the resource itself. That is, the user is permitted to reach the resource, but is not logged into the resource. After a user has performed the message flow described here to gained network access to the resource, they would initiate the call flow described in Authentication Message Flow for Access to Both Internal and External Resources (VMware Workspace ONE Access, VMware Workspace ONE UEM) to be authenticated and authorized for access to the resource itself using VMware Workspace ONE Access and VMware Workspace One UEM.