Enterprise 2 Build 6 (E2B6) - SASE - Google Chrome Enterprise Premium (CEP) - Access Context Manager as PE
Note: This page is supplementary material for the NIST SP 1800-35 publication.
This section of the practice guide contains detailed instructions for installing, configuring, and integrating all the products used to implement E2B6. For additional details on E2B6’s logical and physical architectures, please refer to Architecture and Builds.
Google Chrome Enterprise Premium (CEP)
Google’s CEP is a zero trust platform that is secure and reliable, providing continuous and real-time end-to-end protection. CEP’s PE and PDP (Access Context Manager) are managed by Google’s cloud platform. Use Google’s Access Context Manager Documentation for setup and configuration of policies. CEP uses the Chrome browser for endpoint protection and compliance checks, and uses the Identity-Aware Proxy (IAP) as the PEP. Use the CEP How-to Guides to configure access to resources.
Note: BeyondCorp and Chrome Enterprise have merged, and the combined product is now called Chrome Enterprise Premium (CEP).
Google CEP Chrome Browser
Google’s CEP Chrome browser is the endpoint security solution implemented in this build. The CEP Chrome browser provides endpoint and user information to Okta and CEP for endpoint verification and compliance checks based on the policies set in CEP Access Context Manager. To set up and configure CEP to manage the Chrome browser, follow the Chrome Browser Cloud Management documentation. Steps include:
Sign up for Chrome Browser Cloud Management
Enroll cloud-managed Chrome browsers
Enable Chrome browser reporting
Set policies for enrolled browsers including data protection
Google Application Connector
Google’s Identity-Aware Proxy (IAP) is the application connector used to protect both cloud and on-prem resources. For this build, we have resources on-prem and in the cloud. To begin setup, start with the Identity-Aware Proxy overview document. For the specific configuration of cloud resources, follow the instructions in the Enabling IAP for Compute Engine document.
For the on-premises connection setup, review the information in the Overview of IAP for on-premises apps document prior to installation. Then follow the instructions in the Enabling IAP for on-premises apps document to configure the on-prem IAP connector.
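As an added illustration (not part of this guide or of Google’s documentation) of how Access Context Manager fills the PE/PDP role described above, the following basic access level admits only compliant, corporate-owned devices, using the device signals reported by the cloud-managed Chrome browser; the OS baselines, subnet and names are assumed placeholders. The file is passed to `gcloud access-context-manager levels create` with `--basic-level-spec`, and IAP then enforces the level as the PEP through an IAM binding on the protected resource whose condition checks `request.auth.access_levels` for it.

```yaml
# Access Context Manager basic access level (example with assumed values).
# Each list item is one condition; with --combine-function=AND all must hold.
- devicePolicy:
    # Device posture reported by the cloud-managed Chrome browser
    requireScreenlock: true
    requireCorpOwned: true
    requireAdminApproval: true
    allowedEncryptionStatuses:
      - ENCRYPTED
    osConstraints:
      - osType: DESKTOP_WINDOWS
        minimumVersion: 10.0.0     # assumed baseline version
      - osType: DESKTOP_MAC
        minimumVersion: 10.13.0    # assumed baseline version
  # Restrict to the assumed corporate egress range (documentation prefix)
  ipSubnetworks:
    - 203.0.113.0/24
```

A request that reaches IAP from a device failing any of these checks is denied before it touches the backend, which is the PEP behaviour the architecture relies on.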
Google Cloud
For installation, configuration, and integration instructions, refer to Google Cloud.
Google Workspace
For installation, configuration, and integration instructions, refer to Google Workspace.
Refer to Google’s Okta user provisioning and single sign-on documentation for integration with Okta.
Okta Identity Cloud
The Okta Identity Cloud was implemented in the same manner as Enterprise 1. No significant changes were made. Refer to Okta Identity Cloud.
Specific configuration for Okta’s integration with Google can be found in Okta’s Google Workspace integration documentation.
Okta Verify App
The Okta Verify App was implemented in the same manner as Enterprise 1. No significant changes were made. Refer to Okta Verify App.
Radiant Logic RadiantOne
Installation and Configuration
Refer to Radiant Logic RadiantOne Installation and Configuration.
Integrations
Refer to Radiant Logic RadiantOne Integration for integration of Radiant Logic with SailPoint.
SailPoint IdentityIQ
Installation and Configuration
Refer to SailPoint IdentityIQ Installation and Configuration.
Integration with Radiant Logic
Refer to SailPoint IdentityIQ Integration with Radiant Logic.
Integration with AD
Refer to SailPoint IdentityIQ Integration with AD.
VMware Workspace ONE
For installation, configuration, and integration instructions, refer to VMware Workspace ONE.
Note that after the VMware End User Computing division products were implemented at NCCoE, VMware was acquired by Broadcom, then the VMware End User Computing Division was divested and reformed under a new entity, Omnissa LLC.
IBM Security QRadar XDR
For installation, configuration, and integration instructions, refer to IBM Security QRadar XDR.
Tenable.io
For installation, configuration, and integration instructions, refer to Tenable.io.
Tenable.ad
For installation, configuration, and integration instructions, refer to Tenable.ad.
Tenable NNM
For installation, configuration, and integration instructions, refer to Tenable NNM.
Mandiant Security Validation (MSV)
For installation, configuration, and integration instructions, refer to Mandiant Security Validation (MSV).
DigiCert CertCentral
For installation, configuration, and integration instructions, refer to DigiCert CertCentral.