
F5 Confidential – Internal Use Only

Sections: Overview | NIST ZTA | Tenets of Zero Trust | ZTA Components & Trust Algorithm | Deployment Approaches | ZTA Deployment Variations | ZTA Use Cases | Network View & Requirements | ZTA Threats

F5 / NIST Zero Trust Architecture
Technical Sales Playbook

April 2021

1 | ©2021 F5
End of Perimeter Security | Enter Zero Trust

Perimeter security approach: "Trust, but Verify"

A typical enterprise's infrastructure started simply, but has grown increasingly complex.

[Diagram: Trust Zone; VPN; Corporate Network (Old Perimeter)]
Enterprises are more complex, outpacing perimeter security

• An enterprise may operate several internal networks, remote offices with local infrastructure, remote and/or mobile users, and cloud services
• Complexity has exceeded legacy methods of perimeter-based network security
• No more single, easily identifiable enterprise perimeter
• Perimeter-based network security is now insufficient – once attackers breach the

[Diagram: Trust Zone; VPN; Remote / Branch Office; Corporate Network (Old Perimeter)]
Securing the network perimeter is insufficient because…

Apps are now on multiple cloud environments
• 81% of enterprises have apps in at least 2 providers*

Global remote work / WFA to continue growth
• 58% of workers "always" or "sometimes" work from home or remotely**
• 65% of workers would like to continue to work from home or remotely**

Global mobile workforce
• 1.87B global mobile workers by 2022***

* IBM MOBILE WORKFORCE REPORT
** GALLUP SURVEY
*** WHY ORGANIZATIONS CHOOSE A MULTICLOUD STRATEGY, GARTNER
Enter Zero Trust

Zero Trust approach is primarily focused on protecting data and services… but should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components)… and subjects (end users, applications and other non-human entities that request information from resources).

THE ZERO TRUST PARADIGM
• Eliminates the idea of a trusted network inside a defined perimeter
• Assume attackers already lurking on the network
• No environment is any more trustworthy than any other
• Assume no implicit trust
• Continually analyze and evaluate risks
• Mitigate risks
The Zero Trust proverb: "Trust, But Verify" is outdated and dangerous

NEVER TRUST
Users even if they have been granted access through (what's left of) perimeter security to the network, or to other apps

ALWAYS VERIFY
Users' identity, device, location, and other contextual parameters upon access attempts to every app

CONTINUOUSLY MONITOR
Users' device, location, network access, and other variables at app access and throughout their app session, ensuring security
NIST ZTA Publication | NIST Zero Trust Basics | NIST Guidelines

NIST Special Publication 800-207: Zero Trust Architecture
• Contains an abstract definition of a Zero Trust Architecture (ZTA)
• Provides general deployment models and use cases where Zero Trust might improve an enterprise's overall information technology security posture
• The document:
  o Intends to describe Zero Trust for enterprise security architects
  o Means to aid understanding of Zero Trust for civilian unclassified systems
  o Offers a road map to migrate and deploy Zero Trust security concepts to an enterprise environment
NIST Zero Trust Basics

• Goal: Prevent unauthorized access to data and services while making access control enforcement as granular as possible
• Focus on authentication, authorization, and shrinking zones of implicit trust

[Diagram: Zero Trust Access. Untrusted Zone -> Policy Decision / Enforcement Point (PDP / PEP) -> Implicit Trust Zone: Resource (System, Data, or Application)]

• Subject needs access to an enterprise resource
• Access is granted through a PDP and associated PEP
• Must ensure the subject is authentic and their request valid
• PDP/PEP passes judgment to allow subject to access the resource
• Zero trust is applied to two basic areas: authentication and authorization
• Need to develop and maintain dynamic risk-based policies for resource access and a system to ensure policies are enforced correctly and consistently for each individual resource access request

• Trustworthiness should not be implied where a subject has met a basic authentication level and is deemed equally valid for all subsequent resource requests
• PDP / PEP applies controls so all traffic beyond the PEP has a common level of trust
• PDP/PEP cannot apply additional policies beyond its location in the traffic flow
• Implicit trust zone must be as small as possible
• Zero Trust is a set of principles and concepts on moving the PDP / PEP closer to the resource
• Zero Trust explicitly authenticates and authorizes all subjects, assets, and workflows
Explicitly authenticate and authorize all subjects, assets, and workflows

[Diagram: Zero Trust Access. Untrusted Zone -> Policy Decision / Enforcement Point (PDP / PEP) -> Implicit Trust Zone: Resource (System, Data, or Application)]

Questions the PDP must answer for every request:
• What is the level of confidence about subject's identity for this unique request?
• Is access to the resource allowable given the level of confidence in the identity?
• Does the device used for the request have proper security posture?
• Are there other factors that should be considered and that change the confidence level (e.g., time, location of subject, subject's security posture)?

Implicit trust zone:
• An area where all entities are trusted to at least the level of the last PDP/PEP gateway
• It's like the passenger screening model in an airport
  o All passengers pass through the airport security checkpoint (PDP/PEP) to access the boarding gates
  o Passengers, airport employees, aircraft crew, etc., gather in the terminal area
  o All individuals are considered trusted
  o In this example, the implicit trust zone is the boarding area
NIST guidelines not just for U.S. government anymore

• U.S. Federal Government
• Utilities
• Transportation
• Financial services
• Communications
• Healthcare
• Food and agriculture
• Key manufacturers
• Emergency services
• Foreign governments
• Others (dams, etc.)
Zero Trust Tenets – Overview | F5 and Zero Trust Tenets

The NIST Tenets of Zero Trust (Zero Trust Architecture)

1. All data sources and computing services are "resources"
2. Communications are secured regardless of location
3. Access to individual resources granted on per-session basis
4. Access to resources determined by dynamic policy and other behavioral and environmental attributes
5. Monitor and measure integrity and security posture of owned and associated assets
6. Dynamic resource authentication and authorization strictly enforced before access allowed
7. Collect info on current state of asset, network infrastructure, and communications to improve security posture
Data sources + computing services = "Resources"

Tenet 1: All data sources and computing services are "resources"

Network comprised of multiple classes of devices:
• Small footprint devices sending data to aggregators / storage
• Software-as-a-Service (SaaS)
• Other devices / functions

Personally-owned devices may be resources if able to access enterprise-owned resources
Location on network = Trust

Tenet 2: Communications are secured regardless of location

• Trust not automatically granted to assets requesting access from enterprise network infrastructure
• Communicate in most secure manner available
• Protect confidentiality and integrity
• Provide source authentication

Solution:
• Encrypt communications
• Continuously assess integrity
• Continuously check access context

F5:
• Encrypts access between user / device and application, regardless of location
• Continuously assesses device integrity, user identity, and application integrity
• Continuously checks context of application access
• Enables customizable actions if assessments and checks find integrity or contextual issues
• Centralizes encryption, decryption, and re-encryption of traffic with dynamic service chaining and intelligent routing and bypass
Secure access with limits

Tenet 3: Access to individual resources granted on per-session basis

• Evaluate trust (identity, authentication, authorization) before granting access
• Grant access with only enough privileges to complete task
• Authentication and authorization to a resource does not grant access to other resources

Solution:
• Trusted source of identity
• Check authentication and authorization prior to access
• Least privilege access
• Access privileges to one resource at a time

F5:
• Integrates seamlessly with major trusted identity sources, including Identity-as-a-Service (IDaaS)
• Checks and ensures secure authentication and authorization throughout application access
• Enables least privilege access based on context and task
• Applies per-request application access
• Provides Identity Aware Proxy (IAP)
Dynamic contextual policy-based access

Tenet 4: Access to resources determined by dynamic policy and other behavioral and environmental attributes

• Resource access and policies vary based on resource / data sensitivity; least privilege restricts visibility and accessibility
• Policy is set of access rules based on attributes assigned a subject, data, or application according to business process and acceptable level of risk
• Define available resources, members, and required resource access
• Identity includes user account (or service identity) and associated attributes or artifacts for authenticating automated tasks
• Asset state includes device characteristics (installed software versions, network location, request time/date, installed credentials, etc.)
• Behavioral attributes include automated subject analytics, device analytics, and deviations from usage patterns
• Environmental attributes include requestor network location, time, reported active attacks, etc.

Solution:
• Grant access to assets / resources based on continuous assessment and validation of identity, context, state, behaviors, environment, and least privilege

F5:
• Creates dynamic policies for access to assets / resources based on identity, context, state, behaviors, environment, and least privilege
• Continuously monitors, assesses, and validates app access based on identity, context, state, behaviors, environment, and privilege
• Centralizes and consistently applies dynamic access policies for any app, anywhere based on per-application access request
• Integrates effortlessly with third-party user behavior and endpoint analytics (UEBA), risk management, and conditional access
Ensure device integrity and security

Tenet 5: Monitor and measure integrity and security posture of owned and associated assets

• Trust no asset
• Evaluate asset security posture while appraising resource request
• Monitor device and application state, and mitigate, if needed
• Access attempts by unstable, vulnerable enterprise owned or managed assets, or assets not enterprise managed (including personally-owned devices) can be treated differently
• Requires a monitoring and reporting system to gather actionable data on current enterprise resource state

Solution:
• Continuously monitor asset integrity and posture, regardless of ownership or management
• Continuously check app state
• Mitigate
• Monitor and report on resource state

F5:
• Continuous monitoring and validation of integrity and security posture for ALL assets, at time of access request and beyond
• Continuous monitoring and assessment of app state and security
• Supports mitigation of devices and apps if vulnerable or that do not meet posture levels
• Monitors, compiles, and reports usable info on resource state and access
• Seamlessly integrates with third-party device management, monitoring, and mitigation solutions
Stringently enforce access authentication and authorization

Tenet 6: Dynamic resource authentication and authorization strictly enforced before access allowed

• Continuously obtain access; scan and assess threats; adapt; and constantly (re)evaluate trust
• Employ identity, credential, access, and asset management, including multi-factor authentication (MFA)
• Constantly monitor possible reauthentication and reauthorization defined and enforced in policy-based transactions
• Strive to balance security, availability, usability, and cost-efficiency

Solution:
• Constant, vigilant monitoring of access, threat assessment, and trust
• Immediately adapt to threats and changes in trust
• Manage identity, credentials, and access
• Consistent policy enforcement

F5:
• Continuous review and assessment of access, threats, and trust
• Instantly enforces policy actions if change in identity, context, state, behavior, environment, and / or privilege attempted is detected
• Seamless integration with major third-party identity providers, MFA vendors, and credential management tools
• Works effortlessly with credential assessment solutions and services
• Enforces access policies consistently across applications and environments
Continuous security improvements

Tenet 7: Collect info on current asset, network infrastructure, and communications state to improve security posture

• Security posture, network traffic, and access request data collection
• Analyze captured data
• Leverage data analysis and insight to improve policy creation and enforcement

Solution:
• Collects significant data on security, traffic, and access
• Performs data analysis on collected info
• Continuously strengthens policy creation and enforcement based on captured data

F5:
• Continuous review and assessment of access, threats, and trust
• Provides visibility into application access and traffic trends, aggregates data for long-term forensics, accelerates incident responses, and identifies issues and unanticipated problems before they can occur
• Initiates quick action, if required, including the termination of specific access sessions
• Delivers a fast overview of access health
NIST ZTA Components | F5 in NIST ZTA | F5 and Core Components | F5 and Other Components | F5 & Trust Algorithm

Logical components of NIST Zero Trust Architecture

[Diagram]
Control Plane
  Inputs (left): CDM System; Industry Compliance; Threat Intelligence; Activity Logs
  Policy Decision Point (PDP): Policy Engine (PE) + Policy Administrator (PA)
  Inputs (right): Data Access Policy; Enterprise PKI; ID Management; SIEM System
Data Plane
  Subject / System (Untrusted) -> Policy Enforcement Point (PEP) -> Enterprise Resource (Trusted)

Policy Engine: Responsible for the ultimate decision to grant access to a resource for a given subject

Policy Administrator: Responsible for establishing and/or shutting down the communication path between a subject and a resource

Policy Enforcement Point (PEP): Responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource
F5 in the NIST Zero Trust Architecture

[Diagram: NIST ZTA logical components annotated with F5 products]
Control Plane
  CDM System: F5 Access Guard; Shape DeviceID+; Third-party EMM / MDM
  Industry Compliance: FIPS compliant hardware; HSMs; ICSA labs certified
  Threat Intelligence: HTTP Connector: Conditional Access; third-party UEBA, risk engines; LCC
  Activity Logs: Integration with F5 BIG-IQ, F5 BIG-IP LTM, F5 Beacon
  Policy Decision Point (PDP) (Policy Engine, Policy Administrator): BIG-IP APM, acting as the PDP and PEP
  Data Access Policy: BIG-IP APM: dynamic, identity-, context-based policies
  Enterprise PKI: BIG-IQ; Third-party enterprise PKI providers
  ID Management: Integrates with major IDaaS, identity service providers
  SIEM System: Integration with F5 BIG-IQ, third-party SIEM vendors (Dell / RSA, Exabeam, Splunk, etc.)
Data Plane
  Subject / System (Untrusted) -> Policy Enforcement Point (PEP) -> Enterprise Resource (Trusted)
BIG-IP APM as Policy Decision Point (PDP)

[Diagram: NIST ZTA logical components with the Policy Decision Point (Policy Engine, Policy Administrator) highlighted]

• BIG-IP APM serves as Policy Decision Point (PDP), incorporating both the Policy Engine (PE) and Policy Administrator (PA)
• The ultimate decision-maker on whether or not to grant access to a resource for a given subject
• Uses dynamic identity- and context-based enterprise policies, and input from external and third-party sources to grant, deny, or revoke resource access
• Makes and logs access decisions
• As Policy Administrator, executes access decisions
• Responsible for establishing and/or shutting down the communication path between a user and a resource
• Generates authentication and authentication tokens or credentials used to access enterprise resources
BIG-IP APM as Policy Enforcement Point (PEP)

[Diagram: NIST ZTA logical components with the Policy Enforcement Point highlighted; BIG-IP APM acts as the PDP and PEP]

• BIG-IP APM also serves as Policy Enforcement Point (PEP)
• If a session is authorized and request authenticated, as the PEP, APM allows a session to start
• However, if session is denied or a prior approval overruled because of a lack of policy adherence, APM shuts the connection down
• APM is also responsible for enabling, monitoring, and terminating connections between users and enterprise resources
• APM is split into 2 logical components
  o The client or agent, which in APM's case is F5 Access Guard, in addition to BIG-IP Edge Client for computing devices and F5 Access for mobile devices
  o The resource side, where APM is a secure, flexible, high-performance access management proxy solution that manages global access to networks, the cloud, applications, and APIs
F5 in the NIST Zero Trust Architecture: CDM System

[Diagram: NIST ZTA logical components with the CDM System highlighted; BIG-IP APM acts as the PDP and PEP]

• BIG-IP APM checks user device security posture via F5 Access Guard, a browser extension that coordinates with APM
• BIG-IP APM and F5 Access Guard check device integrity at authentication AND continuous, ongoing device posture checks throughout application access
• If any change in device integrity is detected, APM and Access Guard can either limit or stop application access, halting potential attacks before they launch
• Shape DeviceID+ with APM identifies and distinguishes between enterprise- and non-enterprise-owned devices
• APM and BIG-IP Edge and F5 Access integrate with leading mobile device management (MDM) and enterprise mobility management (EMM) solutions, including VMware Horizon ONE (AirWatch), Microsoft Intune, and IBM MaaS360, to perform device security and integrity checks
F5 in the NIST Zero Trust Architecture: Industry Compliance

[Diagram: NIST ZTA logical components with Industry Compliance highlighted; BIG-IP APM acts as the PDP and PEP]

• F5 offers the following solutions to meet even the most rigorous compliance requirements and architectures:
  o Virtual editions (VEs)
  o Full-box FIPS platforms
  o Integrated hardware security module (HSM) PCI cards
  o External (network HSM) FIPS solutions
F5 in the NIST Zero Trust Architecture: Threat Intelligence

[Diagram: NIST ZTA logical components with Threat Intelligence highlighted; BIG-IP APM acts as the PDP and PEP]

• BIG-IP APM's HTTP Connector enables unified integration with third-party user and entity behavior analytics (UEBA) and other API-driven risk engines
• Seamlessly adds another level of security and application access control
• Leverages risk assessment via REST APIs as part of its policy-based access controls
• Enables risk-based access to networks, clouds, apps, and APIs, enhancing BIG-IP APM's Zero Trust IAP solution
• HTTP Connector leverages user group, domain, and network-based triggers to increase enforceability of risk-based access, providing greater visibility and increased analytics to determine whether or not to grant or deny access to networks, cloud, applications, and APIs
• Data from HTTP Connector also enables integration with Microsoft Azure Active Directory's Conditional Access, increasing breadth of coverage
F5 in the NIST Zero Trust Architecture: Activity Logs

[Diagram: NIST ZTA logical components with Activity Logs highlighted; BIG-IP APM acts as the PDP and PEP]

• BIG-IP APM integrates with BIG-IQ Centralized Management to provide enhanced visibility through access reports and logs
• Delivers analytical reports and logs based on devices and groups to increase insight into user access and analysis
• Helps take quick action if required, including terminating specific access sessions
• Reports available through BIG-IQ for APM provide greater visibility into application access and traffic trends, aggregate data for long-term forensics, accelerate incident responses, and identify issues and unanticipated problems before users experience them
• BIG-IQ's holistic view of app and network access provides a better understanding of access policy effectiveness, locates and addresses weak points, and enhances responses to issues and concerns
• F5 Beacon, a SaaS solution, empowers end-to-end visibility across the application portfolio, offering anomaly detection, root cause analysis, and security compliance assurance, driving better-informed decisions and improving customer experience
F5 in the NIST Zero Trust Architecture: Data Access Policy

[Diagram: NIST ZTA logical components with Data Access Policy highlighted; BIG-IP APM acts as the PDP and PEP]

• BIG-IP APM enables creation, enforcement, and centralization of simple, dynamic, intelligent access policies for all apps
• Enables customized access policies to be applied across many apps and their data
• Gains centralized visibility of the authorization environment
• APM's Identity Aware Proxy (IAP) enables creation and enforcement of granular app access policies based on contextual attributes, such as user identity, device integrity, user location, and more
• IAP relies on application-level access controls, not network-layer rules
• Configured policies reflect user and application intent and context
• Context-aware policies may also be assigned based on a device's security state, enabling, modifying, or disabling access from the device
• Hardware attributes may be mapped to a user's role to enable additional access control decision points
• Protects APIs with consistent, flexible authentication and authorization policies
• Visual Policy Editor (VPE) makes designing and managing granular access control policies on an individual or group basis fast and simple
• Designs access policies for authentication and authorization, also based on endpoint security checks, enforcing user compliance with corporate policies and industry regulations
F5 in the NIST Zero Trust Architecture: Enterprise PKI

[Diagram: NIST ZTA logical components with Enterprise PKI highlighted; BIG-IP APM acts as the PDP and PEP]

• BIG-IQ delivers a level of certificate management
• BIG-IP supports automated certificate renewal
• For enterprise-level PKI, F5 predominantly relies on third-party providers and partners, such as Venafi
NIST ZTA Components F5 in NIST ZTA F5 and Core Components F5 and Other Components F5 & Trust Algorithm

F5 in the NIST Zero Trust Architecture: ID Management

[Diagram: NIST ZTA core components with Enterprise PKI and ID Management feeding the Policy Engine on the control plane; BIG-IP APM acts as the PDP and PEP]

• APM supports identity federation and SSO options by supporting connections initiated by SAML 2.0 for both identity providers (IdP) and service providers (SP)
• Enables local and remote user SSO via SAML, OIDC / OAuth, or FIDO2 (U2F) to on-premises apps
• Integrates with leading IAM vendor products (Microsoft, Okta, Ping Identity)
• Supports Identity-as-a-Service (IDaaS), including Microsoft Azure Active Directory and Okta
• Can create a bridge or identity provider chain between cloud-based IAM or IDaaS offerings and local authentication services, leveraging SAML to federate user identity for organizations that won’t replicate their credential store in the cloud and want to maintain control of on-premises user credentials
F5 in the NIST Zero Trust Architecture: SIEM System

[Diagram: NIST ZTA core components with Enterprise PKI, ID Management, and SIEM System feeding the Policy Engine on the control plane; BIG-IP APM acts as the PDP and PEP]

• BIG-IQ and APM deliver greater visibility into application access and traffic trends, aggregate data for long-term forensics, accelerate incident response, and identify issues and unanticipated problems
• APM integrates with BIG-IQ, providing enhanced visibility through analytical reports and logs based on devices and groups, increasing insight into user access and analysis
• Provides a CSV export of APM report data, making it accessible for customized reports and for integration with SIEM systems
• APM integrates with leading SIEM solutions, including those from Dell / RSA (NetWitness), Exabeam, and Splunk, to name a few
• Access policy dashboard on BIG-IP provides a fast overview of access health
• View a default template of active sessions, network access throughput, new sessions, and network access connections, or create customized views using the dashboard windows chooser
• Drag-and-drop desired statistics onto the windowpane to gain a real-time understanding of access health
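The CSV export is what most customers actually feed to the SIEM, so here is an added worked example (not F5 code, and not APM’s real export format) of normalizing such an export into one JSON event per line and running two detections over it: a burst of denied policy evaluations, and one user obtaining allowed sessions from two source addresses minutes apart. The column names, the ECS-style field layout and the sample rows are constructed assumptions.

```python
"""Turn a CSV export of APM access-report data into SIEM-ready JSON events and run two
detections over them. Added illustration, not F5 code: the column names, the ECS-style
field layout and the sample rows are constructed assumptions, not APM's actual format."""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample export (assumed columns); RFC 5737 documentation addresses.
SAMPLE_EXPORT = """\
timestamp,session_id,username,client_ip,device_id,access_policy,result,resource
2021-04-12T08:00:05Z,a1,alice,203.0.113.10,lt-001,ap_corp,allow,payroll
2021-04-12T08:03:40Z,a2,alice,198.51.100.7,unknown,ap_corp,allow,payroll
2021-04-12T08:10:01Z,b1,bob,203.0.113.22,lt-002,ap_corp,deny,payroll
2021-04-12T08:10:09Z,b2,bob,203.0.113.22,lt-002,ap_corp,deny,payroll
2021-04-12T08:10:15Z,b3,bob,203.0.113.22,lt-002,ap_corp,deny,payroll
2021-04-12T09:00:00Z,c1,carol,203.0.113.30,lt-003,ap_corp,allow,wiki
"""


def _ts(event: Dict) -> datetime:
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def parse_export(text: str) -> List[Dict]:
    """Map each CSV row onto a nested event; nested keys make the SIEM field mapping explicit."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "@timestamp": row["timestamp"],
            "event": {"category": "authentication", "outcome": row["result"], "id": row["session_id"]},
            "user": {"name": row["username"]},
            "source": {"ip": row["client_ip"]},
            "host": {"id": row["device_id"]},
            "f5": {"access_policy": row["access_policy"], "resource": row["resource"]},
        })
    return sorted(events, key=_ts)


def to_ndjson(events: List[Dict]) -> str:
    """One JSON object per line, the shape most SIEM HTTP/file collectors ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def detect_repeated_denies(events: List[Dict], threshold: int = 3, window_s: int = 300) -> List[Dict]:
    """Flag a user with >= threshold denied policy evaluations inside a sliding time window."""
    findings, recent = [], defaultdict(list)
    for e in events:
        if e["event"]["outcome"] != "deny":
            continue
        q = recent[e["user"]["name"]]
        q.append(_ts(e))
        while (q[-1] - q[0]).total_seconds() > window_s:   # drop entries outside the window
            q.pop(0)
        if len(q) >= threshold:
            findings.append({"rule": "repeated_denies", "user": e["user"]["name"],
                             "count": len(q), "last_seen": e["@timestamp"]})
            q.clear()   # one finding per burst
    return findings


def detect_ip_switch(events: List[Dict], window_s: int = 600) -> List[Dict]:
    """Flag a user whose allowed sessions arrive from two source IPs within the window,
    a cheap proxy for credential re-use from a second machine."""
    findings, last_allow = [], {}
    for e in events:
        if e["event"]["outcome"] != "allow":
            continue
        user, ip = e["user"]["name"], e["source"]["ip"]
        prev = last_allow.get(user)
        if prev and prev[1] != ip and (_ts(e) - prev[0]).total_seconds() <= window_s:
            findings.append({"rule": "ip_switch", "user": user, "ips": [prev[1], ip],
                             "seconds_apart": int((_ts(e) - prev[0]).total_seconds())})
        last_allow[user] = (_ts(e), ip)
    return findings


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print(to_ndjson(evs))
    print(detect_repeated_denies(evs), detect_ip_switch(evs))
```

Both detections are deliberately stateless across runs; in a SIEM you would express them as windowed correlation rules over the same fields rather than re-reading the export.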
F5 in the NIST Zero Trust Architecture

[Diagram: complete NIST ZTA logical component view. Control plane: Policy Engine and Policy Administrator (together the Policy Decision Point, PDP), fed by Data Access Policy, Enterprise PKI, ID Management, SIEM System, CDM System, Industry Compliance, Threat Intelligence, and Activity Logs. Data plane: untrusted Subject System, Policy Enforcement Point (PEP), trusted Enterprise Resource. BIG-IP APM acts as the PDP and PEP]
Trust Algorithm

The Policy Engine (PE) is the ZTA’s brain, and the PE’s Trust Algorithm is its primary thought process, used by the policy engine to grant or deny resource access. Its inputs:

• Access Request: the actual request from the subject; can include device integrity data
• Subject Database & History: the “who” requesting access; a set of subjects (human and processes) and assigned attributes / privileges that drive resource access policies
• Asset Database: database of status for each company-owned and (maybe) known BYOD asset (physical or virtual), compared to the observed status of the requesting asset, including OS version, integrity, location, and more
• Resource Policy Requirements: set of policies that defines minimal requirements for resource access, including authenticator assurance (e.g., MFA), network location, data sensitivity, and requirements on asset configuration
• Threat Intelligence & Logs: feed(s) on threats and malware; can include info about suspect device communications; can be external services or internal scans and discoveries and can include attack signatures and mitigations

• Criteria- vs. score-based TA
  o Criteria-based assumes a set of qualified attributes must be met before resource access or an action is allowed
  o Score-based computes a confidence level based on values for every data source and enterprise-configured weights
• Singular versus contextual TA
  o Singular TA treats each request individually and doesn’t consider subject history when evaluating access, allowing for faster, but higher-risk evaluations, as an attack can go undetected if it stays within a subject’s allowed role
  o Contextual TA considers the subject or network agent’s recent history when evaluating access requests, maintaining some state info on all subjects and apps, and is more likely to detect an attacker using subverted access credentials
  o Subject behavior can be used to enable an acceptable use model, with deviations triggering additional authentication checks or resource request denials
  o Ideally, a ZTA trust algorithm should be contextual

BIG-IP APM uses a criteria-based, contextual trust algorithm to deliver robust Zero Trust app access
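As an added worked example (not F5 APM’s or NIST’s code), the four trust-algorithm variants above in one small Python module: the five inputs (access request, subject database, asset database, resource policy requirements, threat intelligence) are reduced to per-source signals, evaluated once as criteria (every attribute must hold) and once as a weighted score, plus a contextual wrapper that keeps per-subject history and steps up authentication on deviation; the singular variant is the same decision with the history ignored. The data stores, weights, threshold and the 1-2 assurance scale are assumptions chosen so that the score-based path visibly admits a request the criteria-based path refuses.

```python
"""Toy trust algorithm (TA) for a Zero Trust policy engine, contrasting criteria-based
with score-based evaluation and singular with contextual evaluation.
Added illustration; not F5 APM or NIST code. The data stores, weights and thresholds
are assumptions chosen to make the contrast visible."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class AccessRequest:
    subject: str
    resource: str
    device_id: str
    auth_assurance: int   # assumed scale: 1 = password only, 2 = MFA
    geo: str              # country code observed with the request, e.g. "US"


@dataclass
class DeviceRecord:       # one asset-database entry
    managed: bool
    os_patched: bool


@dataclass
class ResourcePolicy:     # one resource-policy-requirements entry
    min_auth_assurance: int
    allowed_roles: frozenset
    require_managed_device: bool


# Constructed stand-ins for the PE's inputs: subject DB, asset DB, resource policies, threat intel.
SUBJECT_ROLES = {"alice": frozenset({"finance"}), "bob": frozenset({"eng"})}
ASSETS = {"lt-001": DeviceRecord(managed=True, os_patched=True),
          "byod-7": DeviceRecord(managed=False, os_patched=False)}
POLICIES = {"payroll": ResourcePolicy(2, frozenset({"finance"}), True),
            "wiki": ResourcePolicy(1, frozenset({"finance", "eng"}), False)}
THREAT_INTEL_BAD_DEVICES = {"byod-7"}   # e.g. devices seen talking to known-bad hosts


def signals(req: AccessRequest) -> Dict[str, float]:
    """Reduce each data source to a 0..1 value; 1.0 means that attribute is fully satisfied."""
    pol = POLICIES[req.resource]
    dev = ASSETS.get(req.device_id)
    roles = SUBJECT_ROLES.get(req.subject, frozenset())
    return {
        "role": 1.0 if roles & pol.allowed_roles else 0.0,
        "auth": min(req.auth_assurance / pol.min_auth_assurance, 1.0),
        "device": 1.0 if dev and (dev.managed or not pol.require_managed_device) else 0.0,
        "threat": 0.0 if req.device_id in THREAT_INTEL_BAD_DEVICES else 1.0,
    }


def criteria_based(req: AccessRequest) -> bool:
    """Criteria-based TA: every qualified attribute must be met; a single miss denies."""
    return all(v == 1.0 for v in signals(req).values())


WEIGHTS = {"role": 0.4, "auth": 0.2, "device": 0.25, "threat": 0.15}   # assumed enterprise weights


def score_based(req: AccessRequest, threshold: float = 0.75) -> Tuple[bool, float]:
    """Score-based TA: weighted confidence compared with an enterprise-set threshold.
    Returns (allowed, score). A weak signal can be outvoted by strong ones."""
    score = sum(WEIGHTS[k] * v for k, v in signals(req).items())
    return score >= threshold, round(score, 2)


class ContextualTA:
    """Contextual TA: keeps per-subject state (last geo seen) and escalates on deviation.
    Passing contextual=False gives the singular TA: same criteria, history ignored."""

    def __init__(self) -> None:
        self.last_geo: Dict[str, str] = {}

    def decide(self, req: AccessRequest, contextual: bool = True) -> str:
        if not criteria_based(req):
            return "deny"
        previous = self.last_geo.get(req.subject)
        self.last_geo[req.subject] = req.geo
        if contextual and previous is not None and previous != req.geo:
            # Valid credentials but a new location: acceptable-use deviation, so step up
            return "step_up"
        return "allow"


if __name__ == "__main__":
    weak_mfa = AccessRequest("alice", "payroll", "lt-001", auth_assurance=1, geo="US")
    print("criteria:", criteria_based(weak_mfa), "score:", score_based(weak_mfa))
```

The `weak_mfa` case is the point to take away: with password-only authentication to a resource that requires MFA, the criteria-based TA denies outright, while the score-based TA still clears the threshold because the role, device and threat signals outvote it. A score-based deployment therefore needs either a hard veto on assurance-type requirements or weights tuned so that no single mandatory requirement can be outvoted.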
Variations of Zero Trust Architecture Approaches

Tenets of Zero Trust:
1. All data sources and computing services are “resources”
2. Communications are secured regardless of location
3. Access to individual resources granted on a per-session basis
4. Access to resources determined by dynamic policy and other behavioral and environmental attributes
5. Monitor and measure integrity and security posture of owned and associated assets
6. Dynamic resource authentication and authorization strictly enforced before access allowed
7. Collect info on current state of asset, network infrastructure, and communications to improve security posture

Zero Trust Architecture approaches include:
• Enhanced identity governance
• Logical micro-segmentation
• Network-based segmentation

Each approach implements all the tenets of Zero Trust, but may use one or two (or one component) as the main policy driver. A full Zero Trust solution will include elements of all three approaches.
Enhanced identity governance
Uses identity as the key component for policy creation

• Access policies are based on user (actor) identity and assigned attributes
• Granted access privileges are the primary requirement for resource access
• Device used, asset status, and environmental factors can affect access privileges granted (e.g., granting only partial access based on network location)
• PEP must forward requests to a policy engine service or authenticate the subject and approve the request before granting access

When is it used:
• With an open network model
• Enterprise networks with visitor access or frequent non-enterprise devices on the network

Pros and Cons:
• Access initially granted to all assets
• But access to enterprise resources restricted to identities with appropriate access privileges
• Malicious actors could attempt network reconnaissance
• Attackers can use the network to launch denial of service (DoS) attacks internally or against a third party

F5 / BIG-IP APM:
• APM creates and enforces dynamic identity-based, context-aware policies
• APM identity-based policies also leverage attributes assigned to the user and their identity
• APM continuously monitors and assesses the user’s device integrity, asset status and security, and environmental factors, including location, network security, and more, prior to granting access and throughout the app session
• APM leverages Identity Aware Proxy to ensure identity and context prior to granting resource access, and throughout access
Micro-segmentation
Placing resources on a unique network segment

• Place individual or groups of resources on a unique network segment protected by a gateway security component
• Infrastructure devices serve as PEPs shielding resources from unauthorized access and / or discovery
• Can also use software agents or endpoint firewalls to implement host-based micro-segmentation
• PEPs are managed and should react and reconfigure as needed to respond to threats or workflow changes
• Gateway may be the only PEP or may be part of a multipart PEP consisting of the gateway and a client-side agent
• Gateways dynamically grant access to individual requests from a client, asset, or service
• May require an identity governance program

When is it used:
• Enterprises wanting to leverage intelligent switches or routers, NGFWs, or special purpose gateways as PEPs; or software agents or endpoint firewalls for host-based micro-segmentation

Pros and Cons:
• Less advanced gateway devices and stateless firewalls can implement some features of a micro-segmented enterprise
• Admin costs and difficulty to quickly adapt to changes make them a poor choice

F5 / BIG-IP APM:
• APM, as an access management gateway, shields individual resources or resource groups on a unique network segment from unauthorized or inappropriate access and / or discovery
• APM serves as the combined PEP and PDP to help ensure authorized access to users from anywhere on a per-app basis
• APM can work in concert with F5 clients and agents (Access Guard, Edge Client, F5 Access) to stop access to individual resources or resource groups from unauthorized or inappropriate devices or devices that do not meet a device security baseline
• APM’s policies are dynamic and adaptive, able to react to changes in workflow and responsive to threats
• BIG-IP LTM works with third-party vendors, such as Illumio, to better control traffic management and availability services
Network Infrastructure and Software Defined Perimeters (SDP)
Using network infrastructure to deliver Zero Trust

• Leverages network infrastructure to enable Zero Trust
• Can be achieved by using an overlay network
• Sometimes referred to as software defined perimeter (SDP)
• The Policy Administrator (PA) acts as the network controller that sets up and reconfigures the network based on decisions made by the Policy Engine (PE)
• Clients request access via PEPs, which are managed by the PA
• When implemented at the application network layer (layer 7), usually deployed in the agent / gateway environment
• Agent and gateway (acting as a single PEP and configured by the PA) establish a secure channel used for communication between a client and resource

F5 / BIG-IP APM:
• APM establishes a secure channel between the client (user) and the resource to which access has been requested
• The secure channel is protected via HTTPS (TLS), leveraging AES-128 cipher suites
• If APM determines that the user, their identity, device, context, state, behavior, environment, or privilege has changed and / or no longer meets policy, access to any app to which the user has been granted access may be affected (ending app access, limiting it, or just logging the change without affecting access) through communication between the PA and PE, both part of APM
• APM also supports the implementation of the agent / gateway environment
Abstract architecture deployment variations

• A single asset may perform the duties of multiple logical components…
• …And a logical component may consist of multiple hardware or software elements to perform tasks
• For instance, some Zero Trust offerings today combine the Policy Engine (PE) and Policy Administrator (PA) in a single service
• Multiple Zero Trust Architecture deployment models may be used for different business processes within a single enterprise
• Several variations on deployment of ZTA components:
  o Device agent / gateway-based deployment
  o Enclave-based deployment
  o Resource portal-based deployment
  o Device application sandboxing
NIST Device Agent / Gateway-based Deployment

[Diagram: control plane with Policy Engine and Policy Administrator; data plane with Subject, Enterprise System running the Agent, Gateway, and Data Resource]

• In this deployment model, the PEP is divided into two components that reside on the resource or as a component directly in front of a resource
• The agent is a software component that directs some (or all) traffic to the appropriate PEP in order for requests to be evaluated
• The gateway, essentially serving as a proxy for the resource, is responsible for communicating with the Policy Administrator (PA) and allowing only approved communication paths configured by the PA

F5 / BIG-IP APM:
• In this deployment model, BIG-IP APM serves as the Policy Engine and Policy Administrator, a single asset performing the duties of multiple logical components
• While APM does not require an agent to be installed on the subject (e.g., enterprise-issued laptop) when utilizing per-app-request access, APM can utilize agents (F5 Edge Client, F5 Access) to initiate an encrypted channel
• While not required as a gateway in front of a data resource, APM can serve in that capacity for individual resources or multiple resources
• APM ensures secure, authenticated access for users to resources that they’re entitled to access based on identity, granular context, and more
Device agent / gateway flow with APM

[Diagram: numbered flow. Subject on an Enterprise System with an Agent; Policy Administrator and Policy Engine (both APM) on the control plane; Gateway in front of the Resource on the data plane]

The Policy Administrator and Policy Engine could be an enterprise local asset or a cloud-hosted service. APM serves as the Policy Engine and Policy Administrator, a single asset performing the duties of multiple logical components.

1. User (subject) with an enterprise-issued laptop wants to connect to an enterprise resource
2. Access request is taken by the local agent and is forwarded to the Policy Administrator (APM)
3. Policy Administrator (APM) forwards the request to the Policy Engine (also APM) for evaluation
4. If the request is authorized, the Policy Administrator (APM) configures a communication channel between the agent and the gateway via the control plane. This may include information such as an internet protocol (IP) address, port information, session key, or similar security artifacts
5. Agent and gateway then connect, and encrypted data flows begin

The connection between the agent and gateway (APM) terminates when the workflow is complete or if triggered by the Policy Administrator (APM) due to a security event.

• APM does not require an agent for per-app-request access
• APM can use agents (F5 Edge Client, F5 Access) to initiate an encrypted channel
• APM is not required as a gateway in front of a resource, but can serve as one for individual or multiple resources
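The five steps above as a runnable simulation, added here as an illustration (not F5 APM code): a stand-in PE decides, a stand-in PA issues the channel configuration (gateway address, session key and a signed ticket with an expiry), and a stand-in gateway admits data only on a channel the PA configured, refusing forged, expired and revoked tickets. The ticket format, the HMAC tag that stands in for the encrypted data flow (a real deployment would run TLS), and all names and addresses are assumptions.

```python
"""Device agent / gateway flow reduced to a control-plane and data-plane simulation.
Added illustration; not F5 APM or NIST code. Ticket format, the HMAC integrity tag
standing in for the encrypted channel, and all names/addresses are assumptions."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional


class PolicyEngine:
    """Stand-in PE: a static table of which subjects may reach which resource."""
    POLICY = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}

    def evaluate(self, subject: str, resource: str, device_managed: bool) -> bool:
        return device_managed and subject in self.POLICY.get(resource, set())


class PolicyAdministrator:
    """Stand-in PA: asks the PE, then configures the channel (gateway endpoint, session
    key, signed ticket) and owns the session table the gateway consults."""

    def __init__(self, pe: PolicyEngine, gateway_addr=("10.0.0.5", 8443)) -> None:
        self.pe, self.gateway_addr = pe, gateway_addr
        self.signing_key = os.urandom(32)          # control-plane secret shared with the gateway
        self.sessions: Dict[str, dict] = {}

    def sign(self, ticket: dict) -> str:
        data = json.dumps(ticket, sort_keys=True).encode()
        return hmac.new(self.signing_key, data, hashlib.sha256).hexdigest()

    def request_access(self, subject: str, resource: str, device_managed: bool,
                       now: Optional[float] = None, ttl: int = 300) -> Optional[dict]:
        """Steps 2-4: evaluate via the PE; if authorized, hand the agent its channel config."""
        now = time.time() if now is None else now
        if not self.pe.evaluate(subject, resource, device_managed):
            return None
        ticket = {"sid": os.urandom(8).hex(), "sub": subject, "res": resource, "exp": now + ttl}
        session_key = os.urandom(32)
        self.sessions[ticket["sid"]] = {"key": session_key, "active": True}
        return {"gateway": self.gateway_addr, "session_key": session_key,
                "ticket": ticket, "mac": self.sign(ticket)}

    def revoke(self, sid: str) -> None:
        """Security event: the PA tears the session down; the gateway stops accepting it."""
        if sid in self.sessions:
            self.sessions[sid]["active"] = False


class Gateway:
    """Stand-in gateway PEP: admits only channels the PA configured, and only while valid."""

    def __init__(self, pa: PolicyAdministrator) -> None:
        self.pa = pa   # models the control-plane link over which the PA pushes channel config

    def session_key(self, ticket: dict, mac: str, now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        if not hmac.compare_digest(self.pa.sign(ticket), mac):
            return None                                   # forged or altered ticket
        if ticket["exp"] < now:
            return None                                   # expired
        sess = self.pa.sessions.get(ticket["sid"])
        if sess is None or not sess["active"]:
            return None                                   # unknown, or revoked by the PA
        return sess["key"]

    def receive(self, ticket: dict, mac: str, payload: bytes, tag: str,
                now: Optional[float] = None) -> bool:
        """Step 5: accept data only on a PA-approved channel with a valid per-session tag."""
        key = self.session_key(ticket, mac, now)
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), tag)


class Agent:
    """Stand-in device agent: obtains the channel from the PA, then talks to the gateway."""

    def __init__(self, pa: PolicyAdministrator) -> None:
        self.pa, self.grant = pa, None

    def connect(self, subject: str, resource: str, managed: bool, now: Optional[float] = None) -> bool:
        self.grant = self.pa.request_access(subject, resource, managed, now)
        return self.grant is not None

    def send(self, gw: Gateway, payload: bytes, now: Optional[float] = None) -> bool:
        if self.grant is None:
            return False
        tag = hmac.new(self.grant["session_key"], payload, hashlib.sha256).hexdigest()
        return gw.receive(self.grant["ticket"], self.grant["mac"], payload, tag, now)


def run_demo(now: float = 1000.0) -> Dict[str, bool]:
    """Walk the flow once and return the outcome of each check (all True when correct)."""
    pa = PolicyAdministrator(PolicyEngine())
    gw, agent = Gateway(pa), Agent(pa)
    out = {"authorized": agent.connect("alice", "payroll", True, now)}
    out["data_accepted"] = agent.send(gw, b"GET /payroll/2021-04", now + 1)
    forged = dict(agent.grant["ticket"], sub="mallory")        # reuse the MAC with a new subject
    out["forged_rejected"] = not gw.receive(forged, agent.grant["mac"], b"x", "00", now + 1)
    out["expired_rejected"] = not agent.send(gw, b"late", now + 301)
    pa.revoke(agent.grant["ticket"]["sid"])
    out["revoked_rejected"] = not agent.send(gw, b"after revoke", now + 2)
    out["unauthorized_subject"] = not Agent(pa).connect("bob", "payroll", True, now)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The gateway never consults the subject, the resource or the request itself; it only checks that the PA configured this exact channel and that the PA has not since torn it down. That is the property the network-requirements slides later ask for: the resource is unreachable except through a path the PEP set up.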
NIST Enclave-based Deployment

[Diagram: control plane with Policy Engine and Policy Administrator; data plane with Subject, Enterprise System running the Agent, and a Gateway at the boundary of a Resource Enclave containing several Resources]

• A variation of the device agent / gateway deployment model
• Gateway components reside at the boundary of a resource enclave
• Resources serve a single business function or may not be able to communicate directly to a gateway
• Enclave-based deployment model may be useful for enterprises that use cloud-based micro-services for a single business process
• A useful deployment model for enterprises with legacy applications or on-premises data centers that can’t support individual gateways

F5 / BIG-IP APM:
• In this deployment model, BIG-IP APM serves as the combined Policy Engine and Policy Administrator
• APM works with Identity-as-a-Service (IDaaS) vendors such as Microsoft (Azure AD) or Okta to authenticate users to all apps, including classic and custom apps, regardless of where they are located (cloud-based, whether native cloud or SaaS; private cloud; on-premises) or the authentication used (modern or classic)
• APM, as the gateway protecting a collection of resources, can protect each resource (app) individually via Identity Aware Proxy’s per-app-request access
• APM’s IAP per-app-request access also shields resources from users who do not have access privileges to them
Enclave-based flow with APM

[Diagram: numbered flow. Subject on an Enterprise System, optionally with an Agent; Policy Administrator and Policy Engine (both APM) on the control plane; Gateway in front of the Resource enclave on the data plane]

APM serves as the Policy Engine and Policy Administrator, a single asset performing the duties of multiple logical components.

1. User (subject) with an enterprise-issued laptop wants to connect to an enterprise resource
2. Access request is forwarded to the Policy Administrator (APM) either directly or via agent
3. Policy Administrator (APM) forwards the request to the Policy Engine (also APM) for evaluation
4. If the request is authorized, the Policy Administrator (APM) configures a communication channel between the gateway and the device (or agent) via the control plane
5. Device (or agent) and gateway / resource enclave connect, and encrypted data flows commence between the appropriate, accessed resource (app) and the device / user

• APM does not require an agent for per-app-request access
• APM can serve as gateway for individual or multiple resources
NIST Resource Portal-based Deployment

[Diagram: control plane with Policy Engine and Policy Administrator; data plane with Subject System, Gateway (portal), and Data Resource]

• The Policy Enforcement Point (PEP) is a single component that acts as a gateway for subject access requests
• The gateway portal can address an individual resource or a secure resource enclave used for a single business function
• A software component does not need to be installed on all client devices
• May only be able to scan and analyze assets and devices once they connect to the PEP portal and may not be able to continuously monitor them for malware, unpatched vulnerabilities, and appropriate configurations
• Model could also allow attackers to discover and attempt to access the portal or attempt a denial-of-service (DoS) attack against the portal

F5 / BIG-IP APM:
• In this deployment model, BIG-IP APM would act as the Policy Engine and Policy Administrator
• APM does not require any agents to be installed on any client devices before authorizing access to apps
• APM inspects and assesses users’ endpoint devices before authentication and, with F5 Access Guard, continuously throughout the user’s access of the application (the continuous post-login assessment relies on Access Guard being present on the endpoint)
• APM and Access Guard include preconfigured, integrated endpoint inspection checks, including checks for OS type, antivirus software, firewall, etc.
• APM also creates a resource portal (webtop) showing only the apps that the user (subject) is authorized to access
• APM’s portal includes protections against DoS attacks and network disruption
• If additional DoS attack protection is required, F5 Advanced WAF may also be deployed
Resource portal flow with APM

[Diagram: numbered flow. Subject on an Enterprise System; Policy Administrator and Policy Engine (both APM) on the control plane; Gateway (portal), optionally fronted by F5 Advanced WAF, in front of the Resources on the data plane]

APM serves as the Policy Engine and Policy Administrator, a single asset performing the duties of multiple logical components.

1. User (subject) with either an enterprise-issued or BYOD laptop wants to connect to an enterprise resource or set of resources
2. User selects the appropriate resource from the resource portal, which only shows the apps the user is authorized to access
3. Access request is forwarded to the Policy Administrator (APM)
4. Policy Administrator (APM) forwards the request to the Policy Engine (also APM) for evaluation
5. If the request is authorized, the Policy Administrator (APM) configures a communication channel between the gateway and the device
6. Device and gateway / resources connect, and an encrypted data flow begins between the appropriate, accessed resource (app) and the device / user

The connection terminates when the workflow is complete or if triggered by the Policy Administrator (APM) due to a security event.

• APM creates a resource portal (webtop) showing only the apps the user is authorized to access
• APM does not require an agent for per-app-request access
• APM, via integrated Access Guard, inspects and assesses device integrity before and continuously during app access
• APM can serve as gateway for individual or multiple resources
• To halt potential denial-of-service (DoS) attacks, F5 Advanced WAF can be deployed in front of the portal
NIST Device Application Sandboxing Deployment

[Diagram: an Asset/Device running an OS with two Sandboxes, each holding a Trusted App; each trusted app communicates with a PEP]

• Another variation of the agent / gateway deployment model
• Vetted apps or processes run in “compartments” on devices (assets)
• Compartments can be virtual machines, containers, or something else
• The subject device runs approved, vetted applications in a sandbox
• The applications communicate with the PEP to request access to resources, but the PEP will refuse requests from other applications on the device (asset)
• The advantage of this model is the segmentation of individual applications from the rest of the device (asset)
• While sandboxed applications may be protected from a potential malware infection on the host device, a disadvantage of this model is that enterprises must maintain sandboxed applications for all devices (assets) and may not have full visibility into client devices (assets)

F5 / BIG-IP APM:
• In this deployment model, BIG-IP APM serves as the PEP
• APM serves as a gateway for virtual application environments (Microsoft RDP, native secure web proxy support for Citrix XenApp and XenDesktop, Citrix StoreFront, and security proxy access for VMware Horizon)
• APM also supports application sandboxing by MDM / EMM offerings (Microsoft Intune, IBM MaaS360, VMware Workspace ONE via AirWatch), which also provide device integrity checks leveraged by APM
• Identity Aware Proxy (IAP) capability of BIG-IP APM enables secure access to specific applications based on granular contextual attributes
• Attributes can be user identity, device integrity, and user location, as examples
• This ensures the individual apps will be accessed by only the authorized user based on attributes and protects the individual apps from unauthorized use
Device application sandboxing flow with APM

[Diagram: numbered flow. User on a device with two Sandboxes, each holding a Trusted App; device integrity check; APM as the PEP in front of the Resources]

1. User (subject) with either an enterprise-issued or BYOD laptop wants to connect to an enterprise resource or set of resources
2. User selects the appropriate resource (trusted app) that has been “sandboxed” (either as a virtual machine or via MDM / EMM)
3. Device integrity is checked by either F5 Access Guard or via an on-board MDM / EMM source
4. Since the resource (application) is already trusted, access is determined by the Policy Enforcement Point (APM), as policies related to user (subject) access have been pre-determined
5. Resources (applications) that have been deemed trusted and that have been sandboxed or containerized are the only resources (applications) the user (subject) may access, controlled by the PEP
NIST’s Zero Trust View of a Network

• The enterprise network is not an implicit trust zone
• Devices on the network may not be enterprise-owned or -configurable
• No resource is inherently trusted
• Not all resources are on enterprise-owned infrastructure
• Remote users and assets can’t trust local network connections
• Assets and workflows moving between enterprise and non-enterprise infrastructure need consistent security policies and posture
The enterprise network is not an implicit trust zone
• Assets should always act as if an attacker is present on the enterprise network
• Communication should be done in the most secure manner possible
• Actions should be taken, such as authenticating all connections and encrypting all traffic

No resource is inherently trusted
• Every asset must have its security posture evaluated via a Policy Enforcement Point (PEP) before a request is granted to access an enterprise-owned resource
• Evaluation should be continual for as long as the access session lasts
• Enterprise-owned devices may have artifacts that enable authentication and provide a confidence level higher than a similar request from non-enterprise-owned devices
• User / device credentials alone are insufficient for device authentication to an enterprise resource

Devices on the network may not be enterprise-owned or -configurable
• Visitors and/or contracted services may include non-enterprise-owned assets that require network access to perform their role
• Includes BYOD policies allowing enterprise users to use non-enterprise-owned devices to access enterprise resources

Not all resources are on enterprise-owned infrastructure
• Resources can include remote users and cloud services
• Enterprise-owned or -managed assets may need to use a local, non-enterprise-owned or -managed network for basic connectivity and network services
Remote users and assets can’t trust local network connections
• Remote enterprise users should assume that a local, non-enterprise-owned or -managed network is dangerous
• Apps, devices, etc. should assume that all traffic is being monitored and can potentially be modified
• All connection requests should be authenticated and authorized
• All communications should be done in the most secure manner possible (i.e., provide confidentiality, integrity protection, and source authentication)

Consistent security policies and posture are necessary
• Assets (apps, devices, etc.) and workflows traversing enterprise and non-enterprise infrastructure require consistent security policies and posture
• They should retain security posture when moving to or from enterprise-owned infrastructure
• Includes devices used by remote users moving from enterprise networks to non-enterprise networks
• Also includes workloads migrating from on-premises data centers to non-enterprise cloud environments (i.e., public clouds)
Network requirements to support Zero Trust Architecture

1. Enterprise assets have basic network connectivity
2. Distinguish between enterprise owned / managed assets and their current security posture
3. Enterprise observes all network traffic
4. Resources are unreachable without first accessing their Policy Enforcement Point (PEP)
5. Logically separate data plane and control plane
6. Enterprise assets can reach the Policy Enforcement Point (PEP)
7. Policy Enforcement Point (PEP) is the only component that accesses the Policy Administrator (PA) as part of a business flow
8. Remote enterprise assets should be able to access enterprise resources without first traversing the enterprise network
9. ZTA access decision infrastructure must be scalable
10. Enterprise assets may not be able to reach PEPs due to policy or observable factors

Basic connectivity
• The local area network (LAN), enterprise controlled or not, provides basic routing and infrastructure (e.g., DNS)
• A remote enterprise asset may not necessarily use all infrastructure services

Enterprise observes all network traffic
• Enterprise records packets seen on the data plane even if it can't perform application layer (layer 7) inspection on all packets
• Enterprise filters out metadata about the connection (e.g., destination, time, device identity), dynamically updating policies and informing the PE as it evaluates access requests

Enterprise owned / managed assets and security posture
• Distinguish between enterprise owned / managed assets and their current security posture
• Determined by enterprise-issued credentials and by not using info that cannot be authenticated (e.g., MAC addresses that can be spoofed)

Resources unreachable without first accessing PEP
• Enterprise resources won't accept arbitrary incoming connections from the internet
• Resources accept custom-configured connections only after a client has been authenticated and authorized
• Communication paths are set up by the PEP
• Resources may not be discoverable without accessing the PEP, preventing attackers from identifying targets via scanning and/or launching DoS attacks against resources located behind PEPs
• Some network infrastructure components (e.g., DNS servers) must be accessible
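Added example (not from the playbook, F5 or NIST): a constructed check that applies the two requirements above, "enterprise observes all network traffic" and "resources unreachable without first accessing PEP", by correlating data-plane flow metadata with the PEP's session records and flagging any flow that reached a protected resource without a PEP-brokered path, while infrastructure such as DNS stays reachable. The log formats, addresses, resource list and session lifetime are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; not real addresses or logs.
PROTECTED = {"10.20.0.5", "10.20.0.6"}      # resources that sit behind a PEP
INFRA_ALLOWED = {("10.0.0.53", 53)}          # infrastructure that must stay reachable (DNS)
SESSION_TTL = timedelta(minutes=30)          # assumed lifetime of a PEP-brokered path

PEP_SESSIONS = """\
2021-04-01T09:00:10Z pep=pep-1 device=dev-a7 src=192.0.2.10 dst=10.20.0.5 result=allow
2021-04-01T09:05:00Z pep=pep-1 device=dev-b3 src=192.0.2.11 dst=10.20.0.6 result=deny
"""
FLOWS = """\
2021-04-01T09:00:12Z src=192.0.2.10 dst=10.20.0.5 dport=443 bytes=5120
2021-04-01T09:02:00Z src=192.0.2.10 dst=10.0.0.53 dport=53 bytes=80
2021-04-01T09:05:30Z src=192.0.2.11 dst=10.20.0.6 dport=443 bytes=300
2021-04-01T09:06:00Z src=198.51.100.7 dst=10.20.0.5 dport=22 bytes=1500
2021-04-01T09:45:00Z src=192.0.2.10 dst=10.20.0.5 dport=443 bytes=900
"""

def parse(line):
    """Parse 'timestamp key=value ...' into a dict; only metadata is used, never payload."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def brokered_paths(pep_log):
    """Map (src, dst) -> start time of each communication path the PEP set up (allow decisions only)."""
    paths = {}
    for line in pep_log.splitlines():
        r = parse(line)
        if r["result"] == "allow":
            paths[(r["src"], r["dst"])] = r["ts"]
    return paths

def find_bypass(flow_log, pep_log):
    """Return flows to protected resources that have no live PEP-brokered path (denied, missing or expired)."""
    paths = brokered_paths(pep_log)
    findings = []
    for line in flow_log.splitlines():
        f = parse(line)
        port = int(f["dport"])
        if f["dst"] not in PROTECTED or (f["dst"], port) in INFRA_ALLOWED:
            continue                         # unprotected or infrastructure traffic is recorded but not flagged
        start = paths.get((f["src"], f["dst"]))
        if start is None or not (start <= f["ts"] <= start + SESSION_TTL):
            findings.append((f["ts"].isoformat(), f["src"], f["dst"], port))
    return findings

if __name__ == "__main__":
    for hit in find_bypass(FLOWS, PEP_SESSIONS):
        print("resource reached without PEP-brokered path:", hit)
```

Three of the five sample flows are flagged: the denied device that connected anyway, an external host probing SSH on a protected resource, and a flow that continued after its brokered path expired.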

Logically separate data plane and control plane
• PE, PA, and PEPs communicate on a logically separate network that is not directly accessible by enterprise assets and resources
• Data plane is used for application / service data traffic
• PE, PA, and PEPs use the control plane to communicate and manage communication paths between assets
• PEPs must be able to send and receive messages from both the data and control planes

PEP is the only component to access the PA as part of a business flow
• Each PEP on an enterprise network has a connection to the PA to establish communication paths from clients to resources
• All enterprise business process traffic passes through one or more PEPs

Enterprise assets can reach the PEP
• Enterprise users (subjects) must be able to access the PEP for resource access
• Could take the form of a web portal, network device, or software agent on the enterprise device (asset) that enables the connection

Remote enterprise assets should access enterprise resources without first traversing the enterprise network
• For example, a remote user (subject) shouldn't be required to use a link back to the enterprise network (i.e., VPN) to access services used by the enterprise and hosted by a public cloud provider (e.g., email)

ZTA access decision infrastructure must be scalable
• PE(s), PA(s), and PEPs are the key components in any business process
• Delay or inability to reach a PEP (or inability of the PEPs to reach the PA / PE) negatively impacts workflow
• Components need to be provisioned for the expected workload or be able to rapidly scale to handle increased usage when needed

Enterprise assets may not reach PEPs due to policy or observable factors
• For example, there may be a policy stating that mobile assets should not be able to reach certain resources if the requesting asset is located outside of the enterprise's home country
• These factors could be based on location (geolocation or network location), device type, and / or other criteria
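Added example (not from the playbook, F5 or NIST): a constructed, simplified Policy Engine and PEP front end showing how the network requirements on these slides combine into one access decision: identity comes only from enterprise-issued credentials (a MAC address is never consulted), device posture is checked, network location confers no trust, and the mobile-asset / home-country rule above is applied as an observable factor. The home country, role names, resource sensitivity levels and the MFA rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple

# Constructed, simplified PE/PEP logic for illustration; not F5 or NIST code.
HOME_COUNTRY = "US"   # assumed home country for the mobile-asset geolocation rule

@dataclass
class Subject:
    user: str
    credential_verified: bool        # enterprise-issued credential checked by the PEP
    mfa: bool = False

@dataclass
class Asset:
    device_id: Optional[str]         # identity from an enterprise-issued device credential / agent
    mac: str                         # observable but spoofable; deliberately never consulted
    posture_ok: bool = False         # result of the agent's integrity / posture check
    mobile: bool = False
    country: str = HOME_COUNTRY      # geolocation observed by the PEP
    on_enterprise_network: bool = False  # network location confers no trust here

@dataclass
class Resource:
    name: str
    sensitivity: str                 # "low" or "high"
    allowed_roles: Set[str] = field(default_factory=set)

def evaluate(subject: Subject, asset: Asset, resource: Resource, roles: Set[str]) -> Tuple[bool, str]:
    """PE decision for one request; every request is checked regardless of where it comes from."""
    if not subject.credential_verified:
        return False, "subject not authenticated"
    if asset.device_id is None:
        # A MAC address alone cannot be authenticated, so it never makes an asset enterprise-owned.
        return False, "asset not identified by enterprise credential"
    if not asset.posture_ok:
        return False, "device posture check failed"
    if not roles & resource.allowed_roles:
        return False, "subject not authorized for resource"
    if resource.sensitivity == "high":
        if asset.mobile and asset.country != HOME_COUNTRY:
            return False, "policy: mobile asset outside home country"
        if not subject.mfa:
            return False, "MFA required for sensitive resource"
    return True, "allowed"

def pep_handle(subject, asset, resource, roles, audit: List[str]) -> Optional[str]:
    """PEP: record every request, and set up a communication path only on an allow decision."""
    allow, reason = evaluate(subject, asset, resource, roles)
    audit.append(f"{subject.user} {asset.device_id} -> {resource.name}: {reason}")
    return f"path:{asset.device_id}->{resource.name}" if allow else None

if __name__ == "__main__":
    log: List[str] = []
    alice, dev = Subject("alice", True, mfa=True), Asset("dev-1", "aa:bb:cc", True, mobile=True, country="DE")
    print(pep_handle(alice, dev, Resource("calendar", "low", {"staff"}), {"staff"}, log))
    print(pep_handle(alice, dev, Resource("finance-db", "high", {"finance"}), {"finance"}, log), log)
```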
Overview Enterprises & Branches Multi-cloud Enterprises Contracted Services Collaboration Public-facing Services

Zero Trust Architecture deployment scenarios / use cases


Any enterprise environment can be designed with zero trust tenets in mind
• Most organizations already have some elements of zero trust in their
infrastructure or are on their way through implementation of
information security and resiliency policies and best practices
• Several deployment scenarios and use cases lend themselves readily
to a Zero Trust Architecture
• For instance, ZTA’s roots are in organizations that are geographically
distributed and / or have a highly mobile workforce

But ANY organization can benefit from a Zero Trust Architecture


Also, ZTA components and perimeter-based network infrastructure can and may be in concurrent operation in an enterprise

Enterprises and Branch Offices

Diagram: Branch Office, Cloud Services, HQ, Home / Remote. Callout: PE(s) / PA(s) can be hosted as a cloud service with devices (assets) having an installed agent or accessing a resource portal.

Deployment / Use Case Scenario
• Remote located employees may not have a full enterprise-owned LAN but still need access to enterprise resources to perform tasks
• Enterprises may not have adequate bandwidth for all traffic or may not wish for traffic going to cloud-based apps / services to traverse the enterprise HQ network
• Employees may be working from home or remotely and use enterprise-owned or personally-owned devices
• Enterprise may wish to grant access to some resources (e.g., calendar, email) but deny access or restrict actions to more sensitive resources

F5 solution
• BIG-IP APM – as the PE AND PA – can be deployed in a public cloud as a Virtual Edition
• Each device (asset) would use Access Guard, which checks the device (asset) integrity prior to access being granted, and continuously during application access
• Users can also gain access to any application they are authorized to access from the APM resource portal (webtop)
• Policies created in APM on a BIG-IP appliance may be used as is in APM as a VE
• BIG-IQ can manage the APM policies and push policies out to all APMs located on the network
• F5 Advanced WAF can also be deployed in a public cloud to enhance security and eliminate DoS threats

Multi-cloud / Cloud-to-cloud Enterprises

Diagram: Cloud Provider "A" (Web Front End), Cloud Provider "B" (Database), Enterprise Network. Callout: the Zero Trust approach to multi-cloud use is placing PEPs at the access points of each app / service and data source.

Deployment / Use Case Scenario
• A common ZTA use case
• Enterprise with 2 or more cloud service providers hosting applications / services and data
• Application / service can be hosted on a cloud service that is separate from the data source
• Application hosted in Cloud Provider A should be able to connect directly to the data source hosted in Cloud Provider B and not be forced to tunnel back to the network
• PE and PA services can be located in either cloud or in a third cloud
• Client (via a portal or installed agent) accesses PEPs directly
• Challenge: different cloud providers have unique ways of implementing similar functionality; enterprises need to be aware of how to implement enterprise ZTA with each cloud provider used

F5 solution
• BIG-IP APM – as the PE AND PA – can be deployed in a public cloud as a Virtual Edition
• Each device (asset) would use Access Guard, which checks the device (asset) integrity prior to access being granted, and continuously during application access
• Users can also gain access to any application they are authorized to access from the APM resource portal (webtop)
• Policies created in APM on a BIG-IP appliance may be used as is in APM as a VE
• BIG-IQ can manage the APM policies and push policies out to all APMs located on the network
• F5 Advanced WAF can also be deployed in a public cloud to enhance security and eliminate DoS threats

Enterprise with contracted services and / or non-employee access

Diagram: Enterprise Campus Network with Employee devices, Internal Database, App Server, Conference Room, Contractor, Visitor. Callout: PA(s) ensure all non-enterprise assets cannot access resources but can access the internet.

Deployment / Use Case Scenario
• Contractors and / or visitors may need network connectivity to perform tasks
• A zero trust enterprise can enable this by allowing contractor and visitor devices access to the internet, but no access to enterprise resources, and by obscuring enterprise resources
• PE(s) and PA(s) could be hosted as a cloud service or on the LAN
• Enterprise assets have an installed agent or access resources via a portal
• PA(s) ensure that all non-enterprise assets (no installed agents or unable to access a portal) cannot access resources but may access the internet

F5 solution
• BIG-IP APM – as PE and PA – can be deployed on-premises, or in a private or public cloud as a Virtual Edition
• Each device (asset) uses Access Guard to check device (asset) integrity prior to access being granted, and continuously during application access
• Authorized users can access any application they are authorized to from the APM resource portal (webtop)
• BIG-IQ can manage the APM policies and push policies out to all APMs located on the network

Diagram: Enterprise A (Database 1), Enterprise B (Database 2), Users.

Deployment / Use Case Scenario
• Cross-enterprise collaboration
• Employees may not be located on network infrastructure
• Resources needed may be within one enterprise environment or hosted in the cloud
• How access is accomplished depends on technology used
• Allowing specific employees of both organizations to enroll in a federated ID management system can be simpler, provided both organizations' PEPs can authenticate users in a federated ID community
• A PE and PA hosted as a cloud service may provide availability to all parties
• Employees may need to install a software agent on their devices or access the necessary data resources through a web gateway

F5 solution
• Organizations can leverage BIG-IP APM to create policies enabling only specific users in each enterprise to access only certain resources and data within the other's environment
• Leveraging F5 Access Guard, a browser extension, can ensure device integrity and posture throughout users' access session
• BIG-IP APM can authenticate users in a federated ID community
• BIG-IP APM can also be hosted in a cloud as a Virtual Edition

Deployment / Use Case Scenario
• May or may not include user registration (i.e., users must create or have been issued a set of login credentials)
• Could be for the general public, a set of customers with an existing business relationship, or a special set of non-enterprise users
• Likely that requesting devices are not enterprise-owned
• Constrains the enterprise as to what internal cybersecurity policies can be enforced
• Enterprises may establish policies for registered public users such as customers and special users
• If users are required to produce or are issued credentials, policies regarding password length, life cycle, and other details may be created and enforced
• MFA may be an option or a requirement
• Enterprises are limited in the policies they can implement
• Information about incoming requests may be useful in determining the state of the public service and detecting possible attacks masquerading as legitimate users
• Enterprises should be aware of any statutes or regulations regarding the information that can be collected and recorded about the requesting users and assets

F5 solution
• If user credentials are created or issued, the use of F5 Leaked Credential Check can help ensure that the credentials have not been compromised
• Shape Recognize provides a persistent and secure login experience, reducing login friction for known good users
• F5 Device ID+ is a real-time, high-precision device identifier that assigns a unique identifier to each visiting device, gathering data about the browser, OS, hardware, and network configuration
• Even if a requesting device is not enterprise-owned, BIG-IP APM and Access Guard can ensure device integrity and posture is maintained throughout the user's access session
• Policies for registered public users, including customers and special users, may be created in and enforced by BIG-IP APM
• BIG-IP APM can make the use of MFA an option or a requirement, depending on the policy and even the data to which access is being attempted
• BIG-IP APM in conjunction with BIG-IQ can gather information about incoming requests from users / customers
• The info gathered can be leveraged in updated or new policies
• F5 Advanced WAF can be integrated into the process to protect the applications and data from attacks and exploits
F5 & ZTA Threats

• Stolen / Leaked Credentials – addressed by: F5 Advanced WAF with Leaked Credential Check, Shape Enterprise Defense, Silverline Shape Defense
• DoS / DDoS Attack(s) – addressed by: NGINX App Protect L7 DoS, F5 Advanced WAF, Silverline DDoS Protection, Silverline WAF, Silverline Shape Defense, NGINX WAF, BIG-IP AFM
• Storage of System / Network Info – addressed by: F5 Advanced WAF, NGINX App Protect, BIG-IP APM, Silverline WAF, BIG-IP AFM
• Use of Non-person Entities (NPEs) – addressed by: F5 Advanced WAF, Silverline WAF, NGINX App Protect, NGINX Controller, BIG-IP APM, Volterra VoltMesh, Aspen Mesh
• Network Visibility / Encrypted Threats – addressed by: F5 SSL Orchestrator