F5 / NIST Zero Trust Architecture Technical Sales Playbook
April 2021
©2021 F5

Overview | Tenets of Zero Trust | NIST ZTA Components & Trust Algorithm | ZTA Approaches | Deployment Variations | Network View & Deployment Requirements | ZTA Threats | ZTA Use Cases
A typical enterprise's infrastructure started simply, but has grown increasingly complex.

[Figure: the old perimeter. Labels: VPN; Corporate Network (Old Perimeter)]
[Figure: today's environment. Labels: Trust Zone; Apps are now on multiple cloud environments; Global remote work / WFA; Global mobile workforce to continue growth]

Enter Zero Trust: the Zero Trust approach is primarily focused on protecting data and services…
• Eliminates the idea of a trusted network inside a defined perimeter
• Mitigate risks
• Subject needs access to an enterprise resource
• Access is granted through a PDP and associated PEP
• Must ensure the subject is authentic and their request valid
• PDP/PEP passes judgment to allow subject to access the resource
• Zero trust is applied to two basic areas: authentication and authorization
• Need to develop and maintain dynamic risk-based policies for resource access and a system to ensure policies are enforced correctly and consistently for each individual resource access request

• Trustworthiness should not be implied where a subject has met a basic authentication level and is deemed equally valid for all subsequent resource requests
• PDP/PEP applies controls so all traffic beyond the PEP has a common level of trust
• PDP/PEP cannot apply additional policies beyond its location in the traffic flow
• Implicit trust zone must be as small as possible
• Zero Trust is a set of principles and concepts on moving the PDP/PEP closer to the resource
• Zero Trust explicitly authenticates and authorizes all subjects, assets, and workflows
• What is the level of confidence about the subject's identity for this unique request?
• Is access to the resource allowable given the level of confidence in the identity?
• Does the device used for the request have proper security posture?
• Are there other factors that should be considered and that change the confidence level (e.g., time, location of subject, subject's security posture)?

• Implicit trust zone: an area where all entities are trusted to at least the level of the last PDP/PEP gateway
• It's like the passenger screening model in an airport
• All passengers pass through the airport security checkpoint (PDP/PEP) to access the boarding gates
• Passengers, airport employees, aircraft crew, etc., gather in the terminal area
• All individuals are considered trusted
• In this example, the implicit trust zone is the boarding area
[Figure residue; recoverable labels: Foreign governments; Others (dams, etc.)]
[Figure: Network comprised of multiple classes of devices; Software-as-a-Service (SaaS)]

Zero Trust Tenets – Overview | F5 and Zero Trust Tenets

Location on network = Trust (the assumption Zero Trust rejects)
• Trust not automatically granted to assets requesting access from enterprise network infrastructure
• Communicate in most secure manner available
• Protect confidentiality and integrity
• Provide source authentication
Solution:
• Encrypt communications
• Continuously assess integrity
• Continuously check access context

F5: Communications are secured regardless of location
• Encrypts access between user / device and application, regardless of location
• Continuously assesses device integrity, user identity, and application integrity
• Continuously checks context of application access
• Enables customizable actions if assessments and checks find integrity or contextual issues
• Centralizes encryption, decryption, and re-encryption of traffic with dynamic service chaining and intelligent routing and bypass
Secure access with limits

Dynamic contextual policy-based access
• Access to resources determined by dynamic policy and other behavioral and environmental attributes
• Policy is a set of access rules based on attributes assigned to a subject, data, or application according to business process and acceptable level of risk
• Identity includes user account (or service identity) and associated attributes or artifacts for authenticating automated tasks
• Asset state includes device characteristics (installed software versions, network location, request time/date, installed credentials, etc.)
• Behavioral attributes include automated subject analytics, device analytics, and deviations from usage patterns
• Environmental attributes include requestor network location, time, reported active attacks, etc.
• Resource access and policies vary based on resource / data sensitivity; least privilege restricts visibility and accessibility
• Define available resources, members, and required resource access
Solution:
• Grant access to assets / resources based on continuous assessment and validation of identity, context, state, behaviors, environment, and least privilege

F5:
• Creates dynamic policies for access to assets / resources based on identity, context, state, behaviors, environment, and least privilege
• Continuously monitors, assesses, and validates app access based on identity, context, state, behaviors, environment, and privilege
• Centralizes and consistently applies dynamic access policies for any app, anywhere, based on per-application access request
• Integrates effortlessly with third-party user behavior and endpoint analytics (UEBA), risk management, and conditional access
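The trust-algorithm questions (confidence in the subject's identity, allowability for the resource, device posture, other factors such as time and location) and the dynamic-policy attributes above can be made concrete with a small scorer. The following is an added example, not F5 or NIST code: every weight, threshold, attribute name and resource in it is an assumption chosen to show how per-request confidence is compared against resource sensitivity, with a step-up outcome for borderline requests and a hard least-privilege rule the score cannot override.

```python
"""Added illustration (not F5 or NIST code) of a trust algorithm in the shape the
playbook describes: confidence in the subject's identity, device security posture
and environmental factors are scored per request and compared with the
sensitivity of the resource.  All weights, thresholds and attribute names below
are assumptions chosen for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    mfa: bool                    # second factor presented for this request
    auth_age_min: int            # minutes since the subject last authenticated
    device_managed: bool         # enterprise-managed, proven by an enterprise-issued credential
    device_patched: bool
    disk_encrypted: bool
    hour_utc: int                # request time (0-23)
    location: str                # coarse location of the subject
    usual_locations: frozenset = field(default_factory=frozenset)
    active_attack_reported: bool = False


# Constructed sample policy: minimum trust score per resource, rising with sensitivity.
RESOURCE_MIN_SCORE = {"wiki": 40, "crm": 60, "payroll": 80}
STEP_UP_MARGIN = 15   # within this distance of the threshold, ask for fresh MFA instead of denying


def identity_confidence(req):
    """How confident are we in the subject's identity for this unique request? (0-40)"""
    score = 30 if req.mfa else 10
    if req.auth_age_min <= 15:
        score += 10                       # very recent authentication
    elif req.auth_age_min > 8 * 60:
        score -= 10                       # stale session
    return score


def device_posture(req):
    """Does the device used for the request have proper security posture? (0-30)"""
    return ((15 if req.device_managed else 0)
            + (10 if req.device_patched else 0)
            + (5 if req.disk_encrypted else 0))


def environment(req):
    """Other factors that change the confidence level: time, location, reported attacks. (-10..20)"""
    score = 20
    if req.location not in req.usual_locations:
        score -= 10
    if not 6 <= req.hour_utc <= 20:
        score -= 5
    if req.active_attack_reported:
        score -= 15
    return score


def trust_score(req):
    return identity_confidence(req) + device_posture(req) + environment(req)


def decide(req):
    """Is access to the resource allowable given that confidence?
    Returns (decision, score, reasons) with decision in {"allow", "step-up", "deny"}."""
    score = trust_score(req)
    needed = RESOURCE_MIN_SCORE.get(req.resource)
    if needed is None:
        return "deny", score, ["unknown resource: default deny"]
    if req.resource == "payroll" and not req.device_managed:
        # A hard rule the score cannot buy its way around (least privilege for sensitive data).
        return "deny", score, ["payroll requires an enterprise-managed device"]
    if score >= needed:
        return "allow", score, []
    if score >= needed - STEP_UP_MARGIN:
        return "step-up", score, [f"score {score} below {needed}; require fresh MFA"]
    return "deny", score, [f"score {score} below {needed}"]
```

The point of the structure is that the decision is recomputed for every request from current attributes: the same subject with the same credentials lands on "allow" for a low-sensitivity resource, on "step-up" when travelling at an unusual hour, and on "deny" for payroll from an unmanaged device regardless of score.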
Ensure device integrity and security
• Trust no asset
• Evaluate asset security posture while appraising resource request
• Monitor device and application state, and mitigate, if needed
• Access attempts by unstable, vulnerable enterprise owned or managed assets, or assets not enterprise managed (including personally-owned devices) can be treated differently
• Requires a monitoring and reporting system to gather actionable data on current enterprise resource state
• Monitor and measure integrity and security posture of owned and associated assets
Solution:
• Continuously monitor asset integrity and posture, regardless of ownership or management
• Continuously check app state
• Mitigate
• Monitor and report on resource state

F5:
• Continuous monitoring and validation of integrity and security posture for ALL assets, at time of access request and beyond
• Continuous monitoring and assessment of app state and security
• Supports mitigation of devices and apps if vulnerable or that do not meet posture levels
• Monitors, compiles, and reports usable info on resource state and access
• Seamlessly integrates with third-party device management, monitoring, and mitigation solutions
Continuous security improvements
• Collect info on current asset, network infrastructure, and communications state to improve security posture
• Security posture, network traffic, and access request data collection
• Analyze captured data
• Leverage data analysis and insight to improve policy creation and enforcement
Solution:
• Collects significant data on security, traffic, and access
• Performs data analysis on collected info
• Continuously strengthens policy creation and enforcement based on captured data

F5:
• Continuous review and assessment of access, threats, and trust
• Provides visibility into application access and traffic trends, aggregate data for long-term forensics, accelerate incident responses, and identify issues and unanticipated problems before they can occur
• Initiates quick action, if required, including the termination of specific access sessions
• Delivers a fast overview of access health
NIST ZTA Components | F5 in NIST ZTA | F5 and Core Components | F5 and Other Components | F5 & Trust Algorithm

[Figure: NIST ZTA core and supporting components. Labels: Threat Intelligence; ID Management; Untrusted Subject System; Policy Enforcement Point (PEP); Trusted Enterprise Resource; Activity Logs; SIEM System; Data Plane]
F5 in the NIST Zero Trust Architecture: CDM System
[Figure: Control Plane with Policy Engine, Policy Administrator and Policy Decision Point (PDP); CDM System]
• BIG-IP APM checks user device security posture via F5 Access Guard, a browser extension that coordinates with APM
• BIG-IP APM and F5 Access Guard check device integrity at authentication AND through continuous, ongoing device posture checks throughout application access
• If any change in device integrity is detected, APM and Access Guard can either limit or stop application access, halting potential attacks before they launch
• Shape DeviceID+ with APM identifies and distinguishes between enterprise- and non-enterprise-owned devices
F5 in the NIST Zero Trust Architecture: Threat Intelligence
[Figure: Control Plane with Policy Engine, Policy Administrator and Policy Decision Point (PDP), fed by CDM System, Industry Compliance and Threat Intelligence; Data Plane with Untrusted Subject System, Policy Enforcement Point (PEP) and Trusted Enterprise Resource; APM acts as the PDP and PEP]
• BIG-IP APM's HTTP Connector enables unified integration with third-party user and entity behavior analytics (UEBA) and other API-driven risk engines
• Seamlessly adds another level of security and application access control
• Leverages risk assessment via REST APIs as part of its policy-based access controls
• Enables risk-based access to networks, clouds, apps, and APIs, enhancing BIG-IP APM's Zero Trust IAP solution
• HTTP Connector leverages user group, domain, and network-based triggers to increase enforceability of risk-based access, providing greater visibility and increased analytics to determine whether or not to grant or deny access to networks, cloud, applications, and APIs
• Data from HTTP Connector also enables integration with Microsoft Azure Active Directory's Conditional Access, increasing breadth of coverage
F5 in the NIST Zero Trust Architecture: Activity Logs
[Figure: Control Plane / Data Plane]
• BIG-IP APM integrates with BIG-IQ Centralized Management to provide enhanced visibility through access reports and logs
• Delivers analytical reports and logs based on devices and groups to increase insight into user access and analysis

F5 in the NIST Zero Trust Architecture:
• BIG-IP APM enables creation, enforcement, and centralization of simple, dynamic, intelligent access policies
F5 in the NIST Zero Trust Architecture: SIEM System
• BIG-IQ and APM deliver greater visibility into application access and traffic trends, aggregate data for long-term forensics, accelerate incident response, and identify issues and unanticipated problems
[Figure: NIST ZTA components. Labels: Threat Intelligence; ID Management; Untrusted Subject System; Policy Enforcement Point (PEP); Trusted Enterprise Resource; Activity Logs; SIEM System; Data Plane]
Variations of NIST ZTA | Enhanced Identity Governance | Micro-Segmentation | Net Infrastructure and SDP

Each approach implements all the tenets of Zero Trust, but may use one or two (or one component) as the main policy driver.
[Figure: tenets mapped to approaches. Labels: 2. Communications are secured regardless of location; 3. Access to individual resources granted on per-session basis; 6. Dynamic resource authentication and authorization strictly enforced before access allowed; Enhanced identity governance; Logical micro-segmentation]
Enhanced identity governance
• Access policies are based on user (actor) identity and assigned attributes
• Granted access privileges are the primary requirement for resource access
• Device used, asset status, and environmental factors can affect access privileges granted (i.e., granting only partial access based on network location)
• PEP must forward requests to a policy engine service or authenticate the subject and approve the request before granting access
When is it used:
• With an open network model
• Enterprise networks with visitor access or frequent non-enterprise devices on the network
Pros and Cons:
• Access initially granted to all assets
• But access to enterprise resources restricted to identities with appropriate access privileges
• Malicious actors could attempt network reconnaissance
• Attackers can use the network to launch denial of service (DoS) attacks internally or against a third party
F5:
• APM creates and enforces dynamic identity-based, context-aware policies
• APM identity-based policies also leverage attributes assigned to the user and their identity
• APM continuously monitors and assesses the user's device integrity, asset status and security, and environmental factors, including location, network security, and more, prior to granting access and throughout the app session
• APM leverages Identity Aware Proxy to ensure identity and context prior to granting resource access, and throughout access
Micro-segmentation
Placing resources on a unique network segment
• Place individual or groups of resources on a unique network segment protected by a gateway security component
• Infrastructure devices serve as PEPs shielding resources from unauthorized access and / or discovery
• Can also use software agents or endpoint firewalls to implement host-based micro-segmentation
• PEPs are managed and should react and reconfigure as needed to respond to threats or workflow changes
• Gateway may be the only PEP or may be part of a multipart PEP consisting of the gateway and a client-side agent
• Gateways dynamically grant access to individual requests from a client, asset, or service
• May require an identity governance program
When is it used:
• Enterprises wanting to leverage intelligent switches or routers, NGFWs, or special purpose gateways as PEPs; or software agents or endpoint firewalls for host-based micro-segmentation
Pros and Cons:
• Less advanced gateway devices and stateless firewalls can implement some features of a micro-segmented enterprise
• Admin costs and difficulty to quickly adapt to changes make them a poor choice
F5:
• APM, as an access management gateway, shields individual resources or resource groups on a unique network segment from unauthorized or inappropriate access and / or discovery
• APM serves as the combined PEP and PDP to help ensure authorized access to users from anywhere on a per-app basis
• APM can work in concert with F5 clients and agents (Access Guard, Edge Client, F5 Access) to stop access to individual resources or resource groups from unauthorized or inappropriate devices or devices that do not meet a device security baseline
• APM's policies are dynamic and adaptive, able to react to changes in workflow and responsive to threats
• BIG-IP LTM works with third-party vendors, such as Illumio, to better control traffic management and availability services
Network infrastructure and SDP
• Leverages network infrastructure to enable Zero Trust
• Can be achieved by using an overlay network
• Sometimes referred to as software defined perimeter (SDP)
• Policy Agent (PA) acts as the network controller that sets up and reconfigures the network based on decisions made by the Policy Engine (PE)
• Clients request access via PEPs, which are managed by the PA
• When implemented at the application network layer (layer 7), usually deployed in the agent / gateway environment
• Agent and gateway (acting as a single PEP and configured by PA) establish a secure channel used for communication between a client and resource
F5:
• APM establishes a secure channel between the client (user) and the resource to which access has been requested
• The secure channel is protected via HTTPS, leveraging AES128 encryption standards
• If APM determines that the user, their identity, device, context, state, behavior, environment, or privilege has changed and / or no longer meets policy, access to any app to which the user has been granted access may be affected, including ending app access, limiting it, or just logging the change and not affecting access, through communication between the PA and PE, both part of APM
• APM also supports the implementation of the agent / gateway environment
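The device-integrity slides and the bullet above describe the same control: a session is not trusted once and forgotten, it is re-evaluated as posture changes, and the outcome is one of ending access, limiting it, or only logging the change. The following is an added example, not APM code; the posture fields, severity classes and the mapping from severity to action are assumptions for the illustration.

```python
"""Added illustration (not APM code) of continuous session re-evaluation: once
access is granted, later changes in device posture are classified and mapped to
the three outcomes the slide names: end access, limit access, or log only.
The posture fields, severities and rules are assumptions for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Posture:
    edr_running: bool        # endpoint protection agent alive
    disk_encrypted: bool
    os_patched: bool         # no known-vulnerable packages reported
    network: str             # "corp", "home" or "public"


@dataclass
class Session:
    user: str
    app: str
    posture: Posture                 # posture observed when access was granted
    state: str = "full"              # "full" | "limited" | "ended"
    log: list = field(default_factory=list)


def classify_change(old, new):
    """Severity of the policy violation implied by a posture delta."""
    if old.edr_running and not new.edr_running:
        return "critical"             # protection stopped mid-session
    if old.disk_encrypted and not new.disk_encrypted:
        return "critical"
    if old.os_patched and not new.os_patched:
        return "major"                # newly reported vulnerability on the device
    if new.network != old.network:
        return "major" if new.network == "public" else "minor"
    return "none"


def reevaluate(session, new_posture):
    """Apply a posture update to a live session and return the action taken:
    "end", "limit", "log" or "none"."""
    if session.state == "ended":
        return "none"                 # nothing left to protect; the session is gone
    severity = classify_change(session.posture, new_posture)
    session.posture = new_posture
    if severity == "critical":
        session.state = "ended"
        action = "end"
    elif severity == "major" and session.state == "full":
        session.state = "limited"     # e.g. read-only, downloads blocked
        action = "limit"
    elif severity in ("major", "minor"):
        action = "log"                # already limited, or a benign change: record it only
    else:
        action = "none"
    session.log.append((severity, action, session.state))
    return action


def run_demo():
    """Constructed sequence of posture updates for one session; returns the actions taken."""
    s = Session("alice", "crm", Posture(True, True, True, "corp"))
    updates = [
        Posture(True, True, True, "home"),     # moved off the corporate network
        Posture(True, True, False, "home"),    # scanner flags an unpatched package
        Posture(False, True, False, "home"),   # EDR agent stops
        Posture(True, True, True, "corp"),     # too late: session already ended
    ]
    return [reevaluate(s, p) for p in updates]
```

Two details matter for the defender: the session records every transition (the `log` list), so the SIEM can reconstruct why access changed, and a session that has been ended stays ended even if posture later recovers; the subject has to come back through the PEP and be evaluated afresh.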
Deployment Variations | F5 & Agent / Gateway | F5 & Enclave-based | F5 & Resource Portal | F5 & Device App Sandbox

• A single asset may perform the duties of multiple logical components…
• …And a logical component may consist of multiple hardware or software elements to perform tasks
• For instance, some Zero Trust offerings today combine the Policy Engine (PE) and Policy Agent (PA) in a single service
• Multiple Zero Trust Architecture deployment models may be used for different business processes within a single enterprise
• Several variations on deployment of ZTA components:
  o Device agent / gateway-based deployment
  o Enclave-based deployment
  o Resource portal-based deployment
  o Device application sandboxing
F5 & Agent / Gateway
Policy Administrator and Policy Engine could be an enterprise local asset or a cloud-hosted service. APM serves as the Policy Engine and Policy Administrator, a single asset performing the duties of multiple logical components.
[Figure: agent / gateway deployment. Labels: User (Subject) (Enterprise System); (Policy Engine); (Policy Admin); (Gateway); (Resource); numbered flow 1 to 5]
1 User (subject) with an enterprise-issued laptop wants to connect to an enterprise resource
2 Access request is taken by the local agent and is forwarded to the Policy Administrator (APM)
3 Policy Administrator (APM) forwards the request to the Policy Engine (also APM) for evaluation
4 If request is authorized, the Policy Administrator (APM) configures a communication channel between the agent and the gateway via the control plane. This may include information such as an internet protocol (IP) address, port
• Not all resources are on enterprise-owned infrastructure
• Remote users and assets can't trust local network connections
• Assets and workflows moving between enterprise and non-enterprise infrastructure need consistent security policies and posture
Remote users and assets can't trust local network connections
• Remote enterprise users should assume that a local, non-enterprise-owned or -managed network is dangerous
• Apps, devices, etc. should assume that all traffic is being monitored and can potentially be modified
• All connection requests should be authenticated and authorized
• All communications should be done in the most secure manner possible (i.e., provide confidentiality, integrity protection, and source authentication)

Consistent security policies and posture are necessary
• Assets (apps, devices, etc.) and workflows traversing enterprise and non-enterprise infrastructure require consistent security policies and posture
• They should retain security posture when moving to or from enterprise-owned infrastructure
• Includes devices used by remote users moving from enterprise networks to non-enterprise networks
• Also includes workloads migrating from on-premises data centers to non-enterprise cloud environments (i.e., public clouds)
• Enterprise assets have basic network connectivity
• Distinguish between enterprise owned / managed assets and their current security posture
• Enterprise observes all network traffic
• Resources unreachable without first accessing their Policy Enforcement Point (PEP)
• Logically separate data plane and control plane
• Enterprise assets can reach the Policy Enforcement Point (PEP)
• Policy Enforcement Point (PEP) is the only component to access the Policy Administrator (PA) as part of a business flow
• Remote enterprise assets should access enterprise resources without first traversing the enterprise network
• ZTA access decision infrastructure must be scalable
• Enterprise assets may not reach PEPs due to policy or observable factors
Enterprise owned / managed assets and security posture
• Distinguish between enterprise owned / managed assets and their current security posture
• Determined by enterprise-issued credentials and by not using info that cannot be authenticated (e.g., MAC addresses that can be spoofed)

Resources unreachable without first accessing PEP
• Enterprise resources won't accept arbitrary incoming connections from the internet
• Resources accept custom-configured connections only after a client has been authenticated and authorized
• Communication paths are set up by the PEP
• Resources may not be discoverable without accessing the PEP, preventing attackers from identifying targets via scanning and/or launching DoS attacks against resources located behind PEPs
• Some network infrastructure components (e.g., DNS servers) must be accessible
Logically separate data plane and control plane
• PE, PA, and PEPs communicate on a logically separate network that is not directly accessible by enterprise assets and resources
• Data plane is used for application / service data traffic
• PE, PA, and PEPs use the control plane to communicate and manage communication paths between assets
• PEPs must be able to send and receive messages from both the data and control planes

PEP is the only component to access the PA as part of a business flow
• Each PEP on an enterprise network has a connection to the PA to establish communication paths from clients to resources
• All enterprise business process traffic passes through one or more PEPs
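The agent / gateway flow (steps 1 to 4 on the deployment slide) and the three requirements just listed (PE/PA not directly reachable by subjects, resources accepting only PA-configured connections, enterprise ownership proven by an issued credential rather than a MAC address) fit in one small simulation. The following is an added example, not F5 or NIST code: the class names, the `request_access` / `configure_channel` / `connect` calls, the registered-agent list, the certificate and policy tables are all constructed for the illustration, and the final data-plane connection is modelled as the step that follows the PA's channel setup.

```python
"""Added simulation (not F5 or NIST code) of the agent / gateway exchange from the
deployment slide and of three deployment requirements: the PA is reachable only
by registered agents/PEPs on the control plane, the gateway (PEP) accepts only
channels the PA configured, and enterprise ownership is decided by an
enterprise-issued credential rather than a spoofable MAC address.  All names,
tokens and the policy table are constructed for the example."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    device_cert: str      # enterprise-issued credential (can be authenticated)
    mac: str              # visible on the wire, deliberately ignored by policy


class PolicyEngine:
    """PE: makes the decision.  Only the PA talks to it (control plane)."""

    def __init__(self, issued_certs, policy):
        self.issued_certs = set(issued_certs)
        self.policy = policy                     # resource -> set of allowed subjects

    def evaluate(self, req):
        if req.device_cert not in self.issued_certs:
            return False                         # not an enterprise-managed asset
        return req.subject in self.policy.get(req.resource, set())


class Gateway:
    """PEP in front of the resource.  Data-plane connections succeed only on a
    channel the PA configured; anything unsolicited is dropped."""

    def __init__(self, host, port):
        self.host, self.port = host, port
        self._channels = {}                      # token -> (subject, resource)

    def configure_channel(self, token, subject, resource):    # control plane, from the PA
        self._channels[token] = (subject, resource)

    def connect(self, token, subject):                        # data plane, from the agent
        entry = self._channels.get(token)
        if entry is None or entry[0] != subject:
            return None
        return entry[1]                          # the resource now reachable


class PolicyAdministrator:
    """PA: sets up channels based on PE decisions (steps 2 to 4 of the slide)."""

    def __init__(self, pe, gateway, registered_agents):
        self.pe, self.gateway = pe, gateway
        self.registered = set(registered_agents)

    def request_access(self, agent_id, req):
        if agent_id not in self.registered:
            return None                          # only PEPs/agents may reach the PA
        if not self.pe.evaluate(req):            # PA forwards the request to the PE
            return None
        token = secrets.token_hex(16)            # per-channel secret, never reused
        self.gateway.configure_channel(token, req.subject, req.resource)
        return {"gateway": self.gateway.host, "port": self.gateway.port, "token": token}


class Agent:
    """Client-side half of the PEP: the subject never speaks to the PA directly."""

    def __init__(self, agent_id, pa):
        self.agent_id, self.pa = agent_id, pa

    def access(self, req, gateway):
        grant = self.pa.request_access(self.agent_id, req)
        if grant is None:
            return None
        return gateway.connect(grant["token"], req.subject)   # data plane, after setup


def build_demo():
    """Constructed deployment: one PE, one gateway, one registered laptop agent."""
    pe = PolicyEngine(issued_certs={"CERT-ALICE-LAPTOP"}, policy={"crm": {"alice"}})
    gw = Gateway("gw.example.internal", 443)
    pa = PolicyAdministrator(pe, gw, registered_agents={"agent-alice-laptop"})
    return pe, gw, pa
```

Three checks a reviewer would run against such a deployment map directly onto the code: a request with the right username but no enterprise-issued certificate is refused even though its MAC address looks right; a caller that is not a registered agent gets nothing from the PA; and a data-plane connection to the gateway without a PA-issued token (or with someone else's token) is dropped, which is what makes the resource undiscoverable without first passing the PEP.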
Overview | Enterprises & Branches | Multi-cloud Enterprises | Contracted Services | Collaboration | Public-facing Services

Multi-cloud / Cloud-to-cloud Enterprises
Deployment / Use Case Scenario:
• A common ZTA use case
• Enterprise with 2 or more cloud service providers hosting applications / services and data
• Application / service can be hosted on a cloud service that is separate from the data source
• Application hosted in Cloud Provider A should be able to connect directly to the data source hosted in Cloud Provider B and not be forced to tunnel back to the network
• PE and PA services can be located in either cloud or in a third cloud
• Client (via a portal or installed agent) accesses PEPs directly
• Challenge: Different cloud providers have unique ways of implementing similar functionality; enterprises need to be aware of how to implement enterprise ZTA with each cloud provider used
[Figure: Cloud Provider "A" (Web Front End) and Cloud Provider "B" (Database), with the Enterprise Network]
Zero Trust approach to multi-cloud use is placing PEPs at access points of each app / service and data source
F5:
• BIG-IP APM – as the PE AND PA – can be deployed in a public cloud as a Virtual Edition
• Each device (asset) would use Access Guard, which checks the device (asset) integrity prior to access being granted, and continuously during application access
• Users can also gain access to any application they are authorized to access from the APM resource portal (webtop)
• Policies created in APM on a BIG-IP appliance may be used as is in APM as a VE
• BIG-IQ can manage the APM policies and push policies out to all APMs located on the network
• F5 Advanced WAF can also be deployed in a public cloud to enhance security and eliminate DoS threats