Zero Trust

The traditional ‘castle and moat’ approach to security establishes a perimeter around the organization’s network and trusts all devices and users within it. However, once an attacker, a compromised device or a malicious insider is inside that perimeter, nothing stops them moving laterally, because everything inside is already trusted.

Rather than protecting the perimeter, the zero trust approach is to ‘never trust, always verify’.

  • Default is to trust nobody, inside or outside the network perimeter.

  • Assume that all users, devices, applications, and data are potentially malicious.

  • Only grant ‘least privilege’ access – the minimum level required to perform a specific task.

ViewDS Access Sentinel

With policy definition and enforcement at its core, ViewDS Access Sentinel delivers critical components of a zero trust architecture.

These are in addition to several other capabilities that either fulfil or support zero trust.

This illustration shows NIST’s zero trust architecture with Access Sentinel’s capabilities in dark blue (full capability) and light blue (supporting capability).

Each capability is described below.

NIST zero trust architecture

Access Sentinel provides the Policy Engine in a zero trust architecture.

Support for attribute-based access control, in the form of XACML, allows Access Sentinel to make policy decisions based on data from the following components. In XACML terms these act as Policy Information Points: the data they hold is presented to the policy as attributes of the subject, the device or the environment, and a single policy can combine all of them in one decision.

  • CDM System (Continuous Diagnostics and Mitigation)
  • Threat Intelligence
  • Activity Logs
  • SIEM System (Security Information and Event Management)

Access Sentinel includes a user interface for policy administration.

The interface allows you to create and maintain Data Access Policy, including policy rules required for Industry Compliance.

Using decisions from the Policy Engine, the Policy Administrator along with the Policy Enforcement Point are responsible for establishing, monitoring and breaking sessions between clients and Enterprise Resources.

ViewDS provides libraries to simplify integration between the Policy Administrator and the Policy Engine. Other ViewDS products can also be deployed to support session-specific authentication and the generation of authentication tokens by the Policy Administrator.

The Policy Administrator only applies access control at the level of sessions (coarse-grained): a user is either allowed or prohibited from accessing an Enterprise Resource, and the Policy Administrator has no say in what the user can then do with that resource.

Access Sentinel can also provide fine-grained access control to Enterprise Resources. This is done through embedded XACML Policy Enforcement Points*, provided either as plug-ins or integrated using Access Sentinel’s libraries, which enforce decisions made using the full range of inputs available to the Policy Engine.

* The Policy Enforcement Point in the XACML use of the term resides in the Policy Administrator and possibly in Enterprise Resources. It is not the same component as the Policy Enforcement Point in a zero trust architecture.
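The following is an added illustration and is not code from ViewDS or Access Sentinel. It models, in a few dozen lines of Python, the two ideas described above: a Policy Engine making XACML-style attribute-based decisions (here with the deny-overrides rule-combining algorithm) from attributes supplied by the CDM system, threat intelligence, activity logs and the SIEM, and two enforcement points that consult it: a coarse-grained session gate standing in for the Policy Administrator, and a fine-grained per-operation check standing in for the XACML Policy Enforcement Point embedded in the resource. All attribute names, hosts, users, IP addresses and risk scores are constructed for the example; a real deployment would express the rules in XACML XML and fetch the attributes through PIP connectors rather than from in-memory dictionaries.

```python
# Added illustration, not ViewDS/Access Sentinel code: a minimal XACML-style
# policy decision point (PDP) with deny-overrides, fed by constructed stand-ins
# for the CDM system, threat intelligence, activity logs and SIEM, and used by
# a coarse-grained session gate and a fine-grained resource PEP.
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed Policy Information Point data (assumed attribute sources).
CDM_DEVICE_COMPLIANT = {"laptop-17": True, "laptop-42": False}       # CDM system
THREAT_INTEL_BAD_IPS = {"203.0.113.9"}                                # threat intel (TEST-NET-3 address)
ACTIVITY_LOG_FAILED_LOGINS = {"alice": 0, "carol": 1, "mallory": 7}  # activity logs
SIEM_RISK_SCORE = {"alice": 12, "carol": 5, "mallory": 85}            # SIEM, 0-100


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Callable[[dict], bool]                # which requests the rule covers
    condition: Callable[[dict], bool] = lambda r: True


@dataclass
class Policy:
    rules: List[Rule]

    def evaluate(self, request: dict) -> str:
        """Deny-overrides: any applicable Deny wins; Permit needs at least one
        applicable Permit rule and no Deny; otherwise NotApplicable."""
        decision = NOT_APPLICABLE
        for rule in self.rules:
            if rule.target(request) and rule.condition(request):
                if rule.effect == DENY:
                    return DENY
                decision = PERMIT
        return decision


def enrich(request: dict) -> dict:
    """PIP lookup: attach attributes from the external sources to the request.
    Unknown subjects and devices get the worst value so the policy fails closed."""
    subject, device, ip = request["subject"], request["device"], request["source-ip"]
    return {
        **request,
        "device-compliant": CDM_DEVICE_COMPLIANT.get(device, False),
        "ip-on-blocklist": ip in THREAT_INTEL_BAD_IPS,
        "failed-logins": ACTIVITY_LOG_FAILED_LOGINS.get(subject, 99),
        "risk-score": SIEM_RISK_SCORE.get(subject, 100),
    }


HR_RECORD = "hr-app/record/"
POLICY = Policy(rules=[
    # Deny rules apply to every request, session establishment included.
    Rule("deny-noncompliant-device", DENY, lambda r: True, lambda r: not r["device-compliant"]),
    Rule("deny-blocklisted-ip", DENY, lambda r: True, lambda r: r["ip-on-blocklist"]),
    Rule("deny-high-risk", DENY, lambda r: True,
         lambda r: r["risk-score"] >= 70 or r["failed-logins"] >= 5),
    # Coarse-grained: staff may open a session to the HR application.
    Rule("permit-staff-session", PERMIT,
         lambda r: r["action"] == "connect" and r["resource"] == "hr-app",
         lambda r: "staff" in r["groups"]),
    # Fine-grained: staff may read a record; only hr-admin may write one.
    Rule("permit-staff-read", PERMIT,
         lambda r: r["action"] == "read" and r["resource"].startswith(HR_RECORD),
         lambda r: "staff" in r["groups"]),
    Rule("permit-admin-write", PERMIT,
         lambda r: r["action"] == "write" and r["resource"].startswith(HR_RECORD),
         lambda r: "hr-admin" in r["groups"]),
])


def decide(subject, groups, device, ip, action, resource) -> str:
    """Policy Engine entry point: build the request, enrich it, evaluate it."""
    request = {"subject": subject, "groups": set(groups), "device": device,
               "source-ip": ip, "action": action, "resource": resource}
    return POLICY.evaluate(enrich(request))


def session_gate(subject, groups, device, ip, app) -> bool:
    """Policy Administrator / ZTA PEP: may this client get a session to the app at all?
    A deny-biased PEP treats anything other than Permit (NotApplicable included) as deny."""
    return decide(subject, groups, device, ip, "connect", app) == PERMIT


def resource_pep(subject, groups, device, ip, action, path) -> bool:
    """XACML PEP embedded in the resource: may this session perform this operation?"""
    return decide(subject, groups, device, ip, action, path) == PERMIT


if __name__ == "__main__":
    alice = ("alice", {"staff"}, "laptop-17", "198.51.100.4")
    print("alice session:", session_gate(*alice, "hr-app"))                     # True
    print("alice read:", resource_pep(*alice, "read", "hr-app/record/1001"))    # True
    print("alice write:", resource_pep(*alice, "write", "hr-app/record/1001"))  # False
    print("alice, blocklisted IP:",
          session_gate("alice", {"staff"}, "laptop-17", "203.0.113.9", "hr-app"))  # False
```

Two points carry over to a real deployment. First, both enforcement points call the same decision function with the same enriched attributes, so a device that falls out of CDM compliance or an address that appears on the threat feed is refused at session setup and, if the session already exists, at the next operation; the fine-grained PEP is what lets a running session be cut off mid-task. Second, every lookup defaults to the worst value and the PEP treats NotApplicable as a refusal, so a missing attribute or a policy that happens to cover neither side of a request cannot turn into an implicit Permit.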

Access Sentinel is a fully compliant LDAP directory, which delivers the ID Management component in a zero trust architecture.

Extensive support for storing, filtering and indexing of structured data, including digital certificates and certificate revocation lists, makes Access Sentinel a suitable repository for PKI artefacts.