Security
Revolutionizing Zero Trust Architecture with Okta, AWS, CrowdStrike, and Zscaler
User15869447113819571247

Matt Brandom (Customer Success Executive), David Januchowski (Sr. Solutions Architect), Manny Khadilkar (Sr. Solutions Engineer) and Dirk Carey (Sr. Solutions Engineer)


Let’s start with the basics. So what is Zero Trust? It has many connotations.

 

First, it’s important to define what Zero Trust isn’t. Zero Trust isn’t a single technology. It isn’t a single product. Rather, it’s an organization’s mindset and strategic, architectural approach to minimize uncertainty, enforce least-privilege access, and provide contextual and continuous authentication for access to your ecosystem of IT and services. Authentication and authorization in a Zero Trust framework look like this: never trust and constantly verify. Who are you, and do we trust you? Where are you coming from, and is this location known and logical? What device endpoint are you coming from, and is it trusted, secure and compliant? Are you entitled to that resource? What is the scope of your entitlement?

 

Okay, maybe you’re like “I already know what a Zero Trust Architecture (ZTA) is, so how will I benefit from attending this webinar?” This joint, virtual webinar will outline a zero trust architecture approach leveraging Okta, CrowdStrike, Zscaler and AWS as an option for organizations to consider implementing in their enterprise/security architecture.

 

Remote access is the new norm, and organizations must design their systems such that different personas can collaborate from anywhere, and across legacy, on-prem, and cloud apps.

 

Zero Trust is an investment that protects organizations from the downsides of data breach, and maximizes the impact of strategic digital initiatives. 

 

With a Zero Trust framework, your security control plane (think of this as the brain) shares signals between devices, network, and identity to collectively make a decision every time a resource is accessed. This approach contextually evaluates the identity, network, device, and resource to ensure that the access is always trusted in real time. If at any time one of these signals indicates that access is not to be trusted, the solutions work together to remediate the situation. This is a defense-in-depth strategy, where an ecosystem of security controls (rather than a single platform or tool) is leveraged to protect your applications and infrastructure. It can only be achieved when you have an identity provider, a network security provider, and a device/endpoint security provider working together in an integrated ecosystem to deliver user and device context and inform remediation action.

 

As an example, here is a policy screenshot to tie it all together. The logic is simple: this policy applies to one (or more) resources or applications and is triggered by rules. If the user characteristics, device characteristics, and risk signals from Okta and CrowdStrike match a defined value/threshold, then we choose how we want to verify the identity in the 2nd part of the policy described below. This framework allows your team to ingest signals into Okta and decide how to proceed with step-up authentication as required by policies. Okta authenticates users to Zscaler, which can decide whether an employee should be allowed network-level access to the application. For example, Okta can provision the user in real time into a “deny” group based on the risk seen in Okta, and Zscaler will then terminate network access. Compare this with the world today, where you may be forced to MFA for every resource, or you may never have to authenticate again once you are on the VPN.

 

The 2nd part of the example policy simply defines what assurance level you want to enforce for the resource the user is accessing based on the user and device characteristics and risk signals that we are seeing. 
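To make the two-part policy above concrete, here is an added example (not Okta, CrowdStrike or Zscaler code, and not from the webinar) that models it as a small evaluator: part 1 matches rules on user, device and risk signals, most restrictive first, and part 2 maps the matched rule to an assurance level, including the "deny" group the network layer consumes to cut access. The signal names, the 0-100 risk scale, the thresholds and the entitlement table are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed entitlement table: which identity-provider group a resource requires.
ENTITLEMENTS = {"payroll-app": "finance", "prod-console": "sre"}

@dataclass
class AccessContext:
    user_groups: set            # groups asserted by the identity provider
    device_managed: bool        # MDM-enrolled, as reported by the endpoint agent
    endpoint_risk: int          # endpoint risk score, assumed 0-100 scale (higher = worse)
    known_location: bool        # network/location recognised by the identity provider
    resource: str

@dataclass
class Decision:
    assurance: str              # "password", "mfa", "phishing_resistant_mfa" or "deny"
    deny_group: bool = False    # True -> provision the user into the "deny" group
    reasons: list = field(default_factory=list)

def evaluate(ctx: AccessContext) -> Decision:
    """Part 1: match rules on user, device and risk signals (most restrictive first).
    Part 2: the matched rule names the assurance level to enforce."""
    # High-risk endpoint: deny, and add the user to the deny group so the network
    # layer can terminate existing sessions as well as refuse new ones.
    if ctx.endpoint_risk >= 70:
        return Decision("deny", deny_group=True, reasons=["endpoint_risk>=70"])
    # Entitlement check: not being in the resource's group is a plain deny.
    required = ENTITLEMENTS.get(ctx.resource)
    if required and required not in ctx.user_groups:
        return Decision("deny", reasons=[f"missing_group:{required}"])
    # Weaker context (unmanaged device, unknown location, elevated risk):
    # step up to the strongest factor instead of blocking outright.
    reasons = [r for r, bad in (("unmanaged_device", not ctx.device_managed),
                                ("unknown_location", not ctx.known_location),
                                ("elevated_endpoint_risk", ctx.endpoint_risk >= 40)) if bad]
    if reasons:
        return Decision("phishing_resistant_mfa", reasons=reasons)
    # Trusted context: sensitive resources still get MFA, everything else a password only,
    # which is the contrast with "MFA for every resource" drawn above.
    if required:
        return Decision("mfa", reasons=["sensitive_resource"])
    return Decision("password", reasons=["trusted_context"])
```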

Okta, CrowdStrike, Zscaler and AWS are technology partners working together to provide a holistic, integrated architecture for customers to adopt for a more secure environment.

Let’s take a look at the detailed capabilities that we will cover in the webinar. The device, identity, and application risk assessment requires a number of capabilities to provide you with the control needed for this architecture:

 


Identity (Okta)

  • User and policy management: Okta is the central view of all identities with a context-based policy engine. It uses this context combined with CrowdStrike input for its access decisions. It also shares access decisions with Zscaler secure network access.
  • Authentication: Okta delivers secure, flexible multi-factor authentication options that secure accounts from fraud and credential theft.
  • Authorization: Okta provides an at-a-glance view of user permissions to easily grant and revoke access to resources according to your policy.
  • Device context: Okta leverages context like user location, external risk signals, and insight from its broad customer base to block identity attacks.
 

Device (CrowdStrike)

  • Risk score: Calculated based on threat status, user behavior, and device context. CrowdStrike shares this data with Okta to consider in its policy engine and authentication decisions.
  • Threat status: CrowdStrike identifies threats like malware and ransomware detected on devices or workloads and stops them from spreading and affecting other resources.
  • Risk-based conditional access: CrowdStrike detects and stops identity-based attacks in real time, including suspicious activity such as protocol mismatches, privileged credential misuse, unauthorized access attempts, and more.
  • Device context: CrowdStrike gathers vital device information like OS version, MDM status, location, jailbroken status, and more.
 

Network/Environment (Zscaler)

  • Least privilege access: Zscaler Zero Trust Exchange (ZTE) combines its device, app, and content context with CrowdStrike info and Okta identity context to determine appropriate levels of access.
  • Zscaler Private Access (ZPA): provides secure access to private apps in the public cloud or your data center without VPNs.
  • Zscaler Internet Access (ZIA): provides safe and secure internet access for your workforce, protecting devices from threats and protecting against data loss.
  • Device context: Zscaler Client Connector automatically routes traffic to the correct zero trust service, Internet access or Private access.
 

Cloud Infrastructure (AWS)

AWS provides building blocks that you can assemble quickly to support virtually any workload. With AWS, you’ll find a complete set of highly available services that are designed to work together to build sophisticated scalable applications. You have access to highly durable storage, low-cost compute, high-performance databases, management tools, and more. All this is available without up-front cost, and you pay for only what you use. These services help organizations move faster, lower IT costs, and scale. AWS is trusted by the largest enterprises and the hottest start-ups to power a wide variety of workloads, including web and mobile applications, game development, data processing and warehousing, storage, archive, and many others. 

 

If you have comments or feedback on this topic please comment on this blog post. This is a Community forum and we love input from the Okta Community, so please share your thoughts!

 

Sign up for our joint, virtual webinar on August 17th to learn how these technology partners can integrate together to provide a best-of-breed, defense-in-depth strategy to mature and bolster your zero trust architecture. 


 