Zafehouze defined ‘Prevent & Protect’.

 

Here is why we created it and what it consists of!  

 

Just a starting remark. Not all Zafepass features and functions are addressed. Many new features and elements have been implemented since our first patent. A full technical disclosure of how Zafepass works requires a non-disclosure agreement.

 

First, a short flight back to where Zafepass originates from.

 

Back in 2002 we designed the first-generation platform, patented in 2005. When the Jericho Forum in the UK defined deperimeterization, it was very much aligned with our thoughts and ideas. When zero trust was defined in 2010, it also matched our first-generation platform well. Then in 2013 the Cloud Security Alliance defined the Software Defined Perimeter, and again the elements defined in SDP matched our original design.

 

In the following years the second generation of the platform was developed, designed to scale the way infrastructure does, as combinations of public/private cloud, private datacenters and virtualization became the norm.


In 2019 a few from the old team got together to scope an updated design, now called Zafepass: a third generation with some significant changes and differences. Beyond scalability, these include ephemeral connectivity, null-state extended throughout, an improved policy engine and direct support for CMMC 2.0 (NIST 800-172r2 and 800-172), still with a strict policy of NOT having any dependency on third-party security products or solutions. Nothing else is needed.


Now landing safely, let's introduce the design ideas behind Zafepass.

 

Mixing deperimeterization, software defined perimeter (SDP), zero-trust and secure service edge principles, as well as a range of other elements, resulted in an architecture where traditional network perimeter defenses can be, or are, replaced, with a focus on verifying the identity and trustworthiness of devices, users and applications before allowing access to resources.


The deperimeterization concept involves removing the traditional boundary of the network, and SDP allows for dynamic control of network access based on identity and trust. The zero-trust model goes further by assuming that all devices and users are untrusted until proven otherwise. Together these three concepts (they are still concepts) can help protect against threats such as advanced persistent threats, insider attacks and much more, which we touch upon later.

 

The result is a security architecture that excels even when traditional network perimeters are removed (don't rely on them holding up). Now we can aim for a dynamic, risk-based approach to securing IT/OT and IoT environments and resources.

 

Deperimeterization refers to breaking down traditional network boundaries and allowing more fluid communication between devices and networks.

 

Software Defined Perimeter (SDP) is a technology that dynamically controls access to resources based on risk and identity rather than location. Embedding zero-trust principles means that all access is treated as untrusted and must be verified and authenticated before being granted, which includes assuming that everything may be compromised and enforcing least-privilege access.

 

As the world moves to 'digital', these concepts can help create a more secure and adaptive environment.


Layer 7 - why?

 

Zafepass Prevent & Protect is a holistic, easy-to-implement Layer 7 based solution. Layer 7 is the application layer of the OSI model, its topmost layer, responsible for interfacing with software applications. Layer 7 security measures include things like web application firewalls, application-level encryption, and authentication and access control systems.

 

These measures are designed to protect the application and its data from various types of cyberattacks, such as SQL injection, cross-site scripting, lateral movement, brute-force, man-in-the-middle and denial of service attacks, among other things.


Why reverse proxy?

 

A port forwarding reverse proxy is a type of reverse proxy that forwards client requests to specific ports on the backend servers, rather than directing all requests to a single server. This allows for better control over how client requests are handled and can be used to direct and balance load among multiple servers, or to provide access to multiple services or cloud services seamlessly.


What is micro-perimeter-based security?


Micro-perimeter-based security is a method of securing networks and applications by creating smaller, more specific security boundaries rather than relying on a single, large perimeter.


This approach involves breaking down a network into smaller segments, or micro-perimeters, and then applying security measures to each segment. This can include things like micro-firewalls, micro-intrusion detection systems, and granular access controls.


The goal of micro-perimeter security is to make it much more difficult for attackers to compromise what Zafepass manages, limiting any access gained to a smaller area and making breaches easier to detect and respond to, if they happen at all.


In simple terms, it's like having many small gates instead of one big gate to protect your house. It makes it harder for intruders to enter, and easier to detect if someone does.

What is ABAC good for?


Therefore Zafepass uses Attribute-based Access Control (ABAC). This is a more advanced method of regulating access to resources, services or operations by evaluating one or more attributes or characteristics of the user or device making the request, and of the resource, service or action involved.


These attributes can include things like Active Directory group membership, user location, the time of day, MAC addresses, installed patches, etc.


The evaluation is typically done using a set of rules, policy-engines, attribute repositories and decision points to determine whether the request should be granted or denied based on the values of the attributes.


Essentially, ABAC allows for more fine-grained access control and can be used to enforce complex security policies across a wide range of resources and users, by looking at characteristics of the user, resource or action rather than just the user's identity.


You can argue that ABAC requires more advanced knowledge of security and access control concepts, as well as the ability to configure and manage these systems, but this is one of the unique Zafepass features included in our "automated simplicity design".


ABAC in Zafepass Prevent & Protect is fairly easy. Once you've created the policies for one element, they can easily be replicated to other resources and adjusted to fit the required policies, over and over again.
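As an added illustration (not Zafepass's own policy engine or code), here is a minimal deny-by-default ABAC evaluator over the attribute kinds listed above, including the "author one policy, replicate and adjust it for other resources" step. All rule names, field names and sample values are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import time

@dataclass(frozen=True)
class Request:  # attributes collected about subject, device, resource and action
    ad_groups: frozenset
    location: str
    now: time
    mac: str
    patches: frozenset
    resource: str
    action: str

@dataclass(frozen=True)
class Policy:  # one rule set for one resource; every check must pass
    resource: str
    actions: frozenset
    allowed_groups: frozenset
    allowed_locations: frozenset
    window: tuple  # (start, end) as datetime.time, inclusive
    known_macs: frozenset
    required_patches: frozenset

    def replicate(self, resource, **changes):
        """Clone this policy for another resource, adjusting only what differs."""
        return replace(self, resource=resource, **changes)

def evaluate(policies, req):
    """Deny by default. Returns ('permit', []) or ('deny', [failed checks])."""
    failures = []
    for p in policies:
        if p.resource != req.resource:
            continue
        checks = {
            "action": req.action in p.actions,
            "ad_group": bool(req.ad_groups & p.allowed_groups),
            "location": req.location in p.allowed_locations,
            "time_of_day": p.window[0] <= req.now <= p.window[1],
            "mac": req.mac in p.known_macs,
            "patches": p.required_patches <= req.patches,
        }
        failed = [name for name, ok in checks.items() if not ok]
        if not failed:
            return "permit", []
        failures.extend(failed)  # keep the reasons: useful for audit logging
    return "deny", failures or ["no_policy_for_resource"]

# Constructed sample: one policy authored for the HR portal, replicated for finance
HR = Policy("hr-portal", frozenset({"read"}), frozenset({"HR-Staff"}), frozenset({"HQ"}),
            (time(7), time(19)), frozenset({"aa:bb:cc:dd:ee:01"}), frozenset({"KB-2024-01"}))
POLICIES = [HR, HR.replicate("finance-api", allowed_groups=frozenset({"Finance"}))]
```

The returned failure list is what a decision point would write to its audit log, so a denied request explains which attribute check it did not satisfy.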


What is the difference between stateful, stateless and null-state?


In computing, a stateful system is one in which the state of the system is retained and can be referenced at a later time. This means that the system keeps track of information or data, such as user sessions or previous interactions. 


A stateless system, on the other hand, does not retain any information or state and treats each request or interaction as if it is the first.


A null state means that the system is in a neutral or undefined state: it contains no data or information and can be considered the initial state of the system.


In simple terms, stateful systems remember things, stateless systems don't, and null-state systems are empty.


Zafepass Prevent & Protect is a null-state based solution. Why? How do you compromise "nothing"?


Here it’s also important to look into what ‘ephemeral connectivity’ is.


Ephemeral connectivity refers to a temporary and fleeting connection between devices or networks. This type of connectivity is often used in situations where a device or network only needs to connect for a short period of time, such as in the case of mobile devices or IoT (Internet of Things) devices that move in and out of range of a network. Examples of ephemeral connectivity include Wi-Fi hotspots, cellular networks, and Bluetooth connections.


Zafepass Prevent & Protect is a null-state based solution with ephemeral connectivity support.

Users (who can take several forms) use a 'host' (a device of some kind) to connect to any available network. The Zafepass Logon Gateway can be placed in public or with virtually any cloud or service provider. ABAC verifies the "environment fingerprint" and then the "user fingerprint". Whatever Zafepass has been set to control is now controlled, and in a state where outsiders have no idea what is going on.


Managing Zafepass is easily done via the provisioning console. Access follows 'Zafepass guidelines'.


Parking at the gate!


Maybe much of the above doesn't mean much to you. The take-away is that Zafepass is designed in such a way that users or adversaries (internal or external) cannot subvert it, whether by malice, accident or trickery.


Our mission is to let users be users. Users shouldn't worry about cyber-threats and shouldn't have to be security experts. That is the security experts' job, and with Zafepass they get a platform providing the ultimate level of security for their business operation.


Try a hassle-free, 'zafe', efficient and effective solution that improves productivity and provides automated simplicity. It will take away many of today's cyber-security frustrations, require far fewer resources and deliver a lower cost of operation, guaranteed.


Want to test Zafepass Prevent & Protect?


Get in touch. We're here to help!