Zero Trust

  • 1.  AWS's Zero Trust remote access service, Verified Access, is now Generally Available.

    Posted May 11, 2023 11:03:00 AM

    (Note: this is a blog post I published on my website today, but thought that this audience would be interested in seeing it)

    At the end of 2022, AWS announced a preview of a new remote access mechanism, AWS Verified Access. This service follows Zero Trust principles, and gives users secure and precise access to applications. I reviewed this preview service here, if you want a refresher.

    AWS has now released this service as Generally Available – you can see their blog on this topic here. 

    So, what's new and improved since the preview? 

    AWS has expanded the set of integrated Trust Providers (Identity and Device validation partners), to now include Beyond Identity, CrowdStrike, CyberArk, Cisco Duo, Jamf, JumpCloud, Okta, and Ping Identity. 

    However, they are still relying on a browser extension to obtain the device context – which I don't love. Getting this from the device management server would be better (granted, that request would need to come from a server-side component, but still, it'd be better).

    More importantly, they are now making user context available to the applications, pushing it in an HTTP header (see their docs here). This is really interesting, and in fact is the same design that Google took with their BeyondCorp implementation. There isn't (yet) a body of work or toolkit around how to use these claims inside of applications to make authorization decisions, but that will be something to look for in the future. 

    It also appears that only the identity-provider claims are sent to the application, not device claims – that'll have to wait for an updated release.

    Overall, it's great to see major players like AWS putting in the work, and releasing services that their customers can use to make Zero Trust real. 

    Questions for the CSA group: Is anyone using this service yet? If so, what do you think? I'm interested in learning about how the pricing model has panned out in real-world usage. And, what about the identity context - is anyone looking at how to use this within their applications?

    thanks
    jag



    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, Zero Trust Working Group
    Principal, Numberline Security
    Author: Zero Trust Security: An Enterprise Guide
    ------------------------------
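Worked example, added here to illustrate the point above about consuming user context inside an application; it is not code from the post, from AWS, or from anyone in this thread. The post does not give the header format, so the example assumes the proxy delivers a compact JWS signed with ES384 (P-384 over SHA-384) carrying claims named sub, email, groups and exp, and that the application has obtained the proxy's public key out of band. The header name, claim names, key source, and the sample identity are all assumptions. What it shows is the order of checks an app should run before any claim drives an authorization decision: pin the expected algorithm rather than honouring the token's own alg field, verify the signature, reject expired tokens, and only then evaluate policy on the verified claims. Because (as the post notes) only identity claims arrive, device posture cannot be part of that decision.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// UserContext is the identity claim set the application consumes.
// Claim names are assumptions for this example; the real set depends on the
// identity provider configured on the proxy.
type UserContext struct {
	Subject string   `json:"sub"`
	Email   string   `json:"email"`
	Groups  []string `json:"groups"`
	Exp     int64    `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signUserContext produces an ES384-signed compact JWS. It exists only to
// construct sample input here: in production the proxy signs, the app never does.
func signUserContext(priv *ecdsa.PrivateKey, uc UserContext) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES384"})
	body, err := json.Marshal(uc)
	if err != nil {
		return "", err
	}
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha512.Sum384([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 96) // JWS ECDSA signature is fixed-width r||s, 48 bytes each for P-384
	r.FillBytes(sig[:48])
	s.FillBytes(sig[48:])
	return signingInput + "." + b64url(sig), nil
}

// verifyUserContext validates the header value before any claim is trusted:
// pinned algorithm, signature under the proxy's public key, then expiry.
func verifyUserContext(token string, pub *ecdsa.PublicKey, now time.Time) (*UserContext, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES384" {
		return nil, errors.New("unexpected or missing alg") // never let the token choose the algorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 96 {
		return nil, errors.New("bad signature encoding")
	}
	r, s := new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var uc UserContext
	if err := json.Unmarshal(payload, &uc); err != nil {
		return nil, err
	}
	if uc.Exp <= now.Unix() {
		return nil, errors.New("token expired")
	}
	return &uc, nil
}

// authorize is the application-side decision, made on verified claims only.
// Device claims are not delivered, so policy here cannot depend on device posture.
func authorize(uc *UserContext, requiredGroup string) bool {
	for _, g := range uc.Groups {
		if g == requiredGroup {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo: a stand-in for the proxy's key pair and a sample claim set.
	priv, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	tok, _ := signUserContext(priv, UserContext{Subject: "user-123", Email: "alice@example.com",
		Groups: []string{"finance"}, Exp: time.Now().Add(time.Hour).Unix()})
	uc, err := verifyUserContext(tok, &priv.PublicKey, time.Now())
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Printf("%s may open /reports: %v\n", uc.Email, authorize(uc, "finance"))
}
```

The design point is that the application treats the header as untrusted input until the signature checks out under a key it already holds; a request that reaches the app without passing through the proxy carries no valid token and is refused, and a forged payload fails the signature check even when its claims look plausible.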


  • 2.  RE: AWS's Zero Trust remote access service, Verified Access, is now Generally Available.

    Posted May 12, 2023 12:06:00 AM
    Thanks for sharing Jason,
    Currently comparing the different products in this space.
    Kind regards




  • 3.  RE: AWS's Zero Trust remote access service, Verified Access, is now Generally Available.

    Posted May 12, 2023 08:59:00 AM

    There is lots of negative feedback on Reddit - https://www.reddit.com/r/aws/comments/134wjmy/aws_launches_new_verified_access_service_to/ - regarding the pricing. It really depends on how you cut it; if you have lots of users for a single app, it seems cost-effective. If you have lots of apps and few users, it could be astronomically expensive. 

    My personal peeve is how these solutions do not implement what, in my opinion, is table stakes for zero trust network access: using a software-defined perimeter, whether first-packet-authenticate, single-packet-authenticate or authorise/authenticate-before-connect. I tongue-in-cheek wrote a blog which compared these last year using comparisons to Harry Potter - https://netfoundry.io/demystifying-the-magic-of-zero-trust-with-my-daughter-and-opensource/



    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 4.  RE: AWS's Zero Trust remote access service, Verified Access, is now Generally Available.

    Posted May 12, 2023 09:49:00 AM

    Interesting, Philip - I hadn't thought to look for discussions on Reddit. I did flag the pricing as a concern in my video on this in December. I wonder if AWS is listening - I can't imagine that real customers aren't giving them negative feedback about the pricing. 



    ------------------------------
    Jason Garbis, CISSP
    Co-Chair, Zero Trust Working Group
    Principal, Numberline Security
    Author: Zero Trust Security: An Enterprise Guide
    ------------------------------



  • 5.  RE: AWS's Zero Trust remote access service, Verified Access, is now Generally Available.

    Posted May 13, 2023 12:15:00 AM
    Edited by Nya Murray May 13, 2023 12:15:39 AM

    Hi Jason, I'd like to say this is an advance, but in all conscience I cannot. It is just an overlay on existing identity security with a bit of MFA, and does nothing to address client side security, where the vulnerabilities exist on the device. Check out IBM ISAM, which is an advance on Tivoli. They got there years ago, and have quite a complex verification process which is generally secure. On the other hand, it does not address the end user vulnerabilities. OAuth weaknesses have not been addressed by anyone, nor has the data leakage on devices/laptops/PCs/sensors, which has been known about for a decade. 

    Google is now going for ease of customer use to store everyone's data - I shudder to think how this is a global point of failure, because Google are still messing around with DeviceID and geolocation as their MFA - meaning because I travel a lot, they often mistake me for a nasty unsafe hacker :)  :)

    So my response is: ho hum, yawn, seen it all before, it did not work the first time, so why repeat the multi-step authn dance instead of addressing the insecurities in OAuth, TLS and device leaks, and the fact that they don't seem to have got daily key rotation working yet? Instead the focus is on fancy fingerprinting and bio images that are no more secure than passwords if the device is compromised, which is where a lot of the credential theft is coming from. 

    Best, Nya 



    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------