
Rustin Brown, October 21, 2024, 7 minute read

How Direct-Routed ZTNA Enhances Security and Bypasses FedRAMP Certification

Securing sensitive data and networks is paramount for federal agencies. The Federal Risk and Authorization Management Program (FedRAMP) has long been the standard authorization program for cloud services used by the Federal Government. However, Universal Zero Trust Network Access (ZTNA) with a direct-routed architecture changes how agencies can approach network security, particularly when deciding which of their systems fall within FedRAMP's scope.

We will delve into the core concepts of direct-routed ZTNA and analyze how this approach to network security enables Federal DOD and civilian agencies to enhance their cybersecurity posture with solutions purpose-built to secure critical and complex hybrid network infrastructures.

Understanding FedRAMP Exemption Criteria

ZTNA solutions for Federal agencies may be exempt from FedRAMP authorization under specific circumstances, as outlined in the FedRAMP Policy Memorandum. According to the Office of Management and Budget (OMB)-issued Memorandum M-24-15, Modernizing the Federal Risk and Authorization Management Program (FedRAMP) ("the Memo"), certain information systems are exempt from FedRAMP requirements, including those "that are only used for a single agency's operations, hosted on cloud infrastructure or platform, and are not offered as a shared service or do not operate with a shared responsibility model" [1].

This exemption often applies to direct-routed ZTNA solutions because they are typically deployed for a single agency's use, hosted within the agency's own security boundary, and not shared across multiple agencies. However, it is important to note that an exemption from FedRAMP is not an exemption from federal security requirements. FedRAMP operates within a legal framework that includes FISMA, OMB Circular A-130, and the FedRAMP Authorization Act, which collectively establish the requirements for protecting federal information and standardizing security assessments for cloud services. A ZTNA deployment that is exempt from FedRAMP still falls under the agency's own FISMA authorization, so the controls a FedRAMP assessment would have evaluated for a cloud provider become the agency's responsibility to implement and assess. Agencies implementing non-FedRAMP-authorized ZTNA solutions should therefore conduct thorough security assessments and risk analyses as part of that authorization. By leveraging this exemption when applicable, Federal agencies can implement tailored ZTNA solutions that enhance their cybersecurity posture while still maintaining alignment with federal security standards.

Implementation Timeline

  • Within 180 days of the Memo’s issuance (i.e., by January 21, 2025):
    • Each federal agency is directed to issue an agency-wide policy aligned with the Memo.
    • GSA is directed to update FedRAMP’s continuous monitoring processes to align with the Memo.
  • Within 1 year of the Memo’s issuance (i.e., by July 25, 2025), GSA must create a plan to modify FedRAMP “to encourage the transition of Federal agencies away from the use of Government-specific cloud infrastructure.” GSA is to create this plan in consultation with industry stakeholders and the FedRAMP Board.
  • Within 18 months of the Memo's issuance (i.e., by January 25, 2026), GSA must implement procedures to receive FedRAMP authorization and continuous monitoring artifacts through "automated, machine-readable means, to the extent possible."
  • Within 24 months of the Memo’s issuance (i.e., by July 25, 2026), agencies must implement OSCAL compatibility for agency GRC and system-inventory tools.

What is Direct-Routed ZTNA?

Direct-routed ZTNA is an approach to network security in which end-user traffic flows directly from the user's device to the data center or cloud where the application services reside. Unlike cloud-routed models, there is no intermediary point of presence (POP) or vendor-operated internet service in the data path applying access rules or terminating encryption. Instead, direct-routed ZTNA establishes an encrypted connection from the user's device to an enforcement point that sits in front of the protected network and is operated within the organization's own boundary.

How Direct-Routed ZTNA works

The functionality of direct-routed ZTNA is rooted in its unique architecture. When a user requests access to a resource, the system initiates a five-step process:

  1. Authentication: The user's identity is verified using multi-factor authentication.
  2. Context Evaluation: The system checks various contextual factors, including the user's device posture, location and network conditions.
  3. Policy Enforcement: Based on the gathered information, the ZTNA solution applies predefined security policies to determine if access should be granted.
  4. Secure Tunnel Creation: A direct encrypted tunnel is established between the user's device and the protected network or service location.
  5. Least Privilege Access: The user is granted the minimum level of access needed to perform their task, with permissions expiring after a set time or period of inactivity.

This process ensures that every access attempt is thoroughly vetted, regardless of the user's location or previous network history. By implementing these steps, direct-routed ZTNA upholds the core principles of Zero Trust: assume breach, verify explicitly and enforce least privilege access.
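The five steps above are easier to reason about as a concrete access broker. The following is an added example, not Appgate SDP code and not taken from this article: a toy policy engine that takes a request carrying identity, MFA state, device posture and location, evaluates it against a per-resource policy, and either returns the full list of reasons for denial or issues a grant scoped to the resource's ports and bounded by both a hard session TTL and an idle timeout. The user directory, resource names, ports and thresholds are all constructed for illustration, and no tunnel is actually built; the code produces only the decision and the entitlement a gateway would enforce.

```python
"""Toy ZTNA access broker implementing the five-step decision flow.
Constructed example for illustration; it is not Appgate SDP code and
does not build a real tunnel. It produces the decision and the
time-bounded, least-privilege entitlement a gateway would enforce."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool          # step 1: identity proven with MFA
    device_managed: bool        # step 2: device posture
    disk_encrypted: bool
    os_patch_age_days: int
    source_country: str         # step 2: location
    resource: str
    now: float                  # epoch seconds, injected for determinism


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_groups: FrozenSet[str]
    allowed_countries: FrozenSet[str]
    max_patch_age_days: int
    session_ttl_s: int          # step 5: hard expiry
    idle_timeout_s: int         # step 5: inactivity expiry
    ports: Tuple[int, ...]      # step 5: the only ports the tunnel may carry


@dataclass
class Grant:
    user: str
    resource: str
    ports: Tuple[int, ...]
    expires_at: float
    idle_timeout_s: int
    last_seen: float

    def is_valid(self, now: float) -> bool:
        """Re-checked on every flow: hard TTL and idle timeout both apply."""
        return now < self.expires_at and (now - self.last_seen) < self.idle_timeout_s

    def touch(self, now: float) -> bool:
        """Record activity; refuses to revive a grant that has already lapsed."""
        if not self.is_valid(now):
            return False
        self.last_seen = now
        return True


# Constructed directory and policy table (hypothetical users and resources).
GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"finance"}),
    "bob": frozenset({"eng"}),
}
POLICIES: Dict[str, ResourcePolicy] = {
    "payroll-db": ResourcePolicy(
        allowed_groups=frozenset({"finance"}),
        allowed_countries=frozenset({"US"}),
        max_patch_age_days=30,
        session_ttl_s=8 * 3600,
        idle_timeout_s=15 * 60,
        ports=(5432,),
    ),
}


def evaluate(req: AccessRequest) -> Tuple[Optional[Grant], List[str]]:
    """Steps 1-3 and 5: return a grant, or None plus every reason for denial."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return None, ["unknown resource: default deny"]
    reasons: List[str] = []
    # Step 1: authentication
    if req.user not in GROUPS:
        reasons.append("unknown user")
    if not req.mfa_verified:
        reasons.append("MFA not completed")
    # Step 2: context evaluation (device posture and location)
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not req.disk_encrypted:
        reasons.append("disk not encrypted")
    if req.os_patch_age_days > policy.max_patch_age_days:
        reasons.append(f"OS patch age {req.os_patch_age_days}d exceeds {policy.max_patch_age_days}d")
    if req.source_country not in policy.allowed_countries:
        reasons.append(f"source country {req.source_country} not allowed")
    # Step 3: policy enforcement (entitlement check against the resource policy)
    if not (GROUPS.get(req.user, frozenset()) & policy.allowed_groups):
        reasons.append("user not entitled to resource")
    if reasons:
        return None, reasons
    # Step 4 would now build the device-to-gateway tunnel; step 5 scopes and
    # time-bounds it. The grant carries only this resource's ports.
    grant = Grant(
        user=req.user,
        resource=req.resource,
        ports=policy.ports,
        expires_at=req.now + policy.session_ttl_s,
        idle_timeout_s=policy.idle_timeout_s,
        last_seen=req.now,
    )
    return grant, []
```

Two design choices are worth noting. Denials collect every failing check rather than stopping at the first, which is what an operator needs in the audit log to tell a posture failure from an entitlement failure. And the grant is never extended by a successful packet once it has lapsed: `touch` refuses to revive an expired grant, so a device that went quiet past the idle timeout must go back through the full evaluation rather than silently resuming.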

Benefits of Direct-Routed ZTNA

Direct-routed ZTNA offers several advantages over traditional security models and cloud-routed ZTNA solutions:

  1. Enhanced Control: Organizations have full control over their network traffic, enabling better visibility and management of data flow.
  2. Universal Access Control: This approach provides consistent security for all users, devices, and workloads, whether they are on-premises, in the cloud, or on air-gapped networks.
  3. Improved Performance: By establishing direct connections, direct-routed ZTNA reduces latency and enhances availability, resulting in a better user experience.
  4. Flexible Deployment: It offers various deployment options, enabling organizations to create a true Zero Trust architecture that fits their specific needs.
  5. Predictable Pricing: Unlike some cloud-based solutions with variable costs, direct-routed ZTNA often comes with more predictable pricing models.
  6. Reduced Attack Surface: Direct-routed ZTNA employs system cloaking and contextual trust verification to significantly minimize the attack surface across diverse environments. The effectiveness of system cloaking and mechanisms for establishing contextual trust can vary based on the specific technology and approach used by different vendors.
  7. Granular Access Control: It allows for more precise control over who can access specific applications and data, aligning with the principle of least privilege.
  8. Simplified Management: Direct-routed ZTNA solutions often provide simplified setup and management, particularly when granting users or groups access to individual protected resources.
  9. Improved Compliance: The detailed access controls and comprehensive logging capabilities inherent in direct-routed ZTNA are instrumental in helping organizations meet and maintain compliance with various regulatory requirements.
  10. Adaptability: This approach works well in multi-cloud environments and can be adapted to provide secure resource access to any device, including personal devices used by employees.

Direct-routed ZTNA offers several benefits that empower Federal agencies to address the complex security challenges of today's digital landscape. By leveraging these advantages, agencies can establish a robust foundation for implementing a comprehensive Zero Trust security strategy, thus enabling a stronger cybersecurity posture.

Why Direct-Routed ZTNA Bypasses FedRAMP Requirements

Direct-routed ZTNA has enabled Federal DOD and civilian agencies to enhance their cybersecurity posture without tying their access path to a cloud-routed platform vendor whose shared cloud the agency neither operates nor controls.

This approach has several properties that place it outside the scope of FedRAMP requirements while still maintaining robust security measures:

No cloud infrastructure involved

One of the primary reasons direct-routed ZTNA falls outside FedRAMP is that it does not rely on a vendor-operated cloud service. Cloud-routed ZTNA solutions force agency traffic through the vendor's multi-tenant cloud, which makes that cloud a service offering the agency consumes and therefore a system FedRAMP is designed to authorize. Direct-routed ZTNA instead establishes an encrypted connection from the end-user's device to the location where the services reside, with the policy and enforcement components deployed inside the agency's own boundary. Organizations maintain complete control over their network traffic, eliminating dependence on the security, availability, and scalability of a vendor's shared cloud environment.

By avoiding cloud-based intermediaries, direct-routed ZTNA removes many of the concerns that FedRAMP authorization exists to address: there is no third party holding agency traffic or access policy. Organizations can maintain their data and applications within their own environments, reducing the risk of data exposure and maintaining compliance with strict data sovereignty requirements. The corollary is that the agency, not a cloud provider, is accountable for the security of the ZTNA components it hosts, and those components must be covered by the agency's own authorization.

End-to-end encryption

Direct-routed ZTNA solutions provide end-to-end encryption for all traffic. This aligns with the Zero Trust principle that all traffic is authenticated and encrypted, so data remains protected throughout its journey from the user's device to the protected network where the application or resource is accessed.

Appgate SDP's direct-routed ZTNA delivers this with no decryption and re-encryption at intermediate points. In a cloud-routed solution the vendor's point of presence typically terminates the user's session, inspects it and opens a second session toward the application, which means a third party holds the session keys and sees plaintext. With direct routing the encrypted tunnel terminates at the agency-controlled gateway in front of the resource, so no vendor-operated intermediary ever handles plaintext. This is a stronger property than FedRAMP itself asks for: FedRAMP assesses how well a provider protects data it handles, whereas direct routing removes the provider from the data path entirely.

Beyond castle and moat perimeter-based security

The Zero Trust model at the core of direct-routed ZTNA fundamentally changes the approach to security, moving away from traditional perimeter-based defenses. This shift aligns with the Federal Government's recognition that conventional perimeter-based defenses are no longer sufficient to protect critical systems and data in the current threat environment.

In a Zero Trust architecture, no network is inherently trusted. This foundational principle, while potentially challenging to agencies accustomed to traditional perimeter-based security, is crucial for creating a more secure environment in today's complex and distributed IT landscape.

Direct-routed ZTNA implements several key tenets of Zero Trust:

  1. Assume breach: The system treats every access attempt as potentially malicious, regardless of its origin.
  2. Verify explicitly: Each access request is thoroughly vetted, considering factors such as user identity, device health, and contextual information.
  3. Least privilege access: Users are granted only the minimum level of access needed to perform their tasks, with permissions expiring after a set time or period of inactivity.

By adhering to these principles, direct-routed ZTNA addresses a different question from the one FedRAMP authorization answers. FedRAMP assesses the controls of a cloud service provider; Zero Trust governs how each individual access request is evaluated and constrained. The result is a more comprehensive and adaptive approach to security that can respond to the evolving threat landscape regardless of whether a given component is a cloud service.

Conclusion

Universal Direct-routed ZTNA, as implemented by Appgate SDP, ensures consistent security for all users, devices, and workloads, regardless of their location (on-premises, air-gapped, or in the cloud). This universality eliminates the need for separate security measures for different environments, reducing reliance on FedRAMP-certified cloud services. Appgate enables agencies to strengthen their cybersecurity posture without the complexities associated with traditional compliance processes. With Appgate SDP, organizations can enhance their security measures while maintaining the flexibility and control necessary to manage their specific security needs. This solution empowers agencies to focus on securing their digital environments effectively and adapting to their unique requirements without compromise.
