SECURE NETWORK ACCESS

Greg Shields|June 23, 2022 | 5 minute read

Looking at Risk Through a Zero Trust Lens

Zero Trust security demands integrated, dynamic policy enforcement with a seamless user experience; Appgate’s new risk model delivers this, advancing Zero Trust and improving security effectiveness.

Since 2005, I have been a remote employee. I recognize how fortunate I am to have worked that way for as long as I have. I have been able to reside in a city with a low cost of living while working in the tech sector. I have avoided the commute through which so many of my peers suffer. My family and I live in a home that we could certainly not afford if it was in San Francisco or Washington, D.C.

Pivoting to working through COVID was relatively easy for me (besides the general concern for me and my family’s health). The two things that have been constant for me throughout the entirety of my “remote worker” status have been my reliance on the internet as my corporate network and the need for secure access to applications and resources to do my job.

For a long time, that “secure” access was via an old-school VPN. Now you all have heard repeatedly from us at Appgate, and frankly many others, including the Executive Branch of the federal government, that you need to ditch the VPN and move to a Zero Trust framework for secure remote access.

I won’t rehash all the reasons for this again. You have heard them and have hopefully embraced Zero Trust as the way to secure access to your applications and resources. What I would like to share with you is how Appgate is taking Zero Trust Network Access (ZTNA) to new levels with the 6.0 release of our Appgate SDP software and introduction of a new risk model capability. We announced earlier this month that we were previewing the solution at RSA Conference, and it is now generally available.

Device posture checks are, in my opinion, table stakes if you want to be in the secure access business. The problem inherent in posture checks is that they are binary: if you pass the check, you gain access to your applications and resources and if you fail the check, you are locked out.

When I became a remote employee, my company’s help desk had a portal reached via the corporate internet which required being in an office or on the VPN. If you had an issue, you could call the help desk, but you sat on hold forever and really could only leave a message for a call back to then open a ticket. If you had portal, you could enter details about your issue and the ticket would proceed to resolution faster than calling in. Of course, when you called, an auto attendant implored you to open your ticket through the portal. Well, what would happen when the VPN wasn’t workingand you couldn’t get to the portal? You were dead in the water waiting for someone to listen to your message, call you back and open the ticket on your behalf. Frustrating, right?

ZTNA, implemented properly, not only dramatically enhances your application security, it also can provide a much better user experience. We have improved both security and experience with the new risk model capability in Appgate SDP 6.0.

Let’s play this out with an example scenario. You are a salesperson, working for a company that manufactures widgets. As a salesperson, there are three internal applications you need to access remotely: a financial application with all your corporate sales numbers and customer billing information; an application that tracks the number of widgets in the warehouse available for fulfilling customer orders; and the help desk portal. If your company is using posture checks to make sure you are running anti-virus software and have updated your OS to an approved version, and you do not pass those checks, you would not be able to access those three critical applications. I suppose that is secure, but secure at the cost of not being able to do your job.

But imagine this: what if your company could do those two posture checks, as well as check geo-location, media access control (MAC) address and information from a third-party endpoint protection tool like CrowdStrike and give you and your machine a score based on your unique risk? Then based on that score, your Appgate collective could dynamically change access to resources.

If everything checked out perfectly, then you would have unfettered access to all three of the applications you need to do your job. If two of the checks failed, resulting in a poorer risk score, you might lose access to the financial app (which is deemed highly sensitive) and have to go through an additional action such as multi-factor authentication (MFA) to gain access to the inventory app. You would continue be able to access the help desk app normally because it is a low-risk application. Finally, if many checks failed, you might not be able to access anything other than the help desk app, and then only after an additional action.

Sample risk model matrix for Appgate SDP 6.0

Sample risk model matrix for Appgate SDP 6.0


The new risk model enables the network administrator to look closely at their apps and easily set dynamic security policies based on the risk sensitivity of the resource and then match that sensitivity to a user’s risk score and provide access appropriately. So now we are taking the context of the user and device looking to connect, making it far more granular than was previously possible with posture checks AND are considering the sensitivity of the resource the user is looking to access. Access can be dynamically changed based on both factors.

At Appgate we see this as a giant leap forward in how Zero Trust remote access is deployed—both in terms of the end user experience (far fewer interruptions to productivity) and in securing the enterprise applications.

When I think back to my early days as a remote employee, I can only imagine how much more productive I could have been, and let’s be honest, much less frustrated, if when I had a problem, I could still open my ticket in the portal. I know the folks responsible for the security of our assets would have slept better knowing that every access connection had been thoroughly examined contextually, and had its access modified based on its risk score and resource sensitivity. Like they say on Mandalore, “This is the way.”

Additional Resources:
Appgate SDP Overview
Press Release: Appgate Previews New Version of Industry-leading Zero Trust Network Access Solution
Blog: Implementing your Zero Trust security journey
Ebook: Zero Trust Network Access: Everything you need to know

Receive News and Updates From Appgate