VMware Zero Trust Networking and Architecture Whitepaper

Executive Summary

VMware’s Zero Trust Networking and Architecture Whitepaper lays out actionable recommendations for the adoption of Zero Trust Architecture (ZTA). We provide this set of recommendations in response to Section 3 of the Cyber Executive Order (EO) 14028, which directs agency heads to develop a ZTA implementation plan. Use this document while designing your network security to ensure it aligns with the existing NIST, DoD and DHS/CISA guidance.

VMware Zero Trust Framework & Compliance

VMware’s products and solutions align with the Zero Trust pillars described by a number of the industry’s leading advisories and councils. Keep reading to learn how VMware’s products support the Zero Trust frameworks laid out by the ACT-IAC, NIST, and DHS CDM.

VMware alignment with the ACT-IAC Zero Trust framework

VMware’s products and solutions align with the Zero Trust pillars described in the ACT-IAC Zero Trust whitepaper, dated April 18, 2019.

Each entry gives the ACT-IAC Zero Trust pillar, the VMware solution that maps to it, and a description of the capability.

User - People/Identity Security
VMware solution: Workspace ONE
Enable ongoing authentication of trusted users, using the Identity and Access Management tools embedded in the platform.

Devices - Device Security
VMware solution: Workspace ONE, Carbon Black, Mobile Threat Defense (MTD)
Reduce the attack surface by enabling least-privilege access to applications after establishing trust. Real-time security posture and use of MDM solutions to perform device-trust assessments. Continuous verification of endpoint compliance.

Network - Network Security
VMware solution: NSX, Avi Networks, VeloCloud
Move from perimeter-based to segmented and isolated assets on a granular level. Drive firewall capabilities down to the smallest IT asset. Build in the capability to protect east/west traffic within a datacenter, and the ability to stretch to secondary locations, including cloud service providers in hybrid and/or multi-cloud environments.

Applications
VMware solution: Workspace ONE, Horizon, NSX, Carbon Black
Secure and manage applications to control the technology stack and ensure proper use of authentication. Satisfies the requirements of Zero Trust in an integrated digital workspace solution that is compatible with all types of endpoints and all types of applications. Conditional access control to all applications, data, and endpoints.

Automation
VMware solution: Workspace ONE, Carbon Black, vRealize Suite, VMware Cloud Foundation
Automate the management of user and device interaction. Remove the human-error element from cybersecurity by pushing standardized configurations out across an environment.

Analytics
VMware solution: Workspace ONE, vRealize Suite, NSX, CloudHealth
Capture and analyze device and user behaviors. Combined with automation to drive rapid incident response. Uses analytics and machine learning to give you insights into your organization’s dynamic security environment. Is open and extensible, and able to integrate with partner security solutions such as Security Information & Event Management (SIEM).

VMware alignment with NIST Special Publication 800-207: Zero Trust Architecture

VMware’s products and solutions align with the Zero Trust tenets cited in NIST Special Publication 800-207: Zero Trust Architecture. The following list explains how.

I. All data sources and computing services are considered resources.

A unified endpoint management system looks at the endpoint (desktop/laptop, mobile, or IoT) and determines whether that endpoint is a compliant resource. Also, the ownership and management scope of the endpoint resource must be considered individually. If the endpoint is trusted, then user identity is checked and access to the resource is granted. Examples of endpoint resources include devices, specific blocks of structured or unstructured data, identity objects and systems including Workspace ONE, applications, or the transport zones that connect them.

II. All communication is secured regardless of network location. Network location does not imply trust. Access to individual enterprise resources is granted on a per-session basis.

Unified Access Gateway is a component within a Workspace ONE and VMware Horizon deployment that enables secure remote access from an external network to a variety of internal resources per dynamic access policies regardless of network location.

  • Per-application tunneling of native and web applications on mobile and desktop platforms to secure access to internal resources through the VMware Tunnel service. This unique feature helps to reduce the attack surface by enlisting VPN only on the application in use, instead of on the entire endpoint.
  • Access from VMware Workspace ONE Content to internal file shares or SharePoint repositories by running the Content Gateway service.
  • Reverse proxying of web applications.
  • Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication.
  • Secure external access to desktops and applications on VMware Horizon Cloud Service on Microsoft Azure, and VMware Horizon 7 on premises.

Finally, the communication method must be valid, and encryption must be in place. To reduce the attack surface further, each application can have a single secure tunnel into the data center.

Workspace ONE empowers IT and InfoSec to provide users with Zero Trust access to any application on any endpoint. It combines conditional access, unified endpoint management, and machine-learning-based risk analytics. Workspace ONE continuously verifies user contexts and endpoint compliance prior to granting least-privilege access to cloud-based, on-premises, and virtual applications.

III. Trust in the requester is evaluated before access is granted.

Contextual Policies control authentication with conditional access policies based on device compliance state, user authentication strength, data sensitivity, user location and more.

Workspace ONE Access handles conditional access through a policy engine. After the user selects an application from Workspace ONE Intelligent Hub, Workspace ONE Access verifies the user’s identity, rejects the request, accepts the request, requires multi-factor authentication, or requests remediation before it grants access.

IV. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes.

Continuous verification of endpoint compliance and conditional access to applications serve to reduce the attack surface. With these in place, we can ensure that trust is continuously verified, and access is allowed only when the endpoint, user and connection are fully trusted.

Additionally, VMware provides a Unified Access Gateway, which acts as an enforcement point to control and secure access to applications and resources. Unified Access Gateway can deploy different edge services depending on the type of access requested. These edge services include per-application VPN, Content Gateway, Web Reverse Proxy (WRP), and VMware Horizon Edge Service. Per-application VPN limits access to only the specific application on the endpoint that is requesting data, without exposing enterprise data to anything else on the endpoint. Virtual applications and desktops are more secure.

By supporting secure connections to the virtual infrastructure by means of the Horizon Edge Service, the capabilities of Unified Access Gateway can also extend to applications and data behind the firewall.

V. The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible. No device is inherently trusted.

If the identity of the user, compliance of the endpoint, or deviations from baseline behavior change, then Workspace ONE triggers automated remediation. Instead of cutting off the user completely, Workspace ONE gives the user various options to remediate the situation, such as multi-factor authentication. The user is quarantined only temporarily while the problem is remediated, and then access is restored.

The user’s selection from the Workspace ONE Intelligent Hub triggers a check of endpoint compliance through Workspace ONE Unified Endpoint Management. Workspace ONE Unified Endpoint Management is a cross-platform solution for desktop, virtual, and mobile endpoints, with any operating system.

If a user is at risk, or an endpoint is out of compliance, Workspace ONE Intelligence gives insights to IT and InfoSec and allows the setup of automation rules to remediate the problem so that the user can access the applications and data that they need, in real time. This approach is not just reactive, but proactive.

NSX uses micro-segmentation to secure east-west traffic for applications and desktops in the data center and the cloud. NSX thus reduces the attack surface by micro-segmenting the entire architecture.

VI. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning, and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.

To continuously verify trust and allow access, Workspace ONE provides risk analytics and ongoing monitoring of users, endpoints, applications, and transport. The Workspace ONE platform:

  • Develops contextual risk assessments for endpoints, users, and networks
  • Integrates third-party security products
  • Provides insights, automated remediation, and orchestration

If the identity of the user, compliance of the endpoint, or deviations from baseline behavior change, then Workspace ONE triggers automated remediation. Instead of cutting off the user completely, Workspace ONE gives the user various options to remediate the situation, such as multi-factor authentication. The user is temporarily quarantined while the problem is remediated, and then access is restored.
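The decision flow described under tenets III through VI (verify identity, then accept, reject, require multi-factor authentication or remediate, and repeat the evaluation for every request) can be sketched as a small policy decision point. The following Python is an added illustration, not VMware code or the Workspace ONE Access policy engine; the `Request` fields, the 900 km/h travel ceiling and the sample sign-in coordinates are constructed assumptions.

```python
"""Toy Zero Trust policy decision point (PDP).

Added illustration, not VMware code. It models the flow the paper describes:
each request carries identity, device-compliance and behavioural signals,
the engine returns ACCEPT, REQUIRE_MFA, REMEDIATE or REJECT, and it runs
again for every request so trust is continuously re-evaluated rather than
granted once based on network location.
"""
from dataclasses import dataclass
from enum import Enum
from math import asin, cos, radians, sin, sqrt


class Decision(Enum):
    ACCEPT = "accept"            # grant least-privilege access for this session
    REQUIRE_MFA = "require_mfa"  # step up authentication instead of denying
    REMEDIATE = "remediate"      # quarantine until the endpoint is compliant again
    REJECT = "reject"            # identity could not be verified


@dataclass
class Request:
    user: str
    identity_verified: bool   # identity provider authenticated the subject
    auth_strength: int        # 1 = single factor, 2 = multi-factor satisfied
    device_compliant: bool    # UEM compliance state of the requesting endpoint
    data_sensitivity: int     # 1 = public, 2 = internal, 3 = restricted (assumed scale)
    location: tuple           # (latitude, longitude) of the request
    timestamp: float          # seconds since epoch


MAX_TRAVEL_KMH = 900.0        # assumed ceiling for plausible travel speed


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(prev, cur, max_kmh=MAX_TRAVEL_KMH):
    """Behavioural anomaly: the jump from the last accepted sign-in implies
    a speed above max_kmh (the 'rapid jump between geographies' signal)."""
    if prev is None:
        return False
    hours = (cur.timestamp - prev.timestamp) / 3600.0
    if hours <= 0:
        return True  # same instant or clock skew: treat as anomalous
    return km_between(prev.location, cur.location) / hours > max_kmh


def decide(req, prev=None):
    """Per-request decision, checked in the order the paper lists them."""
    if not req.identity_verified:
        return Decision.REJECT
    if not req.device_compliant:
        return Decision.REMEDIATE
    # Anomalous behaviour or restricted data both demand strong authentication;
    # if MFA was already satisfied the request proceeds.
    needs_strong_auth = impossible_travel(prev, req) or req.data_sensitivity >= 3
    if needs_strong_auth and req.auth_strength < 2:
        return Decision.REQUIRE_MFA
    return Decision.ACCEPT


class PolicyEngine:
    """Keeps the last accepted sign-in per user so each new request is judged
    against observed behaviour, not only its own attributes."""

    def __init__(self):
        self.last_accepted = {}

    def evaluate(self, req):
        decision = decide(req, self.last_accepted.get(req.user))
        if decision is Decision.ACCEPT:
            self.last_accepted[req.user] = req
        return decision


# Constructed sample coordinates (approximate): Austin, TX and Berlin.
AUSTIN = (30.27, -97.74)
BERLIN = (52.52, 13.40)

if __name__ == "__main__":
    engine = PolicyEngine()
    first = Request("alice", True, 1, True, 1, AUSTIN, 0.0)
    print(engine.evaluate(first))                              # Decision.ACCEPT
    jump = Request("alice", True, 1, True, 1, BERLIN, 1800.0)  # 30 minutes later
    print(engine.evaluate(jump))                               # Decision.REQUIRE_MFA
```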

VII. The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture.

Workspace ONE Intelligence provides integrated insights into threat data, device compliance, and risk analytics. Use these analytics to identify and mitigate security issues in real-time.

  • Enable continuous verification with user risk score based on device context and user behavior.
  • Use real-time and continuous monitoring of your entire digital workspace to proactively secure the known and the unknown.
  • Automate remediation using the powerful decision engine.

Workspace ONE can enable a full Zero Trust architecture. In addition, the open, flexible, extensible platform allows you to integrate your current third-party security and IT service management (ITSM) investments. VMware has an extensive partner ecosystem for the Workspace ONE platform called the Workspace ONE Trust Network. 

Zero Trust Logical Architecture

VMware’s products and solutions also fit into the logical design of a Zero Trust Architecture as documented in the latest NIST SP 800-207: Zero Trust Architecture. The tenets of Zero Trust Architecture, as defined by this publication, include the following:

  • All data and services are considered resources
  • All communication is secure regardless of network location
  • Access to enterprise resources is granted on a per-connection basis
  • Access is determined by policy, the state of user identity and the requesting system, and may include other behavioral attributes
  • User authentication is dynamic and strictly enforced

NIST Zero Trust Architecture mapped to VMware products

Each entry gives the NIST SP 800-207 architecture component, the VMware product offered as the vendor response, and whether the product implements, enforces or supports that component, followed by the vendor comments.

Policy Engine (Workspace ONE; implements/enforces)
Workspace ONE Access handles conditional access through a policy engine. After the user selects an application from Workspace ONE Intelligent Hub, Workspace ONE Access verifies the user’s identity, rejects the request, accepts the request, requires multi-factor authentication, or requests remediation before it grants access. The solution allows dozens of access policy combinations that leverage device enrollment, network, SSO, automated device remediation and third-party information to establish levels of trust, enabling intelligent access decisions.

Policy Admin (Workspace ONE; implements/enforces)
Workspace ONE Access performs the act of authenticating users in our solution. It supports many types of authentication, including RADIUS, RSA SecurID, passwords, SAML authentication using external identity providers, and more. Organizations can easily build and adjust access policies that require different levels of authentication, including multi-factor authentication if needed, but at its foundation, our Zero Trust solution is built on certificate-based authentication. Workspace ONE Access supports several methods of certificate-based authentication:

  • Traditional certificate-based user authentication methods used by PC and Mac devices
  • Our own certificate-based user authentication solution for iOS and Android devices, called Mobile SSO
  • Certificate-based device authentication, for validating the device itself

Mobile SSO technology provides the ability to sign in to an app on a mobile device once and gain access to all entitled applications, including SaaS apps. VMware leverages open standards such as SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) to authenticate a user between the identity provider, namely Workspace ONE Access, and the service provider, such as SaaS apps in the cloud. By eliminating the requirement to enter passwords to access a resource, this technology addresses security concerns and password-cracking attempts while offering an SSO experience for users.

Subject (Workspace ONE; implements/enforces)
See above.

System (Workspace ONE; implements/enforces)
See above.

Policy Enforcement Point (Workspace ONE; implements/enforces)
VMware Unified Access Gateway (UAG) is a security platform that provides edge services and access to defined resources that reside in the internal network. It acts as the security gateway for VMware Workspace ONE and VMware Horizon deployments, enabling secure remote access from an external network to a variety of internal resources. UAG supports additional use cases, including:

  • Per-application tunneling of native and web applications on mobile and desktop platforms to secure access to internal resources through the VMware Tunnel service. This unique feature helps to reduce the attack surface by enlisting VPN only for the application in use, instead of for the entire endpoint.
  • Access from VMware Workspace ONE Content to internal file shares or SharePoint repositories by running the Content Gateway service.
  • Reverse proxying of web applications.
  • Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication.

Workspace ONE Intelligent Hub is the portal for users to access applications to accomplish their daily work. Each of the user’s endpoints can have the portal agent installed, customized with the items the user has permission to access. The user signs in once with secure single sign-on (SSO) and may use whatever items are offered on their portal. The applications can be integrated through SSO so that data flows from one application to another. The user’s selections from Workspace ONE Intelligent Hub trigger security checks by Workspace ONE Access and Workspace ONE Unified Endpoint Management.

Enterprise Resource (NSX; implements/enforces)
NSX uses micro-segmentation to secure east-west traffic for applications and desktops in the data center and the cloud. NSX thus reduces the attack surface by micro-segmenting the entire architecture.

CDM System (Workspace ONE; supports/enforces)
Gathers information about the enterprise asset’s current state and applies updates to configuration and software components.

Industry Compliance (Workspace ONE; implements/enforces)
The user’s resource selection from the Workspace ONE Intelligent Hub triggers a check of endpoint compliance through Workspace ONE Unified Endpoint Management. Workspace ONE Unified Endpoint Management is a cross-platform solution for desktop, virtual, and mobile endpoints, with any operating system. Workspace ONE Intelligence is a cloud service that provides risk analytics, insights, and automated remediation and orchestration. Workspace ONE Intelligence:

  • Continuously verifies risk through machine learning
  • Detects user behavior anomalies in context, such as a rapid jump from one geographical area to another
  • Creates user and endpoint risk scores
  • Uses security algorithms that are dynamic, not static
  • Reduces security-alert fatigue by gathering data from many sources and enforcing endpoint compliance in the cloud, in real time

If a user is at risk, or an endpoint is out of compliance, Workspace ONE Intelligence gives insights to IT and InfoSec and allows the setup of automation rules to remediate the problem so that the user can access the applications and data that they need, in real time. This approach is not just reactive, but proactive.

Threat Intelligence (Workspace ONE, Carbon Black; implements/enforces)
Workspace ONE Trust Network provides a framework of trust by taking advantage of APIs built on the Workspace ONE platform. These APIs allow a rich ecosystem of security solutions to communicate with Workspace ONE and ultimately provide the aggregated view that administrators want for simplifying security and management. By connecting security solution silos, organizations can leverage their existing investments to exponentially improve continuous monitoring and risk analysis for faster response times. This results in a predictive security strategy, based on trends and patterns, which can scale with the deployment.

Activity Logs (Workspace ONE, vRealize Suite; implements/enforces)
By aggregating, correlating, and analyzing data from multiple internal and external sources, VMware Workspace ONE Intelligence delivers out-of-the-box as well as advanced custom dashboards and reports to help organizations visualize the state of the digital workspace. It provides insights into the security posture, the impact of new security threats, in-context risk analytics, device and OS compliance, and the state of the digital employee experience.

Data Access Policy (Workspace ONE; implements/enforces)
By aggregating, correlating, and analyzing data from multiple internal and external sources, VMware Workspace ONE Intelligence delivers out-of-the-box as well as advanced custom dashboards and reports to help organizations visualize the state of the digital workspace. It provides insights into the security posture, the impact of new security threats, in-context risk analytics, device and OS compliance, and the state of the digital employee experience.

PKI (Workspace ONE integration with third-party PKI; supports/enforces)
Workspace ONE UEM can act as a SaaS certificate authority (CA) for customers without an existing PKI. For customers with an existing PKI, Workspace ONE UEM can also act as a subordinate CA. Acting as a CA allows customers to take advantage of advanced mobile security features supported by both Workspace ONE UEM and mobile device platforms, such as VPN on-demand, certificate-based Wi-Fi authentication, and certificate-based Exchange ActiveSync authentication, all without the need to set up and manage an in-house PKI. Workspace ONE UEM also integrates directly with certificate authorities, public key infrastructure (PKI) or third-party providers, in both cloud and on-premises deployment models. Administrators can configure certificates for several systems, including Wi-Fi, VPN and Microsoft EAS, and can automatically distribute certificates to devices without user interaction.

ID Mgt. (Workspace ONE; supports/enforces)
Workspace ONE Access acts as a broker to other identity stores and providers, including Active Directory (AD), Active Directory Federation Services (ADFS), Azure AD, Okta and Ping Identity, that your organization may already be using to enable authentication across on-premises, software-as-a-service (SaaS), web and native applications without the need to rearchitect the identity environment.

SIEM System (Workspace ONE; supports/enforces)
Logs are collected in Workspace ONE Intelligence and Log Insight.

Zero Trust Operationalization

VMware’s products and solutions can be implemented and operationalized for Zero Trust as referenced in sections 3.1 and 3.2 of NIST SP 800-207: Zero Trust Architecture. The table maps each Zero Trust approach to the deployment variations described there.

Zero Trust approach | Device Agent/Gateway Based | Enclave-Based | Resource-Portal Based | Device Application Sandboxing
Identity Governance | Workspace ONE | Workspace ONE | Workspace ONE | VMs, Containers, NSX, VMware SDDC, Workspace ONE
Micro-Segmentation | NSX | NSX | NSX | VMs, Containers, NSX, VMware SDDC, Workspace ONE
Network & SDN Perimeters | NSX | NSX | NSX | VMs, Containers, NSX, VMware SDDC, Workspace ONE

Implement NIST 800-53 security controls with VMware

VMware has taken a programmatic approach to standards compliance by publishing prescriptive documentation that delivers to agencies data center-level designs to deploy and configure our complete Software Defined Data Center (SDDC) and End User Computing (EUC) software in a wide range of scenarios, with detailed operational specifications. We call these blueprints VMware Validated Designs (VVDs) and freely publish them for our customers’ use. These VVDs can be deployed by agencies themselves, by VMware Professional Services Organization (PSO), or by VVD-accredited partners. We work with acknowledged compliance partners such as Coalfire Systems, Inc. and Tevora to publish applicability guides to assess compliance of the VMware stacks to multiple standards such as CJIS, HIPAA, and NIST 800-53. These documents are available to agencies and their partners to assist in achieving and maintaining compliance of your systems. With our VMware Cloud Foundation (VCF) offering, VMware has carried this farther, by enabling the automation of deployment, management, and maintenance of these systems to both public and private clouds.

The specific mapping of the VMware SDDC and EUC products to NIST 800-53 can be requested by engaging a VMware sales representative or, for Federal cloud hosting, through the GSA FedRAMP front-door request tool for federal agency ATOs; the security package includes this extensive detail in the Security Assessment Results/Report and the Readiness Assessment Report:

VMware alignment with Zero Trust pillars mapped to DHS CDM capabilities

VMware’s products and solutions align with the Zero Trust pillars when mapped with the DHS Continuous Diagnostics and Mitigation (CDM) capabilities.

VMware products map to DHS CDM capabilities

Each entry gives the CDM capability, its description, and the VMware products that map to it, grouped by Zero Trust pillar.

Users

  • Manage Trust in People Granted Access: Assess the inherent risk to an agency from insider attacks for the purposes of granting trust to users and authorizing each user for certain attributes. Products: Workspace ONE, NSX, Carbon Black, vSphere.
  • Manage Security-Related Behavior: Ensures that authorized users with or without special security responsibilities exhibit the appropriate behavior for their role. Products: Workspace ONE, vSphere.

Devices

  • Hardware Management: Discover unauthorized or unmanaged software on a network. Products: Workspace ONE.
  • Software Management: Discover unauthorized or unmanaged software on a network. Products: Workspace ONE.
  • Configuration Settings Management: Ensures that authorized security configuration benchmarks exist and define an acceptable value for each relevant configurable setting of each IT asset type. Products: Workspace ONE.
  • Vulnerability Management: Discover and support remediation of vulnerabilities in IT assets on a network as defined in NIST SP 800-53 controls. Products: Workspace ONE, Carbon Black.

Network

  • Credentials and Authentication Management: Ensures that only proper credentials are authenticated to systems, services, and facilities. Products: Workspace ONE, NSX.
  • Managing Privileged User Access (e.g., PAM) Capability: Provides an agency the assurance that users and systems have access to and control of only the appropriate resources; the capability identifies access beyond what is needed to meet business requirements. Products: Workspace ONE, NSX.
  • Network Protection: Limits, prevents, and/or allows the removal of unauthorized network connections/access via devices such as firewalls that sit at a boundary and regulate the flow of network traffic. It also includes the use of encryption to protect traffic that must cross logical boundaries, and addresses physical access systems that limit unauthorized physical access to Federal Government systems. Products: Workspace ONE, NSX.

Applications

  • Credentials and Authentication Management: Ensures that only proper credentials are authenticated to systems, services, and facilities. Products: Workspace ONE.
  • Managing Account Access Capability: Provides an agency the assurance that users and systems have access to and control of only the appropriate resources; the capability identifies access beyond what is needed to meet business requirements. Products: Workspace ONE, NSX.
  • Design and Build Security: Describes preventing exploitable vulnerabilities from being effective in the software/system while in development or deployment. Products: Workspace ONE, NSX.

Automation

  • Manage Events: Describes preparing for events/incidents, gathering appropriate data from appropriate sources, and identifying incidents through analysis of data. Products: Workspace ONE, NSX, vRealize Suite.
  • Operate, Monitor, and Improve: Describes audit data collection and analysis, incident prioritization and response, and post-incident activities (e.g., information sharing). Products: Workspace ONE, NSX, vRealize Suite.

Analytics

  • Data Protection: Provides data protection functions through crypto, masking, obfuscation, or access control. The capability includes user and entity behavioral analytics that support detection of suspected compromised accounts (people or application), endpoint devices, data exfiltration and insider access abuse (including excessive or unauthorized access to data, functions and privilege abuse), and provide context for security investigations. Products: vSAN, NSX, Workspace ONE.

Data

  • Data Discovery and Classification: Supports data protection functions through data identification, data classification and data tagging. Products: Workspace ONE, vSAN.
  • Data Loss Prevention: Provides data protection functions through data loss prevention capabilities, to include data protection policy management and data protection security orchestration. Products: Workspace ONE, vSAN, Carbon Black.
  • Data Protection: Provides data protection functions through crypto, masking, obfuscation, or access control. The capability includes user and entity behavioral analytics that support detection of suspected compromised accounts (people or application), endpoint devices, data exfiltration and insider access abuse (including excessive or unauthorized access to data, functions and privilege abuse), and provide context for security investigations. Products: Workspace ONE, Carbon Black.
  • Data Spillage: Provides data breach/spillage response actions. Products: Workspace ONE, Carbon Black.

Summary and Additional Resources

This whitepaper provides details about how VMware products and solutions align with the tenets and architecture of Zero Trust, as defined by industry-leading publications.

For details about controls, refer to the following appendices:

About the Author and Contributors

Andrew Osborn serves at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance and regulatory. He has over 20 years’ experience in the IT industry, including the last 8 years in the Public Sector, with roles spanning cybersecurity, networking, enterprise operations, mobility and telco solutions, encompassing numerous technologies and architectures. Andrew received an MIS degree from the University of Oklahoma, holds ISC2 CISSP and GIAC GSLC certifications, and is based out of San Antonio, TX. He will be contributing to VMware’s Tech Zone to provide more tailored messaging for Federal, State, Local & Education (SLED) solutions from VMware EUC.

Changelog

The following updates were made to this guide:

Date | Description of Changes
2021/09/09 | Guide was published.

Feedback

Your feedback is valuable. To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
