Zero Trust Secure Access to On-Premises Web Applications with VMware

Products covered in this guide:
VMware Workspace ONE Access
VMware Workspace ONE UEM
VMware Unified Access Gateway
VMware Workspace ONE Tunnel
VMware Workspace ONE Intelligence
VMware Workspace ONE Mobile Threat Defense
VMware Carbon Black Cloud
VMware NSX-T Data Center
Introduction: What Is Zero Trust?
Zero Trust has been a hot topic for a while, and over the past years respected agencies such as the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Cyber Security Centre (NCSC) have published extensive guidelines on the use and implementation of Zero Trust Architecture. Most experts agree that with Zero Trust, we should not default to trusting someone or something just because it is plugged in to a certain network. But if we are not going to place our trust in the local network, we must establish trust using other methods.
Another issue with the traditional security architecture is that the local network usually encompasses a large perimeter, which is difficult to secure. After a large perimeter is penetrated, it is very difficult to contain the attack. The ability of threats to move laterally (east-west traffic) is often a result of having a large perimeter, as illustrated in the following figure.
Figure 1: Traditional Perimeter-Based Security Model
With Zero Trust, we shrink the perimeter to include only the backend system for a particular application and its data. All user access is treated the same. From a security standpoint, there is no difference between using a traditional, internally connected device versus using a device that connects over the Internet. All requests are validated by using the same stringent requirements.
With multiple, much smaller perimeters, an attack is much easier to contain within one area.
Figure 2: Zero Trust Security Model with Perimeters Around Each Application
If we cannot, by default, trust everything inside the perimeter of the local network, where can we place our trust? At VMware, our Zero Trust solution is based on developing five pillars of trust: device trust, user trust, transport/session trust, application trust, and data trust. A full implementation requires all five pillars, plus a system that gives you visibility by logging all traffic; that visibility is the foundation for automation and orchestration.
Figure 3: Five Pillars of Zero Trust
Another key component of Zero Trust is the concept of least-privilege access. The idea is that a user or system should have access to only those resources that are specifically required to perform the task at hand. No more, no less. This concept is discussed in detail later in this guide, in Principle of Least-Privilege Access.
Although companies are interested in moving to a Zero Trust Architecture because it offers more security than traditional models, most companies will not be able to implement Zero Trust principles and technologies throughout their organization all at once. Most organizations start implementing Zero Trust with only one application or a small number of applications.
Purpose of This Guide
This guide addresses only one use case: securing on-premises web applications. It in no way presents a complete Zero Trust model. However, the foundational principles used here will be reused in future Zero Trust use cases that VMware documents, so reading this guide will familiarize you with the core principles and architecture described in other use cases.
This guide helps IT architects, consultants, and information security administrators involved in planning, designing, and implementing a Zero Trust security solution with VMware Workspace ONE® in their organization. Readers should have:
- A solid understanding of the mobile device landscape
- A solid understanding of device and application management
- Knowledge of identity solutions and standards, such as SAML federation
- A good understanding of mobile and desktop threats and the remediation process
- A solid understanding of VPN architecture and firewall policy
- A good working knowledge of networking and infrastructure, covering topics such as Active Directory, DNS, and DHCP
Use Case: Securing Internal Web Applications
The Zero Trust methodology can be applied to protect any application, but the implementation might look different, depending on the use case. In this document, we focus on one specific use case: protecting internally hosted web applications.
By internally hosted application we mean an application that is not necessarily designed for external access. Such an application typically:
- Relies heavily on Microsoft Active Directory or an internal identity provider
- Uses HTTP or HTTPS for communication
- Is self-hosted and not published on the Internet
Data in, and access to, those applications are often deemed critical, and many times there is no access path other than a full-device VPN.
Workspace ONE Tunnel as least privilege secure access to resources
To isolate and modernize access to internal web applications, we need a technology that bridges the traditional architecture and a future based on Zero Trust. In our solution, that technology is VMware Workspace ONE Tunnel, which provides secure, per-application access to those internal applications.
Traditional VPN vs Tunnel approach
Traditional VPN setups create a device-wide connection to the enterprise network and enable access to internal apps this way. The device itself becomes a member of the network and with that provides blanket trust and access to all applications. Without special rules, Internet traffic also uses the corporate outbound proxy, which usually has a set access control list (ACL) to define what can be accessed on the Internet.
One caveat of this approach is that personal web browsing goes through the corporate network, creating a privacy issue. Sending all traffic through the corporate network, including large downloads such as OS updates, also taxes the corporate network and the VPN gateway; the COVID-19 pandemic showed that many existing VPN installations could not cope with the increased number of VPN users.
With the modern Tunnel approach, tunneling is restricted to specified managed applications, and only those applications can communicate through the Tunnel client app. The Tunnel client then filters that traffic by destination domain: authorized domains are routed through the Tunnel gateway, and all other domains are either blocked or bypassed directly to the Internet. In the data center, the traffic can be segmented further through the integration with VMware NSX, which lets you define policies that restrict each application to the specific application servers it needs. With this model, we achieve least-privilege access while honoring user privacy, transporting only traffic intended for application workloads instead of everything, as a traditional VPN does.
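As an added example (it is not code from the Workspace ONE Tunnel client or any VMware product), the following Go program models the routing decision described above: a per-app policy in which only tunnel-enabled managed apps ever reach the gateway, destination hosts are matched against tunnel/block/bypass rules, and anything unmatched bypasses straight to the Internet. The app identifiers, host names, rule format and first-match ordering are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is what the Tunnel client does with a connection attempt.
type Action int

const (
	Bypass Action = iota // send directly to the Internet, never touching the tunnel
	Tunnel               // forward through the Tunnel gateway into the data center
	Block                // drop the connection
)

func (a Action) String() string {
	switch a {
	case Tunnel:
		return "tunnel"
	case Block:
		return "block"
	}
	return "bypass"
}

// Rule is a hypothetical per-app traffic rule: the managed app it applies to
// ("*" for any tunnel-enabled app), a destination host pattern (exact host or
// a "*.suffix" wildcard) and the action to take.
type Rule struct {
	App     string
	Pattern string
	Action  Action
}

// Policy models the routing table the Tunnel client enforces on the device.
type Policy struct {
	TunnelApps map[string]bool // managed apps explicitly allowed to use the tunnel
	Rules      []Rule          // evaluated in order; first match wins
	Default    Action          // for tunnel-enabled apps with no matching rule
}

// matchHost does case-insensitive exact or wildcard matching. The wildcard
// keeps its leading dot, so "*.corp.example" matches "hr.corp.example" but
// neither "corp.example" itself nor "evilcorp.example".
func matchHost(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return pattern == host
}

// Decide returns the action for a connection from app to host. Apps that are
// not tunnel-enabled never reach the gateway: their traffic goes out directly,
// as it would with no tunnel installed, which keeps personal browsing off the
// corporate network.
func Decide(p Policy, app, host string) Action {
	if !p.TunnelApps[app] {
		return Bypass
	}
	for _, r := range p.Rules {
		if (r.App == "*" || r.App == app) && matchHost(r.Pattern, host) {
			return r.Action
		}
	}
	return p.Default
}

// SamplePolicy is a constructed policy: two managed apps may tunnel, anything
// under corp.example goes through the gateway, the HR app is additionally
// denied the finance server, and everything else bypasses to the Internet.
func SamplePolicy() Policy {
	return Policy{
		TunnelApps: map[string]bool{"com.example.hrportal": true, "com.example.browser": true},
		Rules: []Rule{
			{App: "com.example.hrportal", Pattern: "finance.corp.example", Action: Block},
			{App: "*", Pattern: "*.corp.example", Action: Tunnel},
		},
		Default: Bypass,
	}
}

func main() {
	p := SamplePolicy()
	for _, c := range [][2]string{
		{"com.example.hrportal", "hr.corp.example"},
		{"com.example.hrportal", "finance.corp.example"},
		{"com.example.browser", "finance.corp.example"},
		{"com.example.browser", "www.youtube.com"},
		{"com.personal.chat", "hr.corp.example"},
	} {
		fmt.Printf("%-22s -> %-22s %s\n", c[0], c[1], Decide(p, c[0], c[1]))
	}
}
```

The order of the rules matters: the more specific per-app Block rule must precede the wildcard Tunnel rule, otherwise the HR app would be tunneled to the finance server. A real deployment also segments on the gateway side, but the client-side decision is what keeps unrelated traffic off the corporate network in the first place.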
Alignment of Workspace ONE with the Trust Pillars
The following diagram shows how the VMware Workspace ONE® products and solutions for this use case can help establish each applicable trust pillar. Note that some products span multiple pillars.
Figure 4: Product Alignment to Trust Pillars
Later in this guide, we discuss each product in more detail and describe which features you can use to achieve trust in each pillar.
In our design, we focused on device-agnostic solutions. Although platform-specific features are available and can enhance the solution, for simplicity, we have focused on broad device support. You may decide to add platform-specific features and third-party solutions into the mix, but these options are outside the scope of this document.
Logical Architecture of the VMware Zero Trust Solution
For the use case covered in this document, the following diagram shows the relationship and interaction of the various products used. More detail on product features and integration points is given later in this document.
Figure 5: Logical Architecture
Now that you have an overview of the system you can build for a Zero Trust solution, we delve into the details and rationale for each pillar of trust, starting with device trust.
Device Trust
In the Zero Trust model, device and user trust are two pillars of trust that people often begin with. In general, these two domains are where you find the most products and vendors offering solutions. For Zero Trust, as an IT administrator, you need to know your devices before you can trust them. You must have an inventory specifying which devices are owned and thereby controlled by your company. You must have a solution that monitors, manages, and controls these devices.
Note: When it comes to supporting BYOD (bring your own device), you might simply have to relax your trust level on the device. End users are not often eager to let their personal devices be managed by their employer.
To secure a strong level of trust in end users’ devices, you might need to know, for example, whether the local disk is encrypted properly, what the antivirus status is, what versions of the OS and applications are installed, and more. Knowing all these properties adds to your overall trust in the device.
Included in this pillar is the capability for automatic remediation. For example, if a device does not have the correct version of the OS or an application, the system should be able to remediate by pushing out the correct version or by guiding the user on how to upgrade.
The rest of the sections in this chapter provide more detail about the various elements of device trust:
- Device Management
- Device Inventory
- Device Compliance Check and Remediation
- Real-Time Device Threat Detection and Response
- Certificate Management
- Device Trust with Workspace ONE Tunnel
Device Management
Device management means having control over the device to achieve the desired goals, including control over what software is installed, which versions, and under what conditions a given application may be used. For example:
- To achieve certain privacy goals, the camera app on hospital employees’ managed phones might need to be turned off when employees enter the hospital where they work.
- To avoid data theft, the OS on the device needs to be kept up to date, and the storage disk might need to be encrypted.
To achieve these goals, device management includes defining security policies, starting with how the device itself is identified, often using multiple authentication and authorization methods. Because circumstances change constantly, device management also includes continuously monitoring the state of the device and its attributes so that security policies can be updated and applied at any time. For example, if an employee suddenly quits and goes to work for a competitor, you might want to lock the now-former employee out of the device and perform a device wipe.
Table 1: VMware Products for Device Management
Workspace ONE UEM
The device can be managed by going through a quick and easy VMware Workspace ONE® Unified Endpoint Management (UEM) enrollment process. After enrollment, the system manages the device. The following steps outline the process:
- The device sends device attribute information to Workspace ONE UEM.
- Workspace ONE UEM issues a device certificate to the enrolled device, which is used to establish trust between Workspace ONE UEM instance and the device.
- The server issues device management profiles and other over-the-air configurations to the device.
- Workspace ONE UEM also runs periodic compliance checks to ensure that the device complies with the organization’s compliance policies.
- If the device is found to be out of compliance, enforcement or remediation occurs according to the organization’s policies.
Note: The compliance engine is described in detail in the section Device Compliance Check and Remediation.
Device Inventory
Because credentials can be stolen and servers exploited, in a Zero Trust model, IT must also catalog all hardware devices to verify that each device is a known secure endpoint. IT can then use inventory-based access controls and allow access only from devices registered to authenticated users.
Table 2: VMware Products for Device Inventory
Workspace ONE UEM
Workspace ONE Access
When the device is registered or managed with Workspace ONE UEM, it is added to the device inventory list. Only devices included on this inventory list can progress to the following stages:
- Receive, from Workspace ONE UEM, the configuration profiles and policies that allow access to protected resources.
- Be evaluated by the VMware Workspace ONE Access™ conditional access policies that control access to the apps.
Device Compliance Check and Remediation
After IT determines what security policies are required, the next step is to make sure devices comply with these policies, which might include, for example, determining whether the device:
- Is included in the current inventory list
- Has the required OS version
- Has the required agents installed
- Is running the latest software patches
- Uses strong PIN/unlock methods
Compliance checks must be performed by collecting information from devices at both scheduled and unscheduled times. In addition, IT must determine the consequences for noncompliance, which might include, for example, denying access to corporate resources. Determining that the device is out of compliance is helpful only if the system can also respond and remediate to quickly bring the device into compliance.
Table 3: VMware Products for Device Compliance Checks and Remediation
Workspace ONE UEM
Workspace ONE Access
Workspace ONE Intelligence
There are two methods by which Workspace ONE can measure compliance.
- Engine compliance – The compliance engine, a software algorithm that receives and measures scheduled samples, primarily determines the compliance of a device. The time intervals for running the scheduler are defined in the console by the administrator.
- Real-time compliance (RTC) – Unscheduled samples received from the device are used to determine whether or not the device is compliant. The samples are requested on demand by the administrator.
The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide by your organization’s policies. These policies can include basic security settings such as requiring a passcode and having a minimum device lock period. For certain OS platforms, you can also set and enforce precautions such as setting password strength, deny listing certain apps, and requiring device check-in intervals to ensure that devices are safe and are in regular contact with Workspace ONE UEM.
The Workspace ONE Access component connects the Workspace ONE UEM device compliance knowledge to the flow of authentication. To make use of the device compliance status, you must chain two authentication methods in your access policies. First, you validate the user using a certificate-based authentication method. Next, you require the check for device compliance. The authentication process goes like this:
- Because the device uses certificate-based authentication and UEM controls the attributes placed in the certificate, Workspace ONE Access can retrieve the device's unique device identifier (UDID) from the certificate.
- Workspace ONE Access uses an API integration with Workspace ONE UEM to send the device’s UUID for validation and to check compliance status in real time.
Detection of Compromised Devices
In deployments of both BYOD and corporate-owned devices, it is important to verify that devices are healthy before letting them access corporate resources. Workspace ONE UEM leverages the VMware Workspace ONE® Intelligent Hub agent, which is installed on the device, to detect if the device is compromised; that is, rooted or jailbroken.
- On iOS devices, Intelligent Hub can dynamically update its detection algorithms over-the-air.
- On Android devices, Workspace ONE UEM leverages SafetyNet Attestation, which is a Google API, to validate software and hardware information to determine if a particular device has been tampered with or modified.
- On Windows devices, the Windows Health Attestation Service accesses device boot information from the cloud. This information is measured and checked against related data points to ensure that the device boots up as intended and is not a victim of security vulnerabilities or threats. Measurements include Secure Boot, Code Integrity, BitLocker, and Boot Manager.
- On macOS devices, Intelligent Hub detects the status of System Integrity Protection (SIP), the macOS mechanism that protects system-owned files and directories against modification by processes without a specific entitlement, even when they run as root.
Workspace ONE UEM enables you to configure the Windows Health Attestation service to ensure device compliance. For Windows guidelines, see Configure the Health Attestation for Windows Desktop Compliance Policies and Compliance Policies, in the Workspace ONE UEM product documentation. Because Health Attestation is based on boot measurements recorded by the device's TPM rather than on what the running OS reports about itself, a compromised device can be detected even when the OS kernel itself has been compromised.
After devices are determined to be out of compliance, the compliance engine warns users to address the compliance errors before enforcement actions are applied to the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.
Devices not in compliance cannot have device profiles assigned to them and are not trusted. If corrections are not made within the time you specify, the device loses access to the content and functions you define. The available compliance policies and actions vary by platform.
You can automate escalations when corrections are not made, for example, by locking down the device and notifying the user to contact you to unlock the device. These escalation steps, disciplinary actions, grace periods, and messages are all customizable with the Unified Endpoint Management Console.
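To make the compliance-check-plus-escalation loop described above concrete, here is an added Go example that is not part of the Workspace ONE compliance engine: it evaluates a constructed device sample against a small policy (minimum OS version, management agent present, disk encryption, passcode, recent check-in) and then picks the enforcement step whose grace period has elapsed. The attribute names, thresholds and the three-step escalation schedule are assumptions for the illustration; the numeric version comparison is the detail that a naive string comparison gets wrong.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DeviceSample is a constructed snapshot of the attributes a device reports.
type DeviceSample struct {
	UDID           string
	OSVersion      string
	AgentInstalled bool
	DiskEncrypted  bool
	PasscodeSet    bool
	LastCheckIn    time.Time
}

// Policy is the hypothetical compliance policy the administrator defines.
type Policy struct {
	MinOSVersion  string
	MaxCheckInAge time.Duration
}

// Escalation is one enforcement step: applied once a device has been out of
// compliance for at least After.
type Escalation struct {
	After  time.Duration
	Action string
}

// compareVersions orders dotted numeric versions numerically ("17.10" > "17.2").
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Violations lists every rule the device fails; an empty list means compliant.
func Violations(p Policy, d DeviceSample, now time.Time) []string {
	var v []string
	if compareVersions(d.OSVersion, p.MinOSVersion) < 0 {
		v = append(v, "OS "+d.OSVersion+" below required "+p.MinOSVersion)
	}
	if !d.AgentInstalled {
		v = append(v, "management agent missing")
	}
	if !d.DiskEncrypted {
		v = append(v, "disk not encrypted")
	}
	if !d.PasscodeSet {
		v = append(v, "no passcode")
	}
	if age := now.Sub(d.LastCheckIn); age > p.MaxCheckInAge {
		v = append(v, "last check-in "+age.String()+" ago")
	}
	return v
}

// NextAction returns the most severe escalation step whose grace period has
// elapsed; steps must be ordered by increasing After.
func NextAction(steps []Escalation, nonCompliantFor time.Duration) string {
	action := "none"
	for _, s := range steps {
		if nonCompliantFor >= s.After {
			action = s.Action
		}
	}
	return action
}

// SampleSchedule is a constructed escalation: warn immediately, cut off
// corporate resources after two days, enterprise-wipe after seven.
var SampleSchedule = []Escalation{
	{0, "notify user"},
	{48 * time.Hour, "block corporate resources"},
	{7 * 24 * time.Hour, "enterprise wipe"},
}

func main() {
	now := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	p := Policy{MinOSVersion: "17.2", MaxCheckInAge: 72 * time.Hour}
	d := DeviceSample{UDID: "A1B2", OSVersion: "17.1.2", AgentInstalled: true,
		DiskEncrypted: true, PasscodeSet: false, LastCheckIn: now.Add(-5 * 24 * time.Hour)}
	fmt.Println(Violations(p, d, now), "->", NextAction(SampleSchedule, 3*24*time.Hour))
}
```

Note that the check-in age is itself a compliance attribute: a device that stops reporting cannot be re-evaluated, so a stale sample must eventually be treated as non-compliant rather than as "last known good".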
In addition to the built-in compliance engine, administrators can leverage the VMware Workspace ONE® Intelligence™ automation engine to identify changes to any of more than 250 attributes from devices, applications, and OS updates. If any of these changes require immediate action, they can trigger automated workflows involving the devices and third-party solutions.
Real-Time Device Threat Detection and Response
Traditionally, threats evolve as quickly as security researchers release patches for the vulnerabilities they find. The ability to detect malware, viruses, behavioral anomalies, and many other types of threats is essential, as is the ability to provide real-time remediation.
Table 4: VMware Products for Real-Time Threat Detection and Response
Workspace ONE Trust Network solutions, including:
VMware Carbon Black Defense is a next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution that provides advanced protection and visibility to defend against malware and non-malware attacks, allowing IT administrators to:
- Respond to an attack as soon as it is identified.
- Visualize every stage of the attack with easy-to-follow attack chain details to uncover root causes in minutes.
- Immediately triage alerts by isolating endpoints, deny listing applications, or terminating processes.
- Open a secure shell into any endpoint on or off the network to investigate and neutralize threats remotely.
Workspace ONE Intelligence integrates with VMware Carbon Black Defense to obtain threat activities in real time from Windows and macOS endpoints, allowing IT administrators to define automated actions against managed devices when a threat is identified.
On mobile endpoints, we use Workspace ONE Mobile Threat Defense (MTD) which delivers advanced endpoint security for iOS, Android, and Chrome OS devices. Mobile Threat Defense is powered by Lookout but is enhanced by our deep integration of Lookout SDK with Workspace ONE Intelligent Hub, which eliminates the need to launch a standalone app to activate MTD and therefore simplifies the deployment.
Additional security solutions such as Wandera, Zimperium, Pradeo, and Better Mobile on the MTD side, or Netskope as a cloud access security broker (CASB), can be leveraged to enhance endpoint and data protection. All of these products are part of the VMware Workspace ONE® Trust Network and integrate with Workspace ONE Intelligence. Workspace ONE Intelligence consolidates all threat data to provide visibility into the threat landscape and to enable the automation engine to take additional remediation actions on devices under attack.
Certificate Management
As the mobility of sensitive corporate content becomes the norm, the probability of unauthorized access and malicious threats increases. Even if you protect your corporate email, Wi-Fi, and virtual private network (VPN) using strong passwords, your infrastructure remains vulnerable to brute-force attacks, dictionary attacks, and employee error.
Digital certificates provide strong protection for securing your corporate assets. Certificates offer a level of stability, security, and sophistication that passwords cannot match. Certificate management by Workspace ONE UEM ensures security throughout the lifecycle of a device.
Table 5: VMware Products for Certificate Management
Workspace ONE UEM
Workspace ONE UEM installs a device certificate on the device and uses the certificate to establish trust between the Workspace ONE UEM server instance and the device. The certificate can be generated and signed by the default digital certificate authority, Workspace ONE UEM CA, or you can use a trusted third-party CA. Workspace ONE UEM supports many third-party certificate authorities and techniques to provide certificates either as credential payload or through SCEP onto the device.
Besides the main device certificate that identifies the device to device management, UEM also provisions an additional X.509 certificate that identifies the user and device to the Tunnel Service. Again, this certificate can be issued by the built-in CA within UEM or through an integration with an existing CA infrastructure; either way, the certificate template includes the unique device identifier.
Device Trust with Workspace ONE Tunnel
Because of the tight integration between the Tunnel Service and UEM, we achieve a high confidence that only compliant devices can access confidential resources.
Table 6: VMware Products for Device Trust with Workspace ONE Tunnel
Workspace ONE UEM
Unified Access Gateway
The Tunnel Service is a service hosted on Unified Access Gateway that provides a secure and effective method for individual applications to access corporate resources hosted in the internal network. The Tunnel Service uses a unique X.509 certificate (delivered to enrolled devices by Workspace ONE) to authenticate and encrypt traffic from applications to the tunnel.
The Tunnel client configuration can be delivered only by Workspace ONE UEM to an enrolled device, so stolen user credentials alone do not yield tunnel access. Further, UEM signals the management and compliance status of each device to the Tunnel Service through an API and updates it as that status changes. Only managed devices are therefore admitted, which lets us check those devices for compromise, link them to other data sources in the Trust Network, and, when the compliance state changes, revoke access to the resources by signaling the Tunnel Service gateway.
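The following Go example (added here; it is not VMware code and does not reproduce the UEM certificate template) shows the mechanism this section and Certificate Management rely on: an issuing CA standing in for the UEM CA signs a per-device client certificate that carries the user in the subject and the device UDID in a subjectAltName URI, and the gateway side verifies the chain, validity period and client-authentication usage before it trusts the UDID it extracts. The `urn:example:udid:` URI form, the names and the lifetimes are assumptions; a certificate forged under another CA and an expired certificate are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// udidPrefix is a hypothetical URI form for carrying the UEM device identifier
// in the certificate's subjectAltName; the real template attribute is an assumption.
const udidPrefix = "urn:example:udid:"

// newCert generates a P-256 key and signs tmpl with parent (self-signed when
// parent is nil), returning the parsed certificate and its private key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serial returns a random, strictly positive serial number.
func serial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	return n.Add(n, big.NewInt(1))
}

// NewCA creates the issuing CA, standing in for the built-in UEM CA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueDeviceCert plays the UEM role: a client-auth certificate naming the user
// in the subject and binding the device UDID into a SAN URI (user+device identity).
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user, udid string) (*x509.Certificate, error) {
	u, err := url.Parse(udidPrefix + udid)
	if err != nil {
		return nil, err
	}
	cert, _, err := newCert(&x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}, ca, caKey)
	return cert, err
}

// AuthenticateDevice is the gateway side: the certificate must chain to the
// trusted CA, be valid at now and be usable for client authentication; only
// then is the UDID read from the SAN and handed on to the compliance lookup.
func AuthenticateDevice(trusted, cert *x509.Certificate, now time.Time) (user, udid string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", "", err
	}
	for _, u := range cert.URIs {
		if s := u.String(); strings.HasPrefix(s, udidPrefix) {
			return cert.Subject.CommonName, strings.TrimPrefix(s, udidPrefix), nil
		}
	}
	return "", "", errors.New("certificate carries no device UDID")
}

func main() {
	ca, caKey, _ := NewCA("UEM Device CA (example)")
	cert, _ := IssueDeviceCert(ca, caKey, "alice@example.com", "9F3A-DEVICE-0001")
	fmt.Println(AuthenticateDevice(ca, cert, time.Now()))
}
```

The point of the chain check coming first is that the UDID is only meaningful because the issuer, not the device, put it there; reading identifiers out of an unverified certificate would let any holder of a self-signed certificate claim a compliant device's identity. Revocation (CRL or OCSP) is deliberately left out here and must be added in a real gateway.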
User Trust
To ensure a high level of trust in the user, you must make use of modern and strong authentication methods. Relying on passwords alone is not sufficient. You can chain many authentication methods together, but you also must weigh the security benefits against any possible decline in user experience. The goal with Zero Trust is to enhance both security and user experience.
Certificates are ideal as the foundation of your user authentication method. With certificate-based authentication in place, you can add things like multi-factor authentication (MFA) for critical systems. Today most MFA solutions are user friendly and add minimal inconvenience to the user experience.
Conditional access rules can help determine whether and when to enforce stronger authentication. Conditional access is the foundation of Zero Trust, where you bring together not only the user but also the device posture. You can also decide the amount of time to live (TTL) for the user’s authentication. The lower the TTL of a session, the more often conditional access rules are invoked. But it is a balance. If the time limit is too small, users will be prompted for authentication too often. Offering a seamless, zero-touch authentication method will go a long way toward earning the acceptance of users.
The rest of the sections in this chapter provide more detail about the various elements of user trust:
- Passwordless User Authentication
- Multi-factor Authentication
- Conditional Access
Passwordless User Authentication
Passwordless authentication is a mechanism for determining the identity of the user without requiring the user to enter a password. Some types of passwordless authentication include:
- Biometrics, such as fingerprints or facial scans
- Hardware or software security tokens
- One-time codes or links sent to an email address or a mobile phone number
- Piggybacking on a service that has already authenticated the user
- Certificate-based authentication
The benefits of passwordless authentication include:
- Improved user experience, because users do not need to keep track of passwords
- Faster login times if the system does not need to wait for the user to enter something
- Better security, because IT does not need to worry about users sharing or reusing passwords
- Resilience against phishing, for methods such as certificates and FIDO2 that bind the credential to the device or origin (one-time codes sent by email or SMS can still be phished and relayed)
- Reduction in maintenance costs because IT spends less time removing and resetting passwords for users who have forgotten their passwords
Table 7: VMware Products for Passwordless Authentication
Workspace ONE UEM
Workspace ONE Access
Workspace ONE Access performs the act of authenticating users in our solution. Workspace ONE Access supports many types of authentication methods, including RADIUS, FIDO2, RSA SecurID, passwords, OpenID Connect and SAML authentication using external identity providers, and more.
Because in a Zero Trust implementation, we want to use strong authentication but still maintain a good user experience, we rely on different methods of certificate-based authentication. You can easily build and adjust access policies that require different levels of authentication, including multi-factor authentication if needed, but at its foundation, our Zero Trust solution is built on certificate-based authentication.
Workspace ONE Access supports multiple different methods of certificate-based authentication:
- Traditional certificate-based user authentication methods used by PC and Mac devices
- Our own certificate-based user authentication solution for iOS and Android devices, called Mobile Single Sign-On (SSO)
- Certificate-based device authentication, for validating the device itself
Mobile SSO technology provides the ability to sign in to an app on a mobile device once and gain access to all entitled applications, including SaaS apps. VMware leverages open standards such as SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) to authenticate a user between the identity provider, namely Workspace ONE Access, and the service provider, in our case the internal web apps as well as SaaS apps in the cloud. For legacy web applications that cannot use modern authentication directly, we can also deploy identity bridging on another Unified Access Gateway, which translates certificate or SAML authentication into Kerberos via Kerberos Constrained Delegation (KCD). By eliminating the need to enter passwords to access a resource, this technology removes the password-cracking attack surface while offering an SSO experience for users.
Multi-factor Authentication
Multi-factor authentication (MFA) involves requiring at least two pieces of evidence (factors) that prove the user’s identity. These pieces of evidence are usually some combination of the following three factor types:
- Something the user knows, such as a password or the answer to a security question
- Something the user has, such as a hardware or software security token or a certificate
- Something the user is, which might mean a scan of the user’s fingerprint, retina, or face
Table 8: VMware Products for Using Multi-factor Authentication
Verify (Intelligent Hub)
Workspace ONE Access
Workspace ONE UEM
Verify (Intelligent Hub) is a multi-factor authentication (MFA) method integrated with the Workspace ONE Intelligent Hub app that can be configured in Workspace ONE Access. When the Workspace ONE Intelligent Hub app is installed on Workspace ONE UEM managed or registered devices, Verify (Intelligent Hub) can be used as a second authentication method to access a restricted Hub catalog or restricted apps.
To use Verify (Intelligent Hub) authentication, Workspace ONE Access and Workspace ONE UEM must be integrated with Hub Services. You enable the authentication method in the Workspace ONE Access services and then add it as an authentication method in the built-in identity provider. When a request for Verify (Intelligent Hub) authentication is required, Hub Services sends an urgent notification message to the device for the user designated to receive the notification.
Conditional Access
To implement conditional access, IT and/or the security department must decide what the rules will be with regard to allowing a user to access a particular protected service or data source. The idea is to reduce the attack surface by narrowing the conditions under which access is granted. In any given condition, you have a user on a device, in a location, at a particular time, using a certain app, and trying to access a service (or data). All of these parameters can be taken into account to understand the context of the request:
- Type of application being used
- What is being requested to access
- Risk score for the user and login event
From these parameters, IT can create rules that, for example, call for authenticating the user, device, and application and then authorizing that user on that device to access only that service.
Table 9: VMware Products for Using Conditional Access
Workspace ONE UEM
Workspace ONE Access
Workspace ONE Intelligence
With Workspace ONE Access, all requests for access flow through the conditional access rules engine:
- You can define different conditions such as group membership, device type, location, user or login risk score, and resource requested.
- You can build conditional access for individual applications, Workspace ONE Access itself, or a combination of these. For example, you can allow seamless access to some applications while requiring step-up authentication using MFA for others.
- To validate the user often, you can adjust the time to live for each conditional access rule.
- You can allow for fallback methods of authentication. This hybrid, fallback mode is typically used if some client devices have not yet been enabled for Zero Trust.
With conditional access, you chain multiple authentication methods to build a strong trust level in your user. When you integrate Workspace ONE UEM with Workspace ONE Access, you can leverage the device compliance status collected by Workspace ONE UEM to implement conditional access.
Workspace ONE Access chains user authentication together with the authentication method called Compliance Check, as follows:
- Workspace ONE UEM distributes and manages the certificate on the device.
- Workspace ONE Access collects the device’s UDID from the certificate the device presents as a method of authentication.
- To perform the device compliance check, Workspace ONE Access connects to Workspace ONE UEM through API calls and passes the device’s UDID (unique device ID) to Workspace ONE UEM.
- Workspace ONE UEM then checks the compliance status and passes the information back to Workspace ONE Access.
- Workspace ONE Access can also check with Workspace ONE Intelligence, which compares the login event with a baseline of the user's previous activity calculated through machine learning and rates the current event with a low, medium, or high risk score.
- Based on the received risk score, Workspace ONE Access either passes the authentication, requires a step-up with a form of multi-factor authentication, or blocks the authentication altogether.
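The chain just described (certificate, UDID, compliance check, risk score, decision) as a simplified model in Python. This is an added illustration, not VMware code: the Workspace ONE UEM and Intelligence API calls are replaced by constructed in-memory stubs, and the rule's time to live and fallback mode are modelled as plain fields.

```python
"""Simplified model of the conditional-access chain:
client certificate -> device UDID -> UEM compliance check -> Intelligence
risk score -> pass / step-up MFA / block. Added illustration, not VMware
code; UEM and Intelligence lookups are constructed stubs."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import time


class Decision(Enum):
    PASS = "pass"                # low risk on a compliant device
    STEP_UP_MFA = "step_up_mfa"  # require a second factor before granting access
    BLOCK = "block"              # deny the request outright


@dataclass
class ClientCert:
    """Outcome of TLS certificate authentication (assumed done by the TLS stack)."""
    udid: str          # assumption: the device UDID is carried in the certificate
    chain_valid: bool  # chain and revocation checks passed


# Constructed stand-ins for the Workspace ONE UEM and Intelligence APIs.
UEM_COMPLIANCE = {"udid-0001": "Compliant", "udid-0002": "NonCompliant"}
INTEL_RISK = {("alice", "udid-0001"): "low",
              ("bob", "udid-0001"): "medium",
              ("carol", "udid-0001"): "high"}


def uem_compliance_status(udid: str) -> str:
    """Stub for the UEM API call that receives the UDID and returns compliance."""
    return UEM_COMPLIANCE.get(udid, "Unknown")   # unknown device is never compliant


def intelligence_risk_score(user: str, udid: str) -> str:
    """Stub for the Intelligence lookup; no baseline for this pair -> high."""
    return INTEL_RISK.get((user, udid), "high")


@dataclass
class ConditionalAccessRule:
    resource: str
    ttl_seconds: int               # how long a decision is trusted before re-validation
    allow_password_fallback: bool  # hybrid mode for devices not yet Zero Trust enabled
    _cache: dict = field(default_factory=dict)

    def evaluate(self, user: str, cert: Optional[ClientCert],
                 now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        key = (user, cert.udid if cert else None)
        cached = self._cache.get(key)
        if cached and now - cached[1] < self.ttl_seconds:
            return cached[0]          # still within the rule's time to live
        decision = self._decide(user, cert)
        self._cache[key] = (decision, now)
        return decision

    def _decide(self, user: str, cert: Optional[ClientCert]) -> Decision:
        # 1. Device authentication: the certificate is the first link in the chain.
        if cert is None or not cert.chain_valid:
            # Fallback only when the rule allows hybrid mode, and then with MFA.
            return Decision.STEP_UP_MFA if self.allow_password_fallback else Decision.BLOCK
        # 2. Compliance Check: the UDID from the certificate is passed to UEM.
        if uem_compliance_status(cert.udid) != "Compliant":
            return Decision.BLOCK
        # 3. Risk score from Intelligence decides pass / step-up / block.
        risk = intelligence_risk_score(user, cert.udid)
        if risk == "low":
            return Decision.PASS
        if risk == "medium":
            return Decision.STEP_UP_MFA
        return Decision.BLOCK


if __name__ == "__main__":
    rule = ConditionalAccessRule("hr-app", ttl_seconds=300, allow_password_fallback=False)
    for user, cert in [("alice", ClientCert("udid-0001", True)),
                       ("bob", ClientCert("udid-0001", True)),
                       ("carol", ClientCert("udid-0001", True)),
                       ("alice", ClientCert("udid-0002", True)),
                       ("alice", None)]:
        print(user, cert.udid if cert else "no cert", "->", rule.evaluate(user, cert).value)
```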
Transport and Session Trust
To secure communication between the user, on their device, and the backend application with its data, we need transport and session trust. This trust pillar is critical in making sure only valid requests are passed to the backend.
In an ideal situation, you could interact with an existing session and terminate it immediately when a change in trust level occurs. But today only a few solutions have this capability, and their support for applications is limited. The best we can probably do today is to make sure the backend is protected as much as possible.
A minimum requirement in Zero Trust is the encryption of communication between the user’s device and the backend application data. Most internal Web applications already use HTTPS instead of unencrypted HTTP to transport the data to the user client or browser. Whether or not the web application uses HTTPS, with Tunnel the communication is wrapped in a TLS-encrypted communication channel for transport through the Internet.
The rest of the sections in this chapter provide more detail about the various elements of transport and session trust:
Principle of Least-Privilege Access
As you might have already learned, the principles of Zero Trust are, “never trust, always verify, enforce least privilege.” Least-privilege access means giving users or applications only as much access as they need, which minimizes each user’s exposure to sensitive parts of the network.
The idea of least-privilege access is to provide granular role-based access to privileged resources. For example, users who belong to the HR department would get access to only the HR applications and only the servers and data required for HR job functions. Conversely, users who belong to the Finance department would get access to only the Finance applications and only the Finance servers and data. Neither group of users would get access to the other group’s applications, servers, or data.
Table 10: VMware Products for Least-Privilege Access
- VMware Unified Access Gateway
- VMware NSX-T Data Center
Segmentation of Traffic into Multiple Networks
Managing data flow requests, which might be coming from anywhere to the backend zone, as well as controlling privileged network access are essential tasks for a Zero Trust implementation.
VMware Unified Access Gateway™ and the Tunnel Service act as the gateway, or enforcement point, to control access to the internal web applications. The Tunnel Service on the Unified Access Gateway ensures that connections to those web apps are always from managed and compliant devices. Any unauthorized traffic is blocked and is prevented from accessing any backend resources.
Unified Access Gateway supports segmentation of network traffic through a multiple-Network Interface Card (NIC) configuration. The three-NIC configuration allows for the segmentation of traffic in (1) the public or corporate network, (2) the management network, and (3) the backend network. Routing capabilities allow users to access backend data in separated networks.
Figure 6: Network Segmentation Using the Three-NIC Configuration of Unified Access Gateway
Contextual Granularity Through Distributed Firewall Rules
At the transport and network layer, the principle of least privilege can be achieved by using VMware NSX-T™ Data Center. The distributed firewall feature allows for the definition of network security policies and firewall rules that can be applied granularly based on context. This allows for:
- Micro-segmentation – Enables micro-segmentation to protect virtual machines from the lateral spread of threats. The security policy is defined based on context and is enforced individually. Each VM can have individual firewalls and individual security policies.
Figure 7: Micro-segmentation Enforcing Network Security Policy at the Individual VM Level
The use of micro-segmentation allows for the definition of network policies that will be applied to every resource in the data center.
- Servers can be secured so that only required sources are allowed to communicate and only over the necessary network ports.
With the VMware Tunnel integration, Tunnel can filter down the traffic coming from actual devices and identify the application the traffic originates from as well as the domains being accessed and then route it to specific Security Groups, which are synced with NSX Manager.
Encryption of the Transport Protocol
In a Zero Trust model, the goal is to encrypt all data transmitted between devices and data stored in the data center. This end-to-end certificate-based encryption is used to avoid any data theft during transit. When every packet is encrypted, even within the same data center, you do not need to take into consideration which packets traverse the Internet, and which do not.
Table 11: VMware Products for Encryption of Transport Protocol
- Unified Access Gateway
Tunnel Service uses a main TLS channel to encapsulate traffic destined for internal resources. As a best practice, also enable TLS for the tunneled connection between the application and the internal web service.
Tunnel Service supports TCP and UDP traffic, and the Workspace ONE Tunnel app seamlessly sends the UDP traffic over DTLS and TCP over TLS. After the TLS channel is established, the Workspace ONE Tunnel app establishes a secondary DTLS channel if the UDP port is open on the firewall. Otherwise, UDP traffic is sent over the TCP channel.
TLS 1.2 is the cryptographic protocol recommended to protect data being transferred between endpoints by verifying connection security and performing “handshake” authentication between a client and the appliance. For cryptographic algorithms, the use of the following cipher suites significantly increases security over TLS communication:
When performing scanning tests against Unified Access Gateway Tunnel communication over TLS (TCP 443) using the combination of TLS 1.2 and the above ciphers, Unified Access Gateway achieves a score of A+ and compliance with the following:
- PCI DSS requirements:
- Finance Industry (Payment Card Industry Data Security Standard)
- PCI DSS 3.2.1 - Requirements 2.3 and 4.1
- HIPAA guidance:
- Healthcare Industry (Health Insurance Portability and Accountability Act of 1996)
- HIPAA of 1996, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
- NIST guidelines:
- Federal Agencies (National Institute of Standards and Technology)
- Reference: NIST Special Publication 800-52 Revision 2 - Section 3.
Figure 8: Unified Access Gateway 2701.1 Scan Rating Report Compiled by ImmuniWeb
A session is a temporary connection between two devices or between a user and a computer during which information is communicated and exchanged. To avoid having a session hijacked, several security measures can be used:
- You must have an effective authentication system and only allow sessions from authenticated users and compliant devices.
- Communication must be encrypted so that even after the user is authenticated, no one will be able to steal the session ID used to pass subsequent communications back and forth.
- An expiration period must be defined, limiting the amount of time malicious actors have to make their hijack attempts.
Table 12: VMware Products for Session Protection
- Unified Access Gateway
- NSX-T Data Center (Intrusion Detection and Prevention)
Session Expiration with Unified Access Gateway
Tunnel Service only establishes connections for correctly configured Tunnel clients that can present the correct unique X.509 certificate during TLS mutual authentication. A session for an application is kept alive by default for 300ms but can be configured to lower values.
Intrusion Detection and Prevention
NSX Data Center allows for the insertion of advanced third-party security services that are permitted to inspect the network traffic of a virtual machine. The services typically provide advanced security features such as an intrusion detection system (IDS) or an intrusion prevention system (IPS).
Advanced service insertion allows the third-party solution to examine the traffic for behavior that breaches policy and take appropriate action if necessary.
In the best of worlds, applications would be designed from the ground up with Zero Trust in mind. This is a very rare occurrence today. We must do the best with what we have. We can enhance the security posture of an application using the transport and session trust enhancements discussed in the previous chapter and add to that a change in the way we authenticate into the applications.
In this use case, where we are focusing on traditional web-based applications, we must address the most common authentication method used, on-premises Microsoft Active Directory (AD) login. The traditional AD login system does not translate to a Zero Trust design very well. It is hard for users to perform an AD login when they are not connected to a traditional internal LAN.
We need a passwordless authentication method and federation that is designed for the Internet and the cloud. The most common federation protocols used include SAML and OpenID Connect, together with OAuth2.
For this use case, we enhance the flow of user authentication by enabling modern SAML federation for internal Web applications where supported, or by leveraging Identity Bridging for legacy Web applications that use Kerberos, combining SAML with Kerberos Constrained Delegation (KCD). This allows greater flexibility in the authentication methods that can be used. With federation, the user gains seamless access to the Web application no matter which authentication method we have chosen.
The rest of the sections in this chapter provide more detail about the various elements of application trust:
Single sign-on (SSO) means that a user authenticates to a system once and then can access many related but separate systems without having to re-authenticate for the duration of the session. SSO has many benefits, including improving the user experience, reducing helpdesk requests, and improving compliance through using a centralized database.
One means of providing SSO is by using SAML (Security Assertion Markup Language), an XML-based standard. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions. It has been around for a long time and many enterprise applications support it, with a slow change to OpenID Connect as the more modern JSON Web Token (JWT) based form of authentication built on top of the OAuth authorization standard.
Table 13: VMware Products for Single Sign-On
- Workspace ONE Access
- Unified Access Gateway
For a long time, the default method to access internal web applications was using AD credentials leveraging Kerberos authentication. But with the rise of SaaS applications new methods needed to be developed. As mentioned, SAML is the standard with the largest support amongst enterprise applications and allows us to centrally provide the authentication of a user to a Web Service across network boundaries. For that, we establish trust between Web Service (SP or Service Provider) and the IdP (Identity Provider) by exchanging metadata information on where a user should do the authentication, receive a signed assertion for it, and where to deliver that assertion to.
The IdP in this case is Workspace ONE Access, which allows the user to sign in once and get access to all web applications we exchanged metadata with. It can also be configured with specific policies, requiring secure authentication methods like certificates or MFA for defined user groups and applications, providing granular access control.
For some applications, it might not be possible to incorporate libraries to enable SAML authentication, and they use either Header-based or Kerberos forms of authentication. In this case, an additional Unified Access Gateway can be used to front the service, requiring secure SAML authentication with conditional access. The connection is bridged to the Web service itself by using the required Header authentication or a Kerberos ticket obtained through Kerberos Constrained Delegation. This provides seamless single sign-on, using modern federation protocols, without the need to recode the legacy web applications.
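The trust the SP places in a signed assertion from the IdP rests on the checks it performs before accepting the subject. The following is an added illustration of those SP-side checks, not VMware or Workspace ONE Access code; the XML-DSig verification is delegated to a caller-supplied function (a real SP uses an XML signature library with the IdP signing certificate from the exchanged metadata), the entity IDs are placeholders, and the sample assertion is constructed.

```python
"""SP-side validation of a SAML 2.0 assertion: signature, issuer, validity
window, audience and replay. Added illustration, not VMware code. Parse
untrusted XML with defusedxml in production to resist entity expansion."""
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion with placeholder values (not from any real tenant).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://hr-app.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in xs:dateTime form with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, trusted_issuer: str, audience: str,
                 verify_signature: Callable[[str], bool],
                 clock_skew: timedelta = timedelta(seconds=60)):
        self.trusted_issuer = trusted_issuer   # IdP entityID from the exchanged metadata
        self.audience = audience               # this SP's own entityID
        self.verify_signature = verify_signature
        self.clock_skew = clock_skew
        self.seen_ids = set()                  # replay cache (persist with expiry in production)

    def validate(self, xml_text: str, now: datetime) -> Tuple[Optional[str], List[str]]:
        """Return (subject NameID, []) on success or (None, [reasons]) on failure."""
        errors: List[str] = []
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return None, ["document is not a SAML 2.0 Assertion"]

        # Signature first: nothing else in the document can be trusted without it.
        if not self.verify_signature(xml_text):
            errors.append("signature verification failed")

        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer != self.trusted_issuer:
            errors.append(f"untrusted issuer {issuer!r}")

        cond = root.find("saml:Conditions", NS)
        if cond is None:
            errors.append("missing Conditions element")
        else:
            not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if not_before and now + self.clock_skew < parse_saml_time(not_before):
                errors.append("assertion not yet valid")
            if not_on_or_after and now - self.clock_skew >= parse_saml_time(not_on_or_after):
                errors.append("assertion expired")
            audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
            if self.audience not in audiences:
                errors.append("audience restriction does not name this SP")

        assertion_id = root.get("ID")
        if not assertion_id:
            errors.append("assertion has no ID")
        elif assertion_id in self.seen_ids:
            errors.append("assertion ID already consumed (replay)")

        if errors:
            return None, errors
        self.seen_ids.add(assertion_id)   # only record IDs of assertions we accepted
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS), []


if __name__ == "__main__":
    validator = AssertionValidator("https://idp.example.test/saml/idp",
                                   "https://hr-app.example.test/sp",
                                   verify_signature=lambda xml: True)  # stand-in verifier
    print(validator.validate(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T12:01:00Z")))
```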
Figure 9: Identity Bridging
Application Access from Any Device
Enabling employees to securely and seamlessly access any application, including traditional and on-premises web-based applications, from any device is key to creating a digital workspace and enforcing Zero Trust. With the flexibility of work tools and freedom of access from anywhere at any time, digitally empowered employees become more engaged and productive. They can collaborate with team members more easily and make faster decisions.
Table 14: VMware Products for Application Access from Any Device
- Unified App Catalog
- Workspace ONE Access
Using the Unified App Catalog within the Intelligent Hub allows IT to configure a workspace for users, predefining all the required tools, be it native applications, VDIs, or, in our case, web applications, in an easily searchable and accessible catalog on their managed or registered device. Because users do not need to search for tools and sources or build their own bookmark collection, it is also assured that they connect to the correct resources and do not fall for phishing or MITM attacks targeting the resources IT provides them with.
For IT, it also provides a chance to decouple the service for users from specific addresses and endpoints, allowing them to migrate or move service offerings in the background without interruption or the need to educate users. A business app can be moved from On-Premises to SaaS or be provided as a published app through VDI without causing interruption for the user.
VMware Workspace ONE Intelligent Hub is available for Windows, macOS, and Linux desktops and laptops; iOS and Android phones and tablets; and as a Web Portal, allowing users to access applications from any device.
Figure 10: Unified App Catalog on Any Device
At the end of the day, it is the data that is of utmost importance—the whole reason we need strong security. We must protect against data breaches and leaks, and make sure it is the correct, unmodified data that our users are interacting with. Although data classification and integrity is, for the most part, handled by the application itself, we should enhance the trust level wherever we can when building a Zero Trust Architecture.
We need to apply policies that make it as difficult as possible for users to perform prohibited actions. For example, to prevent users from accidentally leaking sensitive data, we might set a policy that removes their ability to copy and paste text and graphics from managed applications into unmanaged apps on their device.
Protection of Data at Rest
Data at Rest (DaR), as compared with Data in Transit (DiT), is data that is stored on a stable medium such as a hard drive, laptop, flash drive, or some other storage medium. Previously, using antivirus software and firewalls was thought to do an adequate job of protecting data at rest. With the Zero Trust model, however, software-defined perimeters are increasingly being used to create a protective casing around data access.
Security teams must of course continue to implement security practices that keep unauthorized users out of the data center and away from the data stored there. But because data must now also be protected from lateral attacks inside the corporate network, data must be segmented and isolated from other data using micro-segmentation. Network segments can then serve as micro-trust boundaries.
Other elements of protection include using strong encryption for sensitive files or even the entire storage drive. IT must also take into consideration whether to allow end users to attach a flash drive or other removable device and get data in an unencrypted form.
Table 15: VMware Products for Protection of Data at Rest
- Workspace ONE UEM
- VMware Dynamic Environment Manager (DEM)
- Productivity Apps & SDK (Software Development Kit)
With internal web applications, we need to use several methods to ensure secure data at rest on devices. On most device platforms we can configure full device encryption and set a required password or passcode settings to control access to the device itself.
Especially on mobile devices, applications are sandboxed by default and it is possible to configure Data Loss Prevention (DLP) settings through MDM management APIs to only allow copy and paste between managed applications. To provide even more DLP controls on mobile we offer a set of productivity apps and an SDK (Software Development Kit) to separately encrypt the data in the app sandbox and granularly control copy/paste and screenshots inside the app.
On desktops, similarly, we leverage available device management APIs to enforce DLP rules. On Windows, we set up Enterprise Data Protection, which encrypts data from internal sources and allows copy and paste only to defined applications. Alternatively, we use tools like Dynamic Environment Manager (DEM) on Windows or Carbon Black App Control on macOS and Windows to restrict what actions are allowed on an endpoint and how data can be moved to attached devices.
Visibility and Analytics
To implement a solution that follows the Zero Trust tenet, “never trust, always verify, enforce least privilege,” you need a system that gives you visibility by logging all traffic. This information can then be used to learn and monitor network patterns. The resulting analytics help you make effective dynamic policy and trust decisions.
Figure 11: By Establishing Trust Across the Five Pillars, You Gain Visibility and Analytics
The sections that follow describe, for each product, the features that give you visibility and help you analyze behavior.
Unified Access Gateway
Unified Access Gateway provides a collection of logs that cover all the services available on the appliance. The logs are available through the administration console or REST API.
Unified Access Gateway also offers Syslog integration for log retention and centralized analyses. Administrators can configure one Syslog server to collect administration events and a second one to monitor the overall activity of the Unified Access Gateway appliance, including information from each edge service. All these types of logs can be integrated and replicated to a Syslog server for auditing purposes.
Monitoring information regarding current active sessions is provided in real-time through the Unified Access Gateway Administration Console. This console shows the number of active sessions per edge service. A REST API is also available and can provide additional information from each edge service as well as the overall appliance.
Unified Access Gateway also integrates with Workspace ONE Intelligence and provides the traffic and session information to enable further analysis and feedback to administrators by building dashboards, reports, and automations.
Workspace ONE Access
Within Workspace ONE Access, administrators can quickly get an overview of the number of logins, application adoption, and more using the user engagement dashboard.
Figure 12: Workspace ONE Access Engagement Dashboard
From within the same console, you can search and view audit and event logs. These help with troubleshooting and validating the overall health of your implementation.
You can add an external Syslog server to collect logs in a central location and analyze events that occur on the Workspace ONE Access Connector, which is the on-premises component.
Workspace ONE UEM
The Console Monitor in Workspace ONE UEM is your central portal for access to critical information. Its bar charts and donut graphs help you quickly identify important issues and act.
The Monitor > Overview page from the Workspace ONE UEM console provides summary graphs and detailed views for the following:
- Devices – Number of devices, broken down by status, platform, and enrollment history.
- Compliance – List of devices that violate compliance policies, with policy details, and list of top violated policies and application groups; for example, deny listed apps, and required apps.
- Profiles – Latest profile version, list of profiles that are out of date, and devices that have old versions of each profile.
- Apps – Latest application version, list of most installed apps, and list of devices that have old versions of each app.
- Content – Latest content version and list of devices with content that is out of date.
- Email – List of devices blocked from email, including devices blocked by default, deny listed, or unenrolled from Workspace ONE UEM.
- Certificates – List of expired certificates and certificates expiring soon, along with the expiration periods.
After you create device profiles, compliance policies, managed applications, and other managed content, you can leverage dedicated dashboards and configuration screens to manage these settings one at a time and remotely from a single source.
Figure 13: Device Profiles List in the Workspace ONE UEM Console
This screenshot shows the Devices > Profiles & Resources > Profiles page from the Workspace ONE UEM console. Similar pages exist for Application, Content, Email, and Telecom Management with features like filters, layout, and column sorting.
Workspace ONE UEM records administrative and device actions in terms of console events and device events:
- Console events show actions taken from the Workspace ONE UEM console, including login sessions, failed login attempts, admin actions, system settings changes, and user preferences.
- Device events show the commands sent from the Workspace ONE UEM console to devices, device responses, and device user actions.
For more information, see Use Console Events and Use Device Events in the Workspace ONE UEM documentation.
Workspace ONE Intelligence
Workspace ONE Intelligence provides a rich set of capabilities across devices and users. Administrators receive real-time analytics and visibility through reports and dashboards on device posture, user engagement, application deployment and utilization, and threats.
Trust Network integration in Workspace ONE Intelligence brings together threat data from different security solutions such as Mobile Threat Defense (MTD), end-point protection and remediation (EDP/EDR) and Cloud Access Security Broker (CASB) in a single console. Trust Network insights allow IT and information security (InfoSec) teams to observe in real time what is happening in the environment so that they can make the best remediation decisions.
Figure 14: Security Risk Dashboard in the Workspace ONE Intelligence Console
Within the Workspace ONE Intelligence console, administrators can easily customize dashboards to:
- Identify anomalous behavior related to the authentication process through Workspace ONE Access.
- Analyze application utilization.
- Perform real-time troubleshooting without requiring access to server logs, and so on.
Figure 15: Workspace ONE Catalog Adoption and Anomalous Behavior Dashboard
Workspace ONE Intelligence collects daily OS update data from managed Windows devices and correlates that data to CVEs, allowing administrators to easily identify all vulnerable devices and prioritize patch management based on the CVSS score.
Note: Syslog integration is also available for Workspace ONE Intelligence.
Workspace ONE Mobile Threat Defense
VMware’s mobile device security offering, Workspace ONE Mobile Threat Defense (MTD), powered by Lookout, uniquely integrates with the key services of the Workspace ONE suite, Unified Endpoint Management (UEM) and Intelligence, and, most importantly, is embedded within the Intelligent Hub agent to form a robust endpoint protection suite on managed devices. This lightweight mobile app activates security via Hub and provides mobile security in an easy-to-deploy and easy-to-manage way, while offering integrated management of the device and the ability to act on alerts and threats on the device without user interaction.
One of the highlights of VMware’s MTD solution over others in the industry is within the embedded threat Software Development Kit (SDK) from Lookout; end users do not have to install and activate a separate security app. The Hub option can detect device, application, and rogue network threats immediately upon activation and does not require end-user interaction. This eases organization-wide mobile security compliance by activating applications, devices, and network-based threat detection within the Workspace ONE Intelligent Hub with no separate apps or agents to deploy or activate.
Figure 16: Unified Experience for the end-user with the integration of Lookout SDK into Intelligent Hub
On the MTD Management console, administrators can define security policies and their respective risk level, in addition to the type of alert the end-user should receive when a threat is detected. All the threats are reported back and available on the management console for evaluation by the security team.
Figure 17: List of Active Threats on Workspace ONE Mobile Threat Defense Management Console
The vulnerability page on MTD Management Console presents known vulnerabilities and shows which security updates (for Android) or OS versions (for iOS) are active in your fleet of devices.
Figure 18: Vulnerability page on Workspace ONE Mobile Threat Defense Management Console
The integration of Workspace ONE UEM and MTD allows UEM administrators to have visibility on the current state of the device from the UEM console and automate remediation actions, such as removing access to corporate resources through managed resources on the device.
Figure 19: Device Risk information from MTD into the Workspace ONE UEM Management Console
For more information, see the Workspace ONE Mobile Threat Defense Documentation and Workspace ONE Mobile Threat Defense Architecture and Integrations.
VMware Carbon Black
The VMware Carbon Black Cloud™ is a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using an easy-to-use console and single lightweight agent available for Windows, Mac, and Linux.
VMware Carbon Black Cloud thwarts attacks by making it easier to:
- Analyze billions of system events to understand what is normal in your environment
- Prevent attackers from abusing legitimate tools
- Automate your investigation workflow to respond efficiently
In today’s environment, merely blocking known malware is obsolete. Cybercriminals continually learn how to obscure their actions amid the ever-growing activity within your organization. Polymorphic ransomware and file-less attacks are growing in prevalence, so legacy approaches to prevention leave you vulnerable. VMware Carbon Black Cloud spans the system hardening and threat prevention workflow to accelerate responses and defend against a variety of threats.
VMware Carbon Black brings key capabilities to enhance security, such as:
- Next-generation antivirus and behavioral EDR that analyze attacker behavior patterns over time to detect and stop never-seen-before attacks, whether they are malware, fileless or living-off-the-land attacks.
- Managed alert monitoring and triage, which provides 24-hour visibility from the VMware security operations center of expert analysts, who provide validation, context into the root cause, and automated monthly executive reporting.
- Real-time device assessment and remediation that easily audits the current system state to track and harden the security posture of all your protected devices.
- Threat hunting and containment that proactively hunts for abnormal activity using threat intelligence and customizable detections.
Figure 20: Administrators can see which attacks were stopped, attack vectors, and a summary of overall endpoint health from the Carbon Black Management Console
Figure 21: Investigating threat details on VMware Carbon Black Management Console
The integration between Workspace ONE Intelligence and VMware Carbon Black allows the administrators to obtain threat insights and extend threat remediation with Custom Connector and the Workspace ONE Intelligence Automation engine.
Figure 22: Security Insights from Trust Network including Carbon Black for a unified view of all threats on the environment through Workspace ONE Intelligence
Automation and Orchestration
With visibility and analytics, as described in the previous chapter, we can build automation and orchestration. Workspace ONE platform services allow us to collect contextual information from across the entire environment. This contextual awareness feeds intelligence, allowing us to make just-in-time decisions, and use automation for threat remediation.
The sections that follow describe the automation features for Workspace ONE UEM, VMware Workspace ONE Mobile Threat Defense (MTD), and Workspace ONE Intelligence.
Workspace ONE UEM
The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide by your company’s policies. These policies can include basic security settings such as requiring a passcode and having a minimum device lock period.
For certain platforms, you can also enforce certain precautions. For example, you can set password strength, deny list certain apps, and configure device check-in intervals to ensure that devices are safe and in regular contact with Workspace ONE UEM.
Further, we can automatically react to changes in the configuration or state of the device, for example, if MTD recognizes a threat on the device it will tag the device as risky inside UEM which leads to a temporary removal of access to corporate resources including the tunnel connection to internal Web applications.
How the Compliance Engine Works
If devices are found to be out of compliance, the compliance engine warns users to address compliance errors to prevent disciplinary action on the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.
In addition, a device that is not in compliance cannot have device profiles assigned to it and cannot have apps installed. If corrections are not made in the amount of time specified, the device loses access to certain content and functions that the admin defines. The available compliance policies and actions vary by platform.
You can automate escalations when corrections are not made, for example, by locking down the device and notifying the user to contact IT to unlock the device. These escalation steps, disciplinary actions, grace periods, and messages are all customizable with the Workspace ONE UEM console.
REST APIs for Integration with External Programs
Workspace ONE UEM provides a collection of RESTful APIs that allow external programs to use the core product functionality by integrating the APIs with existing IT infrastructures and third-party applications. Leveraging the simplified REST style of software architecture, Workspace ONE UEM REST APIs currently support a multitude of functionalities, including organization group, console administration, mobile application, mobile device, email, user enrollment, profile, smart group, and user group management.
Workspace ONE UEM offers event notifications so that you can configure settings to capture specific device-related events in real time. It uses Webhooks, which are HTTP callbacks to send event-specific information to the configured URL in JSON or XML format. This eliminates the need to constantly poll the API server for a specific event or attribute.
You can leverage REST APIs and event notifications to build a customized automation flow. For example, by subscribing to event notifications for Device Compliance Status Change, you can invoke automatic corrective actions on non-compliant devices.
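As an added illustration (not code from this guide or from VMware), the following Python receiver shows the automation flow just described: a webhook endpoint that accepts a Workspace ONE UEM event notification for Device Compliance Status Change, verifies the HTTP Basic credentials configured on the notification before trusting the body, and maps the event to a remediation decision. The payload field names (EventType, ComplianceStatus, Udid, DeviceId, EnrollmentUserName), the credential values and the sample event are assumptions constructed for the example; confirm the field names against your tenant's event notification settings.

```python
"""Receiver for Workspace ONE UEM compliance event notifications.

Added example, not VMware code. Payload field names are assumed to follow
the UEM event notification format; the credentials and sample event below
are constructed for the example.
"""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials: configure the same username/password on the UEM
# event notification so the receiver can reject callbacks from anyone else.
EXPECTED_USER = "uem-webhook"
EXPECTED_PASSWORD = "replace-with-a-long-random-secret"


def authorized(auth_header):
    """Check the HTTP Basic credentials on the callback in constant time."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    presented = f"{user}:{password}".encode()
    expected = f"{EXPECTED_USER}:{EXPECTED_PASSWORD}".encode()
    return hmac.compare_digest(presented, expected)


def decide(event):
    """Map a compliance event to the corrective action an automation would take.

    Returns a dict with 'action' (quarantine, restore or ignore) and the device
    identifiers an operator needs in order to follow up.
    """
    if event.get("EventType") != "Compliance Status Change":  # assumed event name
        return {"action": "ignore", "reason": "not a compliance event"}
    device = {
        "udid": event.get("Udid"),
        "device_id": event.get("DeviceId"),
        "user": event.get("EnrollmentUserName"),
    }
    status = str(event.get("ComplianceStatus", "")).replace(" ", "").lower()
    if status == "noncompliant":
        # Corrective actions: tag the device, notify the user, open a ticket.
        return {"action": "quarantine", "device": device,
                "steps": ["tag device NonCompliant", "notify user", "open ticket"]}
    if status == "compliant":
        return {"action": "restore", "device": device,
                "steps": ["remove NonCompliant tag", "close ticket"]}
    return {"action": "ignore", "reason": f"unrecognised status {status!r}"}


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP endpoint that UEM posts to; terminate TLS in front of it."""

    def do_POST(self):
        if not authorized(self.headers.get("Authorization")):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            event = json.loads(self.rfile.read(length))
        except json.JSONDecodeError:
            self.send_response(400)
            self.end_headers()
            return
        outcome = decide(event)
        print(json.dumps(outcome))  # replace with your ticketing/automation call
        self.send_response(200)
        self.end_headers()


# Constructed sample event in the assumed format.
SAMPLE_EVENT = {
    "EventType": "Compliance Status Change",
    "EventTime": "2024-01-01T00:00:00Z",
    "DeviceId": 12345,
    "Udid": "DEVICE-UDID-PLACEHOLDER",
    "EnrollmentUserName": "jdoe",
    "ComplianceStatus": "NonCompliant",
}


def sample_auth_header():
    """Authorization header value a correctly configured notification sends."""
    token = base64.b64encode(f"{EXPECTED_USER}:{EXPECTED_PASSWORD}".encode()).decode()
    return "Basic " + token


if __name__ == "__main__":
    print(decide(SAMPLE_EVENT))
    # HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The decision function is kept separate from the HTTP handler so the remediation mapping can be unit-tested and reused by a poll-based integration; the handler's only job is to authenticate the caller and parse the body.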
Remove Access to Corporate Resources from High-Risk Mobile Devices
The integration of Workspace ONE UEM with MTD synchronizes the device risk level from MTD into UEM. That synchronization enables UEM to automatically remove managed resources (profiles, apps, and so on) from mobile devices. For example, when a high-risk threat is identified, MTD tags the device in UEM as High Risk. Administrators can create an exclusion smart group that contains only high-risk tagged devices and associate it with corporate resources such as apps (for example, Workspace ONE Tunnel and Boxer) and profiles (for example, the Tunnel and email profiles). As soon as the threats are resolved, devices are tagged as secure and those resources are pushed back to the device by Workspace ONE UEM.
Workspace ONE Intelligence
Workspace ONE Intelligence leverages the Workspace ONE UEM compliance engine, which allows for continuous monitoring of all ingested data. This data includes information from all managed devices, applications, device sensors, OS updates, identity authentication requests, and threats.
Workspace ONE Intelligence adds an automated process capability across the environment by defining rules and actions based on a wide range of parameters. This allows administrators to create contextual workflows that will take automated remediation actions based on ongoing or recent security threats. Compliance requirements are similarly met through automated access control.
For example, administrators can create an automation based on high-severity threat events that identify suspicious behavior across devices and users. Impacted devices can be automatically placed in quarantine in the Workspace ONE UEM system. Workspace ONE Intelligence can notify IT and InfoSec through Slack and create a ServiceNow incident ticket to initiate an investigation on the impacted devices.
Figure 23: Example of an Automation to Detect and Respond to Real-Time Threats
Administrators can also leverage automation to identify all managed Windows devices that are missing patches for critical Common Vulnerabilities and Exposures (CVEs), based on the Common Vulnerability Scoring System (CVSS) score, and automate the installation of the correlated patches (for example, Microsoft KBs).
Zero Trust Solution for Accessing On-Premises Web Applications
The following diagram shows how the various Workspace ONE and VMware security components interact to build an end-to-end solution that incorporates the following Zero Trust elements:
- Verification of device compliance
- Conditional, least-privilege access (LPA)
- Certificate-based and multi-factor authentication (MFA)
- Single sign-on (SSO)
- Micro-segmentation of networks
- Automated real-time threat detection and remediation
- Session protection
- Protection of Data-at-Rest
Figure 24: Logical Flow
The numbers in this diagram correspond to the following actions:
- The device enrolls in the management system by using Workspace ONE Intelligent Hub. After the device is enrolled, Workspace ONE UEM sends management profiles, device certificates, user certificates and applications to the device, including the Workspace ONE Tunnel app and profile with the configuration to access the Tunnel Service on the backend. The device periodically reports its device posture so that Workspace ONE UEM can validate the device against the configured compliance rules.
- Workspace ONE UEM sends device information to Workspace ONE Intelligence. Intelligence can now use this device data to detect threats and instruct Workspace ONE UEM to carry out remediation and response actions.
- Trust Network agents (Carbon Black Sensor and MTD integrated into Intelligent Hub) are deployed to protect endpoint devices and remediate threats. When a threat is identified, the agent sends and stores the related threat information in the Trust Network Cloud repository.
- Workspace ONE Intelligence queries the Trust Network repository every 30 seconds for any newly reported threats on the device. Workspace ONE Intelligence then stores threat information on the Intelligence Cloud Service for unified visibility and automation. In this step, automation actions are triggered if the incoming threat data matches the condition defined for an automation.
- When the user tries to access anything protected by our Zero Trust solution, the Workspace ONE Tunnel app (Tunnel Client) on the device evaluates the traffic against the Device Traffic Rules policy on the device to decide whether it goes out through the device's Internet connection or through the tunnel.
- Workspace ONE Tunnel will establish a single TCP connection (encrypted with TLS 1.2) to the Tunnel Service on Unified Access Gateway to secure the requests that match the Device Traffic Rules, even for unencrypted HTTP requests.
- Tunnel Service receives the request, authenticates the device, and performs a compliance check. The request contains the device UUID sent by the Tunnel Client, which Tunnel Service uses to query Workspace ONE UEM through the REST API. If the device is compliant, the traffic goes through; otherwise it is blocked at the Unified Access Gateway level.
- When the user hits the web application that must be federated with Workspace ONE Access, the user must first authenticate and pass through the conditional access mechanism of Workspace ONE Access. When Workspace ONE Access authenticates the user, the process is seamless because we use certificate-based authentication. For legacy web applications that can’t be federated, Identity Bridge (SAML to Kerberos) can be used as an alternative to secure access and leverage conditional access.
Note: If required, additional authentication methods can be used to achieve multi-factor authentication by using Push MFA, Time-based One-Time Password (TOTP), or Fast IDentity Online (FIDO2) authenticators. Also, it is important to configure the session's time to live to fit your Zero Trust user validation policies.
- During certificate-based user authentication, Workspace ONE Access also collects the device’s Universally Unique IDentifier (UUID) from the certificate. With this information, Workspace ONE Access can request the status of the device from Workspace ONE UEM.
For the user to be allowed access, Workspace ONE UEM must report the device as being compliant according to your organization’s policy settings.
- After the user is authenticated, Workspace ONE Access makes a REST API request to Workspace ONE Intelligence to obtain the user's risk level. Based on that information, access can be granted, denied, or made conditional on an additional authentication factor.
- After the user successfully passes the conditional access rules and launches the application, Workspace ONE Access feeds these audit events to Workspace ONE Intelligence.
- Workspace ONE Access generates a signed and optionally encrypted SAML assertion as an authentication response. This identifies the user to the web applications in a trusted way. The authentication response is sent to the web applications through Tunnel Service on Unified Access Gateway.
- NSX-T Data Center applies a micro-segmentation firewall policy based on security groups attached to the web applications. This enforces the principle of least-privilege access at the transport level.
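As an added example (not the guide's or VMware's code), the following Python model walks one request through the access decisions in steps 5, 7, 9 and 10 above: Device Traffic Rule matching on the Tunnel client, the compliance gate at the Tunnel Service, the match between the UUID in the user certificate and the device record in Workspace ONE Access, and the user-risk outcome. The rule format, the in-memory device records, the risk levels and the sample inputs are simplified assumptions for illustration; the real products evaluate these through their own policies and APIs.

```python
"""Model of the Zero Trust access-decision chain in Figure 24.

Added example, not VMware code. The rule format, device records, risk levels
and sample inputs are simplified assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class TrafficRule:
    """One Device Traffic Rule: which app, which destinations, what to do."""
    app: str              # application identifier, or "*" for any app
    destinations: tuple   # hostnames (wildcards allowed) or IP networks (CIDR)
    action: str           # "tunnel", "bypass" or "block"

    def matches(self, app, host):
        if self.app not in ("*", app):
            return False
        for dest in self.destinations:
            if "/" in dest:
                # CIDR destination: matches only when the target is an IP address
                try:
                    if ipaddress.ip_address(host) in ipaddress.ip_network(dest, strict=False):
                        return True
                except ValueError:
                    continue
            elif fnmatch(host.lower(), dest.lower()):
                return True
        return False


def route(rules, app, host, default="bypass"):
    """Step 5: the first matching rule (rank order) decides tunnel, bypass or block."""
    for rule in rules:
        if rule.matches(app, host):
            return rule.action
    return default


def gateway_check(udid, uem_records):
    """Step 7: Tunnel Service looks the device up by UDID and requires Compliant."""
    record = uem_records.get(udid)
    if record is None:
        return False, "unknown device"
    if record["compliance"] != "Compliant":
        return False, f"device is {record['compliance']}"
    return True, "compliant"


def access_decision(cert_udid, cert_user, uem_records, user_risk):
    """Steps 9 and 10: the UUID in the user certificate must map to a compliant
    device enrolled to the same user; the user's risk level then decides."""
    record = uem_records.get(cert_udid)
    if record is None or record["user"] != cert_user:
        return "deny"  # certificate does not belong to an enrolled device of this user
    if record["compliance"] != "Compliant":
        return "deny"
    outcomes = {"low": "allow", "medium": "step-up", "high": "deny"}
    return outcomes.get(user_risk, "deny")  # unknown risk level fails closed


def request_flow(rules, uem_records, app, host, udid, user, user_risk):
    """Chain the decisions for one request and return (outcome, reason)."""
    action = route(rules, app, host)
    if action != "tunnel":
        return action, "handled on the device by the traffic rules"
    ok, reason = gateway_check(udid, uem_records)
    if not ok:
        return "blocked-at-gateway", reason
    return access_decision(udid, user, uem_records, user_risk), "evaluated by Workspace ONE Access"


# Constructed sample policy (rank order) and device records.
RULES = (
    TrafficRule("com.example.banned", ("*",), "block"),
    TrafficRule("*", ("*.corp.example.com", "10.0.0.0/8"), "tunnel"),
)
UEM_RECORDS = {
    "UDID-COMPLIANT": {"user": "jdoe", "compliance": "Compliant"},
    "UDID-NONCOMPLIANT": {"user": "asmith", "compliance": "NonCompliant"},
}

if __name__ == "__main__":
    print(request_flow(RULES, UEM_RECORDS, "com.example.browser",
                       "intranet.corp.example.com", "UDID-COMPLIANT", "jdoe", "low"))
```

Two properties of the chain are worth noting: a non-compliant device is stopped at the gateway before any application or identity logic runs, and every lookup that fails (unknown device, user mismatch, unrecognised risk level) falls through to deny rather than to allow.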
The VMware Workspace ONE Reference Architecture guide provides a framework and guidance for architecting solutions with Workspace ONE. Design guidance is given for the products used in this Zero Trust use case, with each product having a chapter.
- Workspace ONE UEM Architecture
- Workspace ONE Mobile Threat Defense
- Workspace ONE Access Architecture
- Workspace ONE Intelligence Architecture
- Unified Access Gateway Architecture
Our primary driver for utilizing NSX-T Data Center is to enable the principle of least-privilege access at the transport level by using identity-based firewalls. For details on how to configure the integration of NSX and VMware Tunnel, see the Integrating VMware Tunnel with NSX topic in the Workspace ONE UEM documentation.
Several integration and configuration points need to be considered to make the separate products deliver the desired Zero Trust architecture and to provide a complete platform. The integration points are covered in the Platform Integration chapter of the VMware Workspace ONE Reference Architecture guide.
The following diagram, along with the remainder of this chapter, covers the necessary points of integration that need to be set up.
Figure 25: Integration and Configuration Points
The circled numbers in the preceding diagram correspond to the rest of the sections in this chapter:
- Workspace ONE Intelligence and Workspace ONE UEM
- Workspace ONE Intelligence and Workspace ONE Access
- Workspace ONE Intelligence and Unified Access Gateway
- Workspace ONE Intelligence and Trust Network
- Workspace ONE UEM and Workspace ONE Mobile Threat Defense
- Workspace ONE UEM and Workspace ONE Access
- Unified Access Gateway and Workspace ONE UEM
Workspace ONE Intelligence and Workspace ONE UEM
Core integration of Workspace ONE Intelligence involves enabling endpoint analytics. This feature provides capabilities that are crucial for device trust. Endpoint analytics use automated workflows involving the devices and can offer insights on all managed devices by generating reports and dashboards.
The reference architecture guide provides details on Workspace ONE UEM and Workspace ONE Intelligence Integration, which includes using the Workspace ONE Intelligence Connector service. This service collects data related to devices, apps, sensors, and OS updates from your Workspace ONE UEM database and pushes this data to the cloud-based Intelligence service.
Note: For this use case, we used cloud-based Workspace ONE UEM, which is enabled by default.
To allow Workspace ONE UEM to access Workspace ONE Intelligence you must opt into the Workspace ONE Intelligence Cloud Service. See Access Workspace ONE Intelligence, in the VMware Workspace ONE Intelligence Products documentation.
Another important integration point is the Automation Connector, which enables the platform to take actions based on automation conditions. Enabling integration with Workspace ONE UEM is key to automating remediation actions on managed devices. For instructions, see the video VMware Workspace ONE Intelligence: Automation Connectors - Feature Walk-through.
Workspace ONE Intelligence and Workspace ONE Access
Integration between Workspace ONE Intelligence and Workspace ONE Access enables identity analytics capabilities in Workspace ONE Intelligence. Identity analytics provide insights on current and historic user login and application launch events generated by Workspace ONE. Workspace ONE Intelligence Risk Analytics uses this information to generate the Login User Risk score, which is used during the authentication process to determine whether a user can access applications with the given authentication method, must perform step-up authentication, or is blocked.
The reference architecture guide provides details in the chapter Workspace ONE Access and Workspace ONE Intelligence Integration. For an in-depth understanding of Risk Analytics, watch the Workspace ONE Intelligence: Understanding Risk Analytics - Deep Dive on Tech Zone.
Workspace ONE Intelligence and Unified Access Gateway
The integration of Workspace ONE Intelligence and Unified Access Gateway allows Intelligence to collect analytics data related to the usage of Tunnel Service. These analytics allow the administrator to identify all traffic coming from devices through the Workspace ONE Tunnel app, including application identifier, domains, device information, IP address and the respective users, as well as the amount of traffic flowing in and out through Unified Access Gateway.
These documents provide guidance on how to set up that integration and configure the Endpoint Compliance provider.
- Configure Workspace ONE Intelligence Connection Settings
- Configure Workspace ONE Intelligence Data Setting
Workspace ONE Intelligence and Trust Network
To enable threat analytics, configure Workspace ONE Intelligence to obtain all threat data reported by each Trust Network solution configured in the environment. With this information, administrators can get insights through dashboards and can create automations based on threat events.
Figure 26: Workspace ONE Intelligence Architecture
The following Workspace ONE Intelligence documentation provides details on registering Trust Network and partner products with Workspace ONE Intelligence:
Workspace ONE UEM and Workspace ONE Mobile Threat Defense
The integration of Workspace ONE UEM with Workspace ONE Mobile Threat Defense enables advanced security protection for iOS, Android, and Chrome devices, allowing Intelligent Hub (iOS and Android) and Lookout for Work (Chrome) to secure the device against device, application, network, and content threats.
Figure 27: Workspace ONE Mobile Threat Defense Architecture
When integrated, mobile administrators and security teams have visibility of the threats being reported and the current device status. The integration also enables auto-remediation, which removes access to managed corporate resources when threats are detected on the device.
The following videos provide instructions for setting up the integration and show what you can achieve with it to protect your devices.
- Workspace ONE Mobile Threat Defense Architecture and Integrations
- Workspace ONE Mobile Threat Defense Technical Overview
Workspace ONE UEM and Workspace ONE Access
Integrating Workspace ONE UEM and Workspace ONE Access enables the enforcement of device trust during the user authentication and authorization process for application access. Workspace ONE UEM provides mobile management services for devices. Workspace ONE Access provides services for single sign-on and identity management for users.
When the components are integrated, Workspace ONE Access can obtain device compliance status directly from Workspace ONE UEM. Integration also enables users to authenticate on their enrolled devices and then SSO to the unified application catalog for a seamless user experience and secure access to their apps.
The reference architecture guide provides detail on Workspace ONE UEM and Workspace ONE Access Integration. The following documents provide instructions for setting up certificate-based authentication in Workspace ONE Access. Be sure to enable a certificate-revocation check to keep certificate authentication up-to-date and secure.
- For certificate-based authentication, see Configuring Certificate Authentication for Use with Workspace ONE Access.
- For mobile SSO for iOS, see Configure Mobile SSO for iOS Authentication in Workspace ONE Access.
- For mobile SSO for Android, see Configure Mobile SSO for Android Authentication in the Built-in Identity Provider.
Workspace ONE SSO offers mobile SSO for iOS and Android devices. The implementation of mobile SSO is based on the features provided by the underlying OS.
- Mobile SSO for iOS – Uses a key distribution center (KDC) without the use of a connector or a third-party system. Kerberos authentication provides users who have successfully signed into their domain with access to their Workspace ONE app catalog without additional credential prompts. For more information, see Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM-Managed iOS Devices.
- Mobile SSO for Android – Uses certificate authentication and the Workspace ONE Tunnel mobile app. The Workspace ONE Tunnel client is configured to access the VMware Workspace ONE Access service for authentication. The tunnel client uses the client certificate to establish a mutually authenticated SSL session, and the Workspace ONE Access service retrieves the client certificate for authentication. For more information, see Implementing Mobile Single Sign-On Authentication for Managed Android Devices.
Unified Access Gateway and Workspace ONE UEM
Integrating Unified Access Gateway and Workspace ONE UEM enables Tunnel Service to provide Per-App VPN and Full VPN connections to the internal web applications; the connections are secured, controlled, and validated with a single platform.
- To ensure the complete isolation of different types of network traffic, be sure to deploy Unified Access Gateway using either a two-NIC or three-NIC configuration.
- A two-NIC deployment separates Internet traffic onto its own NIC, while the management and backend network data share a NIC.
The first NIC is used for Internet-facing unauthenticated access. Traffic going to the internal network through the inner firewall must be authorized by Unified Access Gateway. The backend authenticated traffic and management traffic are separated onto a different network.
- A three-NIC deployment separates the Internet traffic onto its own NIC and separates management and backend network data onto separate dedicated networks.
For deployment instructions, see the operational tutorial Deploying Unified Access Gateway with Two NICs Through PowerShell, and see Configuring the VMware Tunnel Edge Service, in Unified Access Gateway Activity Path.
Because the Zero Trust model should not distinguish between internal and external network perimeters, it is important to specify the proper security protocols and cipher suites that will be used to encrypt communication between Workspace ONE Tunnel clients and the Tunnel Service on the Unified Access Gateway appliance. For instructions, see Configure Per-App Tunnel, in the VMware Workspace ONE UEM documentation.
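As an added example (not the guide's or VMware's code), the following Python snippet audits an OpenSSL cipher-suite string of the kind you would configure for the Tunnel Service and builds a server-side TLS context that refuses anything older than TLS 1.2, which is the version the flow above relies on. It expands the string through the local OpenSSL build via the standard ssl module, so the resulting suite list reflects that build; the policy string itself is an assumption constructed for the example, not a VMware recommendation.

```python
"""Audit a cipher-suite string before applying it to the Tunnel Service.

Added example, not VMware code. The policy string is a constructed example;
results reflect the OpenSSL build behind Python's ssl module.
"""
import ssl

# Constructed policy: ephemeral ECDHE key exchange with AEAD ciphers only.
TUNNEL_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context: TLS 1.2 minimum, restricted suites, optional cert chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TUNNEL_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string and list suites that fail the policy.

    Returns a list of (suite name, problem). Flags TLS 1.2 suites with a static
    (non-ephemeral) key exchange, which lack forward secrecy, and non-AEAD
    suites. TLS 1.3 suites are always ephemeral and AEAD, so they pass.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    findings = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        kea = str(suite.get("kea", "")).lower()  # e.g. "kx-ecdhe", "kx-rsa"
        if "dhe" not in kea:
            findings.append((suite["name"], "no forward secrecy: static key exchange"))
        if not suite.get("aead"):
            findings.append((suite["name"], "not an AEAD suite"))
    return findings


def policy_is_clean(cipher_string):
    """True when every TLS 1.2 suite the string enables passes the audit."""
    return not audit_cipher_string(cipher_string)


if __name__ == "__main__":
    weak_and_strong = "ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA"
    for name, problem in audit_cipher_string(weak_and_strong):
        print(f"{name}: {problem}")
```

Run the audit against the exact string you intend to paste into the Tunnel configuration; a string that looks restrictive can still expand to suites with RSA key exchange, which the audit reports so you can exclude them before deployment.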
For details on how the primary and secondary channels of a Workspace ONE Tunnel session traverse Unified Access Gateway, see the guide Understand and Troubleshoot Tunnel Connections.
Figure 28: Device to Tunnel Service communication - Primary Channel (TLS) and Secondary Channel (DTLS)
After you implement and integrate all the products as described in this guide, you will have created the enforcement points shown in the following figure. With these enforcement points, you can control access to your applications.
Figure 29: Device and User Trust Enforcement
As is shown in this diagram, you can insert access decisions anywhere along the flow from the device and user to the application. Each step was described in more detail in earlier sections of this document.
With this implementation, we achieve a Zero Trust security model that protects traditional web applications. Although this implementation makes a very good start on the journey to digital transformation, keep in mind that Zero Trust is a process rather than a product. As VMware and its partner companies develop new functionality, be sure to revisit the solution and consider the latest enhancements.
To learn more about the Zero Trust model, follow the Zero Trust Activity Path, which contains a curated list of assets to help you master the VMware Zero Trust architecture. This activity path and more resources are available on Digital Workspace Tech Zone. You can also explore the following resources:
- Activity Path: Understanding Zero Trust
- Digital Workspace Security Tech Zone Focus Page
- Video: VMware Zero Trust: Technical Overview
- Product page: Zero Trust Security for the Digital Workspace
- Guide: Zero Trust Secure Access to Traditional Applications with VMware
Authors and Reviewers
The following authors and reviewers collaborated to create this guide:
- Peter Bjork is a Principal Architect focusing on Zero Trust in the EUC Office of the CTO, VMware.
- Andreano Lanusse is a Staff EUC Architect in End-User-Computing Technical Marketing, VMware.
- Sascha Warno is a Staff EUC Architect in End-User-Computing Technical Marketing, VMware.
- Caroline Arakelian is a Senior Technical Marketing Manager in End-User-Computing Technical Marketing, VMware.
- Gina Daly is a Technical Marketing Manager in End-User-Computing Technical Marketing, VMware.
- Keith Luck is a Principal Engineer in the EUC Subject Matter Expert team, VMware.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at email@example.com.