BIG-IP Zero Trust Access (formerly Access Policy Manager (APM)): Gateway to Zero Trust Architecture

F5 BIG-IP Zero Trust Access, formerly Access Policy Manager, enables zero trust application access through its support of identity-aware proxy (IAP).

Securing virtual private networks

With remote working now the norm, organizations must provide secure, authorized access to applications and resources, regardless of where the application or user is located. Many organizations have relied on virtual private networks (VPNs) to secure remote user access to applications and resources. But while VPNs enable secure user access, they can also be unwieldy.

If a user accesses an application on your network via VPN, then accesses a public cloud or Software-as-a-Service (SaaS) application, the data and code for the native cloud or SaaS app passes through your network, then to the user. This can create a bottleneck within the VPN. And that can increase latency, negatively affecting user experience and productivity. Plus, VPNs can be hacked. There have been many cases where a VPN has fallen victim to an insidious man-in-the-middle (MitM) attack, particularly if the user is accessing resources and applications in a remote location over public Wi-Fi. It can even happen to home workers, as their home router can be infected, enabling MitM attacks and data theft. VPN access also uses the now outdated “castle and moat” approach to security: If the user has the correct credentials, they are able to access any application and resource to which they are authorized within your network. While convenient, this sort of access can be problematic for your organization. Even a trusted, known user can unknowingly and inadvertently become an insider threat.

Attackers can initiate credential stuffing attacks on your organization’s VPN login to gain access to your network, applications, and data. They can steal data, drop additional malware on your network, and take over a user’s account and launch attacks. They can even move horizontally within your network to infect other users or pilfer more data. They can move upstream or downstream within your network and attack your supply chain. It can be damaging for your organization, users, and even your partners and suppliers.

The benefits of a zero trust architecture

Many organizations are adopting a Zero Trust architecture. Zero Trust encourages approaching security as if attackers have already infiltrated the network and are lurking, waiting for the opportunity to launch an attack. A Zero Trust approach to security eliminates the idea of a trusted insider within a defined network perimeter. It assumes that there is a limited, or even no, secure network perimeter, unlike the “castle and moat” security approach that has been employed for decades. And with applications having migrated to public clouds or replaced by SaaS applications, and now with AI Agents and Non-Human Identities (NHIs), a Zero Trust approach is more relevant, applicable, and urgent than ever.

The Zero Trust axiom is, “Never trust, always verify.” Never trust users, even if they’ve already been authenticated, authorized, and granted access to applications and resources. Always verify and scrutinize user identity, device type and integrity, location, the applications and resources to which access is being requested, and more. And verify not just at the time a user requests access, but throughout the entire time they have access to an application or resource, and upon every subsequent access request and attempt. A Zero Trust approach means applying least privilege rights to user access; that is, allowing users access only to the applications and resources to which they are authorized, and restricting their access to a single application or resource at a time.

The core tenets of a Zero Trust architecture are identity and context. Always ensure that a user is who they claim to be by leveraging a trusted, verifiable source of identity. And ensure that only the right user securely accesses the right app, at the right time, with the right device, with the right configuration, from the right place.

Identity-Aware Proxy: A gateway to zero trust

Identity- and context-awareness are also what Identity Aware Proxy (IAP) enables and delivers. Identity Aware Proxy provides secure access to specific applications using a fine-grained approach to user authentication and authorization. IAP grants access per request, which is very different from the broad, session-based access that VPNs apply. The difference is between limiting a user to the specific application or resource they are requesting and are authorized to access, versus letting them reach every application or resource they are authorized to access once a session is established. Centralizing authorization enables application-level access controls to be created.

Context is vital within IAP. It enables the creation and enforcement of granular application access policies based on contextual attributes, such as user identity, device integrity, and user location, to name only a few. IAP relies on application-level access controls, not network-layer imposed rules. Configured policies reflect user and application intent and context, not ports and IP addresses. Finally, IAP requires a strong root of trusted identity to verify users and their devices, and to stringently enforce what they are authorized to access.

Identity Aware Proxy is foundational in F5 BIG-IP Zero Trust Access (formerly BIG-IP Access Policy Manager (APM)). BIG-IP Zero Trust Access leverages Identity Aware Proxy, enabling Zero Trust model validation for every application access request. Providing authenticated and authorized secure access to specific applications, it leverages F5’s best-in-class access proxy. BIG-IP Zero Trust Access centralizes user identity and authorization. Authorization is based on the principle of least-privilege access. With its IAP approach, BIG-IP Zero Trust Access can examine, terminate, and authorize application access requests. The context-awareness required for a Zero Trust environment compels the development and enforcement of extremely granular authorization policies. BIG-IP Zero Trust Access, through its support of IAP, delivers just that. Policies within BIG-IP Zero Trust Access may be created to verify user identity, check device appropriateness and posture, and validate user authorization.

Figure 1: Identity and context validations are vital to granting the most secure remote access.


Identity- and context-aware policies may also be created that:

  • Confirm application integrity and sensitivity
  • Confirm time and date accessibility
  • Limit or halt access if the user’s location is deemed incorrect, inappropriate, or insecure
  • Request additional forms of authentication—including multi-factor authentication (MFA)—if the user’s location or the sensitive nature of the device or the application or files to which access is being requested warrant it, typically referred to as step-up authentication
  • Integrate data from other API-driven security and risk sources as part of application access policies for users

To ensure a device is appropriate and secure before the user can be authenticated and their application access authorized, BIG-IP Zero Trust Access can leverage device security posture checks from existing, leading vendor offerings of unified endpoint management (UEM), enterprise mobility management (EMM), mobile threat defense (MTD), extended detection and response (XDR), and more. This can go beyond simply checking device integrity at authentication. Instead, continuous, ongoing device posture checks can be enabled, ensuring that user devices not only meet but continuously adhere to endpoint security policies throughout the user’s application access. And if BIG-IP Zero Trust Access senses any change in the device integrity, it may either limit or stop the user’s application access, preventing or even eliminating potential attacks before they are launched.
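The policy checks described in the list above and the continuous device posture check described here can be seen working together in the following added example. It is constructed for this page and is not F5 code; it does not use BIG-IP Zero Trust Access policy syntax, and the application names, attribute set, and sample values are assumptions. Every request is evaluated from scratch (identity, device posture, location, time window, then step-up), so a device that drops out of compliance mid-session is refused on its very next request rather than riding on an earlier approval.

```python
"""Constructed example of per-request, context-aware access decisions, in
the spirit of an identity-aware proxy.  Added for illustration; it is not
F5 code and does not reflect BIG-IP Zero Trust Access policy syntax."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # checks passed so far, but MFA is required first
    DENY = "deny"


@dataclass(frozen=True)
class RequestContext:
    """Attributes evaluated on every request (an assumed set, not F5's)."""
    user: str
    groups: frozenset
    mfa_verified: bool
    device_compliant: bool   # posture verdict from a UEM/EMM/MTD/XDR source
    device_managed: bool
    country: str
    when: datetime


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy: who may reach the app and in what context."""
    allowed_groups: frozenset
    sensitivity: str                 # "low" or "high"; high triggers step-up
    allowed_countries: frozenset
    business_hours_only: bool = False
    require_managed_device: bool = False


# Constructed sample policies for two hypothetical applications.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), "high", frozenset({"US", "CA"}),
                         business_hours_only=True, require_managed_device=True),
    "wiki": AppPolicy(frozenset({"staff", "finance"}), "low",
                      frozenset({"US", "CA", "GB"})),
}


def make_context(**overrides) -> RequestContext:
    """Constructed baseline request for the sample user 'alice'."""
    base = dict(user="alice", groups=frozenset({"finance"}), mfa_verified=False,
                device_compliant=True, device_managed=True, country="US",
                when=datetime(2024, 5, 6, 14, 0, tzinfo=timezone.utc))
    base.update(overrides)
    return RequestContext(**base)


def evaluate(app: str, ctx: RequestContext) -> tuple:
    """Decide one request against one app.  Nothing is inherited from an
    earlier decision: identity, device, location and time are re-checked,
    which is what makes the model per-request rather than per-session."""
    policy = POLICIES.get(app)
    if policy is None:
        return Decision.DENY, "unknown application"
    if not (ctx.groups & policy.allowed_groups):
        return Decision.DENY, "user not authorized for this application"
    if not ctx.device_compliant:
        return Decision.DENY, "device failed posture check"
    if policy.require_managed_device and not ctx.device_managed:
        return Decision.DENY, "unmanaged device not permitted"
    if ctx.country not in policy.allowed_countries:
        return Decision.DENY, "access from %s not permitted" % ctx.country
    hour = ctx.when.astimezone(timezone.utc).hour
    if policy.business_hours_only and not 8 <= hour < 18:
        return Decision.DENY, "outside permitted access window"
    if policy.sensitivity == "high" and not ctx.mfa_verified:
        return Decision.STEP_UP, "MFA required for sensitive application"
    return Decision.ALLOW, "all checks passed"


def simulate_session() -> list:
    """Walk one user through several requests.  The last two show continuous
    posture: the same user loses access the moment the device verdict changes."""
    steps = [
        ("wiki", make_context()),                                     # ALLOW
        ("payroll", make_context()),                                  # STEP_UP
        ("payroll", make_context(mfa_verified=True)),                 # ALLOW
        ("payroll", make_context(mfa_verified=True,
                                 device_compliant=False)),            # DENY
        ("wiki", make_context(device_compliant=False)),               # DENY
    ]
    return [(app, evaluate(app, ctx)[0]) for app, ctx in steps]


if __name__ == "__main__":
    for app, decision in simulate_session():
        print("%-8s -> %s" % (app, decision.value))
```

The order of checks matters: authorization and posture are settled before the step-up prompt, so a non-compliant device is never offered MFA as a way around the posture failure, and a denial reason is returned alongside the decision so it can be logged for the access-policy audit trail.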

Identity Aware Proxy also simplifies application access for remote workers and better enables and secures application accessibility. Since VPN access allows users to access any application or resource to which they’re authorized, it does not adhere to a Zero Trust model. However, BIG-IP Zero Trust Access empowers organizations to limit application access requests from users to a specific application directly and to use encryption to protect their access.

An identity bridge for zero trust

A true Zero Trust security approach, though, requires that access to all applications to which a user may be authorized be secured, including applications that are not native to the public cloud or offered as Software-as-a-Service (SaaS). This must include even classic or custom applications that may not or cannot work with cloud-based identity, such as Identity-as-a-Service (IDaaS), and that may support only classic authentication methods, such as Kerberos, header-based, and others. They are unable to support modern authentication and authorization protocols like Security Assertion Markup Language (SAML), or OpenID Connect (OIDC) and OAuth. They can’t support identity federation, single sign-on (SSO), or even MFA.

BIG-IP Zero Trust Access solves this issue. BIG-IP Zero Trust Access, working closely with leading IDaaS providers, bridges the identity gap between modern and classic authentication. BIG-IP Zero Trust Access ensures that classic and custom applications support identity federation and SSO. This not only enhances user experience, simplifying application access by centralizing access control, but also ensures a secure, trusted source of identity is in place. By enabling MFA for all applications, BIG-IP Zero Trust Access protects all applications against inappropriate access and adds another layer of security to ensure appropriate application access. BIG-IP Zero Trust Access is a single, centralized control point for managing and securing user access to applications, wherever they may be hosted.
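The identity bridge described in the two paragraphs above can be illustrated with the following added example, which is not F5 code and does not show how BIG-IP Zero Trust Access is configured. A proxy validates a signed token from the identity provider (a simplified HMAC-signed token stands in for a real SAML assertion or OIDC ID token) and translates it into the header-based identity a legacy application understands. The token format, the shared key, the audience value, and the `X-Remote-User` / `X-Remote-Groups` header names are all assumptions for this example. The point a practitioner cares about is in `bridge_request`: because the legacy application trusts those headers blindly, the proxy must strip any copy the client supplied and set them only from verified claims.

```python
"""Constructed example of an identity bridge: validate a modern signed token,
then translate it into header-based SSO for a legacy app.  Added for
illustration; not F5 code.  Token format, key, audience and header names are
assumptions for this example."""
import base64
import hashlib
import hmac
import json
import time

# Shared secret with the hypothetical identity provider (constructed value).
IDP_KEY = b"example-shared-secret-do-not-reuse"
EXPECTED_AUDIENCE = "legacy-hr-app"

# Header names the hypothetical legacy app trusts for SSO.  Because the app
# trusts them blindly, the proxy must be the only source of these headers.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Stand-in for the IdP: HMAC-SHA256 over a base64url JSON payload."""
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url(sig)


def verify_token(token: str, now=None, key: bytes = IDP_KEY):
    """Return the claims if signature, audience and expiry all check out,
    otherwise None.  Signature is checked before the payload is parsed."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:          # malformed base64, JSON or token shape
        return None
    now = time.time() if now is None else now
    if claims.get("aud") != EXPECTED_AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def bridge_request(client_headers: dict, token: str, now=None):
    """Build the headers forwarded to the legacy app, or None to reject.

    1. Validate the modern token (the trusted source of identity).
    2. Drop any identity headers the client itself supplied, so a caller
       cannot impersonate someone by sending X-Remote-User directly.
    3. Drop the bearer token: the legacy app cannot validate it and should
       not be handed a credential it does not need.
    4. Inject identity derived only from the verified claims."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    dropped = {h.lower() for h in IDENTITY_HEADERS} | {"authorization"}
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in dropped}
    upstream["X-Remote-User"] = claims["sub"]
    upstream["X-Remote-Groups"] = ",".join(claims.get("groups", []))
    return upstream


if __name__ == "__main__":
    # Constructed sample: the IdP issues a token for alice; the client also
    # tries to smuggle an X-Remote-User header naming someone else.
    tok = issue_token({"sub": "alice", "groups": ["hr"],
                       "aud": EXPECTED_AUDIENCE, "exp": time.time() + 300})
    print(bridge_request({"Host": "hr.internal", "X-Remote-User": "admin",
                          "Authorization": "Bearer " + tok}, tok))
```

In a real deployment the legacy application must additionally be reachable only through the proxy (network-level restriction), since header-based SSO is only as strong as the guarantee that nothing else can reach the application and set those headers.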

Figure 2: BIG-IP Zero Trust Access is a single, centralized control point for securing and managing user access to applications, wherever they may be hosted.


Conclusion

F5 BIG-IP Zero Trust Access, through its support for Identity Aware Proxy, enables deployment of zero trust application access. BIG-IP Zero Trust Access delivers per-request application access, while securing and managing access to all applications, regardless of their location, and authentication and authorization methods. It offers the scalability and reliability synonymous with F5, and leverages F5’s industry-leading full-proxy architecture.

BIG-IP Zero Trust Access with Identity Aware Proxy reduces infrastructure costs, increases application security, and enhances your user and administrative experiences.

KEY BENEFITS
Zero Trust Application Access

Identity Aware Proxy (IAP) delivers zero trust model validation for application access based on identity-awareness and granular context, securing every app access request without the need for a VPN.

Simplify access to any application

Bridge secure access to on-premises and cloud apps with a single login via single sign-on (SSO), even for applications unable to support modern authentication such as Security Assertion Markup Language (SAML), or OAuth and OpenID Connect (OIDC).

Streamline secure authentication and authorization

Adaptive identity federation, SSO, and multi-factor authentication (MFA) that employs SAML, OAuth, and OIDC enables a seamless and secure user experience across all applications.


KEY FEATURES
Identity Aware Proxy (IAP) support

Delivers a zero trust operational model, enabling zero trust application access for all applications, limiting horizontal movement and protecting them from direct access by bad actors.

A universal authentication translator

Serves as a translator, enabling SSO even for applications using legacy authentication methods and unable to support modern authentication, like SAML or OAuth.

Seamless integration with existing solutions

Streamlines integration with existing tools, including on-premises and Identity-as-a-Service (IDaaS) offerings, and leading solutions for mobile device management (MDM) and enterprise mobility management (EMM), SSO, MFA, device checks, and more.
