Defining Granular Access Policies for the Environment (Activity 5.1.1 Part 1) 

In a Zero Trust architecture, access controls must be applied within the network, governing traffic flow based on verified identity and device trust, not just network location. This is the focus of the first activity in the Network and Environment pillar: Zero Trust Activity 5.1.1: Define Granular Control Access Rules & Policies Pt1.

This activity marks the point where the enterprise, in collaboration with its Components, undertakes the task of creating granular network access rules and policies that align with Zero Trust principles. This isn’t about simple firewall rules based on IP addresses; it’s about defining who (a user or NPE on a specific device) can communicate with what application or service, and how.

Associated Concept of Operations (CONOPS) documents are developed alongside these policies to ensure future supportability and operational understanding. Once these enterprise-level policies are agreed upon, Components are tasked with implementing them in existing network technologies, such as Next Generation Firewalls (NGFWs) and Intrusion Prevention Systems (IPSs). The goal is to immediately improve initial risk levels by applying more granular controls and to ensure future interoperability by establishing standardized policy definitions. 

This activity also introduces the concept of identifying Communities of Interest (COIs), which are groups of users, applications, and data with shared access requirements. Defining access policies around these COIs helps in creating logical segments and simplifying policy management. 

The outcomes of Activity 5.1.1 Part 1 highlight the successful establishment of enterprise-wide network access policy standards and initial implementation:


  1. Enterprise provides standardized policy for deployment. 
  2. Identify Communities of Interest. 
  3. Components implement access policies according to Enterprise standards and CONOPS. 

The ultimate end state for this activity, and a key goal of granular network control, is to provide access control over multiple identities, applications, devices, and traffic levels, reducing the risk of unauthorized access and increasing visibility for monitoring and threat response. This signifies a move towards a network where traffic is controlled with precision based on context. 

Solutions for Achieving Define Granular Control Access Rules & Policies Part 1 

Implementing granular network access policies requires a combination of policy definition frameworks, leveraging identity and device context, and configuring existing network enforcement points: 

  1. Enterprise Policy Definition Frameworks: 
    • Establish a centralized framework or system for defining and managing enterprise-wide Zero Trust network access policies. This framework should allow for the creation of granular rules based on attributes of the communicating entities. 
    • Develop the associated CONOPS documents that describe how these policies will be implemented and operated. 

  2. Leveraging Identity and Device Attributes: 
    • The granularity of the network access rules relies heavily on the attributes of the communicating entities. Integrate your policy definition and enforcement points with: 
      • Enterprise IdP/IdAM solutions: To pull user and NPE identities and their associated attributes (roles, groups, etc.). 
      • Device Management and Posture Assessment tools: To pull device attributes (managed status, compliance posture, device type, etc.). 

  3. Implementing Policies in Existing Network Technologies: 
    • This involves configuring network security devices and platforms to enforce the defined granular policies. While the activity specifically mentions existing NGFWs and IPSs, a Zero Trust approach often utilizes: 
      • Modern NGFWs/IPSs: Configure these devices to apply policies based on available identity and application awareness, going beyond simple IP/port rules where possible. 
      • Zero Trust Network Access (ZTNA) Solutions/Cloud Security Platforms: These platforms act as intelligent gateways, enforcing granular access policies based on identity and device posture before granting access to specific applications, effectively controlling network traffic flow at a more abstract level than traditional firewalls. 
      • Other Network Enforcement Points: Configure switches, wireless controllers, and other network infrastructure components to enforce policies based on device authentication and compliance status (as established in Activity 2.2.1). 

  4. Identifying Communities of Interest (COIs): 
    • Analyze data flows and business requirements to identify Communities of Interest within the enterprise. Define the members (users, devices, applications) of each COI and their specific communication needs. This informs the creation of targeted access policies. 

Key Items to Consider: 

  • Complexity of Granular Policy Definition: Defining and managing thousands or millions of granular access rules for a large enterprise is a significant undertaking. Standardization and automation are crucial. 
  • Translation to Network Technology Configurations: Translating abstract Zero Trust policies into specific configurations for diverse network devices (NGFWs, switches, etc.) from various vendors can be complex and error-prone. 
  • Consistent Policy Enforcement: Ensuring that granular policies are enforced consistently across all relevant network segments and enforcement points is vital for preventing security gaps. 
  • Visibility into Traffic Flows: To define and troubleshoot granular policies, you need deep visibility into network traffic flows and who is communicating with what. 
  • Role of COIs: Effectively defining and leveraging COIs can simplify policy management and facilitate the implementation of microsegmentation in later stages. 
  • Impact on Network Performance: Implementing granular inspection and control at the network layer can potentially impact network performance; careful planning and testing are required. 
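The solution steps above (an enterprise-standard policy model keyed on COIs, fed by identity and device attributes) and the "translation" and "visibility" considerations in this list are easier to reason about with a concrete, vendor-neutral model. The following Python is an added example written for this article; it is not code from the DoD Zero Trust roadmap, from any Component, or from any NGFW or ZTNA vendor. The COI names, roles, applications, rule names and flow records are all constructed sample data. It shows three things: a default-deny evaluator that decides a connection from subject attributes (IdP roles, managed status, posture, device type) rather than from addresses; a renderer that turns the abstract standard into identity-group-based enforcement entries that every Component would push to its own enforcement points in the same shape; and a replay of observed flows through the standard so policy violations become visible before or after enforcement is switched on.

```python
from collections import Counter
from dataclasses import dataclass

# Communities of Interest: constructed sample data (hypothetical names).
# Each COI lists the IdP roles that belong to it and the applications it owns.
COIS = {
    "finance": {"roles": {"finance-analyst", "finance-admin"}, "apps": {"ledger", "payroll"}},
    "engineering": {"roles": {"developer", "sre"}, "apps": {"git", "ci"}},
}


@dataclass(frozen=True)
class Subject:
    """Identity and device context joined from the IdP/IdAM and the posture source."""
    identity: str            # user or NPE identifier from the enterprise IdP
    roles: frozenset         # role/group attributes from IdAM
    device_managed: bool     # device is enrolled in enterprise device management
    device_compliant: bool   # most recent posture assessment passed
    device_type: str         # e.g. "laptop", "workstation", "server"


@dataclass(frozen=True)
class Rule:
    """One enterprise-standard rule: a COI may reach one of its own apps under conditions."""
    name: str
    coi: str
    app: str
    ports: tuple = (443,)
    require_compliant: bool = True
    allowed_device_types: frozenset = frozenset({"laptop", "workstation"})


# The enterprise-wide standard that Components implement on their enforcement points.
ENTERPRISE_POLICY = (
    Rule("fin-ledger", "finance", "ledger"),
    Rule("fin-payroll", "finance", "payroll", allowed_device_types=frozenset({"workstation"})),
    Rule("eng-git", "engineering", "git", ports=(443, 22)),
    Rule("eng-ci-npe", "engineering", "ci", allowed_device_types=frozenset({"server"})),
)


def evaluate(subject, app, port, policy=ENTERPRISE_POLICY, cois=COIS):
    """Default-deny decision for one connection attempt; returns (decision, reason)."""
    reasons = []
    for rule in policy:
        if rule.app != app or port not in rule.ports:
            continue
        coi = cois[rule.coi]
        if app not in coi["apps"] or not (subject.roles & coi["roles"]):
            continue                                   # subject is not a member of this COI
        if not subject.device_managed:
            reasons.append(f"{rule.name}: device not managed"); continue
        if rule.require_compliant and not subject.device_compliant:
            reasons.append(f"{rule.name}: device posture non-compliant"); continue
        if subject.device_type not in rule.allowed_device_types:
            reasons.append(f"{rule.name}: device type {subject.device_type} not permitted"); continue
        return "allow", rule.name
    return "deny", "; ".join(reasons) or "no matching rule (default deny)"


def to_enforcement_rules(policy=ENTERPRISE_POLICY, cois=COIS):
    """Render the abstract standard as vendor-neutral, identity-aware enforcement entries.

    The source is an identity group, not an address range, and the posture conditions travel
    with the rule, so each Component's NGFW or ZTNA gateway enforces the same thing.
    """
    out = []
    for rule in policy:
        out.append({
            "name": rule.name,
            "src_identity_groups": sorted(cois[rule.coi]["roles"]),
            "dst_app": rule.app,
            "ports": list(rule.ports),
            "conditions": {"managed": True, "compliant": rule.require_compliant,
                           "device_types": sorted(rule.allowed_device_types)},
            "action": "allow",
        })
    out.append({"name": "default-deny", "src_identity_groups": ["any"], "dst_app": "any",
                "ports": ["any"], "conditions": {}, "action": "deny"})
    return out


# Constructed flow records with identity context already joined (as a SIEM enrichment would).
SAMPLE_FLOWS = [
    {"subject": Subject("alice", frozenset({"finance-analyst"}), True, True, "laptop"), "app": "ledger", "port": 443},
    {"subject": Subject("alice", frozenset({"finance-analyst"}), True, True, "laptop"), "app": "payroll", "port": 443},
    {"subject": Subject("bob", frozenset({"developer"}), True, False, "laptop"), "app": "git", "port": 22},
    {"subject": Subject("svc-build", frozenset({"sre"}), True, True, "server"), "app": "ci", "port": 443},
    {"subject": Subject("bob", frozenset({"developer"}), True, True, "laptop"), "app": "ledger", "port": 443},
]


def audit_flows(flows=SAMPLE_FLOWS):
    """Replay observed flows through the standard; returns decision counts and the denied list."""
    counts, denied = Counter(), []
    for f in flows:
        decision, reason = evaluate(f["subject"], f["app"], f["port"])
        counts[decision] += 1
        if decision == "deny":
            denied.append((f["subject"].identity, f["app"], reason))
    return counts, denied


if __name__ == "__main__":
    counts, denied = audit_flows()
    print(dict(counts))
    for entry in denied:
        print("DENY", *entry)
```

Running the replay over the constructed flows denies three of five: a laptop reaching payroll where the standard allows only workstations, a developer on a device that failed posture, and a developer outside the finance COI touching the ledger. The same denial reasons are what an enforcement point would log, which is the traffic-flow visibility the Key Items list calls for when tuning rules, and the rendered entries carry the COI's role list rather than IP ranges, so a change to the standard is re-rendered for every Component instead of being re-typed per device.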

Relevant Technologies and Tools: 

Successfully implementing Activity 5.1.1 relies on capabilities for policy definition, attribute sourcing, and network-level enforcement: 

  • Policy Management and Orchestration Platforms: Tools that centralize the definition and management of Zero Trust policies and can push configurations to various enforcement points. 
  • Next Generation Firewalls (NGFWs) / Intrusion Prevention Systems (IPSs): Network security devices that can enforce access control policies based on criteria beyond traditional IP and port, including user and application identity (if integrated with identity sources). 
  • Enterprise Identity Provider (IdP) / Identity and Access Management (IdAM) Solutions: Serve as authoritative sources for user and NPE identities and attributes, providing context for policy decisions. 
  • Device Management and Posture Assessment Tools: Provide attributes about connecting devices (managed status, compliance, type) that inform network access policies. 
  • Network Segmentation Technologies: While not the primary focus of policy definition in this activity, the underlying network infrastructure must support the logical or physical segmentation required to apply granular policies effectively. 
  • Visibility and Analytics Tools (SIEM, Network Monitoring): Provide insights into network traffic, user activity, and policy violations, crucial for defining policies and monitoring their effectiveness. 

The Technical Buyer’s Network Control Mandate: 

Activity 5.1.1 is the entry point into applying granular, identity-aware access controls directly within the network environment. It’s about moving beyond legacy network perimeter models and defining precisely who and what can communicate within your infrastructure based on Zero Trust principles.  

For technical buyers, success in this activity means contributing to the definition of clear, enterprise-wide granular access policies and then leveraging your existing network technologies (like NGFWs) and integrating them with your identity and device management sources to enforce these policies. This activity reduces the risk of unauthorized lateral movement and establishes a network environment where traffic flow is governed by verified identity and context, a core element of a mature Zero Trust architecture. 

Pillar: Network and Environment 

Capability: 5.1 Data Flow Mapping 

Activity: 5.1.1 Define Granular Control Access Rules & Policies Part 1 

Phase: Target Level 

Predecessor(s): None 

Successor(s): 5.2.1 Define SDN APIs; 5.1.2 Define Granular Control Access Rules & Policies Pt2

Technology Partners