Wednesday, May 3, 2023

VMware Horizon's Uncanny Alignment With NIST Zero Trust Guidance

The foundational components for Zero Trust architectures such as MFA, ICAM and endpoint security are solutions widely deployed today.  While most organizations already have these building blocks in place, achieving Zero Trust objectives with their aggregate capabilities requires a level of orchestration and synchronicity that is far less common.  In that regard, the integration and orchestration of a broad set of security components through a single platform, the Anywhere Workspace, is something VMware has been perfecting for over a decade now.  To modernize legacy Windows experiences, Horizon is combined with Access, UEM, and Intelligence to create a superb remote access solution uncannily aligned with NIST Zero Trust guidance.  Such a deployment meets the immediate need to optimize support for a hybrid workforce while establishing a beachhead for further Zero Trust adoption.

This post maps Anywhere Workspace Zero Trust capabilities to guidance provided by NIST and its subsequent work with the National Cybersecurity Center Of Excellence (NCCoE).  The intent is to elevate a discussion about Horizon and Zero Trust by referencing a source respected and followed across the public and private sector.  With federal agencies like CISA, DoD and the NSA paying deference to NIST guidance, along with its reference by Executive Order 14028, treating NIST as authoritative on the topic of Zero Trust is hardly controversial and can help ground a discussion.  Accordingly, this post provides a primer on NIST guidance with a focus on the notional Zero Trust architecture first introduced in (SP) 800-207, then practically demonstrated in Implementing A Zero Trust Architecture.  It then compares logical components of this conceptual model to a Horizon architecture leveraging the full breadth of Anywhere Workspace Zero Trust capabilities.  This should be of interest to anyone looking to enhance Windows desktops or applications with Zero Trust security, and, if nothing else, will enable Horizon admins to articulate advancements toward Zero Trust already achieved with their deployments.

A Primer On NIST Zero Trust Guidance 

Most descriptions of Zero Trust start by declaring a need to shift from perimeter-based network security to a model where hostile actors are always presumed present and within reach.  Accordingly, instead of protecting networks, the focus is on controlling access to the critical resources themselves through policy-based controls that continually evaluate users and their requests.  As the abstract for NIST (SP) 800-207 states, “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”  While this article focuses on guidelines put forth by NIST and NCCoE, I'd like to call out the folksier description of Zero Trust laid out by MobileJon.  For most organizations Zero Trust adoption entails a recognition that firewalls and the Kerberos-based security provided by Active Directory no longer cut the mustard given what we know about today's threats.

Mobile Jon's Guide To Zero Trust Security

To replace perimeter-based network security, (SP) 800-207 introduces a notional architecture detailing the logical components required to achieve Zero Trust objectives.  In the more recent NIST/NCCoE publication, Implementing A Zero Trust Architecture, example deployments illustrate how commercially available solutions are used to achieve these ZTA objectives.  This series of guides "demonstrate several example ZTA solutions—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture."  The core functionality driving these ZTA demonstrations is illustrated below:

Zero Trust Architecture, NIST SP 800-207
At the top of this model there's the brains of the entire operation, the Policy Decision Point (PDP), made up of a Policy Engine (PE) and Policy Administrator (PA).  The Policy Engine makes the determination of whether or not a subject is granted access to a given resource.  It works in tandem with a Policy Administrator responsible for executing its decisions.  To this end the PA helps establish the communication path between subject and resource, going on to "generate any session-specific authentication and authentication token or credential used by a client to access an enterprise resource."  Finally, there's the Policy Enforcement Point (PEP) working in conjunction with the Policy Administrator to allow or deny connections between the subject and resource.  While there are certainly more details, this is the high level model proposed by NIST for enabling Zero Trust security.

To make informed decisions about access requests the Policy Engine processes input from various sources, what are referred to as Policy Information Points (PIP).  Data from these sources is ingested into a trust algorithm that determines whether a specific request to a resource should be allowed.  Examples of PIPs include endpoint antivirus, endpoint management and security analytics solutions.  PIPs contribute to a more comprehensive, 360-degree, contextual model for continually assessing the trustworthiness of a subject.  We're not just talking about defense in depth, but rather the coordination and orchestration of various security solutions into a comprehensive model.

Implementing A Zero Trust Architecture (Fact Sheet)
While (SP) 800-207 establishes a high level framework for Zero Trust, Implementing A Zero Trust Architecture goes into the nitty gritty of how these PIPs are pieced together with PAs, PEs and PEPs to deliver Zero Trust objectives.  Currently there are 5 sample architectures total, 3 of which are referred to as crawl phase architectures: E1B1, E2B1 and E3B1.  These first 3 builds focus on enhanced identity governance (EIG), what's viewed as a "foundational component of ZTA."  Then there are 2 more run phase architectures, E1B2 and E3B2, that build upon the crawl phase.  Eventually the plan is to introduce additional advanced architectures with capabilities like micro-segmentation. "After completing the EIG crawl phase builds, we enhanced these implementations by adding specialized PE and PA components, device discovery, and cloud-based resources in the EIG run phase. In future phases, we plan to introduce capabilities such as software-defined perimeter and micro-segmentation."  Here's a graphical representation of crawl phase architecture E1B1, featuring Okta and Ivanti:

Implementing A Zero Trust Architecture, Volume B: Approach, Architecture and Security Characteristics

Again, while there are only 5 example architectures today, the publication is a work in progress and there are additional examples planned for the future.  If I had the option I'd bet large sums of money that VMware products will eventually find their way into future architectures.  More conspicuous than the absence of VMware products in the current publication are the listed contributions of VMware employees in 1800-35B.  One of these five is Peter Bjork, a very high profile evangelist of VMware's Zero Trust capabilities.  While something more exhaustive and definitive might come out in an update to the publication, as a blogger and long time fan of VMware EUC I'm going to take a swag at mapping Horizon and Workspace ONE components to the notional ZTA architecture put forth by NIST.

Mapping VMware EUC Components To A Notional ZTA 

To those familiar with VMware's EUC stack, the notional ZTA put forth by NIST can come across like a fun adaptation or clever spin on architectures put out by VMware for about a decade.  Personally, reading NIST documentation on ZTA felt like deja-vu (all over again).  With its identity capabilities, federation options and conditional access policies, Workspace ONE Access clearly fits the bill as a policy decision point (PDP), acting both as a policy engine (PE) and policy administrator (PA).  These identity based policies for controlling access to resources are further enhanced by solutions like WS1 UEM, WS1 Intelligence and Carbon Black.  While these provide relevant security capabilities in their own right, as sources of data providing context for access policies they're clearly acting as policy information points (PIP).  Finally, sitting between endpoint devices and virtual desktops on the data plane is Unified Access Gateway acting as a policy enforcement point (PEP).

For over a decade WS1 Access has offered admins a way to wrap modern authentication around Horizon.  Its policy engine is driven by conditional access policies that enforce an adaptable set of authentication requirements based on user context.  Some of these auth methods are built-in, some arise from a combination of Access and UEM, and others are available through third-party solutions via RADIUS or SAML based integrations.  While Access supports several federation standards, SAML 2.0 is definitely the star of the show, key to its policy administration for solutions like Horizon.  Once a subject has met the requirements of these conditional access policies they're issued a SAML assertion granting access to the Horizon environment.

The ability to drive adaptable authentication requirements through a policy engine has always been a major selling point for WS1 Access.  Its conditional access policies for each application are initially defined based on a user's AD membership, general device type, and the IP range a request comes from.  This contextual insight is extended to device posture through a simple integration with WS1 UEM that incorporates device compliance status into conditional access policies.  Historically referred to as "conditional access based on device compliance," this functionality is achieved through a combination of certificate auth and UEM's device compliance policies.  It's an option VMware has offered for about a decade now, functionality foundational to Zero Trust that's mandated by pretty much all sources on ZTA.  For example, in BeyondCorp: A New Approach to Enterprise Security, a similar approach to incorporating device context is called out, with unique certificates on managed devices used as a conduit to device information. "While the certificate uniquely identifies the device, it does not single-handedly grant access privileges. Instead, it is used as a key to a set of information regarding the device."

Access can also ingest data from Workspace ONE Intelligence regarding device and login risk, further extending the contextual insight of its policy engine.  Both scores represent the results of analytics run against data collected into the Intelligence data lake from Access or UEM.  Device Risk Score is driven by factors like OS patching, anomalous configuration and detected threats on a device.  Login Risk Score "uses machine learning models to analyze past user login patterns and determine if a login attempt is anomalous."  Collectively, these risk scores represent additional policy information points by which to further calibrate our conditional access policies.

Finally, there's my favorite bouncer Unified Access Gateway (UAG). Like any good bouncer it's lean on brains but intimidatingly hardened and experienced. Working in coordination with Access and Horizon Connection Server it guarantees all proxied Horizon display protocol traffic is on behalf of subjects vetted by conditional access policies.  In this capacity it acts as a policy enforcement point (PEP) for remote Horizon Connections.  Below is an illustration of how it facilitates SAML based authentication between Access and an internal Horizon environment prior to proxying display protocol traffic to a virtual desktop or RDS host. 

Setting Up Resources In VMware Workspace ONE Access

The specific model above has been alive and well for over 6 years now, having replaced a legacy Security Server based model that itself was about 5 years old.  Again, an example of Zero Trust functionality Horizon customers have had in place for about a decade. 
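To make the division of labor concrete, here is an added illustration in Python of the NIST roles discussed above: a Policy Engine running a trust algorithm over Policy Information Points (group membership, UEM compliance, Intelligence-style risk scores and source IP range, the same inputs the conditional access section lists), a Policy Administrator that turns an allow decision into a session-specific token, and a Policy Enforcement Point that checks that token before proxying, the job UAG performs for Horizon. This is not code from VMware, NIST or NCCoE; the sample users, devices, thresholds, group names and the HMAC token format are all constructed assumptions, and a real deployment issues a SAML assertion rather than this toy token.

```python
"""Toy Zero Trust decision flow: PE (trust algorithm over PIPs), PA (session token)
and PEP (token check before proxying).  Added illustration only, not VMware or NIST
code; every name, threshold and data value below is a constructed assumption."""
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass

# ---- Policy Information Points (constructed sample data) ----
DIRECTORY = {                     # identity PIP: group membership
    "alice": {"groups": ["horizon-users", "finance"]},
    "bob": {"groups": ["horizon-users"]},
}
UEM_COMPLIANCE = {                # device management PIP: enrollment and compliance
    "dev-001": {"enrolled": True, "compliant": True},
    "dev-002": {"enrolled": True, "compliant": False},
}
INTEL_RISK = {                    # analytics PIP: device and login risk, 0.0 (low) to 1.0 (high)
    ("alice", "dev-001"): {"device_risk": 0.1, "login_risk": 0.2},
    ("bob", "dev-002"): {"device_risk": 0.7, "login_risk": 0.1},
}
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed "inside" IP range
UNKNOWN_RISK = {"device_risk": 1.0, "login_risk": 1.0}  # no analytics data: assume the worst


@dataclass
class AccessRequest:
    subject: str
    device_id: str
    source_ip: str
    resource: str
    auth_methods: tuple = ()      # methods already satisfied, e.g. ("password", "mfa")


@dataclass
class Decision:
    allow: bool
    reason: str
    required_auth: tuple = ()     # what the policy demanded for this context


# ---- Policy Engine: the trust algorithm ----
def policy_engine(req: AccessRequest) -> Decision:
    """Evaluate one request against every PIP; any failed condition denies."""
    user = DIRECTORY.get(req.subject)
    if not user or "horizon-users" not in user["groups"]:
        return Decision(False, "subject not entitled to resource")
    device = UEM_COMPLIANCE.get(req.device_id)
    if not device or not device["enrolled"]:
        return Decision(False, "unmanaged device")
    if not device["compliant"]:
        return Decision(False, "device out of compliance")
    risk = INTEL_RISK.get((req.subject, req.device_id), UNKNOWN_RISK)
    if risk["device_risk"] >= 0.6:
        return Decision(False, "device risk score too high")
    # Context sets the authentication strength: password alone suffices only from a
    # corporate range with a low login risk score; otherwise step up to MFA.
    inside = any(ipaddress.ip_address(req.source_ip) in net for net in CORP_NETWORKS)
    required = ("password",) if inside and risk["login_risk"] < 0.5 else ("password", "mfa")
    missing = tuple(m for m in required if m not in req.auth_methods)
    if missing:
        return Decision(False, "step-up authentication required: " + ", ".join(missing), required)
    return Decision(True, "all policy conditions satisfied", required)


# ---- Policy Administrator: turns an allow decision into a session-specific token ----
PA_KEY = b"constructed-demo-key-not-for-real-use"  # would be a managed secret in practice
TOKEN_TTL = 300                                      # seconds the session token stays valid


def policy_administrator(req: AccessRequest, decision: Decision, now=None):
    """Return an HMAC-signed token bound to subject, resource and expiry, or None on deny."""
    if not decision.allow:
        return None
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": req.subject, "res": req.resource, "exp": now + TOKEN_TTL},
                      sort_keys=True)
    sig = hmac.new(PA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig           # the hex signature has no ".", so rsplit below is safe


# ---- Policy Enforcement Point: the gateway in front of the resource ----
def policy_enforcement_point(token, resource: str, now=None) -> bool:
    """Proxy only if the token is authentic, unexpired and issued for this resource."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
    except (AttributeError, ValueError):
        return False                  # missing or malformed token
    expected = hmac.new(PA_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False                  # tampered or forged token
    claims = json.loads(body)
    return claims["res"] == resource and claims["exp"] > now


if __name__ == "__main__":
    req = AccessRequest("alice", "dev-001", "203.0.113.5", "horizon-desktop", ("password",))
    print(policy_engine(req))         # denied: off-network, so MFA is required
    req.auth_methods = ("password", "mfa")
    decision = policy_engine(req)
    print(decision, policy_enforcement_point(policy_administrator(req, decision), "horizon-desktop"))
```

The point to notice is that the enforcement point never re-evaluates policy; it only verifies that a decision was made, for this subject and this resource, recently enough to still be valid. Everything contextual (group, compliance, risk, network) lives in the engine, which is why adding a new PIP means touching the engine and nothing else.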

By encapsulating the Windows experience into a portable and secure service, Horizon provides a catch-all solution for extending Zero Trust capabilities to legacy Windows apps.  Any Windows desktop experience or Windows app delivered through Horizon can be wrapped in modern auth that's driven by a contextual policy engine.  This is no small feat.  We're talking legacy applications that rarely support modern auth butting heads with the Zero Trust requirement for extended identity governance.  Horizon bridges this gap to meet a fundamental requirement for ZTA.  In addition, there are many features of the stand-alone Horizon solution, such as Instant Clones, that clearly advance the pursuit of Zero Trust.  Non-persistent Horizon models isolate an endpoint device from Windows workloads and introduce critical containment that reduces the blast radius of any potential compromise in terms of both space and time.  The inherent security awesomeness of Horizon itself and its contribution to Zero Trust outcomes is something I will detail in a future post.

A Clear Path Forward For Existing Horizon Customers

Existing Horizon customers can progress towards Zero Trust adoption by making incremental improvements to their remote access experience for Windows workloads.  This fulfills the immediate and practical need to support a hybrid workforce while developing capabilities for Zero Trust adoption across the board.  Customers who own Horizon Universal licensing already have the key ingredients for getting started on this journey: Horizon, UAG and WS1 Access.  These solutions meet core ZTA requirements and can later be augmented with UEM, Intelligence and Carbon Black.  This process of wrapping Zero Trust security around your Windows experience is easily adapted to secure SaaS solutions like Office, Salesforce, ServiceNow, Workday or Google Workspace.

With this framework in place you can increase SaaS adoption while expanding your Horizon deployment and shrinking the trusted network.  Further, the path forward includes incremental wins along the way that are tangible and hold value in and of themselves, allowing you to eat this elephant one bite at a time.  No one complains about having a unified catalog, and providing SSO only makes friends.  MFA is something we all know is necessary, and extending its reach while minimizing disruption amounts to rolling up your sleeves and taking care of business.  Right-sizing your security based on context is just good manners.  Mandating device enrollment for sensitive services is hardly controversial.  These steps represent small but very tangible wins as you progress along your Zero Trust journey.  Eventually, in a perfect world, you'd have a combination of Horizon, Access, UEM, Intelligence, Carbon Black and NSX protecting workloads from endpoints to the data center.

Some Excellent VMware Collateral On Zero Trust Adoption 

VMware provides some very impressive guidance on Zero Trust, particularly in Tech Zone.  With respect to NIST SP 800-207, EO 14028, and their impact on the federal space, there's a great article by Andrew Osborn called Incorporating VMware Zero-Trust For the Presidential Executive Order.  It offers a summary of cybersecurity mandates and models created to guide federal agencies in their adoption of Zero Trust.  These include CISA's Cloud Security Technical Reference Model and Zero Trust Maturity Model.  At the end of the article Andrew states, "VMware will be augmenting our solution alignment and future whitepapers to incorporate the new CISA foundational pillars."

Zero Trust Maturity Model 2.0

True to this promise is one of my favorite articles on Zero Trust and Horizon,  Zero Trust Secure Access to Traditional Applications with VMware.  It provides a very thorough and exhaustive account of how different capabilities across the Anywhere Workspace stack can contribute to a Zero Trust architecture for legacy windows applications.  It organizes these capabilities according to 5 pillars of trust.  They might look familiar to you.

Along the same vein there's an article on the use of VMware Tunnel for access to on-premises web applications called Zero Trust Secure Access to On-Premises Web Applications with VMware.  Similar to the Horizon focused article, it provides a detailed and exhaustive account of the Anywhere Workspace capabilities that enable Zero Trust security for on-premises web apps.  Finally, anything put out by Peter Bjork is likely to further your understanding of Zero Trust capabilities offered by VMware.  With extended identity governance at the core of Zero Trust, his expertise in WS1 Access is highly relevant.

To quote Chief Justice Earl Warren, “Everything I did in my life that was worthwhile, I caught hell for.”  Implementing Zero Trust isn't going to be fun, will involve a lot of work and invariably is going to frustrate some people.  It's an interdisciplinary undertaking transcending traditional IT silos filled with hyper-focused specialists who don't get paid to think or care about the big picture.  Success will require grit and confidence while striking a balance between the status quo and the need to transform security.  In a situation like this a mature platform integrating a broad set of capabilities really shines.  With the Anywhere Workspace we gain a guaranteed level of interoperability amongst the separate components needed to realize a Zero Trust architecture.  Instead of sweating details about interoperation, why not pass the work off to a single vendor with a solution that has aligned with NIST guidance for over a decade, long before (SP) 800-207 was even published?  It's a path forward most existing Horizon customers can pursue with components already owned and in place.