The Zero Trust chain

Over the last few years, “Zero Trust” has been established as the reference model for information systems security. While ZTNA (Zero Trust Network Access) is one of its essential building blocks, “Zero Trust” goes beyond external access rights. A whole chain of trust is required to implement this model: identity and access management (IAM), privileged access management (PAM) and application virtualization (VDI). To be effective, this “Zero Trust” chain of trust must be seen as a set of interdependent solutions rather than a set of independent software bricks.

According to the adage, the strength of a chain depends on its weakest link. The same applies to “Zero Trust”. Any vulnerability or weaker protection is immediately targeted in the event of an unauthorized intrusion attempt on an organization’s information system. Consequently, the deployment of an incomplete “Zero Trust” model cannot, strictly speaking, be qualified as “Zero Trust”.

Glossary

ZTNA (Zero Trust Network Access): the name given to products that apply a “Zero Trust”, or least-privilege, policy to external access. The objective is to give an external user strictly the access needed to carry out the tasks required by their work, without superfluous rights or access that could put the security of the information system at risk. Access policies are defined according to the user’s identity, possibly reinforced by two-factor authentication mechanisms, and the user’s connection conditions, such as the connection location or the health of the terminal used to connect. ZTNA makes it possible to grant very fine-grained access to the information system, differentiated by user, whether an internal teleworker or a service provider. This approach strongly limits the risk of intrusion into, or infection of, the information system.

IAM (Identity and Access Management): the set of processes that manage a user’s identity on the network. It covers several segments: access management (AM), authentication, privileged account management (PAM), and identity governance and administration (IGA); the term is often misused to refer to IGA alone. The functional scope of IAM is very broad. It includes functionalities to authenticate a user on the network (primary authentication), to manage the user’s authorizations, the life cycle of their identity and the accounts associated with it, and to guarantee the traceability of their rights as well as of the actions carried out by or on them. To illustrate, IAM makes it possible to assign a collaborator’s rights simply and to make them evolve with their current situation: the fact that they belong to the company, and the function that determines their authorization to access certain applications, are taken into account in real time and reflected in the information system.

PAM (Privileged Access Management): a technology for managing the access and authentication of authorized users, usually information system administrators, to administrative resources or applications. The main objective is to secure the information system by removing unauthorized access to sensitive resources. This protection rests on two main axes: managing the injection and life cycle of the passwords used on administered resources and administration applications, and the traceability of all actions carried out when users with significant power over the information system connect, in the form of audit or video traces. The users concerned by PAM may be internal users of the information system, such as system administrators or users handling sensitive data, as well as external users such as IT outsourcers (managed service providers) or remote maintenance personnel.

VDI (desktop and application virtualization): an access window to a remote desktop or applications. Virtualizing desktops or applications consists of displaying on the user’s computer applications or a desktop that are installed on, and run by, a group of machines remote from and independent of the user’s computer. The user’s workstation is thus transformed into a simple access window. This group of machines (virtual or not) can be located on an internal corporate network or in the cloud. With application virtualization, the user sees the virtualized applications on their own desktop like any other application; the virtualized applications are independent of the operating system of the user’s desktop. With desktop virtualization (VDI, Virtual Desktop Infrastructure), it is the user’s desktop with its applications that is virtualized, and it is likewise independent of the user’s operating system. The advantages of desktop virtualization include speed of execution (the user benefits from the power of the remote machines), ease of use for the administrator, who manages as many machines as they wish centrally, enhanced security, an excellent overall cost, and ease of managing updates.

The 7 links of the Zero Trust chain

The “Zero Trust” chain corresponds to the set of software building blocks that make it possible to achieve so-called “Zero Trust” security, based on the principle that no one can be trusted.
This concept can also be called the principle of least privilege. The links in the “Zero Trust” chain follow a logical path to ensure end-to-end information system security:

1. Provide authorizations on the application: the first link in the “Zero Trust” chain consists of managing authorizations in real time (Just-In-Time IAM), with the objective of being able to give rights to a user quickly, deploy them and withdraw them just as quickly, to guarantee consistency at any time between the user’s needs and the rights granted to them.

2. Authentication: this involves taking into account the authentication context (where the user accesses their applications, at what time, with what device, whether or not they are using a controlled workstation, etc.) in order to be able to strengthen the authentication, depending on this context, via different MFA mechanisms such as OTP, smart cards or question-and-answer mechanisms. Finally, it is also a question of being able to offer the user a back-up solution, if they forget their password or lose their strong authentication method, so that they can still access their work environment in complete security.

Primary or secondary authentication: authentication allows a user to guarantee their identity before accessing a resource or service. Primary authentication gives the user access to the workstation (Windows login). Several authentication modes can be made available to users: login and password, smart or contactless cards, biometrics, mobile, etc. To classify an authentication mode, it is enough to rely on the three factors: “What do I have?”, “What do I know?”, “Who am I?”. The answers to these questions make it possible to say whether a given authentication method is “simple” or “double” factor. Secondary authentication is a user’s access to an application from a session already open on a workstation; the application can be of any type: web, client-server, local to the workstation or external.
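As an added example (not Systancia’s code), the context-dependent step-up described for link 2 combined with the three-question factor classification from the authentication note: a small policy that decides which methods a user must present. The risk weights, the working hours, the method names and the back-up rule are assumptions made for this example.

```python
from dataclasses import dataclass

# Each method answers one of the three questions quoted in the text: "What do I know?",
# "What do I have?", "Who am I?". Method names are constructed labels for this example.
FACTOR_CATEGORY = {
    "password": "know", "qa": "know",
    "smartcard": "have", "otp": "have", "mobile": "have",
    "biometrics": "am",
}

def factor_strength(methods):
    """'double' when the methods span at least two categories, otherwise 'simple'."""
    return "double" if len({FACTOR_CATEGORY[m] for m in methods}) >= 2 else "simple"

def _add_other_category(methods):
    """Append the first MFA mechanism whose category is not yet present in the list."""
    present = {FACTOR_CATEGORY[m] for m in methods}
    for candidate in ("otp", "smartcard", "biometrics"):
        if FACTOR_CATEGORY[candidate] not in present:
            return methods + [candidate]
    return methods

@dataclass(frozen=True)
class AuthContext:
    location: str                     # "office" or "remote"
    controlled_device: bool           # workstation managed by the organisation?
    hour: int                         # local hour of the access attempt, 0-23
    primary: str                      # method used for the primary (workstation) authentication
    lost_strong_factor: bool = False  # user declared their card/token unavailable

def step_up_decision(ctx):
    """Return the ordered list of methods the user must present, or None to refuse.
    Risk weights and working hours are assumptions made for this example."""
    risk = ((2 if ctx.location != "office" else 0)
            + (2 if not ctx.controlled_device else 0)
            + (1 if not 7 <= ctx.hour < 20 else 0))
    if ctx.lost_strong_factor:
        # Back-up path: Q&A stands in for the lost "have" factor. Password + Q&A are both
        # "know", i.e. a single factor, so it is only accepted from a controlled device.
        return ["password", "qa"] if ctx.controlled_device else None
    required = [ctx.primary]
    if risk >= 1:
        required = _add_other_category(required)  # at least two factor categories
    if risk >= 3:
        required = _add_other_category(required)  # a third category for the riskiest contexts
    return required
```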
3. Provide network access to the application: in this context, it is important to eliminate what can be called the “VPN risk”, since a VPN provides access to a complete network and does not make it possible to control, within this access, what the user connects to. It is therefore essential to have an access management solution that gives selective access to applications rather than global access to the network. It must also cover a whole range of different scenarios: organized or massive teleworking, access by internal employees or service providers, and access to a certain area of the network, to a specific workstation or to a specific application. The access solution must secure the end-to-end flow from the user’s workstation to the application. Finally, the user experience must be equivalent to the one experienced at the office, even when the user is outside the office.

VPN (Virtual Private Network): a technology that simulates a local area network between two trusted networks. In practice, this allows two elements (workstations, servers, printers, etc.) to communicate with each other even though they are not physically located on the same computer network. Since the communication between these two networks passes through a public network in most cases, VPNs incorporate security mechanisms to ensure that it cannot be intercepted by a third party, so as to guarantee confidentiality. This technology is very practical for companies spread over several locations that need to share computer resources, such as file shares. For ease of use, IT departments have also adopted it for teleworking, by treating the remote user’s workstation as an extension of the company’s network even though this workstation is not part of a trusted network.
4. Provide logical access to the application: it is necessary to ensure that the application infrastructure actually applies the authorizations defined in the first link of the “Zero Trust” chain. The application provisioning solution must adapt in real time to authorization changes: if the IAM solution indicates that the user must have access to new applications or, on the contrary, removes their access rights to certain applications, the application infrastructure must apply the changes immediately. The user’s different access modes (thin client terminal, web console, controlled or uncontrolled workstation, etc.) must be taken into account, and the user experience must be as fluid as possible.

5. Match the user’s identity with the application account: the objective is that the user should not have to handle passwords, since the more passwords they handle, the more they will be tempted to share them or write them down somewhere to remember them. Removing this handling makes it possible to enforce password policies such as strong passwords or password rotation. It also avoids “lending” accounts, which would prevent any traceability of actions. It is also important to favour named accounts over generic accounts.

6. Control what is done on the application: this link concerns privileged users, who have significant modification rights on resources. First of all, only the tools they need should be provided to them, according to their profile. The main objective is then to trace and record all privileged user sessions, to detect suspicious actions and react immediately, for example by asking the user to re-authenticate or by automatically closing their session.

7. Guarantee the identity in real time: in the “Zero Trust” chain, the identity of the person is essential, since the entire chain is based on that person.
This means that a simple initial authentication is not enough: on the one hand, there is a real risk of theft of the password or even of the strong authentication means, and on the other hand, there is a risk of identity theft after the user has authenticated. A malicious user can take control of a session when the authenticated user is temporarily absent without having locked the session. It is therefore necessary to be able to ensure, in real time, that the person in front of the screen is the one who logged in.

How to cover the entire spectrum of this chain of trust?

In a “Zero Trust” policy, organizations should aim to implement this entire chain of trust. Most organizations already have several links in place, but the chain is not complete. For this reason, Systancia has developed products that cover the entire Zero Trust chain from end to end:

Systancia Identity, an identity and authorization management product that makes it possible to set authorization rules for applications (link 1).

Systancia Access, an authentication product for securely managing transparent user authentication to all applications, and Systancia Gate, a multi-tenant, multi-site “zero-trust” private network access product, both of which ensure user authentication (link 2).

Systancia Gate, which also provides network access to the application (link 3).

Systancia Workplace, an application virtualization product (VDI) offering the user an interface for immediate access to their virtual desktop and applications, which gives logical access to applications (link 4).

Systancia Access, which also matches the user’s identity with the application account (link 5).

Systancia Cleanroom, the only PAM product offering IS administrators a sterile and disposable workstation for administering all resources, which enables them to control what is done on applications (link 6).

Systancia Cleanroom Authograph, a continuous authentication product for privileged users, based on behavioral biometrics and artificial intelligence algorithms, that guarantees the user’s identity in real time (link 7).
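Link 6 of the chain (control what is done on the application) as an added example, not Systancia Cleanroom’s code: a detector that inspects each command of a recorded privileged session against the tools the administrator’s profile provides, asks for re-authentication on a first deviation, and closes the session on a suspicious action or on a second deviation while re-authentication is still pending. The profiles, the suspicious patterns and the session recording are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample profiles: the only tools each administrator profile is provided with.
PROFILE_TOOLS = {
    "db_admin": {"psql", "pg_dump"},
    "linux_admin": {"systemctl", "journalctl", "apt"},
}
# Constructed sample of actions treated as suspicious whatever the profile.
SUSPICIOUS_PATTERNS = ("rm -rf /", "useradd", "chmod 777", "history -c")

@dataclass
class Session:
    user: str
    profile: str
    reauth_pending: bool = False   # re-authentication requested and not yet completed
    closed: bool = False
    alerts: list = field(default_factory=list)   # (reaction, command) pairs for the audit trail

def inspect(session, line):
    """Evaluate one recorded command and return 'ok', 'reauth' (tool outside the profile)
    or 'close' (suspicious action, or a second deviation while re-authentication is pending)."""
    if session.closed:
        return "close"
    words = line.split()
    if not words:
        return "ok"
    suspicious = any(p in line for p in SUSPICIOUS_PATTERNS)
    outside_profile = words[0] not in PROFILE_TOOLS[session.profile]
    if suspicious or (outside_profile and session.reauth_pending):
        session.closed = True
        session.alerts.append(("close", line))
        return "close"
    if outside_profile:
        session.reauth_pending = True
        session.alerts.append(("reauth", line))
        return "reauth"
    return "ok"

def reauthenticated(session):
    """Called once the user has re-authenticated successfully; clears the pending state."""
    session.reauth_pending = False

# Constructed session recording for a linux_admin profile (not a real capture).
SAMPLE_SESSION = [
    "systemctl restart nginx",
    "journalctl -u nginx -n 50",
    "cat /etc/hosts",        # tool outside the profile: ask for re-authentication
    "useradd -m tempuser",   # suspicious action: close the session immediately
    "apt update",            # session already closed, nothing further is accepted
]
```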