Introduction
CoIP Access Platform uses Zero Trust Factors to identify users, as well as to provide endpoints and applications with metadata that can be used in policy decisions. This document describes the Zero Trust Factors and how they can be leveraged in Access Policy definitions.
Basic Concepts
Zero Trust Factor Checking
When a user, endpoint, or Gateway Proxy comes online, it registers itself with CoIP Access Platform, and CoIP Access Platform collects metadata needed for authentication, known as Zero Trust Factors. This registration step is always performed every time a new control connection is established, which can be triggered by any disruption to the control channel.
For example, a user logging in from a laptop at home may authenticate using her user credentials, and CoIP Access Platform will automatically gather and authenticate her laptop’s metadata, such as her private IP address, which is checked upon registration. If she then switches from a WiFi network to a cellular network, she may not need to re-authenticate, depending on the corporate SSO settings, but switching networks triggers a new control connection to CoIP Access Platform, which will re-authenticate and detect the private IP address change.
Identity Providers
CoIP Access Platform supports local directory, LDAP/AD, and SAML 2.0 identity providers for users. The identity provider is configured for a given customer tenant by clicking “Manage Identity Services” under Advanced Mode > Portal Management > Customers.
IP Geolocation Providers
To use IP Geolocation, you must first configure MaxMind GeoIP2 credentials. This is accessible from Advanced Mode > Service Management > Third Party Web Services.
In the current release, Geolocation is only supported with Country level granularity.
User Zero Trust Factors
Zero Trust Factors for users are defined at the User Role level, and include the following:
- User identity (local directory, LDAP, or SAML 2.0 providers) with MFA
  - SAML 2.0 providers use their configured MFA option
  - CoIP Access Platform natively supports email MFA
- Hostname
- Private IP addresses of the machine
- Observed public IP (IP address of the machine’s Internet gateway)
- Client machine MAC address
- Geolocation
- IP whitelist
These factors are pinned when the user successfully signs on, so that changes to these factors can be detected; however, MAC address and private IP addresses can be pre-provisioned on a per-user basis to lock access to a specific machine.
Actions upon detecting a Zero Trust violation include Alert Only, and Quarantine and Alert. The use of the Quarantine function is described later in this document.
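The pin-then-recheck behaviour described above (factors captured at sign-on, re-verified on every new control connection, with a pre-provisioned MAC or private IP lock and an Alert Only or Quarantine and Alert response) can be modelled in a few dozen lines. The following is an added illustration written for this page, not CoIP Access Platform code; the class and field names, the policy structure, and the sample hostname, MAC and IP values are all assumptions constructed for the example. It also covers the laptop scenario from the Zero Trust Factor Checking section, where a switch from WiFi to cellular triggers re-registration and the private IP change is detected.

```python
"""Illustrative model of Zero Trust Factor pinning and violation handling.

Added example, not product code. Names and sample values are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    """Responses to a factor violation, as named in the documentation."""
    ALERT_ONLY = "alert_only"
    QUARANTINE_AND_ALERT = "quarantine_and_alert"


@dataclass(frozen=True)
class Factors:
    """Metadata gathered at registration (a subset of the listed factors)."""
    hostname: str
    private_ips: Tuple[str, ...]
    public_ip: str
    mac: str
    country: str  # geolocation is country-level only in the current release


@dataclass
class RolePolicy:
    """Which factors a User Role pins, plus the action taken on a mismatch."""
    checked: Tuple[str, ...] = ("hostname", "private_ips", "public_ip", "mac", "country")
    action: Action = Action.ALERT_ONLY
    # Optional per-user pre-provisioned lock to a specific machine (assumed shape).
    locked_mac: Optional[str] = None
    locked_private_ips: Optional[Tuple[str, ...]] = None


@dataclass
class Session:
    user: str
    pinned: Factors
    quarantined: bool = False
    alerts: List[str] = field(default_factory=list)


def sign_on(user: str, observed: Factors, policy: RolePolicy) -> Tuple[Optional[Session], List[str]]:
    """Pin the observed factors at a successful sign-on.

    Pre-provisioned locks are enforced here: a machine whose MAC or private
    addresses do not match the provisioned values never gets a session.
    """
    problems: List[str] = []
    if policy.locked_mac and observed.mac.lower() != policy.locked_mac.lower():
        problems.append(f"mac {observed.mac} is not the provisioned {policy.locked_mac}")
    if policy.locked_private_ips and not set(observed.private_ips) & set(policy.locked_private_ips):
        problems.append(f"private IPs {observed.private_ips} include no provisioned address")
    if problems:
        return None, problems
    return Session(user=user, pinned=observed), []


def register(session: Session, observed: Factors, policy: RolePolicy) -> List[str]:
    """Re-check pinned factors on a new control connection and apply the action.

    Returns the list of violated factors (empty when everything still matches).
    """
    violations = [
        f"{name}: pinned={getattr(session.pinned, name)!r} observed={getattr(observed, name)!r}"
        for name in policy.checked
        if getattr(session.pinned, name) != getattr(observed, name)
    ]
    if violations:
        session.alerts.extend(violations)
        if policy.action is Action.QUARANTINE_AND_ALERT:
            session.quarantined = True
    return violations


# Constructed sample values: a laptop at home on WiFi, then on a cellular hotspot.
HOME = Factors("laptop-01", ("192.168.1.23",), "203.0.113.10", "AA:BB:CC:DD:EE:01", "US")
CELLULAR = Factors("laptop-01", ("192.0.2.7",), "198.51.100.77", "AA:BB:CC:DD:EE:01", "US")


if __name__ == "__main__":
    policy = RolePolicy(action=Action.QUARANTINE_AND_ALERT, locked_mac="AA:BB:CC:DD:EE:01")
    session, problems = sign_on("alice", HOME, policy)
    assert session is not None, problems
    print("network switch ->", register(session, CELLULAR, policy))
    print("quarantined:", session.quarantined)
```

The network switch changes only the private and public IP, so `register` reports exactly those two factors; under Alert Only the session is merely flagged, under Quarantine and Alert it is also marked quarantined, which mirrors the two actions the documentation names. A mismatched pre-provisioned MAC is rejected at sign-on rather than at re-check, because the lock exists precisely to stop a different machine from ever pinning factors for that user.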
Currently, Zero Trust Factors for users are configured in the CoIP Client Group in the Security Profile of the Security Group, which is accessible by clicking on the Client Group in Advanced Mode > Project Management > Security Profiles.
- User identity (local directory, LDAP, or SAML 2.0 providers) with MFA
  - SAML 2.0 providers use their configured MFA option
  - CoIP Access Platform natively supports email MFA
- Hostname
- Private IP addresses of the machine
- Observed public IP (external IP address of the machine’s Internet gateway)
- Client machine MAC address
- Geolocation
Endpoint Identity
Zero Trust Factors for endpoints include:
- IP Geolocation
- Hostname
- Private IP addresses of the machine
- Observed public IP (external IP address of the Internet gateway)
- Network interfaces (all network interfaces are monitored)
- Endpoint MAC address
- Cloud Service Provider information, including:
  - CSP Provider name
  - CSP Region
  - CSP Instance ID
CSP-reported factors are supported on AWS, Google Cloud, and Microsoft Azure.
Application Identity Zero Trust Factors
Application Identity Zero Trust Factors are defined in Application Process Objects, under Access Policy Management > Application Process Objects. For more information on configuring an Application Process Object or Group, please refer to the Creating Secure Access Policies Quick Start Guide.
Handling Zero Trust Factor Violation Events on Endpoints
Alerts and Logs
Administrators may choose to receive an email alert when an endpoint trust factor violation is detected. To receive email alerts, you must first configure SMTP settings in Advanced Mode > Service Management > Mail Sender, and then set up the Endpoint Trust Factor Verification alert under Advanced Mode > Service Management > Email Notifications.
Logs of Zero Trust Factor violations may be accessed from Advanced Mode > Project Management > Security Logs.
Quarantine
In addition to alerts, administrators may also choose to quarantine an endpoint, which prevents it from connecting to other CoIP endpoints in order to protect other sensitive machines, or disables remote user access to it. CoIP services continue to run, so the zCenter control channel is maintained, and the quarantine action does not cut the endpoint off from the physical underlay network. This leaves a quarantined endpoint accessible for investigation and remediation.
Once you have remediated a quarantined endpoint, you may recover it through Advanced Mode > Project Management > Quarantined Endpoints.