EBOOK

Implementing Identity-based
Zero Trust and SASE Architectures
HOW TO USE NETWORK ACCESS CONTROL TO PROTECT THE ORGANIZATION
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Table of contents
3 Why security must evolve
4 Zero Trust and SASE rely on identity
6 Know what’s on your network
7 Ensure consistent authentication for assigning privileges
8 Enforce configuration compliance
9 Leverage identity to dynamically segment network traffic
11 Build deep integration with the security ecosystem
12 How Aruba can help: Edge-to-cloud security solutions
14 Summary

2
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Why security must evolve

Network security challenges have significantly increased as workers have
become more decentralized, new IoT devices have flooded the network,
and attacks have become more sophisticated and persistent. Traditional
security approaches focused primarily on the network perimeter have
become ineffective as a primary security strategy.

Modern network security must accommodate an ever-changing, diverse

set of users and devices, as well as much more potent threats targeting
previously “trusted” parts of the network infrastructure.
To address this issue, two major network security initiatives were launched
as a guide in planning, designing, and implementing more secure networks
in support of an overall IT protection strategy. In the 2014 Federal
Information Systems Management Act (FISMA), the National Institute of
Standards and Technology (NIST) was impaneled to develop a set of overall
security guidelines and architecture that has evolved into Zero Trust
Architecture. In 2019, Gartner defined the Secure Access Service Edge
(SASE) concept in recognition that IT access and corresponding security
services will be available in the cloud.

3
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Zero Trust and SASE rely on identity

A foundational principle of Zero Trust and SASE architectures is that
access to IT resources should not be dictated solely by where or how a
client connects. In other words, the network is inherently untrustworthy,
and an “overlay” security fabric must be added based on a well-defined,
identity-based architecture that segments traffic to those paths and
resources that have been explicitly permitted. In addition, these
architectures can cover the security “lifecycle” of an endpoint from
authentication and authorization to continuous monitoring and
attack response.

The objective is to authenticate the client and then continuously compare

its configuration and status to a defined set of acceptable security states
to ensure that it will not introduce vulnerabilities or is not participating
in an attack. In this guide, you’ll learn how to implement a Zero Trust and
SASE architecture using identity as the foundation.

4
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Support both frameworks by addressing 5 key

security challenges

1
Eliminate network blind spots. The goal is to discover and profile all devices connected to the network—
including IoT devices outside the purview of the network and security team.

2
Verify identity before allowing access. Starting with 802.1X, there are many authentication techniques to
ensure that only legitimate users and devices connect to the network, including emerging solutions for IoT devices.

3
Compare endpoint configuration to compliance baselines and remediate as needed. This allows the
security team to define and enforce configuration guidelines that reflect the application of the appropriate patches
and updates.

4 Establish least-privilege access to IT resources by segmenting traffic based on identity-based

policies. After identity and configuration compliance are confirmed, the user or device can be assigned a set of IT
privileges dictated by pre-defined access policies enforced in the network infrastructure.

5 Continuously monitor the security state of the user and device and bi-directionally communicate
with other elements in the security ecosystem. Reduce or eliminate access rights if there are signs that a
network-connected user or device has been compromised.

5
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Know what’s on your network What you can do now

The ability to broadly and accurately identify all wireless and wired • Build a device inventory of what is
devices connected to the network—from traditional IT-managed connected to the network.
devices to previously undetected IoT devices such as
cameras, medical equipment, sensors, and other hard-to-detect • Continuously monitor for new devices and
endpoints—is an essential security control. connections.
The most effective approach uses multiple discovery methods to • Leverage cloud-based fingerprint
find and classify a wide range of device types. The most advanced databases to access profiles for previously
solutions use machine learning to constantly evaluate contextual unseen devices.
and behavioral information, dynamically update fingerprints, and
provide recommendations for previously unseen devices.

In support of granular traffic segmentation, device discovery and

profiling can be integrated with access policies for closed-loop,
end-to-end access control from visibility to network infrastructure
enforcement. Devices can automatically be assigned access
privileges based on a given policy or quarantined in the event they
are out of configuration compliance or behaving in a malicious or
insecure manner.

6
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Ensure consistent authentication What you can do now

for assigning privileges
• Set up an authentication solution that
After a user or device is known and profiled, the next step is to can work with multiple protocols and
authenticate its identity each time it connects to the network. interfaces with a wide variety of identity
Organizations can rely on secure authentication using databases.
standards-based 802.1X enforcement. MAC address authentication
can also be used for IoT and headless devices lacking support for • Establish a guest portal to seamlessly
802.1X. In addition, the Wi-Fi Alliance has recently defined a Wi-Fi onboard visitors.
CERTIFIED Easy Connect™ standard for securely onboarding certified
IoT devices. • Implement 802.1X authentication for
both wired and wireless connections and
prioritize Wi-Fi EasyConnect-enabled
Comprehensive guest access simplifies visitor workflow processes to devices for IoT applications.
enable employees, receptionists, and other non-IT staff to
create temporary guest accounts for secure wireless and wired
access. Highly customizable, mobile friendly portals provide easy-to-
use login processes that include self-registration, sponsor approval,
and bulk credential creation.

7
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Enforce configuration compliance What you can do now

Configuration compliance and security posture assessment are • Establish standards for configuration,
critical security controls that can be done by the network. During the version, and patch levels required for
authorization process, health assessments are performed on specific endpoints accessing the network.
devices to ensure they adhere to IT-defined configuration standards,
including patch levels, antivirus, antispyware, and firewall policies. • Subscribe to a vulnerability database to
Devices not meeting compliance standards can either be ensure that devices connected to the
automatically remediated with a persistent agent or redirected to a network have the necessary patches to
captive portal for further follow-up. deal with validated attacks.
Posture-based health checks are built for common environments • Educate your end users and IoT
and can eliminate vulnerabilities across a wide range of operating administrators regarding the need to keep
systems. Whether agentless or using persistent or dissolvable endpoints up to date for optimal security
clients, these solutions can centrally identify compliant endpoints hygiene.
on wireless, wired, and VPN infrastructures.

8
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Leverage identity to The ability to microsegment traffic based on identity and role
delivers two main benefits:
dynamically segment
Dynamic process: Role-based policy is assigned on the fly to
network traffic a wired port or wireless connection based on factors such as
the access method of the client. Contextual data—like time of
At the core of the NIST Zero Trust Architecture is a day, type of machine, etc.—can also be included so IT staff no
collaboration of two key network components: longer must use static attributes to control access.

• A Policy Engine/Administrator that defines the Fine-grained segmentation: This allows client traffic to be
conditions under which a user or device can connect to the segmented based on permissions in the access policy.
network and what access privileges they are entitled to, based Microsegmentation provides enhanced security and perfor-
on the authentication and compliance process they must go mance benefits, given that access controls can be much more
through granular than hard-to-manage VLAN assignments, and they are
enforced by the network infrastructure.
• A Policy Enforcement Point that interprets and enforces
the access instructions delivered by the Policy Engine Trust enforced by Dynamic Segmentation
Users and NIST Policy Applications and

Together they constitute real-time, or dynamic, traffic segmen- Devices Engine/Administrator Destinations

tation. However, this kind of control cannot be added in after

Role-based
Corp P
Access Switch Policies

the fact to a network built without consideration for how to Academic

manage and enforce identity-based access that must adjust in

BYOD O Records

real time to accommodate changes in endpoint and network IOT O

notma1
ware.biz
status.
Access Point
Guest P AirGroup
Gateway
NIST Policy
Enforcement Points

9
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

When VLANs are not enough: What you can do now

Using EVPN-VXLAN to extend
network segmentation on a • Establish groups of users and devices
that have similar access permissions to
global scale IT assets.

The proliferation of endpoints due to BYOD, workplace mobility, • Build access control policies that reflect
and IoT is driving a need for more fine-grained segmentation the organization’s security controls.
strategies to separate different profiles of users, devices, and
traffic on a global basis—beyond what traditional VLANs can • Map roles to identity at time of
offer. Modern network switches have expanded configuration and authorization and assign an access policy
policy enforcement choices to include industry standards such as based on role.
EVPN-VXLAN for more flexibility, global scale, and third-party
interoperability. EVPN-VXLAN enables businesses to connect
geographically dispersed locations using Layer 2 virtual bridging, and
has emerged as a popular networking framework largely due to the
limitations of traditional VLAN-based networks. VXLAN
encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets,
meaning virtual Layer 2 subnets can span underlying Layer 3
networks and extend network segmentation across physical
locations.

10
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Build deep integration with the What you can do now

security ecosystem
• Build an overall Zero Trust and SASE-based
As emphasized in both the NIST Zero Trust Architecture and SASE security strategy to guide your security
frameworks, organizations must be able to deploy best-of-breed investments.
security solutions and ensure that their entire security ecosystem
communicates and coordinates attack awareness and response. • Ensure your security solutions are open
and can seamlessly integrate with your
A critical advantage of this approach is that organizations can network access control.
leverage their existing security investments by seamlessly
integrating solutions such as next-generation firewall (NGFW) • Design policies that will make the
and security information and event management (SIEM) network an ally in detecting and
technologies with their network access control solutions. This responding to attacks.
avoids single solution lock-in that results in costly upgrades and
a single source of products. A network security framework that
integrates with the broader security ecosystem provides the best
elements of a unified solution with the flexibility of an open
architecture.

Sharing context between each component supports end-to-end

policy enforcement and visibility. This enables the access
control solution to respond to changing threats for users and
devices after they have authenticated to the network.

11
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

How Aruba can help: The Aruba Edge Services Platform delivers
Zero Trust and SASE Edge-to-Cloud security solutions
The Aruba Edge Services Platform (ESP) supports Zero Trust and SASE architectures by delivering device discovery,
authentication, configuration enforcement, role-based access control, built-in policy-based traffic segmentation, and
continuous threat protection, all from a single solution comprising:
Aruba Central Client Insights: Policy Enforcement Firewall (PEF):
Security and networking teams are constantly watching for devices that are connected PEF is a stateful, Layer 7 firewall that can be enabled on Aruba wireless access points,
to the network outside the proper controls. Client Insights uses a full range of passive gateways, and controllers. PEF is the companion enforcement point for ClearPass policies
and active discovery techniques along with AI fingerprinting to ensure that every and enforces policy-based per-user and per-device traffic segmentation for wired, wireless,
device is located and profiled. and WAN connectivity.

ClearPass: Central NetConductor:

ClearPass performs a wide range of Zero Trust Architecture functions. It starts with This suite of cloud-native network connectivity and security services enables organizations
a range of authentication services to identify users and devices. Based on identity, of all types and sizes to automatically configure wired, wireless, and WAN infrastructure
ClearPass Policy Manager will assign a set of access permissions that are enforced to deliver optimal network performance while enforcing the granular access control
by the Aruba network. ClearPass OnGuard performs advanced endpoint posture security policies that are the foundation of Zero Trust and SASE architectures. With Central
assessment and remediation to ensure security and compliance requirements are NetConductor, Dynamic Segmentation can be managed via the cloud with the ability to
met prior to users and devices connecting to the network. centrally define and enforce access policies either in a distributed or centralized fashion
based on the choice of overlay.
Dynamic Segmentation:
Aruba’s market-leading Dynamic Segmentation solution is a critical element of the Aruba 360 Security Exchange:
edge-to-cloud security built into Aruba ESP. It establishes least-privilege access to IT Aruba security products integrate with a wide range of third-party IT systems for end-to-
resources by segmenting traffic based on roles and associated access permissions. end policy enforcement and visibility for mobile and IoT devices. ClearPass Policy Manager
Dynamic Segmentation unifies role-based access and policy enforcement across wired, is bi-directionally integrated with over 150 third-party security and management products
wireless, and WAN networks, ensuring that users and devices can communicate with to provide identity-based information to the ecosystem and receive threat and attack
destinations consistent with their role only—keeping traffic secure and separate. information to inform policy decisions.

12
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

The Pentagon modernizes wired

and wireless connectivity, across Security Zero Trust and SASE
Requirements Architecture
Aruba Solution

all classification levels, with Know what’s on

the network
An organization protects
resources by defining what
Aruba Client
Insights

Aruba infrastructure Authenticate all

resources it has
Create, store, and manage ClearPass Policy
users and enterprise user accounts and Manager
devices identity records
The Pentagon, headquarters of the United States Department of
Defense (DoD), is modernizing its classified and unclassified Ensure con-
figuration and
Gather information about the
enterprise asset’s current state
ClearPass OnGuard

networks to support tens of thousands of devices daily. Aruba’s compliance and apply updates to
ESP-based architecture will provide the Pentagon an automated guidelines are configuration and software
followed components
networking infrastructure that eliminates manual processes like Assign and All resource authentication and Dynamic Segmentation
port mapping and initial switch configuration. It is also expanding enforce access authorization are dynamic and enabled by:
its deployment of Aruba ClearPass Policy Manager for secure policies in the strictly enforced before access
network is allowed via coordination - ClearPass, PEF with
network access control across its networks. between a Policy Engine and a Aruba access points and
Policy Enforcement Point gateways

- Central NetConductor,
policy manager, and inline
enforcement via Aruba
switches and gateways
5. Communicate Provide real-time (or near ClearPass Policy Manager/
bi-directionally real-time) feedback on the Aruba 360 Security
with the secu- security posture of enterprise Exchange
rity ecosystem information systems; integrate
and respond to with security information and
attacks event management systems

13
 SECURITY ZERO TRUST, VISIBILITY AUTHENTICATION COMPLIANCE ACCESS & INTEGRATION EDGE-TO-CLOUD SUMMARY
EVOLUTION SASE, & IDENTITY SEGMENTATION SECURITY

Summary
Networking solutions with intrinsic support for Zero Trust and SASE
architectures provide a strong, built-in security foundation. Without
comprehensive support for all five of the major security requirements,
organizations are faced with assembling complicated, unintegrated
solutions that leave gaps in their protection.

Ready to get started? Learn more at:

https://www.arubanetworks.com/connect-and-protect/

14
Thank You

Contact Us
© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties
for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omis-
sions contained herein.

ebk_security_RM_020122 a00118824enw