10.1.1 Applying ZTNA to Thinfinity® Workspace
Here is how Thinfinity Workspace implements the ZTNA core principles:
Principle of Least Privilege Access (PoLP)
Users, devices, and applications are granted only the minimum access rights necessary to perform their legitimate functions, and only for the duration required. All other access is denied by default.
Granular Access Profiles:
Access Profiles are the primary mechanism for PoLP. Instead of granting broad network access, each Access Profile explicitly defines the single application, desktop, or intranet resource a user can reach. The profile creation wizard lets the administrator choose the resource category (desktop, application, folder or terminal) and the resource type (desktop app, intranet app, web app, etc.).
Role-Based Access Control (RBAC):
Mapping to IdP Groups: Administrators can reuse the groups already defined in their Identity Provider (Active Directory, Thinfinity IdP) and map them to specific roles within Thinfinity Workspace.
Role-Based Access Profile Assignment: Administrators assign Access Profiles (and thus access to specific remote resources) to roles/groups rather than to individual users, so each user automatically inherits the minimum access their organizational role requires. This is configured through Labels and Permission Groups in the Permissions tab of the Access Profile.
User Interface Permissions: PoLP also applies to the Thinfinity Workspace UI itself: administrators see and manage only the configuration areas relevant to their duties. This is configured in the Permissions tab of the Configuration Manager.
Time-Based Access Control / Access Scheduling:
Scheduled Access: Access Profiles can be configured to permit access only during the hours or days of the week when it is genuinely needed, for example a contractor who may reach a resource only from 9 AM to 5 PM, Monday to Friday. This is configured in the Access Hours tab of the Settings menu and in the Access Hours tab of the Configuration Manager.
Session Durations: Administrators can enforce a maximum session duration, automatically disconnecting users after a set period so that they must re-authenticate and re-establish their need for continued access.
Remote Privilege Access Management (RPAM):
Just-in-Time (JIT) Access: RPAM directly implements PoLP for elevated access. Instead of holding standing privileges, users request temporary, approved access to a sensitive resource (for example a production server). This is provided by the Resource Reservation module.
Time-Bound Privileges: Approved RPAM access is typically time-bound, ensuring that elevated privileges are automatically revoked after the defined duration, aligning with JIT principles.
Micro-Segmentation
Definition: The practice of dividing the network into small, isolated segments down to the individual workload level, with granular security policies applied to each segment. This limits lateral movement in case of a breach.
Thinfinity Workspace Implementation:
Virtualization Agent as Micro-Perimeter:
Each Virtualization Agent effectively creates a micro-perimeter around the specific remote resource it manages (a single server, a set of VDIs). See Installing Thinfinity Workspace in Agent mode.
The Agent only permits traffic specifically related to the Thinfinity Workspace session and only from the authorized Broker/Gateway. It does not open up the entire remote network segment.
Gateway-Enforced Resource Isolation:
Gateways act as intelligent proxies. They don't just route traffic; they apply context-aware policies. A user connecting through a Gateway to Resource A cannot bypass the Gateway to directly access Resource B, even if Resource B is on the same physical network segment.
No Direct Client-to-Resource Connectivity: Thinfinity Workspace inherently prevents direct client-to-resource connections. All traffic flows through the Gateway and then the Virtualization Agent, creating logical micro-segments around each published resource.
Internal Web Application Firewall (WAF) and IP Filtering:
WAF for Published Web Apps/Websites: Where the deployment includes the internal WAF, it inspects traffic to published intranet websites and web applications, adding a further layer of protection for that specific "segment" of web applications.
IP Filtering/ACLs on Gateways and Agents: Configure Gateways and Virtualization Agents to accept connections only from known, trusted internal IP ranges (the Brokers, other trusted Gateway nodes). Hosts on unauthorized network segments then cannot even attempt to connect to these components. This is configured in the Protection tab of the Thinfinity Gateway Manager.
Network Segmentation for Components:
Beyond the application level, administrators can physically or logically segment the Thinfinity Workspace components themselves: Gateways in a DMZ, Brokers in a separate trusted zone, and Virtualization Agents close to the remote resources they serve, with strict firewall rules between these segments. For details, see Gateways, Brokers and Virtualization Agents.
Continuous Authentication
Definition: Authentication is not a one-time event at login. It's an ongoing process where user and device trustworthiness are continuously re-evaluated throughout a session based on various contextual factors.
Thinfinity Workspace Implementation:
Session Re-authentication:
Configurable Session Timeouts: When a session reaches its configured lifetime it expires and the user must re-authenticate, so identity is re-verified at regular intervals rather than trusted indefinitely from the initial login.
Idle Timeouts: Automatically disconnect or lock sessions after periods of inactivity, requiring re-authentication to resume.
Multi-Factor Authentication (MFA) Enforcement:
MFA on Every Login: Enforce MFA for every login attempt, including the re-authentication forced by session and idle timeouts, so that each renewal of trust is backed by a second factor rather than a password alone.
Behavioral Analytics (Thinfinity Analytics Module):
The Thinfinity Analytics module can be used to monitor user behavior patterns (typical resources accessed, time of day, location, data transfer volumes), giving administrators a baseline against which unusual activity during a session can be reviewed.
Policy-Based Access Control (PBAC)
Definition: Access decisions are not based solely on identity but on a dynamic set of attributes (contextual information) about the user, device, resource, and environment, evaluated against defined policies.
Thinfinity Workspace Implementation:
Attribute-Based Access Rules:
User Attributes: Access is granted based on user attributes from the IdP (department, role, security clearance level).
Resource Attributes: Policies can be tied to the sensitivity level or type of the remote resource.
Environmental Attributes:
Source IP Filtering/ACLs: Access to specific resources can be granted based on the user's source IP address or geographical location.
Time-Based Access Control: As mentioned under PoLP, access can be restricted based on the time of day or day of the week.
Contextual Policy Enforcement at the Gateway:
The Gateway is the primary policy enforcement point. When a user requests a connection, the Gateway evaluates all relevant attributes (user identity, authentication strength, source IP, time of day and, where available, device posture) against the configured access policies (Access Profiles, RBAC, RPAM).
Dynamic Access Decisions: The decision to grant or deny access, and the scope of that access, is made dynamically per session based on these policies, rather than a static list of permissions.
Security Restrictions within Access Profiles:
The Security Restrictions settings in Access Management align directly with PBAC: they define granular rules (disable clipboard, prevent file transfer, restrict printing) in the context of a specific Access Profile, so the same user can be subject to different rules on different resources.
Centralized Policy Management:
All policies (Access Profiles, RBAC mappings, RPAM rules, security restrictions, IP filtering) are managed from a central configuration interface - the Thinfinity Workspace Configuration Manager. This ensures consistency and simplifies auditing.
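The access decision described in the PoLP, Continuous Authentication and PBAC sections above, modelled as code. This is an added example and not Thinfinity Workspace code: the class names (AccessProfile, Reservation, Decision), the decide() function, the sample profiles and the reservation are all assumptions chosen to mirror the concepts on this page (profiles inherited through IdP groups, access hours, source-IP restrictions, RPAM reservations for JIT privilege, per-profile security restrictions and a session expiry that forces re-authentication). In the product these checks run inside the Gateway and Broker, not in Python.

```python
"""Illustrative ZTNA gateway access decision (added example, not Thinfinity code).

All names and sample data below are assumptions that mirror the concepts on
this page; they are not the product's configuration format or API.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class AccessProfile:
    name: str
    resource: str                      # the single published resource this profile exposes
    groups: frozenset                  # IdP groups that inherit this profile
    days: frozenset                    # weekdays allowed, 0 = Monday ... 6 = Sunday
    start: time                        # access window within one day (no overnight windows)
    end: time
    allowed_networks: tuple = ()       # source CIDRs; empty means no source-IP restriction
    max_session: timedelta = timedelta(hours=8)
    restrictions: frozenset = frozenset()   # e.g. {"clipboard", "file_transfer", "printing"}
    requires_reservation: bool = False      # RPAM: no standing privilege, JIT approval needed


@dataclass(frozen=True)
class Reservation:
    user: str
    resource: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    restrictions: frozenset = frozenset()
    expires_at: Optional[datetime] = None   # when the session must end and re-authenticate


def decide(profiles: Sequence[AccessProfile], reservations: Sequence[Reservation],
           user: str, groups: Iterable[str], resource: str,
           source_ip: str, now: datetime) -> Decision:
    """Deny by default; allow only through a profile the user's groups inherit
    whose contextual checks (day/hour, source IP, JIT reservation) all pass."""
    groups = frozenset(groups)
    candidates = [p for p in profiles if p.resource == resource and p.groups & groups]
    if not candidates:
        return Decision(False, "no access profile grants this resource to the user's groups")
    ip = ip_address(source_ip)
    reasons = []
    for p in candidates:
        if now.weekday() not in p.days or not (p.start <= now.time() < p.end):
            reasons.append(f"{p.name}: outside access hours")
            continue
        if p.allowed_networks and not any(ip in ip_network(n) for n in p.allowed_networks):
            reasons.append(f"{p.name}: source {ip} not in allowed networks")
            continue
        # Session ends at the earliest of: max duration, end of the access window,
        # and (for RPAM resources) the end of the approved reservation.
        expires = min(now + p.max_session, datetime.combine(now.date(), p.end))
        if p.requires_reservation:
            active = [r for r in reservations
                      if r.user == user and r.resource == resource and r.start <= now < r.end]
            if not active:
                reasons.append(f"{p.name}: no approved reservation covers this time")
                continue
            expires = min(expires, active[0].end)
        return Decision(True, f"granted via {p.name}", p.restrictions, expires)
    return Decision(False, "; ".join(reasons))


# Constructed sample policy: three profiles mirroring the cases described on this page.
PROFILES = (
    AccessProfile("Finance-ERP", "erp.intranet", frozenset({"Finance"}),
                  frozenset(range(7)), time(0, 0), time(23, 59),
                  restrictions=frozenset({"file_transfer"})),
    AccessProfile("Contractor-Jump", "jump01", frozenset({"Contractors"}),
                  frozenset(range(5)), time(9, 0), time(17, 0),
                  allowed_networks=("203.0.113.0/24",),
                  restrictions=frozenset({"clipboard", "file_transfer", "printing"})),
    AccessProfile("Prod-DB-Admin", "db-prod-01", frozenset({"DBA"}),
                  frozenset(range(7)), time(0, 0), time(23, 59),
                  max_session=timedelta(hours=2), requires_reservation=True),
)
# Constructed RPAM reservation: alice is approved for a two-hour window on the production DB.
RESERVATIONS = (
    Reservation("alice", "db-prod-01", datetime(2024, 5, 14, 14, 0), datetime(2024, 5, 14, 16, 0)),
)

if __name__ == "__main__":
    tue_10 = datetime(2024, 5, 14, 10, 0)          # a Tuesday
    for args in (("bob", ["Contractors"], "jump01", "203.0.113.10", tue_10),
                 ("bob", ["Contractors"], "jump01", "198.51.100.5", tue_10),
                 ("bob", ["Contractors"], "jump01", "203.0.113.10", datetime(2024, 5, 18, 10, 0)),
                 ("bob", ["Contractors"], "erp.intranet", "203.0.113.10", tue_10),
                 ("alice", ["DBA"], "db-prod-01", "10.0.0.5", datetime(2024, 5, 14, 15, 0)),
                 ("alice", ["DBA"], "db-prod-01", "10.0.0.5", tue_10)):
        d = decide(PROFILES, RESERVATIONS, *args)
        print(args[0], args[2], "ALLOW" if d.allowed else "DENY", d.reason,
              sorted(d.restrictions), d.expires_at)
```

The contractor case shows PoLP and PBAC together: bob reaches jump01 only from the trusted range, only on weekdays within the window, with clipboard, file transfer and printing disabled, and his session expiry is capped at the end of the access window (17:00) rather than the full eight-hour maximum. The DBA case shows RPAM: alice has the right group but no standing privilege, so the same request is denied at 10:00 and granted at 15:00 with a session that ends when her reservation does.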