11.1.1 Applying ZTNA to Thinfinity® Workspace

PoLP (Principle of Least Privilege)

Users, devices, and applications are granted only the minimum access rights necessary to perform their legitimate functions, and only for the duration required. All other access is denied by default.

Granular Access Profiles

Access Profiles serve as the primary implementation of the PoLP. Rather than provisioning extensive network permissions, each Access Profile explicitly specifies permitted access to particular applications, desktops, or intranet resources. During the profile creation process via the configuration wizard, administrators can select the resource category, such as desktop, application, folder, or terminal, and define the resource type, including desktop applications, intranet applications, web applications, among others.

RBAC (Role-Based Access Control)

Mapping to IdP Groups: Administrators can utilize existing groups within integrated IdPs—such as Active Directory or Thinfinity IdP—to establish role-based associations. These IdP groups can be systematically mapped to designated roles within Thinfinity Workspace for streamlined access control management.

Role-Based Access Profile Assignment: Administrators can associate Access Profiles—defining permissions and access to specific remote resources—to organizational roles or groupings, rather than assigning permissions on a per-user basis. This approach ensures automatic inheritance of the principle of least privilege, aligning user privileges with their organizational role. The mappings are configured via Labels and Permission Groups within the Access Profile Permissions tab.

User Interface Permissions: The implementation of the PoLP extends to the Thinfinity Workspace user interface. Administrative users are restricted to viewing and modifying configurations pertinent solely to their designated responsibilities. These restrictions are enforced through permissions configured within the Permissions tab of the Configuration Manager.

Time-Based Access Control / Access Scheduling

Scheduled Access: Access profiles may be configured to restrict user authentication and resource access to predefined time windows. This includes specifying permissible days and hours, such as allowing contractor access solely from 9 AM to 5 PM, Monday to Friday. Configuration is managed through the Access Hours tab within the Settings menu.

Session Duration Enforcement: Administrators may establish maximum session duration policies that automatically terminate active sessions upon reaching the specified time limit. Subsequent re-authentication is mandated, compelling users to reassess the validity of their continued access privileges.

RPAM (Remote Privilege Access Management)

JIT (Just-in-Time) Access: RPAM directly implements the PoLP for elevated access. Instead of holding standing privileges, users request temporary, approved access to sensitive resources (for example, a production server) through the Resource Reservation module.

Time-Bound Privileges: Approved RPAM access is typically time-bound, ensuring that elevated privileges are automatically revoked after the defined duration, aligning with JIT principles.
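The scheduled-access rule (permitted days and hours per Access Profile) and the time-bound JIT grant described above can both be expressed as one deny-by-default check. The following Python is an added illustration written for this page, not code from Thinfinity Workspace: the class names, the profile, user and resource names, and the layout of the access-hours data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, List, Optional, Tuple


# Constructed model of an Access Profile's access hours. Class and field
# names are hypothetical, not Thinfinity Workspace's configuration schema.
@dataclass(frozen=True)
class AccessHours:
    days: FrozenSet[int]   # weekday numbers: 0 = Monday ... 6 = Sunday
    start: time            # first permitted time of day (inclusive)
    end: time              # end of the window (exclusive)

    def allows(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end


@dataclass(frozen=True)
class JitGrant:
    """An approved, time-bound RPAM grant for one user on one resource."""
    user: str
    resource: str
    approved_at: datetime
    duration: timedelta

    def active(self, at: datetime) -> bool:
        # Privileges lapse automatically once the approved duration has elapsed.
        return self.approved_at <= at < self.approved_at + self.duration


@dataclass(frozen=True)
class AccessProfile:
    name: str
    users: FrozenSet[str]
    resources: FrozenSet[str]
    hours: Optional[AccessHours] = None   # None: no schedule restriction


WEEKDAYS = frozenset(range(5))

# Constructed sample configuration: contractors see one desktop during
# business hours only; ops staff also see a production server.
PROFILES: List[AccessProfile] = [
    AccessProfile("contractors", frozenset({"alice"}), frozenset({"hr-desktop"}),
                  AccessHours(WEEKDAYS, time(9, 0), time(17, 0))),
    AccessProfile("ops", frozenset({"bob"}), frozenset({"hr-desktop", "prod-server"})),
]

# Resources that additionally require an active JIT grant (no standing access).
PRIVILEGED: FrozenSet[str] = frozenset({"prod-server"})

# Constructed sample grant: two hours of production access approved at 10:00.
SAMPLE_GRANT = JitGrant("bob", "prod-server", datetime(2024, 6, 4, 10, 0), timedelta(hours=2))


def decide(user: str, resource: str, at: datetime, grants: List[JitGrant],
           profiles: List[AccessProfile] = PROFILES) -> Tuple[bool, str]:
    """Deny by default: return (allowed, reason) for one access attempt."""
    matching = [p for p in profiles if user in p.users and resource in p.resources]
    if not matching:
        return False, "no Access Profile publishes this resource to the user"
    if not any(p.hours is None or p.hours.allows(at) for p in matching):
        return False, "outside the profile's access hours"
    if resource in PRIVILEGED and not any(
            g.user == user and g.resource == resource and g.active(at) for g in grants):
        return False, "privileged resource requires an active JIT grant"
    return True, "allowed"


def decide_iso(user: str, resource: str, iso_time: str, grants: List[JitGrant]) -> Tuple[bool, str]:
    """Convenience wrapper taking the timestamp as an ISO 8601 string."""
    return decide(user, resource, datetime.fromisoformat(iso_time), grants)


if __name__ == "__main__":
    for when in ("2024-06-04T11:30", "2024-06-04T12:00"):
        print(when, decide_iso("bob", "prod-server", when, [SAMPLE_GRANT]))
```

The window end is exclusive and the grant expiry is checked on every request rather than only at login, so a 17:00 request or a request one second after the grant lapses is refused even when the session was opened earlier.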

Micro-Segmentation

The practice of dividing the network into small, isolated segments down to the individual workload level, with granular security policies applied to each segment. This limits lateral movement in case of a breach.

Thinfinity Workspace Implementation

Each Virtualization Agent establishes a micro-perimeter around the designated remote resource it manages (e.g., a single server or a collection of virtual desktop infrastructure instances). When deploying Thinfinity Workspace in Agent mode, the Agent restricts network traffic exclusively to protocols and data pertinent to the Thinfinity Workspace session, permitting communication solely from the authorized Broker or Gateway. This configuration prevents exposure of the entire remote network segment, maintaining a minimal attack surface.

Gateway-Enforced Resource Isolation

Gateways act as intelligent proxies. They don't just route traffic; they apply context-aware policies. A user connecting through a Gateway to Resource A cannot bypass the Gateway to directly access Resource B, even if Resource B is on the same physical network segment.

No Direct Client-to-Resource Connectivity: Thinfinity Workspace inherently prevents direct client-to-resource connections. All traffic flows through the Gateway and then the Virtualization Agent, creating logical micro-segments around each published resource.

Internal WAF and IP Filtering

WAF for Published Web Apps/Websites: If your platform includes an internal WAF, it can inspect traffic to published intranet websites or web applications, providing an additional layer of security for that specific "segment" of your web applications.

IP Filtering/ACLs on Gateways and Agents: Configure the Gateways and Virtualization Agents to accept connections only from known and trusted internal IP ranges (for example, the Brokers or other trusted Gateway nodes). This prevents unauthorized network segments from even attempting to connect to these components. These filters are configured from the Protection tab of the Thinfinity Gateway Manager.
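The component-level allowlist described above is a deny-by-default source filter; the check below, and the review of a few connection records against it, is an added Python example written for this page, not Thinfinity Workspace code. The address ranges, the component name and the log line format are constructed for the example and do not represent product defaults.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed allowlist for a Virtualization Agent: only the Broker subnet and
# one trusted Gateway node may connect. Sample values, not product defaults.
AGENT_ALLOWED_SOURCES: List[Network] = [
    ipaddress.ip_network("10.10.1.0/24"),    # Broker subnet
    ipaddress.ip_network("10.10.2.10/32"),   # trusted Gateway node
]


def is_allowed_source(addr: str, allowed: Iterable[Network] = AGENT_ALLOWED_SOURCES) -> bool:
    """Deny by default: accept only addresses inside an allowed range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False   # unparsable source: never allow
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped    # ::ffff:10.10.1.5 is checked as 10.10.1.5
    return any(ip in net for net in allowed)


# Constructed connection-attempt records in a hypothetical log format.
SAMPLE_LOG = """\
2024-06-04T10:00:01Z component=agent-01 src=10.10.1.5 dst_port=8443
2024-06-04T10:00:07Z component=agent-01 src=192.168.50.7 dst_port=8443
2024-06-04T10:00:09Z component=agent-01 src=10.10.2.10 dst_port=8443
2024-06-04T10:00:12Z component=agent-01 src=10.10.2.11 dst_port=8443
2024-06-04T10:00:15Z component=agent-01 src=::ffff:10.10.1.9 dst_port=8443
2024-06-04T10:00:20Z component=agent-01 src=garbage dst_port=8443
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def evaluate_log(text: str) -> List[Tuple[str, bool]]:
    """Return (source, allowed) per record; records lacking a src field are skipped."""
    results = []
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        results.append((src, is_allowed_source(src)))
    return results


def rejected_sources(text: str) -> List[str]:
    """Sources a filter would have refused: the entries worth alerting on."""
    return [src for src, ok in evaluate_log(text) if not ok]


if __name__ == "__main__":
    for src, ok in evaluate_log(SAMPLE_LOG):
        print(f"{src:20} {'allow' if ok else 'DENY'}")
```

Note that a neighbouring address on the Gateway subnet (10.10.2.11) is refused because only the single node is listed; a host-specific /32 rather than the whole subnet is the tighter choice when the Gateway nodes are known.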

Network Segmentation for Components

Beyond the application level, the admins can physically or logically segment the Thinfinity Workspace components. They can place Gateways in a DMZ, Brokers in a separate trusted zone, and Virtualization Agents closer to the remote resources they serve, with strict firewall rules between these segments. For details, see Understanding Thinfinity Workspace Components.

Continuous Authentication

Authentication is not a one-time event at login. It's an ongoing process where user and device trustworthiness are continuously re-evaluated throughout a session based on various contextual factors.

Thinfinity Workspace Implementation

Session Re-authentication:

  • Configurable Session Timeouts: When a session expires, the user is forced to re-authenticate, verifying their identity at regular intervals.

  • Idle Timeouts: Automatically disconnect or lock sessions after periods of inactivity, requiring re-authentication to resume.

  • 2FA Enforcement:

    • 2FA on Every Login: Enforce 2FA for every login attempt, ensuring a higher level of initial trust.
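The session controls listed above (maximum session duration from the Session Duration Enforcement item earlier on this page, idle timeout, and 2FA on every login) fit one small state model: a session is active, idle (locked until re-authentication) or expired (a fresh login is required). The following Python is an added illustration for this page, not Thinfinity Workspace code; the policy values and the user names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class SessionPolicy:
    max_duration: timedelta     # absolute lifetime; re-authentication afterwards
    idle_timeout: timedelta     # inactivity limit; the session locks afterwards
    mfa_on_every_login: bool = True


@dataclass
class Session:
    user: str
    started_at: datetime
    last_activity: datetime


# Constructed sample policy (hypothetical values, not product defaults).
POLICY = SessionPolicy(max_duration=timedelta(hours=8), idle_timeout=timedelta(minutes=15))


def at(iso: str) -> datetime:
    """Helper so timelines can be written as ISO 8601 strings."""
    return datetime.fromisoformat(iso)


def login(user: str, now: datetime, policy: SessionPolicy = POLICY,
          mfa_verified: bool = False) -> Optional[Session]:
    """Open a session; None when 2FA is required on every login and was not completed."""
    if policy.mfa_on_every_login and not mfa_verified:
        return None
    return Session(user, now, now)


def session_state(session: Session, now: datetime, policy: SessionPolicy = POLICY) -> str:
    if now - session.started_at >= policy.max_duration:
        return "expired"    # hard limit: the user must log in again
    if now - session.last_activity >= policy.idle_timeout:
        return "idle"       # locked: re-authentication needed to resume
    return "active"


def activity(session: Session, now: datetime, policy: SessionPolicy = POLICY) -> str:
    """Record user activity; only an active session's idle clock is reset."""
    state = session_state(session, now, policy)
    if state == "active":
        session.last_activity = now
    return state


def resume(session: Session, now: datetime, mfa_verified: bool,
           policy: SessionPolicy = POLICY) -> Optional[Session]:
    """Resume an idle session after re-authentication; expired sessions cannot be resumed."""
    state = session_state(session, now, policy)
    if state == "active":
        return session
    if state == "idle" and mfa_verified:
        session.last_activity = now
        return session
    return None   # expired, or idle without re-authentication


if __name__ == "__main__":
    s = login("alice", at("2024-06-04T09:00"), mfa_verified=True)
    for t in ("2024-06-04T09:10", "2024-06-04T09:30", "2024-06-04T17:00"):
        print(t, activity(s, at(t)))
```

The important property is that an idle session never silently becomes active again: activity on a locked session returns "idle" without touching the idle clock, and only a resume with verified credentials clears the lock, while the absolute limit cannot be extended by either path.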

Behavioral Analytics (Analytics Module):

  • The Analytics module can be leveraged to monitor user behavior patterns (typical resources accessed, time of day, location, data transfer volumes).

PBAC (Policy-Based Access Control)

Access decisions are not based solely on identity but on a dynamic set of attributes (contextual information) about the user, device, resource, and environment, evaluated against defined policies.

Thinfinity Workspace Implementation

ABAC (Attribute-Based Access Control) Policy Specification:

User Attributes: Access permission is determined by attributes sourced from the IdP, including organizational department, role designation, and security clearance level.

Resource Attributes: Access policies are associated with resource-specific attributes such as classification sensitivity levels or resource type categories.

Environmental Attributes:

  • Source IP Filtering and ACLs (Access Control Lists): Resource access privileges are conditioned upon the user's originating IP address or geographical location.

  • Time-Based Access Restrictions: Access rights are constrained temporally, based on defined time intervals or days of the week, consistent with principles outlined in the PoLP (Principle of Least Privilege).

Policy Enforcement at the Network Gateway: The Gateway functions as the primary enforcement point for access control policies. On each access request, it performs real-time evaluation of relevant session attributes, such as user identity, authentication strength, device posture metrics (if available), source IP address, and request timestamp, against predefined policies, including Access Profiles, Role-Based Access Control (RBAC), and Remote Privilege Access Management (RPAM).

Dynamic Access Decisioning: Access authorization decisions—whether to grant or deny, and the scope of permitted actions—are generated dynamically per session. These decisions are made based on contextual attribute evaluation rather than static permission lists, supporting granular and adaptive access control.

Security Restrictions Embedded in Access Profiles: Security controls, as specified within Access Management configurations, align directly with Policy-Based Access Control (PBAC). These include fine-grained rules such as disabling clipboard functionality, preventing file transfers, or restricting printing capabilities, which are enforced based on the specific context encapsulated by each Access Profile. Different rules can be applied to individual resources even when accessed by the same user, ensuring contextual security enforcement.

Centralized Policy Administration: All access control policies—including Access Profiles, RBAC mappings, RPAM rules, security restrictions, and IP filtering configurations—are managed via a centralized configuration interface, the Thinfinity Workspace Configuration Manager. This centralized management promotes policy consistency, facilitates streamlined auditing processes, and simplifies policy updates.
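The attribute-based evaluation described in this section (user, resource and environmental attributes checked at the Gateway, with per-resource security restrictions such as disabled clipboard or file transfer) can be shown end to end with a small policy evaluator. The Python below is an added example for this page, not Thinfinity Workspace's policy engine or configuration format; the attribute names, the clearance ordering, the policies and the sample users and resources are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

Attrs = Dict[str, str]

# Constructed ordering used to compare user clearance with resource classification.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Policy:
    name: str
    # Condition over (user, resource, environment) attributes.
    applies: Callable[[Attrs, Attrs, Attrs], bool]
    # Session controls enforced whenever this policy grants access.
    restrictions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    restrictions: FrozenSet[str] = frozenset()


# Constructed policy set (hypothetical; not the product's own policy language).
POLICIES: List[Policy] = [
    # Finance staff reach their departmental desktop with no extra restrictions.
    Policy("finance-desktop",
           lambda u, r, e: r["name"] == "finance-desktop" and u["department"] == "finance"),
    # The payroll web app requires MFA and a corporate network; clipboard, file
    # transfer and printing are disabled for that resource only.
    Policy("payroll-app",
           lambda u, r, e: (r["name"] == "payroll-app" and u["department"] == "finance"
                            and e["auth_strength"] == "mfa" and e["network"] == "corporate"),
           restrictions=frozenset({"clipboard", "file_transfer", "printing"})),
]


def evaluate(user: Attrs, resource: Attrs, env: Attrs,
             policies: List[Policy] = POLICIES) -> Decision:
    """Gateway-style decision: deny by default, then union the restrictions of every matching policy."""
    # Resource attribute guard: classification must not exceed the user's clearance.
    if LEVEL[user.get("clearance", "public")] < LEVEL[resource.get("classification", "public")]:
        return Decision(False, "clearance below resource classification")
    matched = [p for p in policies if p.applies(user, resource, env)]
    if not matched:
        return Decision(False, "no policy grants access in this context")
    restrictions = frozenset().union(*(p.restrictions for p in matched))
    return Decision(True, "granted by " + ", ".join(p.name for p in matched), restrictions)


# Constructed sample attributes (IdP-sourced user data, resource metadata, request context).
ALICE: Attrs = {"name": "alice", "department": "finance", "role": "analyst", "clearance": "confidential"}
CAROL: Attrs = {"name": "carol", "department": "finance", "role": "intern", "clearance": "internal"}
FINANCE_DESKTOP: Attrs = {"name": "finance-desktop", "type": "desktop", "classification": "internal"}
PAYROLL_APP: Attrs = {"name": "payroll-app", "type": "web", "classification": "confidential"}
CORP_MFA: Attrs = {"auth_strength": "mfa", "network": "corporate", "source_ip": "10.10.5.20"}
REMOTE_PASSWORD: Attrs = {"auth_strength": "password", "network": "internet", "source_ip": "203.0.113.8"}


if __name__ == "__main__":
    for who, what, ctx in ((ALICE, FINANCE_DESKTOP, CORP_MFA), (ALICE, PAYROLL_APP, CORP_MFA),
                           (ALICE, PAYROLL_APP, REMOTE_PASSWORD), (CAROL, PAYROLL_APP, CORP_MFA)):
        print(who["name"], what["name"], ctx["network"], evaluate(who, what, ctx))
```

The same user obtains different outcomes per resource and per context: the desktop session carries no restrictions, the payroll application is reachable only with MFA from the corporate network and then with clipboard, file transfer and printing disabled, and a user whose clearance is below the resource classification is refused before any policy is consulted.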
