Thinfinity® Workspace ZTNA Architecture: A Comprehensive Analysis

Thinfinity Workspace employs an advanced ZTNA (Zero Trust Network Access) architecture to provide secure, efficient, and user-friendly remote access to resources. The architecture involves several key components: a Gateway, a Primary Broker, Secondary Brokers, and a Virtualization Server. Let's delve into these components and explore how they align with the key principles of ZTNA, including least privilege access, micro-segmentation, continuous authentication, and policy-based access control.

Key Components of Thinfinity's ZTNA Architecture


Thinfinity Reverse Gateway

The Thinfinity Gateway serves as the initial point of contact for users accessing the Thinfinity Workspace. It operates as a reverse gateway, establishing a secure connection with the user's browser. Positioned in the DMZ or a public cloud, it is the only component that needs to be exposed to the internet, and it requires only inbound port 443 to be opened.

Primary Broker

The Primary Broker serves as the central controller within the Thinfinity Workspace architecture. It is responsible for serving the Thinfinity landing page to the user. Upon user login, the Primary Broker validates the user credentials against an Identity Provider (IdP) or incorporates multi-factor authentication (MFA) methods. It further enforces role-based permissions to ensure that users access only the resources they are authorized to use.

Secondary Brokers

Secondary Brokers take the Thinfinity architecture to a higher level by offloading the Virtualization Server process to target networks where the final connections are established. Each Secondary Broker can be deployed in different networks, such as a data center or public cloud, allowing for multiple resources across various networks and locations to be made available within the same Thinfinity Workspace.

Virtualization Server

The Virtualization Server process, running on the Secondary Brokers, is a critical part of the Thinfinity Workspace. It is responsible for establishing the connection between the final host and the Gateway.

Thinfinity ZTNA Architecture Diagram

[Diagram: Thinfinity ZTNA architecture (image not reproduced in this text version)]

Thinfinity's ZTNA Principles in Practice

Thinfinity Workspace's architecture is built around the principles of ZTNA, emphasizing secure, least privilege access and providing dynamic, policy-based controls.

Principle of Least Privilege Access

Thinfinity's ZTNA architecture embodies the principle of least privilege access. The Primary Broker enforces role-based permissions, ensuring users are granted only the necessary access rights to carry out their tasks. This strategy minimizes the risk of unauthorized access to sensitive information and mitigates potential damage from security breaches.

Micro-Segmentation

Micro-segmentation is a crucial aspect of ZTNA that Thinfinity's architecture embraces. By offloading the Virtualization Server process to Secondary Brokers located in different networks, Thinfinity effectively divides the network into smaller, isolated sections. This division reduces the risk of widespread network compromise, impeding the lateral movement of threats and enhancing overall security.

Continuous Authentication

Thinfinity's ZTNA architecture emphasizes continuous authentication. The Primary Broker continually validates user credentials and monitors the access session for any suspicious activity. If an issue arises, it can immediately revoke access, providing sustained, real-time protection.

Policy-Based Access Control

Finally, Thinfinity's architecture embodies the ZTNA principle of policy-based access control. The Primary Broker leverages dynamic policies informed by user roles, device attributes, and other contextual details to manage access privileges. This approach ensures a flexible and adaptive security posture, granting the right level of access at the right time.

Workflow of Thinfinity's ZTNA Architecture

With the key components and principles in place, the Thinfinity Workspace ZTNA architecture operates as follows:
  1. The user opens an HTML5 browser and accesses the Thinfinity Workspace, requiring no client-side installation.
  2. The user's connection request is directed to the Thinfinity Gateway, which securely manages connections through outbound ports and a cloud tunnel.
  3. The connection request proceeds to the Primary Broker, which validates user credentials and enforces role-based permissions.
  4. Once validated, the Primary Broker selects the appropriate Secondary Broker within the target network. This Secondary Broker then takes over, transferring the Virtualization Server process to its network.
  5. The Secondary Broker establishes reverse connections to the Gateway and initiates connections to desktops or applications located on different machines within its respective network. These connections use IP addresses and the selected protocol over SSL.
  6. The user is granted access to applications and desktops hosted across multiple machines and networks. They can then launch a remote desktop or application seamlessly.
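To make the policy-based decision in steps 3 and 4 concrete, here is an added toy model of what a Primary Broker does before handing a session to a Secondary Broker. This is illustration code written for this article, not Thinfinity's own implementation: the resource inventory, role names, device-posture attribute, and broker map are all constructed assumptions, and the real product's policy engine is not described at this level of detail on the page.

```python
"""Toy model of a Primary Broker access decision (added example, not Thinfinity code).

It combines the ZTNA principles described above: continuous authentication
(a revoked session is denied immediately), least privilege (a user only sees
resources their roles permit), policy-based control (MFA and device posture
are part of the decision), and micro-segmentation (each resource is reached
only through the Secondary Broker deployed in its own network).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: each resource, the network it lives in, and the roles
# allowed to reach it. Anything not listed here is denied by default.
RESOURCES = {
    "hr-desktop":   {"network": "datacenter-a", "roles": {"hr"}},
    "erp-app":      {"network": "cloud-b",      "roles": {"finance", "hr"}},
    "build-server": {"network": "datacenter-a", "roles": {"engineering"}},
}

# Constructed map of Secondary Brokers to the network each one is deployed in.
SECONDARY_BROKERS = {
    "broker-dc-a":    "datacenter-a",
    "broker-cloud-b": "cloud-b",
}


@dataclass
class Session:
    """State the broker tracks for one logged-in user (assumed fields)."""
    user: str
    roles: set
    mfa_passed: bool
    device_managed: bool   # hypothetical device-posture attribute
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    broker: Optional[str] = None   # Secondary Broker chosen for the connection


def select_secondary_broker(network: str) -> Optional[str]:
    """Pick the Secondary Broker deployed in the resource's network."""
    for name, net in SECONDARY_BROKERS.items():
        if net == network:
            return name
    return None


def authorize(session: Session, resource: str) -> Decision:
    """Evaluate the access policy for one resource request, deny by default."""
    if session.revoked:
        return Decision(False, "session revoked")
    if not session.mfa_passed:
        return Decision(False, "MFA required")
    if not session.device_managed:
        return Decision(False, "unmanaged device")
    res = RESOURCES.get(resource)
    if res is None:
        return Decision(False, "unknown resource")
    if not (session.roles & res["roles"]):
        return Decision(False, "role not permitted")
    broker = select_secondary_broker(res["network"])
    if broker is None:
        return Decision(False, "no broker for network")
    return Decision(True, "ok", broker)


def visible_resources(session: Session) -> list:
    """What the landing page should list: only what the policy would allow."""
    return sorted(r for r in RESOURCES if authorize(session, r).allowed)


def revoke(session: Session, reason: str) -> dict:
    """Continuous authentication hook: cut access and return an audit record."""
    session.revoked = True
    return {"user": session.user, "event": "revoked", "reason": reason}


if __name__ == "__main__":
    alice = Session("alice", {"hr"}, mfa_passed=True, device_managed=True)
    print(visible_resources(alice))            # only hr-reachable resources
    print(authorize(alice, "erp-app"))         # routed via broker-cloud-b
    print(authorize(alice, "build-server"))    # denied: role not permitted
    print(revoke(alice, "suspicious activity"))
    print(authorize(alice, "hr-desktop"))      # denied: session revoked
```

The ordering of checks matters: session validity and authentication factors are evaluated before any resource lookup, so a revoked or unauthenticated session learns nothing about which resources exist, and the broker selection step is the only place where a resource's network is resolved.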

Conclusion

Thinfinity Workspace's advanced ZTNA architecture promotes security, flexibility, and efficient resource allocation. By fulfilling the key ZTNA principles of least privilege access, micro-segmentation, continuous authentication, and policy-based access control, Thinfinity provides a secure, efficient, and user-friendly solution for remote access. Its distinct architecture components and workflow ensure a seamless user experience, regardless of the location and nature of the resources.
