Thinfinity Workspace employs an advanced ZTNA (Zero Trust Network Access) architecture to provide secure, efficient, and user-friendly remote access to resources. The architecture involves several key components: a Gateway, a Primary Broker, Secondary Brokers, and a Virtualization Server. Let's delve into these components and explore how they align with the key principles of ZTNA, including least privilege access, micro-segmentation, continuous authentication, and policy-based access control.
Key Components of Thinfinity's ZTNA Architecture
Thinfinity Reverse Gateway
Thinfinity Gateway serves as the initial point of contact for users accessing the Thinfinity Workspace. It operates as a reverse gateway, establishing a secure connection with the user's browser. Positioned in the DMZ or a public cloud, it's the only component that needs to be exposed to the internet, requiring only port 443 to be opened as an inbound connection.
Primary Broker
The Primary Broker serves as the central controller within the Thinfinity Workspace architecture. It is responsible for serving the Thinfinity landing page to the user. Upon user login, the Primary Broker validates the user credentials against an Identity Provider (IdP) or incorporates multi-factor authentication (MFA) methods. It further enforces role-based permissions to ensure that users access only the resources they are authorized to use.
Secondary Brokers
Secondary Brokers take the Thinfinity architecture to a higher level by offloading the Virtualization Server process to target networks where the final connections are established. Each Secondary Broker can be deployed in different networks, such as a data center or public cloud, allowing for multiple resources across various networks and locations to be made available within the same Thinfinity Workspace.
Virtualization Server
The Virtualization Server process, which runs on the Secondary Brokers, is a critical part of the Thinfinity Workspace. It is responsible for establishing the connection between the final host and the Gateway.
Thinfinity ZTNA Architecture Diagram
Thinfinity's ZTNA Principles in Practice
Thinfinity Workspace's architecture is built around the principles of ZTNA, emphasizing secure, least privilege access and providing dynamic, policy-based controls.
Principle of Least Privilege Access
Thinfinity's ZTNA architecture embodies the principle of least privilege access. The Primary Broker enforces role-based permissions, ensuring users are granted only the necessary access rights to carry out their tasks. This strategy minimizes the risk of unauthorized access to sensitive information and mitigates potential damage from security breaches.
Micro-Segmentation
Micro-segmentation is a crucial aspect of ZTNA that Thinfinity's architecture embraces. By offloading the Virtualization Server process to Secondary Brokers located in different networks, Thinfinity effectively divides the network into smaller, isolated sections. This division reduces the risk of widespread network compromise, impeding the lateral movement of threats and enhancing overall security.
Continuous Authentication
Thinfinity's ZTNA architecture emphasizes continuous authentication. The Primary Broker continually validates user credentials and monitors the access session for any suspicious activity. If an issue arises, it can immediately revoke access, providing sustained, real-time protection.
Policy-Based Access Control
Finally, Thinfinity's architecture embodies the ZTNA principle of policy-based access control. The Primary Broker leverages dynamic policies informed by user roles, device attributes, and other contextual details to manage access privileges. This approach ensures a flexible and adaptive security posture, granting the right level of access at the right time.
Workflow of Thinfinity's ZTNA Architecture
With the key components and principles in place, the Thinfinity Workspace ZTNA architecture operates as follows:
- The user opens an HTML5 browser and accesses the Thinfinity Workspace, requiring no client-side installation.
- The user's connection request is directed to the Thinfinity Gateway, which securely manages connections through outbound ports and a cloud tunnel.
- The connection request proceeds to the Primary Broker, which validates user credentials and enforces role-based permissions.
- Once validated, the Primary Broker selects the appropriate Secondary Broker within the target network. This Secondary Broker then takes over, transferring the Virtualization Server process to its network.
- The Secondary Broker establishes reverse connections to the Gateway and initiates connections to desktops or applications located on different machines within its respective network. These connections use IP addresses and the selected protocol over SSL.
- The user is granted access to applications and desktops hosted across multiple machines and networks. They can then launch a remote desktop or application seamlessly.
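A toy model of the Primary Broker's decision flow from the workflow above: the role check, MFA and device attributes as policy inputs, selection of the Secondary Broker for the resource's target network, and denial once a session has been revoked. This is an added example, not Thinfinity's code; the resource inventory, role names, network names, broker names and policy fields are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    network: str              # constructed: network whose Secondary Broker hosts it
    allowed_roles: frozenset  # roles permitted to reach this resource
    require_mfa: bool = False

@dataclass
class Session:
    user: str
    roles: frozenset
    mfa_passed: bool
    device_managed: bool      # constructed device attribute used as policy input
    revoked: bool = False     # set by continuous-authentication monitoring

# Constructed inventory: one Secondary Broker per target network.
SECONDARY_BROKERS = {"dc-east": "broker-dc-east", "cloud-west": "broker-cloud-west"}

# Constructed resources, each tagged with the network that hosts it.
RESOURCES = {
    "hr-desktop": Resource("hr-desktop", "dc-east", frozenset({"hr"}), require_mfa=True),
    "dev-vdi": Resource("dev-vdi", "cloud-west", frozenset({"dev", "admin"})),
}

def visible_resources(session):
    """Landing page view: list only resources the user's roles permit."""
    return sorted(n for n, r in RESOURCES.items() if session.roles & r.allowed_roles)

def authorize(session, resource_name):
    """Default-deny policy decision. Returns (allowed, reason, secondary_broker)."""
    if session.revoked:
        return False, "session revoked", None
    res = RESOURCES.get(resource_name)
    if res is None:
        return False, "unknown resource", None
    if not (session.roles & res.allowed_roles):
        return False, "role not permitted", None
    if res.require_mfa and not session.mfa_passed:
        return False, "MFA required", None
    if not session.device_managed:
        return False, "unmanaged device", None
    # Route the launch to the Secondary Broker in the resource's network.
    return True, "ok", SECONDARY_BROKERS[res.network]

def revoke(session):
    """Continuous authentication hook: later authorize() calls deny."""
    session.revoked = True
```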
Conclusion
Thinfinity Workspace's advanced ZTNA architecture promotes security, flexibility, and efficient resource allocation. By fulfilling the key ZTNA principles of least privilege access, micro-segmentation, continuous authentication, and policy-based access control, Thinfinity provides a secure, efficient, and user-friendly solution for remote access. Its distinct architecture components and workflow ensure a seamless user experience, regardless of the location and nature of the resources.