Zero Trust Security in practice
In this article, we will learn about partner ecosystems and how to implement zero trust security in practice.
I want to add a quick story. At an event, a teenage girl came up with many questions. “How can we remember the usernames and passwords for all social media sites? It’s good that these days we have all these Google and Facebook authentications, which help us by signing in to different accounts.”
How does this integration take place, and how is security maintained?
Over the years, the login process has changed. It now needs additional authorization and authentication. Even resetting a password is not a one-step process.
What is MuleSoft?
MuleSoft is a middleware integration tool. It provides a lot of capabilities and components when it comes to integration. You can manage the entire API lifecycle, from API design, development, and management through to security policies, under one roof.
You don’t have to rely on different products for monitoring or logging; you get everything in one place.
It’s not just an ETL tool or an iPaaS service; it has a lot more to offer regarding integration.
Enabling Application Network
Consider that you have a complex application network or organization structure, wherein many different end systems connect to your application. These systems could be internal or external to your organization, and they are interconnected. There could be reusable components and non-reusable components. In this complex structure, you’re exchanging data and metadata.
When you have such a complex structure with a lot of data exchange, how do you manage the security of such an architecture? This is where zero trust security comes into the picture.
Zero Trust Security
This is a concept based on zero trust: do not trust anyone. It means you assume every vulnerability is present and trust no one by default, including me. Each and every entity, and each and every API call, whether request or response, will be verified at each and every level. So, even if I’ve been an employee of an organization for over a decade, I still have to verify every time I log in. I have to prove my identity. That is the whole concept, the soul, of zero trust security: trust no one and always verify. So, we provide role-based access based on requirements. We will also have full inspection and control over data flows among the different systems.
Lastly, we will have a centralized management system. It will be an identity management system or a dedicated security group that takes care of all security-related matters and inspects and monitors all activities across the organization’s network.
The need for Zero Trust Security
- Control exchange of data and metadata between all assets
- Authentication and authorization of all entities
- Security at the application level and the entire network level
- Eliminate VPN
- Cutting-edge security
- Protecting the entire ecosystem against advanced threats and malware attacks
Implementing Zero Trust Security with MuleSoft
We have a layered security approach. You can either have security at the peripheral level across the application network, or you can have it at a particular node, at the application level. Suppose an application tries to connect with systems like Facebook or NetSuite. You can apply security at the individual application level to keep track of incoming and outgoing requests, or to monitor the number of requests or malicious attempts.
A basic endpoint or a proxy endpoint will receive a request. Then there is API Manager, the MuleSoft API governance platform. It is responsible for managing all the security policies, managing all the applications, and governing all the API security. The third component is the API gateway in front of the backend API. The API gateway is like the gatekeeper of your premises: this is where you get authenticated and are authorized access based on your role.
We perform authentication and authorization every time a request is sent to the basic endpoint. The request is forwarded to the backend API only if authentication and authorization succeed. If validation, authentication, or authorization fails at the API gateway level, the gateway rejects or denies the request. That is how it protects our backend applications and backend systems. So this is a very simple topology, which is quite easy to implement.
You can use basic authentication, which could be a simple LDAP or JWT policy. Then you have different OAuth providers, which can be an identity management system responsible for managing your tokens and generating new tokens. You can have an IP denylist or allowlist, which blocks or allows IPs based on your preferences.
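To make the gateway topology concrete, here is an added example (not MuleSoft code, and not from the original article) of the policy chain a gateway applies before anything reaches the backend: an IP allowlist check, JWT signature and expiry validation, then role-based authorization per route. The shared secret, CIDR ranges, routes, and roles are constructed values for the demo; in a real deployment the token would come from the OAuth provider or identity management system and the policies from API Manager.

```python
import base64, hmac, hashlib, json, ipaddress, time

# Constructed demo values: the HS256 secret shared with the identity provider,
# the IP allowlist, and which roles may reach which backend route.
GATEWAY_SECRET = b"example-shared-secret-change-me"
ALLOWED_CIDRS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
ROLE_FOR_ROUTE = {"/orders": {"admin", "sales"}, "/payroll": {"admin"}}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, secret=GATEWAY_SECRET):
    """Demo stand-in for the identity provider: issue an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token, secret=GATEWAY_SECRET, now=None):
    """JWT policy: return the claims only if alg, signature and expiry all check out."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm substitution
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims

def gateway_decision(client_ip, route, token, now=None):
    """Run the policy chain; only a 'forward' verdict lets the request reach the backend."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWED_CIDRS):
        return ("deny", "ip not in allowlist")          # IP allowlist policy
    claims = verify_jwt(token, now=now)
    if claims is None:
        return ("deny", "invalid or expired token")     # authentication failed
    if not set(claims.get("roles", [])) & ROLE_FOR_ROUTE.get(route, set()):
        return ("deny", "role not permitted for route") # authorization failed
    return ("forward", claims.get("sub"))
```

Every request goes through the whole chain, including one from a long-standing employee; nothing is trusted on the basis of who the caller has been before.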
You can choose to have security at the application or network level.
It is easy to set up security using MuleSoft. Apart from this, if you have custom policies or requirements, you can build a security policy from scratch and apply it to your application network. In addition, there is tokenization, which is similar to encryption and decryption.