A Ziti Network's security setup is defined by several entities defined in the Edge Management API. The following are related to identity authentication and service access:
- Identities - describe a human, device, or service within Ziti Edge
- Authenticators - describes the credentials of an authentication method associated with an Identity
- Enrollments - describes a set of criteria necessary to create a new Identity and associated Authenticator
- Authentication Policy - describes the methods available for Identity authentication
- 3rd Party CAs - allows external x509 PKIs to be used for authentication
- External JWT Signers - allows external JWT signers to be used for authentication
- API Session - a security context represented by a security token (JWT, secret, etc) that represents Identity authentication
- Session - a security context represented by a security token (JWT, secret, etc) that represents access to a Service
- Service Policy - describes which Identities have access to which Services and the Posture Checks that are required to pass for access
- Edge Router Policies - describes which Identities have access to which Edge Routers
- Posture Checks - describes additional environmental state that an Identity must have in order to obtain and maintain service access
- Posture Queries - describes a request for environmental information from a client
- Posture Responses - a response to a Posture Query provided by a client
- Posture Data - the current environmental state provided via Posture Responses and known information
- Authentication Queries - additional, secondary, authentication factors required after initial, primary, authentication
There is an additional policy type for Edge Routers:
- Service Edge Router Policies - determines which services can be accessed over which routers
Authentication & Authorization High Level Flow
The following is a high level overview of how these entities interact. Each interaction is further detailed in their own separate section.
- a client enrolls
- A client may enroll via a pre-shared secret defined as an Enrollment or other verifiable documents (JWTs, x509 Certs/CAs)
- an Identity is created with associated Authenticators and Authentication Policies
- authentication: a client Identity attempts to authenticate
- the authentication credentials are verified against the Authenticators, 3rd Party CAs, External JWT Signers, and/or Authentication Policy associated with the principal
- secondary factors defined by the Authentication Policy are reported to the client (MFA TOTP, JWT) as Authentication Queries
- the client provides secondary factors
- the client receives an API Session security token without unanswered Authentication Queries
- authorization: a client may list Services which will be either grant
dial(client connect) or
- the Service Policies provide a filtered list of all services for the specific client issuing the request
- the Service Policies are also used to evaluate the Posture Checks associated with a Service Policy
- the Posture Checks are converted to Posture Queries with type, pass/fail state, and criteria information
- The Services and Posture Queries are returned to the client
- (Continuous) the client submits any Posture Responses to Posture Queries as necessary
- authorization: the client requests a Session for a specific Service
- (Continuous) the Service Policies are consulted for access additionally re-evaluating Posture Checks against the current know Posture Data
- the list of Service Edge Router Policies and Edge Router Policies are consulted to provide a valid list Edge Routers the Session security token may be used on
- a Session security token and Edge Router list is provided to the client
- the client attempts to connect to a target Edge Router with an API Session security token
- the target Edge Router evaluates the credential
- the client requests a Service connection with their Session security token
- the connection request is verified through Service Edge Router Policies
- the Edge Router coordinates the service connection
High Level Concepts
Below are the major areas of Ziti Edge's security model with a minimal description of what each area covers. The link(s) in each section will lead to a more detailed explanation of the relevant topics.
Ziti Edge defines a top level entity called an Identity. An Identity is a security principal that can bind (host) or dial (connect) to services over a Ziti Network. Read more in the Identity section.
Enrollment is a client initiated process where the result is the creation of an Identity that has some manner of authenticating. Enrollments may be automated through 3rd Party Cas and External JWT Signers or may be completed through pre-provisioning. Read more in the Enrollment section.
Authentication is the process of a client proving their identity through the submission of one primary credential and zero or more secondary credentials that are prompted by Authentication Queries. Authentication methods can be configured through 3rd Party Cas, External JWT Signers, and Authentication Policies. Read more in the Authentication section.
Authorization in Ziti is configured for Identities and Edge Routers. Edge Router authorization only covers which services can be used over an Edge Router via Service Edge Router Policies. Identity authorization is covered by Service Policies and Edge Router Policies.
All policies in Ziti are represented by a robust attribute based access control system (ABAC) based on
properties on entities within the Edge Management API.
roleAttributes properties are an array of user defined strings.
Policies support attribute selector properties to determine which entities a policy interacts on. Policies themselves
are documented in Policies section.
Additionally, Service Policies can require additional environmental states to be satisfied by Posture Checks. Posture Checks analyze Posture Data. Posture Data is a collection of server side information and data harvested from Posture Responses sent by client endpoints in response to Posture Queries. More can be found in the Posture Check section.
Read more in the Authorizationsection.