Skill v1.0.1
currentAutomated scan100/100+3 new
name: implementing-zero-trust-network-access description: 'Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style architectures across AWS, Azure, and GCP.
' domain: cybersecurity subdomain: cloud-security tags:
- cloud-security
- zero-trust
- ztna
- beyondcorp
- identity-aware-proxy
- micro-segmentation
version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1530
- T1537
- T1580
Implementing Zero Trust Network Access
When to Use
- When replacing traditional VPN-based remote access with identity-based access controls
- When implementing micro-segmentation to limit lateral movement within cloud networks
- When compliance or security strategy requires zero trust architecture adoption
- When providing secure access to cloud workloads without exposing them to the public internet
- When building context-aware access policies based on user identity, device health, and location
Do not use as a complete replacement for network security controls (ZTNA complements but does not replace firewalls and network ACLs), for protecting internet-facing public applications (use WAF), or for IoT device access where identity-based authentication is not feasible.
Prerequisites
- Identity provider (Entra ID, Okta, Google Workspace) with MFA enforcement
- Cloud-native networking capabilities (AWS PrivateLink, Azure Private Link, GCP IAP)
- Device management solution (Intune, Jamf, CrowdStrike) for device posture assessment
- Service mesh or zero trust proxy (Cloudflare Access, Zscaler ZPA, or cloud-native IAP)
- Centralized logging for access decisions and policy enforcement
Workflow
Step 1: Deploy GCP Identity-Aware Proxy (IAP) for Application Access
Configure IAP to provide authenticated access to web applications without VPN.
# Enable IAP APIgcloud services enable iap.googleapis.com# Configure OAuth consent screengcloud iap oauth-brands create \--application_title="Corporate Apps" \--support_email=security@company.com# Enable IAP on an App Engine applicationgcloud iap web enable \--resource-type=app-engine \--oauth2-client-id=CLIENT_ID \--oauth2-client-secret=CLIENT_SECRET# Enable IAP on a backend service (GCE/GKE)gcloud compute backend-services update BACKEND_SERVICE \--iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \--global# Set IAP access policy (who can access)gcloud iap web add-iam-policy-binding \--resource-type=app-engine \--member="group:engineering@company.com" \--role="roles/iap.httpsResourceAccessor"# Configure access levels based on device and contextgcloud access-context-manager levels create corporate-device \--title="Corporate Managed Device" \--basic-level-spec=level-spec.yaml \--policy=POLICY_ID
Step 2: Implement AWS Verified Access for Zero Trust
Deploy AWS Verified Access to provide identity-based access to internal applications.
# Create a Verified Access trust provider (OIDC)aws ec2 create-verified-access-trust-provider \--trust-provider-type user \--user-trust-provider-type oidc \--oidc-options '{"Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0","AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize","TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token","UserInfoEndpoint": "https://graph.microsoft.com/oidc/userinfo","ClientId": "CLIENT_ID","ClientSecret": "CLIENT_SECRET","Scope": "openid profile email"}'# Create a Verified Access instanceaws ec2 create-verified-access-instance \--description "Zero Trust Access Instance"# Attach trust provider to instanceaws ec2 attach-verified-access-trust-provider \--verified-access-instance-id vai-INSTANCE_ID \--verified-access-trust-provider-id vatp-PROVIDER_ID# Create a Verified Access group with policyaws ec2 create-verified-access-group \--verified-access-instance-id vai-INSTANCE_ID \--policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": "*","Action": "verified-access:AllowAccess","Condition": {"StringEquals": {"verified-access:user/groups": "engineering"}}}]}'# Create endpoint for an internal applicationaws ec2 create-verified-access-endpoint \--verified-access-group-id vag-GROUP_ID \--endpoint-type load-balancer \--attachment-type vpc \--domain-certificate-arn arn:aws:acm:REGION:ACCOUNT:certificate/CERT_ID \--application-domain app.internal.company.com \--endpoint-domain-prefix app \--load-balancer-options '{"LoadBalancerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/internal-app/xxx","Port": 443,"Protocol": "https","SubnetIds": ["subnet-xxx"]}'
Step 3: Configure Azure Private Link and Conditional Access
Set up Azure Private Link for network isolation and conditional access for identity-based controls.
# Create Private Endpoint for an Azure serviceaz network private-endpoint create \--name app-private-endpoint \--resource-group production-rg \--vnet-name production-vnet \--subnet private-endpoint-subnet \--private-connection-resource-id /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Web/sites/internal-app \--group-ids sites \--connection-name app-connection# Configure private DNS zone for the serviceaz network private-dns zone create \--resource-group production-rg \--name privatelink.azurewebsites.netaz network private-dns link vnet create \--resource-group production-rg \--zone-name privatelink.azurewebsites.net \--name production-link \--virtual-network production-vnet \--registration-enabled false
# Create Conditional Access policy requiring compliant device + MFAConnect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"$params = @{DisplayName = "Zero Trust - Require MFA and Compliant Device"State = "enabled"Conditions = @{Applications = @{IncludeApplications = @("All")}Users = @{IncludeUsers = @("All")ExcludeGroups = @("BreakGlass-Group-ID")}Locations = @{IncludeLocations = @("All")ExcludeLocations = @("AllTrusted")}}GrantControls = @{Operator = "AND"BuiltInControls = @("mfa", "compliantDevice")}SessionControls = @{SignInFrequency = @{Value = 4Type = "hours"IsEnabled = $true}}}New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Step 4: Implement Micro-Segmentation with Network Policies
Deploy network-level micro-segmentation to complement identity-based access controls.
# AWS: Create security groups for micro-segmentationaws ec2 create-security-group \--group-name web-tier-sg \--description "Web tier - only HTTPS from ALB" \--vpc-id vpc-PRODaws ec2 authorize-security-group-ingress \--group-id sg-WEB \--protocol tcp --port 443 \--source-group sg-ALBaws ec2 create-security-group \--group-name app-tier-sg \--description "App tier - only from web tier"aws ec2 authorize-security-group-ingress \--group-id sg-APP \--protocol tcp --port 8080 \--source-group sg-WEB# Kubernetes NetworkPolicy for pod-level segmentationcat << 'EOF' | kubectl apply -f -apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:name: api-allow-web-onlynamespace: productionspec:podSelector:matchLabels:app: api-serverpolicyTypes:- Ingressingress:- from:- podSelector:matchLabels:app: web-frontendports:- protocol: TCPport: 8080EOF
Step 5: Enable Continuous Verification and Logging
Implement continuous trust verification rather than one-time authentication.
# Configure CloudWatch to monitor access decisionsaws logs create-log-group --log-group-name /verified-access/access-logs# Enable Verified Access loggingaws ec2 modify-verified-access-instance-logging-configuration \--verified-access-instance-id vai-INSTANCE_ID \--access-logs '{"CloudWatchLogs": {"Enabled": true,"LogGroup": "/verified-access/access-logs"}}'# Query access logs for denied requestsaws logs start-query \--log-group-name /verified-access/access-logs \--start-time $(date -d "24 hours ago" +%s) \--end-time $(date +%s) \--query-string 'fields @timestamp, identity.user, http_request.url, decision| filter decision = "deny"| sort @timestamp desc| limit 50'
Key Concepts
| Term | Definition | |
|---|---|---|
| Zero Trust | Security model that requires strict identity verification for every person and device accessing resources, regardless of network location | |
| ZTNA | Zero Trust Network Access, the technology that implements zero trust principles by providing identity-aware, context-based access to applications | |
| Identity-Aware Proxy | Proxy service that verifies user identity and device context before allowing access to backend applications, replacing VPN-based access | |
| Micro-Segmentation | Network security technique that creates fine-grained security zones around individual workloads or applications to limit lateral movement | |
| BeyondCorp | Google's implementation of zero trust architecture that shifts access controls from the network perimeter to individual users and devices | |
| Continuous Verification | Ongoing assessment of user identity, device health, and access context throughout a session rather than only at authentication time |
Tools & Systems
- GCP Identity-Aware Proxy: Google's BeyondCorp implementation providing context-aware access to web applications and VMs
- AWS Verified Access: AWS service for zero trust access to applications based on identity and device posture verification
- Azure Conditional Access: Microsoft's policy engine for enforcing context-based access controls based on user, device, location, and risk
- Cloudflare Access: Cloud-delivered ZTNA solution providing identity-aware access to internal applications
- Zscaler ZPA: Enterprise ZTNA platform replacing VPN with application-level access based on identity and context
Common Scenarios
Scenario: Replacing Corporate VPN with Zero Trust Access for Cloud Applications
Context: An organization with 2,000 employees accesses 30+ internal cloud applications through a traditional VPN concentrator. VPN performance issues and security concerns drive the decision to implement ZTNA.
Approach:
- Inventory all applications currently accessed through VPN and classify by sensitivity
- Deploy GCP IAP or AWS Verified Access for web-based internal applications
- Configure conditional access policies requiring MFA and device compliance for all applications
- Implement micro-segmentation using security groups to limit lateral movement between application tiers
- Set up continuous verification with re-authentication every 4 hours for sensitive applications
- Migrate users in phases, starting with low-risk applications, monitoring access logs for issues
- Decommission VPN after all applications are accessible through ZTNA with full logging
Pitfalls: Not all applications support identity-aware proxy integration. Legacy thick-client applications may require agent-based ZTNA solutions instead of proxy-based approaches. Device posture assessment requires an endpoint management solution deployed to all corporate devices. Break-glass access procedures must be documented for scenarios where the identity provider is unavailable.
Output Format
Zero Trust Network Access Implementation Report==================================================Organization: Acme CorpImplementation Date: 2026-02-23Applications Migrated: 24 / 30ZTNA ARCHITECTURE:Identity Provider: Microsoft Entra IDAccess Proxy: AWS Verified Access + GCP IAPDevice Management: Microsoft IntuneMFA: FIDO2 + Authenticator AppACCESS POLICY COVERAGE:Applications requiring MFA: 30 / 30 (100%)Applications requiring compliant device: 24 / 30 (80%)Applications with continuous verification: 18 / 30 (60%)Applications with location restrictions: 12 / 30 (40%)SECURITY IMPROVEMENTS:VPN-related incidents (before): 12/monthZTNA-related incidents (after): 2/monthMean time to detect unauthorized access: 4 min (was 2 hours)Lateral movement paths eliminated: 85%MIGRATION STATUS:Phase 1 (low-risk apps): 12/12 completePhase 2 (medium-risk apps): 12/12 completePhase 3 (high-risk apps): 0/6 in progressVPN decommission: Scheduled after Phase 3