The following are the supported use cases for Zero Trust Access Gateway; additional variations are being developed and released.

Source IP/Method/Path

This security policy was developed for object storage solutions but is not limited to that workload. It applies security by looking at three characteristics of the captured traffic: Who, What, and Where. The traffic must match all three attributes to be permitted access to the published system. This configuration ensures that applications or users in a less secure zone do not have the access required to write malicious data into the shared storage system, where it could compromise the applications in the highest security zone. Those same applications in the less secure zone might still be able to write and delete data in other buckets, provided those buckets are not accessible to the highly secure systems.

Who – The source IP address of the requestor. Since the primary workload is object storage, this IP address may be that of a user or an application accessing the storage. These source IP addresses are associated directly with security zones.

What – The HTTP Method being passed to the published system. This would most commonly be a GET, PUT, or DELETE.

Where – This is the path of the object being requested or written. In object storage terminology, this would commonly be the name of an S3 bucket.

Authentication Header/Method/SourceIP

This security policy is also focused on the object storage workload but can be applied to other solutions that use HTTP methods and the Authorization header. The traffic must again match all three attributes to be permitted access to the published system. When the number of buckets being secured becomes difficult to manage, securing the storage by user account is an alternative. The accounts used to authenticate to today's storage solutions are passed in the HTTP header, and policies keyed on this Authentication Header can permit or deny specific access to the storage or another backend system. This identifying header can be combined with the source IP address of the application or user to deliver granular security.

Who – The Authentication Header within the HTTP traffic. Many object storage vendors use the HTTP Authorization header to pass credentials for accessing the storage solution.

What – The HTTP Method being passed to the published system. This would most commonly be a GET, PUT, or DELETE.

Where – This is the Source IP address from where the traffic originated. This may be in the form of a single IP address or an entire network subnet.
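The two object storage policies above (Source IP/Method/Path and Authentication Header/Method/SourceIP) share one evaluation model: a request is permitted only when all three attributes match a single rule, and everything else is denied. The Python below is an added illustration of that model, not Progress Kemp code; the zone subnets, bucket names and access key ids are constructed values, and the Authorization header is assumed to use the AWS Signature V4 format, from which only the credential identifier is read (the gateway matches on the identifier and leaves signature validation to the storage backend).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed example addressing: zone names and subnets are assumptions,
# not values from the page.
ZONES = {
    "high": ipaddress.ip_network("10.10.0.0/24"),
    "low": ipaddress.ip_network("192.168.50.0/24"),
}


@dataclass(frozen=True)
class Rule:
    who: str                 # zone name, or an access key id for the header policy
    methods: FrozenSet[str]  # permitted HTTP methods ("What")
    where: str               # bucket name (IP policy) or source CIDR (header policy)


def bucket_of(path: str) -> str:
    """First segment of a path-style object request (/bucket/key...)."""
    segments = [s for s in path.split("/") if s]
    return segments[0] if segments else ""


def zone_of(src_ip: str) -> Optional[str]:
    """Map a requestor address to its security zone, or None if unknown."""
    ip = ipaddress.ip_address(src_ip)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return None


# Policy 1: Source IP / Method / Path. The high zone may read, write and delete
# the shared bucket; the low zone may only read it but has full access to its own.
IP_POLICY: List[Rule] = [
    Rule("high", frozenset({"GET", "PUT", "DELETE"}), "secure-app-data"),
    Rule("low", frozenset({"GET"}), "secure-app-data"),
    Rule("low", frozenset({"GET", "PUT", "DELETE"}), "low-zone-scratch"),
]


def allow_by_source(src_ip: str, method: str, path: str) -> bool:
    """Permit only when Who, What and Where all match one rule (default deny)."""
    zone = zone_of(src_ip)
    bucket = bucket_of(path)
    return any(
        rule.who == zone and method in rule.methods and rule.where == bucket
        for rule in IP_POLICY
    )


# Policy 2: Authentication Header / Method / Source IP. The access key id is
# read from an AWS Signature V4 Authorization header (assumed format).
SIGV4_CREDENTIAL = re.compile(r"^AWS4-HMAC-SHA256\s+Credential=([^/\s,]+)/")


def access_key_of(authorization: Optional[str]) -> Optional[str]:
    """Extract the credential identifier; None when the header is absent or foreign."""
    match = SIGV4_CREDENTIAL.match(authorization or "")
    return match.group(1) if match else None


HEADER_POLICY: List[Rule] = [
    # hypothetical key ids: the application account may write from the high
    # zone; the reporting account may only read, and only from the low zone
    Rule("AKIAEXAMPLEAPP", frozenset({"GET", "PUT", "DELETE"}), "10.10.0.0/24"),
    Rule("AKIAEXAMPLEREPORT", frozenset({"GET"}), "192.168.50.0/24"),
]


def allow_by_header(authorization: Optional[str], method: str, src_ip: str) -> bool:
    """Permit only when identity, method and source network match one rule."""
    key_id = access_key_of(authorization)
    if key_id is None:
        return False  # no identifying header: deny rather than fall through
    ip = ipaddress.ip_address(src_ip)
    return any(
        rule.who == key_id
        and method in rule.methods
        and ip in ipaddress.ip_network(rule.where)
        for rule in HEADER_POLICY
    )
```

Both evaluators are deliberately default-deny: a source address that maps to no zone, a method that no rule lists, or a request without an identifying header all fall through to a refusal rather than to the most permissive rule.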

SteeringGroup/Path/SourceIP

This security policy is designed for any application that allows for pre-authentication to occur on the Progress Kemp Load Balancer. The Edge Security Pack is a security feature that provides the ability to pre-authenticate users on the load balancer before sending connections to the backend systems. In addition to verifying a user's identity, Edge Security Pack permits or restricts access based on group memberships in Active Directory. This functionality, combined with identifying the requestor's source IP address, can enforce granular controls to different portions or paths of an application.

Who – Steering Group. This is a Progress Kemp specific attribute that looks at the Active Directory group a user is a member of and directs (steers) them to a specific element of the published application.

What – The path within the published application the user is trying to access. By defining this using regular expressions (regex), an application can be segmented to suit many scenarios.

Where – This is the Source IP address from where the traffic originated. This may be in the form of a single IP address or an entire network subnet.
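The steering policy above maps an authenticated user's Active Directory group, the requested path (matched by regex) and the source network to one element of the published application. The Python below is an added example of that table-driven decision and is not Progress Kemp code; the group names, paths, subnets and application element names are constructed. It normalises the path before matching, so dot-segments and repeated slashes cannot make a request land in a segment its regex was meant to exclude.

```python
import ipaddress
import posixpath
import re
from typing import Iterable, List, Optional, Tuple

# Constructed steering table: (AD group, path regex, source CIDR, application
# element). First match wins, so the most specific entries come first.
STEERING_TABLE: List[Tuple[str, str, str, str]] = [
    ("APP-Admins", r"^/admin(/.*)?$", "10.20.0.0/24", "admin-portal"),
    ("APP-Finance", r"^/reports/finance/.*$", "10.20.0.0/16", "finance-reports"),
    # everyone else: any path except the two segments handled above
    ("APP-Users", r"^/(?!admin|reports/finance)(.*)$", "0.0.0.0/0", "user-frontend"),
]

_COMPILED = [
    (group, re.compile(pattern), ipaddress.ip_network(cidr), element)
    for group, pattern, cidr, element in STEERING_TABLE
]


def normalise_path(raw: str) -> str:
    """Drop the query string and resolve dot-segments and repeated slashes."""
    path = raw.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))


def steer(groups: Iterable[str], raw_path: str, src_ip: str) -> Optional[str]:
    """Return the application element to steer to, or None to deny the request."""
    member_of = set(groups)
    path = normalise_path(raw_path)
    ip = ipaddress.ip_address(src_ip)
    for group, pattern, network, element in _COMPILED:
        if group in member_of and pattern.match(path) and ip in network:
            return element
    return None
```

A request that matches no row is denied rather than sent to a default element, and because the match runs on the normalised path, `/public/../admin/users` is evaluated as `/admin/users` and is refused for a user who is not in the admin group.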

Trusted/Untrusted Zone

This security policy leverages the Edge Security Pack, allowing pre-authentication to occur on the Progress Kemp Load Balancer. It applies security by looking at two characteristics of the captured traffic: Who and Where. Should the traffic match the attributes for a Trusted zone, the user is presented with a simple form to authenticate to the application. Should the traffic be identified as Untrusted, the user will be required to provide multi-factor authentication to gain access. Active Directory group memberships identified using Edge Security Pack are also leveraged to ensure that only specific users, whether from a known or an unknown network, can access the published application.

Who – Permitted Group. This is a Progress Kemp-specific attribute that looks at the Active Directory group a user is a member of and permits or denies access dependent on their group membership.

Where – This is the Source IP address from where the traffic originated. This may be in the form of a single IP address or an entire network subnet.
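The Trusted/Untrusted policy makes two decisions at different points: before authentication, the source network decides whether a simple form or multi-factor authentication is presented; after authentication, the directory group membership decides whether the user is permitted at all. The Python below is an added example of that two-stage decision and is not Progress Kemp code; the trusted subnets and permitted group names are constructed, and an address that cannot be parsed is treated as Untrusted so the policy fails closed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed values: trusted networks and permitted AD groups are assumptions.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.30.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]
PERMITTED_GROUPS = {"APP-Users", "APP-Admins"}


@dataclass(frozen=True)
class Decision:
    permitted: bool
    zone: str                    # "trusted" or "untrusted"
    auth_method: Optional[str]   # "form" or "mfa"; None when access is denied


def classify_zone(src_ip: str) -> str:
    """Where: trusted only if the address parses and sits in a trusted network."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return "untrusted"  # unparseable source: fail closed
    return "trusted" if any(ip in net for net in TRUSTED_NETWORKS) else "untrusted"


def auth_method_for(src_ip: str) -> str:
    """Stage 1 (before authentication): a known network gets the simple form,
    anything else must complete multi-factor authentication."""
    return "form" if classify_zone(src_ip) == "trusted" else "mfa"


def decide(src_ip: str, groups: Iterable[str]) -> Decision:
    """Stage 2 (after authentication): Who is enforced via permitted groups,
    regardless of which network the user came from."""
    zone = classify_zone(src_ip)
    if not PERMITTED_GROUPS.intersection(groups):
        return Decision(False, zone, None)
    return Decision(True, zone, auth_method_for(src_ip))
```

The group check runs for both zones: a trusted source earns the lighter authentication prompt, not a bypass of the permitted-group requirement.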