
US-12627712-B2 - Identity-aware secure network


Abstract

An identity-verification based secure network based on a zero-trust mechanism is disclosed. The network includes an initiating host (IH), an accepting host (AH), and a software-defined perimeter (SDP) controller. The controller is configured to receive, from the IH, an indication of a source identity, verify a security posture of the source identity based on a stored policy associated with the source identity, and transmit the policy, to the AH, based on the verification. The AH is configured to receive, from the IH, data packets and verify one or more source identities corresponding to each of the received data packets based on a check of each of the one or more source identities against the policy received from the controller. The AH is further configured to transmit one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.

Inventors

  • Sundher Narayanaswamy
  • Sarath Chandra BYSANI
  • Milan RAMACHANDRAN

Assignees

  • ELISITY, INC.

Dates

Publication Date
20260512
Application Date
20230307

Claims (17)

  1. An identity-verification based secure network, comprising: an initiating host (IH); an accepting host (AH); and a controller, wherein the controller is configured to: receive, from the IH, an indication of a source identity; verify a security posture of the source identity based on a stored policy associated with the source identity; and transmit the policy, to the AH, based on the verification, and wherein the AH is configured to: receive, from the IH, data packets via a secure tunnel established between the IH and the AH; verify one or more source identities corresponding to each of the data packets, received over the secure tunnel, based on a check of each of the one or more source identities against the policy received from the controller; and transmit one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.
  2. The network of claim 1, wherein the source identity is associated with one of a source device, an application hosted on the source device, and a user using the source device.
  3. The network of claim 1, wherein the IH is configured to transmit an access request to the controller to authorize the source identity to access one or more of an application and a service hosted on a destination device, and further, wherein the access request comprises the indication of the source identity.
  4. The network of claim 1, wherein the policy comprises one or more hash parameters comprising one or more of: the source identity, wherein the source identity identifies one of a source device, an application, and a user that intends to access one of an application and a service hosted on a destination device associated with the AH; a session identity associated with a session established between the IH and the controller; an application access key that comprises a hash function associated with the source identity; and an entitlement privilege indication that indicates access level allowed for the source identity.
  5. The network of claim 1, wherein the controller is further configured to: compare one or more parameters associated with the source identity with one or more corresponding hash parameters in the stored policy to verify the security posture of the source identity; and transmit, to the AH, at least the stored policy based on the comparison indicating a positive result.
  6. The network of claim 1, wherein the IH is configured to transmit an access request to the controller to authorize the source identity to access one or more of an application and a service hosted on a destination device.
  7. The network of claim 1, wherein the controller is further configured to transmit the policy and routing information via a control channel established between the controller and the AH and further, wherein the routing information is usable by one or more nodes to route the data packets via a secure tunnel established between the IH and the AH.
  8. The network of claim 1, wherein the AH is configured to authorize the source identity associated with the one or more of the received data packets based on the verification being successful for the source identity, wherein the authorization comprises allowing the source identity to access one or more of an application and a service hosted on a destination device associated with the AH.
  9. The network of claim 1, wherein the controller is configured to periodically update the stored policy based on one or more public security threats associated with one or more endpoint devices in the network.
  10. The network of claim 1, wherein the AH is further configured to: periodically evaluate a security posture associated with the source identity; determine an occurrence of a modification in the security posture; and transmit, to the controller, the security posture indication of the modified security posture.
  11. The network of claim 10, wherein the controller is further configured to: determine another policy comprising one or more corrective actions based on the received security posture indication; and implement the determined policy.
  12. An identity-verification method performed in a secure network, comprising: receiving, by an accepting host (AH) from a controller, a policy based on a verification of a source identity at the controller; receiving, from an initiating host (IH), data packets via a secure tunnel established between the IH and the AH; verifying one or more source identities corresponding to each of the data packets, received over the secure tunnel, based on a check of each of the one or more source identities against the policy received from the controller; and transmitting one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.
  13. An accepting host (AH) for performing identity-verification in a secure network, the accepting host comprising: a processor; and a memory comprising computer-executable instructions, which when executed, cause the processor to: receive, from a controller, a policy based on a verification of a source identity at the controller; receive, from an initiating host (IH), data packets via a secure tunnel established between the IH and the AH; verify one or more source identities corresponding to each of the data packets, received over the secure tunnel, based on a check of each of the one or more source identities against the policy received from the controller; and transmit one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.
  14. The host of claim 13, wherein the policy comprises one or more hash parameters comprising one or more of: the source identity, wherein the source identity identifies one of a source device, an application, and a user that intends to access one of an application and a service hosted on a destination device associated with the AH; a session identity associated with a session established between the IH and the controller; an application access key that comprises a hash function associated with the source identity; and an entitlement privilege indication that indicates access level allowed for the source identity, wherein the source identity is associated with one of a source device, an application hosted on the source device, and a user using the source device.
  15. The host of claim 13, wherein the source identity is associated with one of a source device, an application hosted on the source device, and a user using the source device.
  16. The host of claim 13, wherein the processor is configured to authorize the source identity associated with the one or more of the received data packets based on the verification being successful for the source identity, wherein the authorization comprises allowing the source identity to access one or more of an application and a service hosted on a destination device associated with the AH.
  17. The host of claim 13, wherein the processor is further configured to: periodically evaluate a security posture associated with the source identity; determine an occurrence of a modification in the security posture; and transmit, to the controller, the security posture indication of the modified security posture.
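The claims above (and the summary in the description that restates them) describe one exchange: the controller verifies a source identity's security posture against its stored policy and pushes that policy to the AH over the control channel (claims 1, 5, 7); the AH then checks every packet arriving over the tunnel against the installed policy and forwards only packets whose source identity verifies (claims 1, 8, 12, 13); the AH re-evaluates posture and reports changes, and the controller responds with a corrective policy (claims 10, 11). The following Python toy model is an added illustration of that flow, not code from the patent or from Elisity. The class and method names, the packet layout, the HMAC-derived application access key, the session identity derivation, the "revoke at every AH" corrective action and the sample identities are all assumptions of this example; the patent specifies none of these formats.

```python
"""Added toy model of the IH / controller / AH exchange in the claims; not the patent's code."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:  # the 'hash parameters' of claim 4, as this example assumes them
    source_identity: str   # device, application or user (claim 2)
    session_id: str        # session between IH and controller
    app_access_key: str    # keyed hash bound to the source identity
    entitlement: str       # access level allowed for the identity


@dataclass(frozen=True)
class Packet:  # a packet as the AH sees it at the tunnel endpoint (constructed layout)
    source_identity: str
    session_id: str
    app_access_key: str
    payload: bytes


class Controller:
    """Holds the stored per-identity policies and the posture verdict for each identity."""
    def __init__(self, secret: bytes):
        self._secret = secret                  # assumed controller-held HMAC key
        self._policies: dict[str, Policy] = {}
        self._posture_ok: dict[str, bool] = {}
        self.ahs: list["AcceptingHost"] = []   # AHs on the control channel (claim 7)

    def register(self, source_identity: str, entitlement: str, posture_ok: bool = True) -> None:
        session_id = hashlib.sha256(b"session:" + source_identity.encode()).hexdigest()[:16]
        key = hmac.new(self._secret, source_identity.encode(), "sha256").hexdigest()
        self._policies[source_identity] = Policy(source_identity, session_id, key, entitlement)
        self._posture_ok[source_identity] = posture_ok

    def handle_access_request(self, source_identity: str):
        """Claims 1, 3, 5: verify posture against the stored policy and push the policy
        to the AHs only on success; returns the parameters the IH must carry, else None."""
        policy = self._policies.get(source_identity)
        if policy is None or not self._posture_ok.get(source_identity, False):
            return None
        for ah in self.ahs:
            ah.install_policy(policy)
        return policy.session_id, policy.app_access_key

    def receive_posture_indication(self, source_identity: str, posture_ok: bool) -> None:
        """Claim 11: a degraded posture yields a corrective policy (here, revocation)."""
        self._posture_ok[source_identity] = posture_ok
        if not posture_ok:
            for ah in self.ahs:
                ah.revoke_policy(source_identity)


class AcceptingHost:
    """Enforces the controller-supplied policy on every packet leaving the tunnel."""
    def __init__(self, controller: Controller):
        self._controller = controller
        self._policies: dict[str, Policy] = {}
        controller.ahs.append(self)

    def install_policy(self, policy: Policy) -> None:
        self._policies[policy.source_identity] = policy

    def revoke_policy(self, source_identity: str) -> None:
        self._policies.pop(source_identity, None)

    def receive(self, packets):
        """Claim 1: check each packet's identity against the installed policy; forward
        only packets that verify. Returns (forwarded, dropped) payload lists."""
        forwarded, dropped = [], []
        for pkt in packets:
            pol = self._policies.get(pkt.source_identity)
            ok = (pol is not None and pol.session_id == pkt.session_id
                  and hmac.compare_digest(pol.app_access_key, pkt.app_access_key))
            (forwarded if ok else dropped).append(pkt.payload)
        return forwarded, dropped

    def report_posture(self, source_identity: str, posture_ok: bool) -> None:
        # Claim 10: the AH re-evaluates posture and informs the controller of a change.
        self._controller.receive_posture_indication(source_identity, posture_ok)


def run_demo() -> dict:
    """One pass through the exchange with constructed identities and packets."""
    controller = Controller(secret=b"constructed-controller-secret")
    ah = AcceptingHost(controller)
    controller.register("laptop-42/alice", entitlement="read")
    controller.register("kiosk-7", entitlement="read", posture_ok=False)
    session_id, key = controller.handle_access_request("laptop-42/alice")  # policy pushed to AH
    refused = controller.handle_access_request("kiosk-7") is None          # posture check fails
    packets = [
        Packet("laptop-42/alice", session_id, key, b"GET /app"),
        Packet("laptop-42/alice", session_id, "0" * 64, b"forged key"),  # wrong access key
        Packet("kiosk-7", "deadbeefdeadbeef", "0" * 64, b"no policy"),   # AH holds no policy
        Packet("intruder", session_id, key, b"stolen params"),            # identity not in policy
    ]
    forwarded, dropped = ah.receive(packets)
    ah.report_posture("laptop-42/alice", posture_ok=False)  # posture change -> revocation
    after_revoke, _ = ah.receive([Packet("laptop-42/alice", session_id, key, b"GET /app")])
    return {"refused": refused, "forwarded": forwarded, "dropped": dropped,
            "after_revoke": after_revoke}
```

Two points the model makes visible: the AH has no default-allow path, so an identity for which the controller never pushed a policy (kiosk-7, which failed posture verification) is dropped regardless of what its packets carry; and once the AH reports a posture change, the controller's corrective action takes effect at the AH immediately, so the previously valid parameters stop working. The access-key comparison uses a constant-time compare, which is the check a practitioner would want at the enforcement point; the hash parameters of claim 4 are modelled as an HMAC here only as an assumption.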

Description

FIELD OF THE INVENTION

The embodiments discussed in the present disclosure are generally related to providing secure communication in networks. In particular, the embodiments discussed are related to providing secure communication in networks based on a Zero-Trust security mechanism.

BACKGROUND OF THE INVENTION

In a remote working model, a distributed enterprise with its assets spread around multiple disparate and geographically separate domains presents a large attack surface for a third-party attack. To reduce the attack surface, a Zero-Trust security mechanism includes identity verification of all devices and humans that access resources on a private network. However, a challenge associated with the conventional Zero-Trust security mechanism is that it merely reduces and does not eliminate the attack surface of the enterprise. This may leave the enterprise vulnerable to third-party attacks. Therefore, there is a need to overcome the above drawback by providing a more secure Zero-Trust security mechanism in a network.

SUMMARY OF THE INVENTION

Embodiments of an identity-verification based secure communication network and a corresponding method are disclosed that address at least some of the above challenges and issues. In an embodiment, an identity-verification based secure network is disclosed. The network includes an initiating host (IH), an accepting host (AH), and a software-defined perimeter (SDP) controller. In an embodiment, the controller is configured to receive, from the IH, an indication of a source identity, verify a security posture of the source identity based on a stored policy associated with the source identity, and transmit the policy, to the AH, based on the verification. In an embodiment, the controller may verify the security posture in conjunction with an Endpoint Detection and Response software, which may consider known public security threats to verify the security posture. Additionally, the controller may periodically keep re-evaluating and auto-updating the stored policy associated with the source identity. Further, the AH is configured to receive, from the IH, data packets and verify one or more source identities corresponding to each of the received data packets based on a check of each of the one or more source identities against the policy received from the controller. The AH is further configured to transmit one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.

In another embodiment, an identity-verification method performed in a secure network is disclosed. The method includes receiving, by the AH from a controller, a policy based on a verification of a source identity at the controller. The method further includes receiving, from the IH, data packets. The method further includes verifying one or more source identities corresponding to each of the received data packets based on a check of each of the one or more source identities against the policy received from the controller. The method further includes transmitting one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.

In yet another embodiment, an AH for performing identity-verification in a secure network is disclosed. The AH includes a processor and a memory that includes computer-executable instructions, which when executed, cause the processor to receive, from a controller, a policy based on a verification of an identity at the controller. The instructions further cause the processor to receive, from the IH, data packets and subsequently, verify one or more source identities corresponding to each of the received data packets based on a check of each of the one or more source identities against the policy received from the controller. The instructions further cause the processor to transmit one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.

BRIEF DESCRIPTION OF THE DRAWINGS

Further advantages of the invention will become apparent by reference to the detailed description of preferred embodiments when considered in conjunction with the drawings:

FIG. 1 illustrates a network for implementing disclosed embodiments of a secure communication network, according to an embodiment.
FIG. 2 is a signal flow diagram to illustrate a method for identity verification, according to an embodiment.
FIG. 3 is a flowchart illustrating the steps involved in the identity verification, according to an embodiment.
FIG. 4 illustrates an exemplary device, according to an embodiment.

DETAILED DESCRIPTION

The following detailed description is presented to enable any person skilled in the art to make and use the invention. For purposes of explanation, specific details are set forth to provide a thorough understanding of the present invention. However, it will be appa