The Architecture of the Identity-Aware Framework  (IAF)

The IAF is a SaaS solution that extends whole network security from the local network, across the cloud through AI-based central security services and onto the open Internet. It is agnostic to existing edge network configurations, firewalls, DMZs and cloud connectivity.  It is a permission-based application layer that manages all cryptography, protocols, packets and connectivity between IAF cloud services, Security Operations Center (SOC) services and an on-premise wireless gateway, all within a triply-encrypted E2EE (End-to-End-Encrypted) tunnel.

Because AI-based whole network security is
more than twice as effective as desktop anti-virus.            

Desktop anti-virus is now less than 40% effective and there is no anti-virus or other endpoint security for the many insecure IoT devices.  The combination of the on-premise gateway, the secure link with the IAF cloud services, and the IAF packet provenance controls creates a software driven DMZ that securely encapsulates and isolates all computers and devices on the edge network.  On an IAF edge network, no IAF client software is required on computers, servers or IoT devices, while the Mobile App for IOS and Android allows roaming and secure connectivity to any discovered IAF network, protecting hybrid worker communications wherever an IAF network is available.

By shifting threat management to enterprise-class SOC services, safely away from the local network and computing resources, overall threat detection and response shoots up to more than 90% effectiveness.
All Internet traffic moves from the edge network gateway, safely across the E2EE tunnel to the IAF cloud security services and out to the open Internet. Returning traffic follows the reverse path, is threat managed at the cloud SOC, and is subject to the same permissions controls while in transit over the IAF.

The Provenance Passport              TrustWrx has woven into its IAF technology an industry first, the “Provenance Passport” that is embedded in every IAF packet.  This new identity and usage policy-control is used to verify the device/user identity of the packet source, and also controls – through central policies – where packets, protocols, attachments, applications and file types may and may not go, as well as which other local or web resources they may interact with, and to what use they may be applied. It is the packet’s ticket to edge network and IAF cloud validity. Conversely, the lack of the packet passport signals a rogue packet that is not allowed to traverse the IAF network and can be quarantined or dropped.

By equipping the packet with a secure “passport”, referenced against a central policy engine, the packet’s originating source device/user is verifiable. Its local and cloud usage is precisely controlled, packets without a passport are simply blocked, and the edge network becomes a permission-based environment that is rendered invisible to unknowns from the open Internet. With a hands-free install, this innovation delivers previously unattainable levels of Internet security and privacy for the small company network and beyond to its hybrid workers at home and on the road.

The JIT Tunnel      The IAF operates on a JIT (Just in Time) secure tunnel that is the next generation beyond the aging and restrictive static tunnels of VPNs and TOR and the single-layer cryptography of the various secure protocols.  This triply-encrypted E2EE tunnel is entirely driven by the IAF application layer and exists only when packets are in motion across the IAF. More than just encryption, it is a permission-based packet authentication and authorization capability integrated within the cryptography stack that provides granular packet management at all points within the IAF and to the cloud.

A major virtue of the JIT Tunnel is that it does not present a static attack vector to the hacker. It simply does not exist until an IAF qualified packet is created – and it dissolves when the packet transfer is complete. Moreover, a qualified IAF packet is required in order for the JIT tunnel to be invoked, and for packets to pass between IAF cloud services and the gateway.

Qualified IAF packets are created: 1) At the gateway for packets outbound from computers, servers and IoT devices that are registered within the IAF central policy controls and,  2) On the IAF cloud services for qualified packets returning from the cloud.  The result is that any unqualified packet that presents at any part of the IAF services will be rejected – killing more than 90% of potentially rogue packets that present at the IAF cloud.

TrustWrx & Zero Trust for SMBs

Packet Identity is the Missing Security Component                The overall threat and malware problem persists to a large degree because the only identity a standard packet has is an IP address, which is easily and often spoofed. Uncontrolled and spoofed IP addresses are a common delivery mechanism for the more than 90% of packet traffic that is unwanted or dangerous. Having no credentials and with no means of verifying the true packet source, the good are indistinguishable from the bad, and more than nine out of ten packets are unwanted or dangerous.

Reviewing the Zero Trust Model             The Zero Trust model (ZTNA) is all about identity. So far, ZTNA has been concerned primarily with network micro segmentation and least privileged access for users, hardware and connected components.  But ZTNA, as it is currently implemented, has ignored the glaringly obvious fact that packets have no verifiable identity, even though packets are the basic essence of the Internet.

Regardless of any other security controls, the lack of verifiable packet identity is the equivalent of allowing tourists and terrorists to move freely through border check points without passports.

TrustWrx and ZTNA for SMBs                The major problem with ZTNA in its enterprise form is that its complexities and costs make it unavailable to the small network. TrustWrx provides the MSP with a cost-sensitive, integrated solution for its SMB customers that provides the basic ZTNA foundational elements for identity management of network segments, devices and users.  However, the IAF goes farther by raising the bar on the ZTNA concept of least privilege access – imbuing the packets themselves with verifiable identity and policy-driven packet usage controls.

For the first time the individual packet and the originating device and user will be identity-linked to each other and managed by centrally-controlled policies.   Binding the packet to its source device and user overcomes the anonymous nature of standard packets, provides the missing identity component and delivers a significant improvement to the Zero Trust model.

Insecure IoT Devices & The Mobile App

Insecure IoT devices – Comprehensive IoT Protection from TrustWrx
Until now, smart devices like Ring, Nest, Alexa, medical and industrial IOT devices and even smart light bulbs, have operated with very limited security capabilities and are generally exposed to the open Internet. This is a huge security risk, because insecure IoT devices have become a primary funnel for threats and malware to move across the connection to attack the servers and other digital assets of host companies. Utilizing the policy-managed packet routing of the IAF, TrustWrx is the first to seamlessly integrate into a permission-driven network the complete control of packets moving between IoT devices and other policy-approved devices, computers and external sites, and automatically disallowing unqualified packet traffic.

The Mobile App  –  Securing Roaming Mobile Devices
The TrustWrx Mobile App for Apple and Android devices is a downloadable app for registered accounts that securely manages all traffic to and from the mobile device – acting as an IAF client to the most recently discovered WiFi connection on any roaming-approved IAF gateway. This allows a mobile device to connect to any roaming approved IAF network anywhere and securely exchange traffic between the device, through the central policy services and to anywhere on the Internet.