The TrustWrx Identity-Aware Framework
The TrustWrx Technology Mission
To provide Managed Service Providers (MSPs), Internet Service Providers (ISPs) and network management professionals with a packaged Zero Trust security solution that may be deployed across the providers’ SMB customer base, regardless of the size or complexity of the customer’s network configuration.
Through the TrustWrx Partner Program, this new security breakthrough provides MSPs with a recurring source of revenue that meets the expanding security requirements of their customers. Designed for rapid installation with very little technical overhead, the TrustWrx SMB solution brings to the small and medium size business a level of AI-based security and privacy that has not been previously achievable.
Because the cloud has dissolved the perimeter.
In the new cloud world, the old perimeter protections have become fragmented, and static tunnels have become a security and management quagmire. These legacy tunnels are now a favored hunting ground for hackers. The problem is that these point-to-point tunnels have no knowledge of, or control over, the packets they move, making them a Trojan Horse in the security stack. The Internet now needs a modern alternative to the difficulties, constraints and proven dangers of point-to-point security tunnels like VPNs and TOR – along with advanced identity and security features.
Zero Trust for Small and Medium Businesses
TrustWrx is the first to bring Zero Trust Network Access (ZTNA) concepts to small and medium size businesses (SMBs) by providing a central policy engine that knows the identities of, and manages the permissions between, all connected components and cloud resources. It also embeds policy-driven identity and usage credentials directly within all packets moving on TrustWrx protected networks.
For the first time, the individual packets have verifiable provenance – think of it like a passport – that adds three critical capabilities to secure packet management.
- The verifiable validity of packets by reference to centrally stored dynamic policies that know the packet’s source device, user and associated access policies.
- Control over the precise use of the packets; where packets, attachments, protocols, applications and file types may and may not go, as well as which other resources they may interact with and to what use they may be applied.
- Rejection of any packet presenting anywhere on the IAF permission-based network that does not carry an embedded IAF passport. This mechanism alone will kill more than 90% of potentially rogue packets that present at the IAF cloud.
The Four Main Components of the Identity-Aware Framework:
- A plug and play customer-premise gateway. This is an industry standard wireless router, flashed remotely with TrustWrx gateway software and installed by the end-user – no technical expertise required – and managed by the end-user or the MSP. TrustWrx provides a list of qualified routers that may be remotely flashed with the TrustWrx gateway software.
- A triply-encrypted JIT (Just in Time) tunnel that isolates, validates and secures all traffic between the TrustWrx cloud services and the gateway. It policy-drives traffic access controls on the edge network and the IAF cloud, while rendering the edge network invisible to the open Internet.
- A suite of TrustWrx central services at AWS that host the IAF policy management and proxy routing software, the SOC interface, the CRM system, web sites, etc., branded and managed by the MSP.
- A Partner Security Operations Center (SOC). These services are contracted from partner providers. The IAF is modular and can connect and integrate services from any third-party SOC, protecting previously established MSP/SOC relationships.
By giving packets verifiable identity, precisely controlling packet usage and significantly collapsing the threat surface, TrustWrx brings the value of corporate-class Zero Trust security to the small enterprise customers of the MSP.
The Architecture of the Identity-Aware Framework (IAF)
The IAF is a SaaS solution that extends whole network security from the local network, across the cloud through AI-based central security services and onto the open Internet. It is agnostic to existing edge network configurations, firewalls, DMZs and cloud connectivity. It is a permission-based application layer that manages all cryptography, protocols, packets and connectivity between IAF cloud services, Security Operations Center (SOC) services and an on-premise wireless gateway, all within a triply-encrypted E2EE (End-to-End-Encrypted) tunnel.
Because AI-based whole network security is more than twice as effective as desktop anti-virus.
Desktop anti-virus is now less than 40% effective, and there is no anti-virus or other endpoint security for the many insecure IoT devices. The combination of the on-premise gateway, the secure link to the IAF cloud services, and the IAF packet provenance controls creates a software-driven DMZ that securely encapsulates and isolates all computers and devices on the edge network. On an IAF edge network, no IAF client software is required on computers, servers or IoT devices, while the Mobile App for iOS and Android allows roaming and secure connectivity to any discovered IAF network, protecting hybrid worker communications wherever an IAF network is available.
By shifting threat management to enterprise-class SOC services, safely away from the local network and computing resources, overall threat detection and response shoots up to more than 90% effectiveness.
All Internet traffic moves from the edge network gateway, safely across the E2EE tunnel to the IAF cloud security services and out to the open Internet. Returning traffic follows the reverse path, is threat managed at the cloud SOC, and is subject to the same permissions controls while in transit over the IAF.
The Provenance Passport
TrustWrx has woven into its IAF technology an industry first, the “Provenance Passport” that is embedded in every IAF packet. This new identity and usage policy control is used to verify the device/user identity of the packet source, and also controls – through central policies – where packets, protocols, attachments, applications and file types may and may not go, as well as which other local or web resources they may interact with, and to what use they may be applied. It is the packet’s ticket to edge network and IAF cloud validity. Conversely, the lack of a packet passport signals a rogue packet that is not allowed to traverse the IAF network and can be quarantined or dropped.
By equipping the packet with a secure “passport”, referenced against a central policy engine, the packet’s originating source device/user is verifiable. Its local and cloud usage is precisely controlled, packets without a passport are simply blocked, and the edge network becomes a permission-based environment that is rendered invisible to unknowns from the open Internet. With a hands-free install, this innovation delivers previously unattainable levels of Internet security and privacy for the small company network and beyond to its hybrid workers at home and on the road.
The JIT Tunnel
The IAF operates on a JIT (Just in Time) secure tunnel that is the next generation beyond the aging and restrictive static tunnels of VPNs and TOR and the single-layer cryptography of the various secure protocols. This triply-encrypted E2EE tunnel is entirely driven by the IAF application layer and exists only when packets are in motion across the IAF. More than just encryption, it is a permission-based packet authentication and authorization capability integrated within the cryptography stack that provides granular packet management at all points within the IAF and to the cloud.
A major virtue of the JIT Tunnel is that it does not present a static attack vector to the hacker. It simply does not exist until an IAF qualified packet is created – and it dissolves when the packet transfer is complete. Moreover, a qualified IAF packet is required in order for the JIT tunnel to be invoked, and for packets to pass between IAF cloud services and the gateway.
Qualified IAF packets are created in two places:
- at the gateway, for packets outbound from computers, servers and IoT devices that are registered within the IAF central policy controls, and
- on the IAF cloud services, for qualified packets returning from the cloud.
The result is that any unqualified packet presenting at any part of the IAF services is rejected – killing more than 90% of potentially rogue packets that present at the IAF cloud.
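The passport and qualified-packet mechanism described in the two sections above, as an added illustration that is not TrustWrx code: a gateway stamps each packet from a registered device with a credential bound to the device, user, destination, protocol, file type and payload, and the cloud service drops anything without a valid passport before applying the central usage policy. The registry layout, field names and the HMAC-based passport are assumptions made for this example, not the TrustWrx wire format.

```python
import hashlib
import hmac
import secrets

# Constructed central policy registry: device -> bound user, per-device key and
# usage policy (where its packets may go, which protocols and file types). "*" = any.
REGISTRY = {
    "cam-01": {"user": "reception", "key": b"k-cam-01",
               "dst": {"cloud.example"}, "proto": {"https"}, "ext": {"jpg", "mp4"}},
    "pc-07":  {"user": "alice", "key": b"k-pc-07",
               "dst": {"*"}, "proto": {"https", "smtp"}, "ext": {"*"}},
}

def _fields(packet, user, nonce):
    """The attributes the passport is bound to; any change to them breaks the MAC."""
    body = hashlib.sha256(packet["payload"]).hexdigest()
    return [packet["device"], user, packet["dst"], packet["proto"], packet["ext"], body, nonce]

def _mac(key, fields):
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def stamp(packet, registry=REGISTRY):
    """Gateway side: only a registered device gets a passport (a qualified packet)."""
    entry = registry[packet["device"]]
    nonce = secrets.token_hex(8)
    mac = _mac(entry["key"], _fields(packet, entry["user"], nonce))
    packet["passport"] = {"user": entry["user"], "nonce": nonce, "mac": mac}
    return packet

def validate(packet, registry=REGISTRY):
    """Cloud side: reject unqualified packets first, then enforce the usage policy."""
    pp = packet.get("passport")
    if pp is None:
        return "drop: no passport"
    entry = registry.get(packet["device"])
    if entry is None or pp["user"] != entry["user"]:
        return "drop: unknown device/user"
    expected = _mac(entry["key"], _fields(packet, entry["user"], pp["nonce"]))
    if not hmac.compare_digest(pp["mac"], expected):
        return "drop: passport does not match packet"
    for k in ("dst", "proto", "ext"):
        if "*" not in entry[k] and packet[k] not in entry[k]:
            return f"drop: policy denies {k}={packet[k]}"
    return "allow"
```

Replay protection (tracking used nonces) is left out for brevity; a real policy engine would need it.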
TrustWrx & Zero Trust for SMBs
Packet Identity is the Missing Security Component
The overall threat and malware problem persists to a large degree because the only identity a standard packet has is an IP address, which is easily and often spoofed. Uncontrolled and spoofed IP addresses are a common delivery mechanism for the more than 90% of packet traffic that is unwanted or dangerous. With no credentials and no means of verifying the true packet source, the good are indistinguishable from the bad, and more than nine out of ten packets are unwanted or dangerous.
Reviewing the Zero Trust Model
The Zero Trust model (ZTNA) is all about identity. So far, ZTNA has been concerned primarily with network micro-segmentation and least-privileged access for users, hardware and connected components. But ZTNA, as it is currently implemented, has ignored the glaringly obvious fact that packets have no verifiable identity, even though packets are the basic essence of the Internet.
Regardless of any other security controls, the lack of verifiable packet identity is the equivalent of allowing tourists and terrorists to move freely through border check points without passports.
TrustWrx and ZTNA for SMBs
The major problem with ZTNA in its enterprise form is that its complexities and costs make it unavailable to the small network. TrustWrx provides the MSP with a cost-sensitive, integrated solution for its SMB customers that provides the basic ZTNA foundational elements for identity management of network segments, devices and users. However, the IAF goes farther by raising the bar on the ZTNA concept of least privilege access – imbuing the packets themselves with verifiable identity and policy-driven packet usage controls.
For the first time the individual packet and the originating device and user will be identity-linked to each other and managed by centrally-controlled policies. Binding the packet to its source device and user overcomes the anonymous nature of standard packets, provides the missing identity component and delivers a significant improvement to the Zero Trust model.
Insecure IoT Devices & The Mobile App
Insecure IoT devices – Comprehensive IoT Protection from TrustWrx
Until now, smart devices like Ring, Nest, Alexa, medical and industrial IoT devices, and even smart light bulbs have operated with very limited security capabilities and are generally exposed to the open Internet. This is a huge security risk, because insecure IoT devices have become a primary funnel for threats and malware to move across the connection and attack the servers and other digital assets of host companies. Utilizing the policy-managed packet routing of the IAF, TrustWrx is the first to seamlessly integrate into a permission-driven network the complete control of packets moving between IoT devices and other policy-approved devices, computers and external sites, while automatically disallowing unqualified packet traffic.
The Mobile App – Securing Roaming Mobile Devices
The TrustWrx Mobile App for Apple and Android devices is a downloadable app for registered accounts that securely manages all traffic to and from the mobile device – acting as an IAF client to the most recently discovered WiFi connection on any roaming-approved IAF gateway. This allows a mobile device to connect to any roaming-approved IAF network anywhere and securely exchange traffic between the device, through the central policy services, and anywhere on the Internet.
Patented Core Technology – US patents protect many features of the TrustWrx technology.