Enrollment and authentication in ZTNA embedded enterprise mobile apps

How do I Secure the network for enterprise mobile apps with Ziti?

In our previous blog on securing the network for mobile app used to access Azure AI, we discussed how an enterprise using Azure Open AI on a mobile app secured the network connection between the mobile app and Azure cloud that provides the Azure Open AI service. If you aren’t aware, NetFoundry via CloudZiti and OpenZiti helps secure the network for mobile apps used by the enterprise and its B2B users. Our SDKs are embedded into the mobile app by the developers of the enterprise to avoid using another mobile app on the device for a zero trust network access.  

In this blog, we would be discussing the process that we designed for an enterprise covering  identity creation for the users on the CloudZiti network, the registration of identities and policy management. The goal was simple – “No friction, easy to use, highly secure Zero trust access from the mobile app”

The diagram above describes how any enterprise mobile app with an embedded SDK from Ziti establishes a secure outbound connection via the smart fabric to the application in the DC or public cloud ( In this example, the app is Azure open AI and the cloud is Azure) 

Automate identity provisioning & lifecycle management 

The customer uses Azure AD as their IDP. CloudZiti provides an automated process for creation and management of identities in the network with integration between CloudZiti console API and Microsoft Azure AD via API. Once the integration with AD was completed, the AD groups for which the identities have to be automatically created in the network were selected. The client sync feature of the CloudZiti platform also allows customers to select the option of deleting endpoints based on the AD sync. This allows admins to let the client sync automation take care of offboarding identities of users who leave the organization by just removing their AD account. The admin of our enterprise customer had also configured auto-reissue of enrollment JWT upon expiry which allowed them to take care of large scale deployment where users take time to enroll their identities and there is no burden of follow ups or manual re-issue of JWT for each identity. Client Sync automation simplifies the job of NetSecOps admins.

The above enrollment and authentication flow diagram lists the steps in the connection flow involving the mobile app, the enterprise application & it’s APIs, enterprise IDP and the Cloud Ziti APIs. The only human action in this process is entering the credentials as part of the enterprise IDP on the mobile app. This bootstrapped zero trust process can be applied on any enterprise mobile app including that of a superapp of enterprise private mobile apps to greatly simplify onboarding users while securing mobile app networks. 

Auto-enroll identity upon first login and continuously authorize and authenticate

When the app user logs in to the mobile app with their IDP credentials, the app checks if the user’s identity  is already registered to the network or not.  CloudZiti platform APIs were used by the developers to check the registration status and if not registered,  fetch the JWT ( Jason web token) of the user’s identity based on their identity name which was the e-mail address. The JWT is then used to enroll into the network by the app without any intervention from the user of the app. The entire process takes some microseconds. A x.509 cert is generated and signed by the CA for the identity on the app and resides on the mobile device. For every session that the app initiates to a destination, the certificate and the service policies that provide access to the destination are verified.

What levels of multifactor authentication can be applied?

The default approach that most enterprises take for implementing MFA is TOTP. The MFA controls can be app and device dependent or additionally, the CloudZiti network dependent. CloudZiti supports TOTP based MFA with multiple options of MFA timeout values based on the business requirements. However, developers can innovate with using mobile fingerprint authentication, facial recognition authentication etc that would be device / app dependent. These controls could add to strengthening the authentication of the user accessing the mobile app. 

Benefits of making enterprise mobile apps dark to the internet

The larger question at this juncture of cyber crime and cyber attacks on organizations is not why secure enterprise private mobile apps but how best to secure them; with no compromise on business agility. NetFoundry’s vision is to provide application embedded Zero Trust Application Access on a software defined network as a service platform that provides military grade security posture upgrade while accelerating business agility. 

CloudZiti provides various benefits not limited to:

1. No listening to IPs or ports ie no exposure to public internet inbound to the mobile app or cloud / DC
2. World’s first mTLS based zero trust private overlay for control plane and data plane traffic
3. Authentication before connection and continuous authentication / authorization.
4. E2E encryption with Poly 1305 Cha Cha 20 to benefit apps without inherent encryption
5. Micro segmentation and least privilege access.
6. Metrics, analytics and automation via APIs.

Zero Trust Networking over VPN or https combined with the approach of shift left security which is embedding secure networking on the app with SDKs would be the future of secure networking for private enterprise mobile apps. There is no overhead of running an additional mobile app for a private network overlay and there are multiple benefits of automated onboarding, visibility and control. NetFoundry has been a leader in this space helping enterprises secure their private enterprise mobile apps.

Have you made your mobile app dark yet? Try CloudZiti for free

Write to us at Customer Success <customer.success@netfoundry.io> to learn more about protecting the network for your enterprise mobile apps. You can also let me know if you found this blog useful.