From 384951db7d1335ec8aecf879f836cfe8ed1422f5 Mon Sep 17 00:00:00 2001 From: ZKA SUPER Date: Thu, 18 Jun 2026 11:49:33 +0000 Subject: [PATCH] feat(zero-trust-assessment): add private app connector fail-open gates - Add ZT-NET-12 through ZT-NET-16 findings for connector fail-open gaps - Add Private App Connector Fail-Open Readiness Assessment section (6 factors) Addresses #2744: ZTNA designs that silently route around connectors, fall back to VPN, or leave internal apps reachable from trusted networks violate zero trust. New gates verify fail-closed behavior, policy sync, DNS enforcement, bypass governance, direct route testing, and audit trail. --- skills/identity/zero-trust-assessment/SKILL.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/skills/identity/zero-trust-assessment/SKILL.md b/skills/identity/zero-trust-assessment/SKILL.md index 38f4022e..8b2a911f 100644 --- a/skills/identity/zero-trust-assessment/SKILL.md +++ b/skills/identity/zero-trust-assessment/SKILL.md @@ -222,6 +222,11 @@ ZT-NET-08: DNS traffic unencrypted and unmonitored ZT-NET-09: No NDR capability — lateral movement detection is blind spot ZT-NET-10: Microsegmentation policies not dynamically updated based on threat intelligence ZT-NET-11: Legacy protocols (Telnet, FTP, unencrypted LDAP) in use +ZT-NET-12: Private app connector fails open — traffic bypasses connector on outage instead of failing closed +ZT-NET-13: Emergency bypass for private apps persists after outage resolution (no expiry, no owner, no audit trail) +ZT-NET-14: Split DNS exposes internal app addresses directly when connector is down +ZT-NET-15: Connector health check passes but policy sync is stale or failing silently +ZT-NET-16: Private apps reachable from "trusted" network segments without policy enforcement ``` #### Microsegmentation Readiness Assessment 
@@ -237,6 +242,19 @@ ZT-NET-11: Legacy protocols (Telnet, FTP, unencrypted LDAP) in use --- +#### Private App Connector Fail-Open Readiness + +| Readiness Factor | Assessment Criteria | +|---|---| +| **Fail-closed behavior** | When connector is disabled or unreachable, does traffic to private apps fail closed (denied) rather than routing around the connector? | +| **Policy sync validation** | Does connector health check include policy sync status, not just connectivity heartbeat? | +| **DNS enforcement** | Are internal app DNS names only resolvable through the connector/tunnel, not via split DNS on corporate networks? | +| **Bypass governance** | Is emergency bypass time-limited, approval-required, and automatically revoked after expiry? | +| **Direct route testing** | With connector disabled, can private apps be reached via direct IP/VPN? (Should be no.) | +| **Audit trail** | Are all connector failures, bypass activations, and policy sync events logged and alerted? | + +--- + ### Step 4: Pillar 4 — Applications & Workloads **Objective:** Assess application security, workload protection, and secure development maturity.
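Review bot: In the first hunk (the new ZT-NET-12 through ZT-NET-16 findings), ZT-NET-14 and ZT-NET-16 each describe one of the two concrete ways ZT-NET-12 comes true, since traffic can only "route around the connector" if the internal name still resolves (split DNS, ZT-NET-14) and a trusted segment still has a route to the app (ZT-NET-16); as written an assessor has three IDs to choose from for the same observation. Consider either stating ZT-NET-12 as the umbrella finding with 14 and 16 listed as its specific causes, or narrowing ZT-NET-12 to the connector/client agent's own behaviour on outage (for example the agent tearing down the tunnel and letting traffic egress normally). The commit message also calls out the VPN-fallback case, but no finding names it; "traffic bypasses connector on outage instead of failing closed" could read "traffic bypasses the connector or falls back to legacy VPN on outage instead of failing closed" so the VPN path is filed somewhere rather than only implied by the "Direct route testing" row later on.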
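Review bot: In the second hunk (the Private App Connector Fail-Open Readiness table), the "Direct route testing" row inverts the polarity of the checklist: every other row is a question where "yes" is the passing answer, while this one is passing on "no" and has to carry a "(Should be no.)" aside to say so, which invites mis-scoring when the table is used as a tick sheet. Rephrase it in the same direction as the other rows, e.g. "With the connector disabled, are private apps unreachable via direct IP and legacy VPN from all client networks?", and drop the parenthetical. Two smaller points in the same table: the "Audit trail" row asks for all policy sync events to be "logged and alerted", which will page on every routine sync; logging all sync events and alerting on sync failures, connector failures and bypass activations is the defensible criterion. The "DNS enforcement" row should also state the expected negative result on corporate networks (the internal name does not resolve at all, rather than resolving to a private IP that happens to be unroutable), since a resolving name plus a future routing change is exactly the ZT-NET-14/ZT-NET-16 combination the new findings are meant to catch.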