Industry has embraced Zero Trust (ZT) architectural tenets and implementations for cloud-native environments, imposing stricter security requirements on both internal and external tenants. Among other measures, these approaches combine fine-grained identity management with monitoring, both to inventory devices and to better analyse their security posture for overall protection, together with strict separation of concerns and isolation to enforce least privilege. Networking-wise, ZT approaches likewise rely on isolation and least privilege, enacted through separate, secure tunnels for each tenant connecting to a given infrastructure. Such implementations can also be applied to connectivity within and towards experimental infrastructures. In this sense, this work contributes the design and evaluation of a cloud-native VPN-as-a-Service (VPNaaS) that (i) can be easily orchestrated to deploy, on the fly, separate tunnels for each tenant remotely connecting to the infrastructure; (ii) integrates with common Identity and Access Management (IAM) tools, which are key to ZT deployments; and (iii) adapts to computing- or entropy-constrained environments. The solution is customisable and allows, among other options, selecting RSA or Elliptic Curve (EC) cryptography as the key generation algorithm, together with its parameters, to obtain stronger keys or to adapt to resource-constrained environments.
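The RSA-versus-EC trade-off behind point (iii) can be made concrete by measuring what each key profile costs to generate. The following Go program is an added example written for this page, not code from the paper or its VPNaaS prototype: it generates keys under several profiles with the standard-library `crypto/rsa` and `crypto/ecdsa` packages and reports generation time, bytes drawn from the random source, and the encoded private and public key sizes. The `KeyProfile`, `KeyStats`, `Measure` and `CompareProfiles` names are assumptions made here for illustration; how many random bytes a generation consumes depends on the Go version and whether FIPS 140 mode is active, so that column is informative rather than a fixed quantity.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"io"
	"time"
)

// countingReader wraps the system randomness source and counts the bytes
// drawn from it, so the entropy demand of each key type can be compared.
// RSA draws many candidate primes; EC needs roughly one scalar of curve size.
type countingReader struct {
	src io.Reader
	n   int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.src.Read(p)
	c.n += int64(n)
	return n, err
}

// KeyProfile is one selectable key-generation configuration (hypothetical type).
type KeyProfile struct {
	Name string
	Gen  func(r io.Reader) (crypto.Signer, error)
}

// KeyStats records what generating one key under a profile cost.
type KeyStats struct {
	Profile      string
	GenTime      time.Duration
	RandomBytes  int64 // bytes read from the random source (version/FIPS dependent)
	PrivDERBytes int   // PKCS#8 DER length of the private key
	PubDERBytes  int   // SubjectPublicKeyInfo DER length of the public key
}

// RSAProfile builds a profile for an RSA key of the given modulus size.
func RSAProfile(bits int) KeyProfile {
	return KeyProfile{
		Name: fmt.Sprintf("RSA-%d", bits),
		Gen:  func(r io.Reader) (crypto.Signer, error) { return rsa.GenerateKey(r, bits) },
	}
}

// ECProfile builds a profile for an ECDSA key on the given NIST curve.
func ECProfile(curve elliptic.Curve) KeyProfile {
	return KeyProfile{
		Name: "EC-" + curve.Params().Name,
		Gen:  func(r io.Reader) (crypto.Signer, error) { return ecdsa.GenerateKey(curve, r) },
	}
}

// Measure generates one key for the profile and reports time, randomness and sizes.
func Measure(p KeyProfile) (KeyStats, error) {
	cr := &countingReader{src: rand.Reader}
	start := time.Now()
	key, err := p.Gen(cr)
	elapsed := time.Since(start)
	if err != nil {
		return KeyStats{}, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return KeyStats{}, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(key.Public())
	if err != nil {
		return KeyStats{}, err
	}
	return KeyStats{
		Profile:      p.Name,
		GenTime:      elapsed,
		RandomBytes:  cr.n,
		PrivDERBytes: len(privDER),
		PubDERBytes:  len(pubDER),
	}, nil
}

// CompareProfiles measures every profile in the order given.
func CompareProfiles(profiles ...KeyProfile) ([]KeyStats, error) {
	out := make([]KeyStats, 0, len(profiles))
	for _, p := range profiles {
		s, err := Measure(p)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", p.Name, err)
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	stats, err := CompareProfiles(
		RSAProfile(2048), RSAProfile(3072),
		ECProfile(elliptic.P256()), ECProfile(elliptic.P384()),
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-10s %12s %8s %9s %8s\n", "profile", "gen time", "rand B", "priv DER", "pub DER")
	for _, s := range stats {
		fmt.Printf("%-10s %12v %8d %9d %8d\n", s.Profile,
			s.GenTime.Round(time.Millisecond), s.RandomBytes, s.PrivDERBytes, s.PubDERBytes)
	}
}
```

Running it shows the pattern a tenant-facing profile selector would rely on: a P-256 key is generated in a fraction of the time RSA-2048 needs, its SubjectPublicKeyInfo is 91 bytes against 294 for RSA-2048, and its PKCS#8 encoding is an order of magnitude smaller, which is what makes the EC profiles the natural choice for the computing- or entropy-constrained tenants the abstract mentions, while RSA-3072 remains available where a deployment requires it.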