
A VPN Alternative for Securing Remote Access to Legacy Applications

A municipality in Southern Ontario was seeking a method of securing remote access to legacy applications – responsible for the treasury, billing, and permit functions. Cyber insurance requirements mandated that all remote access must have multi-factor authentication and privileged access management. The IT team was challenged with meeting these new requirements while keeping the user experience simple.

Their current VPN required the addition of two separate solutions for multi-factor and privileged access management. This was not acceptable due to the added complexity for their user base and the combined added costs.

Objectives

The municipality set out to meet 4 main goals:

  1. Implement multi-factor authentication and privileged access management to achieve cyber insurance requirements.
  2. Meet budget constraints for buying, implementing, and operating the systems.
  3. Simplify the user experience for a non-technical user base.
  4. Ensure access to a critical application that was not accessible remotely because it required a thick client.

Zero Trust Network Access With Agilicus AnyX

The municipality selected Zero Trust Network Access (ZTNA) with Agilicus AnyX which comes complete with multi-factor authentication and privileged access enforcement. The Agilicus AnyX platform provides a VPN-less and clientless experience for users to connect to their work securely from anywhere, on any device.

By choosing Agilicus, the municipality was able to leverage ZTNA which pairs their user specifically to the legacy application rather than to the network. Upon a connection being made, the user is challenged for a second factor of authentication and admitted through privileged access management.

The municipality achieved the following results:

  1. Simplified access, allowing users to connect to the legacy application from any device or location.
  2. Enhanced session security, achieved via an outbound-only connection that is not visible on the public internet.
  3. Met cyber insurance requirements by seamlessly integrating multi-factor authentication and privileged access management.
  4. Improved user experience: users simply connect as they would in the office, using their existing employee credentials for single sign-on.

As a result, the municipality avoided the costs and extra steps of connecting through a VPN. This allowed them to achieve their cyber insurance requirements while remaining within the limited budget and avoiding added complexity. Deployment was achieved company-wide in under an hour.

Business Impacts

Through implementing Zero Trust Network Access with Agilicus AnyX, the municipality achieved secure remote access to their legacy application without the use of a VPN. The Agilicus AnyX platform provided robust security while remaining light, simple, and qualifying them for cyber insurance through extra layers of protection. The municipality was also able to simplify their administrative process by choosing a solution that could be quickly installed without the necessity of network changes or added hardware.

Although the Agilicus AnyX platform was initially deployed to secure their legacy application for remote users, the municipality expanded adoption of the platform to enable access to all city resources for employees, whether remote or not. With the ease of bringing on new users, the municipality was able to improve the security of their entire organisation with a frictionless deployment and deliver an invisible IT security experience for their end users.



Case Study: Secure Access to Critical Infrastructure for Partners and Vendors

Executive Summary

A municipality located on the west coast in North America set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisations, and their systems integrator. Facility management is shared with a partner municipality. A systems integrator needs access to perform maintenance and support. Given the number of internal and external individuals that need remote connectivity to the site, the municipality needed a secure solution that protected the critical infrastructure from external threats. 

Of particular importance was implementing a solution that did not require new accounts or interfere with the responsibilities or capabilities of any party. The municipality chose Agilicus AnyX to adopt a Zero Trust Architecture that enabled simple, secure connectivity and precise control over privileges, leveraging the existing identity providers of each organisation. The result is a more mature cyber posture and a VPN-less experience that creates a modern industrial air-gap for the water treatment facility. In turn, the municipality also benefited from detailed audit logs of all activity on the network, and the ability to extend just-in-time access to third parties and external vendors.

Protecting municipal critical infrastructure and shared resources.

How can I enable remote connectivity in a way that keeps my critical systems off the public internet but allow access for maintenance and support?

Municipal critical infrastructure is an essential service and citizens depend on the secure and reliable operation of municipal facilities. Remote connectivity and the ability to leverage data are two increasingly important requirements when it comes to successfully and safely operating critical infrastructure. The challenge is enabling remote connectivity in a way that protects the critical systems from online threats and attackers. It was particularly important for the municipality that they maintained a true air-gap without having to rework their entire network. 

To adequately support the water facility, individuals need to be able to remotely connect via Secure Shell (SSH) and Remote Desktop Protocol (RDP), and to access various SCADA web applications. However, governance, compliance, and the current threat environment made it especially complicated to use conventional technology such as a VPN or remote access tools like TeamViewer. While traditional access tools could partially solve internal remote needs, they would open the organisation and water treatment facility up to a host of attack vectors and cyber risk that was simply unacceptable.

The team had several essential needs in addition to a secure remote connection:

  1. On-site machines needed to stay online at all times. These are systems that are unable to receive security updates and patches.
  2. The systems integrator needed secure remote access, but organisational security policies had to be adhered to (no shared credentials, multi-factor authentication).
  3. The SCADA (supervisory control and data acquisition) system at the facility needed to maintain an always-on connection to city hall to export data for record keeping and analysis.
  4. All access and activity needed to be tracked and recorded through detailed logs, providing evidence if something were to go wrong.

Water treatment facilities and other critical infrastructure demand high security due to their vital role in society. The municipality needed a solution that offered a modern air-gap to deliver resource segmentation without limiting remote connectivity for operations, service, and support.

Solution

A Zero Trust Architecture by Agilicus AnyX proved to be the right solution for enabling secure remote connectivity while creating a virtual air-gap at the facility. Zero Trust consists of three central tenets – Identity, Authorisation, and Access.

  1. Identity: every user or operator must be individually known and authenticated.
  2. Authorisation: every action an individual takes must be authorised based on their identity and privileges to interact with a resource.
  3. Access: authenticated and authorised user actions are routed only to the destination resources.

A modern air-gap was achieved with a 15 minute installation that did not require a full network rework.

Identity – Any User

Identity is the way a given user proves who they are. For example, employees have a corporate email address – that corporate email address allows individuals to prove who they are. Agilicus AnyX allows an unlimited number of corporate email addresses, from different organisations to work together as if they were part of the same organisation – this is called federated identity.

Authentication across so many organisations without issuing new accounts or passwords was achieved by federating identity and leveraging the Agilicus OpenID Connect proxy for session management and to enable single sign-on.

Authentication is performed by known upstream issuers (Azure, O365, GMail, Okta, etc.) or a customer’s known identity provider. As a result, Agilicus uses an authenticated user’s JSON Web Token (JWT) and never requires or stores passwords and credentials.

A simple identity layer on top of the OAuth 2.0 protocol, OpenID Connect (OIDC) allows the verification of an identity and can request and receive information about authentication, sessions, and end-users. 

Within the Agilicus AnyX Authentication Issuer, the Municipality had several configuration options:

  1. Configure the sign-in screen theming with the municipal logo and branding.
  2. Select from a set of Agilicus-managed upstream identity providers (Apple, Google, LinkedIn).
  3. Add their own identity providers and those of their partners (Azure Active Directory, Microsoft Active Directory, etc.). In this case the municipality used Azure Active Directory, their partner organisation was able to use Okta, and their systems integrator was able to use GSuite.
  4. Configure and enforce multi-factor authentication.
  5. Control rules regarding when, how, and who can authenticate to the system.

A detailed example of how Agilicus uses OpenID Connect can be found here.

Authorisation – Least Privilege

Through Agilicus AnyX, the municipality gained precise control over resources and user privileges. Every resource (network, server, application, etc.) has a set of permissions that are both role and resource specific – Owner, Editor, Viewer, Self. For each resource the municipality could select a user or user group and delegate necessary privileges. 

In order to fold those resources into the Zero Trust Architecture, Agilicus AnyX uses a connector to facilitate the connection between a network and the authorised end-users. The Agilicus Connector is installed on a device to create a unidirectional pathway to the Agilicus Cloud. This outbound-only connection blocks all ports and remote connectivity unless achieved through the authorised path, Agilicus AnyX. The Agilicus Connector is self-updating and follows The Update Framework (TUF), which offers a means of protecting the mechanisms involved in automatically downloading software updates. A changelog is readily available to ensure the municipal team is informed of any updates that have occurred.

Each Agilicus Connector uses a Globally Universally Unique Identifier (GUUID) to individually identify the resource and an OpenID Connect issuer to control its authentication domain. This ensures Agilicus AnyX can confirm the identity of a given resource and enforce privileges. Once the connector is installed on the destination resource, new directories and services to share or expose are managed entirely from the administrative web interface. Combined with Role-Based Access Controls, users and user groups at the municipality could be paired with only the resources they need, with strict, least-privilege access.

Complete micro-segmentation of users, resources, and sites is also achieved by the Agilicus Connector. The Agilicus Connector can be installed at different points in the network or on individual systems, allowing for a per-site or per-resource approach to micro-segmentation. As a result, users and resources are isolated from one another and cannot connect unless authorised.

In order to achieve the objective of creating a secure, always on connection between the water treatment facility SCADA system and city hall, a small router with a firewall that denied all inbound and outbound traffic except through the Agilicus Connector was installed on site. This introduced a service forwarder where only an authorised and authenticated connection can be established. All data such as chlorine levels could now be recorded and transmitted under a Zero Trust security framework, with complete end-to-end encryption.

Access – Simply and Securely

The Agilicus AnyX platform centralises authorisation management ensuring municipal operators and administrators can easily add or remove users and enable or disable access privileges through a single web-based portal. Meanwhile, the various end-users perform authentication using their designated accounts via Single Sign-On through the Agilicus AnyX platform to gain access to only the applications and resources they have permissions for.

The authentication workflow performed by end users, and the outbound only connection from the resource meet in the middle (The Agilicus Cloud) where a connection is only established if all authentication and authorisation parameters are met (user identity, multi-factor authentication, privileges).

Agilicus AnyX easily supports SSH, RDP, Virtual Network Computing (VNC), web applications, and even access to PLCs. These access methods to specific resources are created through the administrative portal. Each resource is further secured by the patented Identity Aware Firewall, which acts as an HTTP proxy. This ensures SSL/TLS is enforced for every connection and protects the resources from various issues such as server misconfiguration. The Identity Aware Firewall blocks all traffic unless it is authenticated and authorised, adhering to the "never trust, always verify" Zero Trust principle.
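The identity, authorisation, and access checks described in this section, modelled as a small Python example. This is added illustration, not Agilicus code, and does not reflect how AnyX is implemented. It assumes HS256 shared secrets per issuer (real OIDC issuers sign with RS256 and publish keys via JWKS), that a satisfied second factor appears as "mfa" in the token's amr claim, and an invented role-to-action mapping for Owner, Editor, and Viewer (the Self role is left out because the page does not define it); all issuers, users, and resources are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed federation: one trusted issuer per organisation, mirroring the case
# study (municipality, partner, systems integrator). Assumption: real OIDC issuers
# sign with RS256 and publish keys via JWKS; HS256 shared secrets keep this offline.
TRUSTED_ISSUERS = {
    "https://idp.municipality.example": b"municipality-demo-secret",
    "https://idp.partner.example": b"partner-demo-secret",
    "https://idp.integrator.example": b"integrator-demo-secret",
}
AUDIENCE = "anyx-demo"  # constructed: the audience the proxy expects in every token

# Constructed per-resource role assignments: permissions are role AND resource specific.
RESOURCE_ROLES = {
    "wtp-hmi-rdp": {
        "alice@municipality.example": "Owner",
        "sam@integrator.example": "Editor",
    },
    "wtp-scada-web": {
        "pat@partner.example": "Viewer",
    },
}
# Assumed action sets per role (the page names Owner/Editor/Viewer, not their exact rights).
ROLE_ACTIONS = {
    "Owner": {"connect", "configure", "manage-access"},
    "Editor": {"connect", "configure"},
    "Viewer": {"connect"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str, amr, now: int, ttl: int = 300) -> str:
    """Constructed stand-in for an upstream IdP: issues an HS256 JWT for the subject."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({
        "iss": issuer, "sub": subject, "aud": AUDIENCE,
        "iat": now, "exp": now + ttl, "amr": list(amr),
    }).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(TRUSTED_ISSUERS[issuer], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: int):
    """Return the claims only if the token is from a federated issuer, untampered,
    addressed to this proxy and unexpired; otherwise None. No password is ever seen."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token pick 'none' or another algorithm
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:  # only the federated organisations' issuers are accepted
        return None
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def decide(token: str, resource: str, action: str, now: int):
    """Meet-in-the-middle decision: (allowed, reason). The connection is only
    established when identity, multi-factor authentication and privilege all pass."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid-token"
    # Assumption: the IdP reports a satisfied second factor as "mfa" in the amr claim.
    amr = claims.get("amr")
    if not isinstance(amr, list) or "mfa" not in amr:
        return False, "mfa-required"
    role = RESOURCE_ROLES.get(resource, {}).get(claims.get("sub"))
    if role is None:  # no assignment on this resource means no path to it at all
        return False, "no-role-on-resource"
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, f"role-{role}-denies-{action}"
    return True, f"{role}:{action}"
```

Every denial carries a reason string so the same decision can be written to the audit log the case study relies on.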

Figure: Deployment

Figure: Least Privilege Access

Outcome

The municipal team was able to adopt a virtual air-gap and implement a Zero Trust Architecture to secure the water treatment facility achieving their goal of enabling secure, least privilege access for all authorised parties – internal users, partner organisations, and their systems integrator. Agilicus AnyX also equipped the municipal team with detailed audit logs of all activity on municipal water infrastructure. The team now has a clear view of who is accessing their systems, what they are doing with that access, and when they are accessing facility resources.

Federating identity with OIDC ensured no new identity management services or licences were required. Passwords stay with the users and are never passed to, or stored by, Agilicus AnyX. This also means that if an employee leaves, their access is instantly revoked as soon as their account is removed at their own organisation.

Multi-factor authentication is easily enforced across all users for access to any resource, including non-participating systems such as the machine hosting the facility Human Machine Interface (HMI).

Complete micro-segmentation of both users and resources was achieved via the Agilicus Connector, preventing network traversal and requiring authentication and authorisation for access.

The Agilicus Connector was used to establish a secure, always-on connection to city hall for data collection from the water treatment facility. The data is necessary for record keeping as well as for management and monitoring of the facility resources to ensure proper function.

The Agilicus Connector enabled secure accessibility to the resources without needing a public IP, a VPN, or a client. That means that while the various teams were able to establish a secure and convenient remote connection, water treatment facility resources are neither exposed to nor visible on the public internet.

The water treatment facility's cyber posture was greatly enhanced through the Identity Aware Firewall and the Agilicus Connector: no lateral traversal, enforced SSL, and the blocking of peripheral devices on facility machines.

Both the systems integrator and the partner organisation no longer needed to send workers to site for troubleshooting, maintenance, and operation, leading to cost and labour savings.

What is Agilicus AnyX?

Agilicus AnyX is an easy to deploy, all-in-one Zero Trust Network Access platform that allows organisations to improve security and equip employees with frictionless access to only the resources they need. The platform ensures organisations can micro-segment resources and infrastructure while ensuring authorised users can get simple, secure access to applications, desktops, shares, and other resources. A secure alternative to perimeter-based network access, Agilicus AnyX provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges.


Case Study: Enabling Secure Remote Connectivity to 100 Critical Infrastructure Sites, Nationwide

A major systems integrator that services critical infrastructure across the United States seamlessly transformed their service model through Zero Trust, to reduce costs while enabling secure remote connectivity to over 100 customer sites.

Summary

A major systems integrator that primarily supports water treatment facilities across the United States needed a way to remotely connect to over 100 on-site systems to perform support, maintenance, and troubleshooting. In order to do that, the systems integrator also had to comply with customer security requirements for remote access (no shared credentials, multi-factor authentication, privileged access). Agilicus AnyX, a Zero Trust Network Access platform, enabled remote connectivity for the systems integrator without requiring any new hardware, clients, or a VPN. As a result, access was simplified for the systems integrator while ensuring they could adhere to each customer's expectations on security.

Figure: Network modification using Agilicus AnyX to create an outbound-only connection at IEC 62443 Level 3.

Challenges with enabling remote connectivity for support and maintenance.

Remote access was particularly important for the systems integrator with over 100 sites located coast to coast. The systems integrator had so far been forced to send technicians to site in order to support customers. The ability for technicians to remotely connect for immediate support from anywhere, on any device represented significant cost savings and higher customer satisfaction. 

Due to growing cyber threats and attacks targeting critical infrastructure and operational technology, it was not an option to use traditional remote access tools such as TeamViewer or LogMeIn. Neither the systems integrator nor their customers were comfortable with using these remote access tools because of shared credentials, no multi-factor authentication, and lack of auditability.  

Likewise, a VPN was both impractical for the systems integrator and risky for their customers due to cyber risks such as lateral network traversal. For the systems integrator, VPNs limit efficiency at scale (e.g., 100 VPNs for 100 customers). When it comes to providing support, VPNs can be unreliable and limit the ability to connect to and support multiple sites at once. For operators, VPNs break the air gap and can become a doorway for cyber attacks like ransomware.

Enabling secure remote connectivity without compromising on security.

Water treatment facilities and municipal critical infrastructure require strict security policies to protect the citizens and communities they serve. In order to comply with these security requirements and best serve their customers while achieving their own business objectives, the systems integrator implemented Agilicus AnyX. The platform empowered the systems integrator with precise control over permissions and detailed audit logs for a complete view of technician activity for each site and system. 

With Agilicus AnyX, the systems integrator was able to enable access for authorised technicians without requiring yet another set of credentials or shared access between users. The platform also made it possible to enforce multi-factor authentication for access to any system by any user. The result was remote connectivity through a Zero Trust Network Access framework that complied with customer policies as well as a greatly improved cyber posture for the systems integrator and the sites they manage.

Improved business efficiency with remote connectivity.

  1. Faster site commissioning, faster support and troubleshooting responses, fewer site visits, and the potential for 24/7 live monitoring.
  2. Micro-segmented down to the device level with a single click, ensuring technicians did not access anything out of scope.
  3. Multi-factor authentication enforced in a way that secured access without adding complexity for the support technicians.
  4. Detailed audit logs providing clear evidence of who accessed the systems, what changes they made, and how long they were connected.
  5. The entire site kept off the public internet and air-gapped by leveraging the Agilicus outbound-only connection. This meant that neither a VPN nor a public IP address was needed (even on cellular sites).

Figure: Deployment Architecture

Figure: User Flow


Third Party and Vendor Access Management for Critical Infrastructure

Located in the heart of one of the largest economic regions on the west coast of North America, our customer is a municipality with a very active industrial and commercial services sector. The team at the municipality needed to adopt Vendor Access Management (VAM) and enforce multi-factor authentication on the SCADA system at their water treatment facility. With Agilicus AnyX, the team was able to achieve their goals and adopt a Zero Trust security framework to enable secure access for all internal users and third-party vendors.

Vendor Access and Multi-Factor Authentication Enforcement Challenges

Due to their scale of operations, our customer works with third parties to ensure critical infrastructure resources are operating optimally. However, third parties and vendors introduce inherited cyber risks for municipalities, which is especially dangerous for critical infrastructure. 

Our customer set out to introduce multi-factor authentication requirements and Vendor Access Management for all city resources, including their critical infrastructure. The SCADA system supporting the water facility had several limitations that interfered with the adoption of those secure access policies.

  1. Budget constraints prevented the IT team from changing the licensing for the SCADA software to integrate identity into the application.
  2. A single, shared login was not acceptable, and it was not possible to provide individual Active Directory licences to vendors.
  3. Multi-factor authentication was required for access by user groups.
  4. Remote access to the SCADA system was a requirement for all internal and external users.

It was critical that any solution would provide the Information Technology team with precise control over permissions and privileges for such a diverse user group (internal users, vendors, third parties). A large and costly upgrade of the SCADA system was simply not possible. The municipality needed a SaaS solution that could deliver Vendor Access Management and introduce authentication and authorisation as a layer in front of the SCADA software rather than as an add-on integrated into it.


Vendor Access Management (VAM) with Agilicus AnyX

Agilicus AnyX introduces authentication and authorisation policies across user groups to enable simple access without exposing resources to the public internet. Our customer seamlessly and affordably enabled secure access for vendor support of the SCADA system at the water treatment facility with Agilicus AnyX.

Vendor Access Management

Agilicus AnyX was used to quickly and easily onboard third party vendors without issuing new accounts or credentials. Fine-grained authorisation is paired with detailed audit logs, ensuring the team has complete control and visibility over when their users and vendors are accessing the SCADA system.

Multi-Factor Authentication

Multi-factor authentication can be enforced on any resource, requiring a second factor as part of the login flow to gain access to any designated resource.

Federated Identity

Agilicus AnyX federates identity, allowing users from different organisations to use their individual user ID for access to their permissioned applications. Single Sign-On delivers a simple end user access experience while the platform works behind the scenes to unify authentication, putting administrators in full control of who can onboard into their system.

Centralised Authorisation Management

Through a single pane of glass, administrators can easily add or remove users and precisely adjust authorisation permissions, whether it’s for an internal employee or third party vendor.

Identity Aware Web Application Firewall

In addition to the above, the Agilicus AnyX Identity Aware Web Application Firewall makes resources accessible to authorised users without making them visible on the public internet; access is permitted only on the basis of authenticated identity.

Our customer was able to implement Vendor Access Management and enforce multi-factor authentication to ensure the SCADA system could only be remotely accessed by authorised users without exposing the water treatment facility to external risks.


Business Impact

With Agilicus AnyX our customer adopted vendor access management with precise control of authorisations and permissions across user groups without having to issue new accounts for their vendors. Precise authorisation controls enabled permissions and privileges per user, simplifying access without giving up ground on control or visibility of who was accessing the SCADA system. 

Vendor Access Management was effectively achieved without interrupting water services for citizens or burdening internal users and third party vendors.


  1. Centralised authorisation management for internal users and third-party vendors.
  2. Least-privilege access controls and detailed audit logs.
  3. Remote access with enhanced cyber resilience.
  4. Authentication via federated identity and single sign-on.
  5. Enforcement of multi-factor authentication.



Adding Multi-Factor Authentication to Legacy Systems and SCADA with Agilicus AnyX

A municipality in Eastern Canada was seeking a method for securing access to the SCADA systems in their water treatment facility through the implementation of Multi-Factor Authentication. This was driven by pressures from city council to improve security, qualify for cyber insurance, and support the different levels of access needed by stakeholders supporting the facility.

The IT team specifically needed to balance security with accessibility – they needed to ensure that the teams supporting the SCADA system had remote access to the Human Machine Interface’s (HMI) thin client without sacrificing the security of the network.

Security Challenges

The IT department had various hurdles to overcome on their path to supporting the water team and providing them with secure access to the SCADA application. The municipality was facing four key problems:

  1. Their SCADA system was exposed and reachable via the public internet.
  2. Pressure from council to meet cyber insurance requirements.
  3. A workforce that did not like to change the way they do things.
  4. The system in question was a critical system that always had to be connected to the internet and could never be logged out, updated, or shut down.

After doing some research, the municipality identified that it was possible to keep these systems off the public internet and allow access without using a VPN. What was most interesting to them was that this could be done with zero changes to their network or to the way employees access the systems.


Using Multi-Factor Authentication and Zero Trust Network Access to Increase Security with Agilicus AnyX

Working with Agilicus, the municipality implemented the AnyX platform and was able to achieve secure access to their water management and SCADA systems as well as adding an extra layer of protection through enforcing multi-factor authentication.

The municipality was able to achieve the following:

Enhanced security by moving the exposed URL behind a firewall, leaving their systems fully accessible to authorised users but not visible to the public internet

Achieved a quick and frictionless implementation without network changes in under an hour

Fulfilled cyber insurance requirements by ensuring each user is challenged with the second factor before access is granted and seamlessly allowed the continued use of existing USB security keys

Added enhanced protection against common security threats including blocking lateral traversal, restricting user privileges, and producing a full audit log

As a result, the municipality was able to avoid a project that would have normally taken months and met their incoming multi-factor requirements for all users in under an hour. This was all achieved while allowing employees to use their existing credentials, be seamlessly authorised, and require no additional training through Agilicus’ robust solution.


Business Impact

By securing remote access with multi-factor authentication and implementing Zero Trust Network Access, the municipality was able to protect their critical systems while simplifying administration. All of this was achieved without the necessity of making changes to the network or installing new hardware. The region was able to achieve the multi-factor authentication they sought without the use of drastically different technologies or changes to personal devices. In addition, the municipality established a secure encrypted connection to the Agilicus cloud, giving them total control over who had access to the SCADA system and what each user was able to access, all while reducing the time to connect.

In the end, the municipality was able to become more secure, lower their administrative overhead, and have a single pane of glass strategy to control access.


Increased Cyber Resilience

No Network Changes or Additional Systems

Reduced time to connect

Met Cyber Insurance Requirements

Reduced Administrative Overhead


Digitally Enabling Workers with Secure Access to Web Applications through Zero Trust

One of Canada’s smartest cities is using the Agilicus AnyX platform to digitally enable mobile workers with secure access to web applications through a Zero Trust framework. Our customer provisioned a series of web applications to digitise analog processes, achieve compliance requirements, and deliver secure access for its diverse workforce, but faced a number of security and deployment challenges.

Read the case study and learn how Agilicus AnyX has been used to onboard over 1000 users and deliver frictionless secure access to custom web applications without the need for a VPN, new usernames, passwords, or active directory licences.

Enabling the Modern Workforce with Secure Access to Web Applications through Zero Trust

Summary

Situated outside of the Greater Toronto Area, our customer is recognised as one of Canada’s smartest cities and is home to many leading technology companies and universities. With a shared mandate of workplace health and safety, leadership, compliance, and fiscal responsibility, our customer is dedicated to ensuring service excellence for its citizens and employees. Our customer’s IT organisation provides technology support to the team of elected officials, staff, and volunteers to help achieve these mandates and deliver municipal services. 

In order to deliver on these mandates, our customer commissioned several productivity and compliance applications from a third party, but faced considerable challenges in securely deploying them to the workforce.

Application deployment challenges

  • Firewall could not handle inbound traffic as reverse proxy for multiple sites/apps
  • Needed to keep app data in existing on-site system
  • Wanted to get app in hand of users without new logins to existing system, new passwords, or active directory licences
  • Users needed to be able to access the applications from anywhere, without a VPN

Leveraging Web Applications to Digitally Enable Mobile Workers and Improve Productivity

Our customer commissioned three business applications from a third party to improve productivity and help meet compliance requirements by digitally enabling end-user employees, contractors, and other personnel who are mobile and have no fixed workspace or location. These applications were critical for the organisation to digitise analog processes, streamline record keeping, manage costs, empower mobile users, improve productivity, and achieve various compliance requirements such as hours of service for commercial vehicle operators.

In order to achieve this objective, the IT organisation at our customer had to overcome several key implementation roadblocks and end-user challenges:

Deployment

The existing firewall was not capable of handling inbound traffic as a reverse proxy for multiple sites and applications.

Data Custody

Requirement to keep data and application hosting on-site at the town hall.

User Security

There could be no new passwords, usernames, or active directory licences involved in the application deployment to avoid costs and weak credentials.

End-User Challenges

Nomadic, mobile, and deskless workforces without a fixed location where work is conducted needed to be able to connect without a company issued device or a VPN.

End-User Challenges

Many staff at the city are part of a mobile workforce that does not require a company issued device or they do not have tasks that require regular access to computers. However, the ability to leverage technology and productivity applications would significantly streamline the administrative duties that they must comply with.

Commercial Vehicle Operators

These users are off-premise and mobile. They do not have or require corporate issued devices to perform their duties and some may work as part-time contractors for the city. All commercial vehicle operators must log their driving hours for compliance with the Ministry of Transportation of Ontario. Our customer developed an application that would modernise this record keeping and better ensure compliance without burdening the end user operator.

Seasonal Workers

Seasonal workers such as the lifeguards, park workers, and city maintenance personnel for our customer are required to complete online safety training. This compliance requirement is in place to help create a safe environment for staff and citizens. It is impractical to issue corporate devices or active directory licences to seasonal workers.

Volunteers and Extended Teams

The workforce for our customer comprises part-time employees, contractors, and volunteers in addition to the full-time staff. Technology solutions ensure that organisation resources could be digitised, preserve the privacy of city personnel, and help the volunteers and extended team members be more effective in their roles. The volunteers and extended team members do not require active directory licences or company issued devices to support the city.

Taking a digital first approach was only natural for our customer, but getting their users onboarded to the various productivity web applications was met with several implementation and cybersecurity roadblocks.

Implementation Roadblocks

Stakeholders from the IT and Business Applications teams would be involved in the deployment process, each with their own unique requirements. In working with the IT organisation at the city there were several unique needs that were quickly identified, which had to date prevented the organisation from adopting web applications for productivity:  

  1. “We think to keep our data we must host it. But, that means our firewall needs to handle multiple unique systems behind it by host name, which is a type of reverse proxy. It doesn’t handle that, our team doesn’t know how to make that happen, so we are blocked.”
  2. “We don’t want/won’t allow new usernames or passwords, they get written down.”
  3. “We must hold our data.”

While the applications created by the third party were built to spec and capable of driving new efficiency and productivity for the city, there were a number of implementation roadblocks that had to be overcome in order for deployment to the end users.

Data Custody

Like all municipalities, our customer must adhere to the Municipal Freedom of Information and Protection of Privacy Act and retain data to meet regulatory obligations. As a result, the city has chosen to be the custodian of its own data which also aligns with the internal backup strategy, need for data integrity, and self management of enterprise applications.

User Security

People are maintaining an incredible number of usernames and passwords. Having end-users manage yet another set of access credentials was viewed as both a burden and a cyber risk. The risk of weak and shared credentials being used would leave private applications open to brute force and credential stuffing attacks. Likewise, enforcing strict password policies would lead to the use of weak passwords, the credentials being written down, or stored insecurely.

User Management

The ability to manage user access and privileges was important to the IT team. Unfortunately, adding licences to the active directory would be both expensive and impractical due to the transitory nature of some of the users (e.g., seasonal workers, volunteers, etc.). Considering a significant portion of the end-users would be seasonal, volunteer, or in the field, it also didn’t make sense to issue licences that came with business applications such as document editors. However, the team still needed the ability to add or remove users and manage their access privileges without adding new active directory licences.


Digital Workforce Enablement through a Zero Trust Architecture

Technology plays a pivotal role in the strategy and execution of municipal services at the city. The ability to extend secure access to remote and mobile workforces would only benefit the city in its mission to deliver service excellence for the citizens while fostering a safe work environment. 

The Agilicus AnyX platform offers a Zero Trust Network Access solution that quickly and easily allowed our customer to onboard users, retain custody of their data, and deliver end to end security, all without the need for new usernames, passwords, or active directory licences. 

By using the Agilicus AnyX platform, our customer would be able to scale adoption of its business and productivity applications, getting them into the hands of their remote and mobile end users.

What is Agilicus AnyX

AnyX removes the complexity of extending secure access to web applications for authorised employees and non-employees. The platform puts organisations in full control with role-based access controls and granular auditing logs. 

Users can easily self-onboard as the platform federates identity and enables single sign-on. Organisations can maintain their native active directory and preferred identity providers of their partner organisations.

The AnyX platform ensures any user can securely connect to any application, resource, or desktop from any device while bolstering defences with a modern approach to cybersecurity.

No VPN – No Hardware – No Client

Data Custody

To ensure our customer could be the custodian of its data and be in control of their own fate, Agilicus introduced a hybrid cloud architecture through a three-tier approach to hosting the applications.

The web application runs in the web browser, while a database is hosted on site at our customer and serves as the ultimate data repository. A web server sits in the middle and acts as an API (application programming interface), connecting the end user’s application with the hosted database.

These connections are each secured through Agilicus’ unique, identity-aware web application firewall, which sits between the end user and the web server. Another sits between the web server and the database backend, ensuring the city could self-host the databases. In this hybrid model, where the backend data stays on premise, a workload firewall that uses mutual TLS and SPIFFE ensures only the specified application can access only the specified resources in the database.
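The workload-to-database check described above, shown as an added Python example that is not Agilicus code: it parses the SPIFFE ID carried in a workload certificate’s URI Subject Alternative Name, validates it against the SPIFFE ID format (lowercase trust domain, no empty or dot path segments, no trailing slash, no query or fragment), and consults an allowlist mapping application identities to database resources. The mutual TLS handshake is assumed to have already been completed by the TLS stack, so the verified peer’s URI SANs are passed in as strings; the trust domain `town.example`, the workload paths and the `db:` resource names are constructed for illustration.

```python
"""Workload identity check for an on-premise database tier.

Added example, not Agilicus code. The TLS stack is assumed to have verified the
peer certificate; this code receives that certificate's URI SANs as strings and
decides whether the identified workload may touch a given database resource.
Trust domain, workload paths and resource names are constructed for illustration.
"""
from dataclasses import dataclass
import string

# Character classes from the SPIFFE ID specification.
_TRUST_DOMAIN_CHARS = frozenset(string.ascii_lowercase + string.digits + ".-_")
_PATH_SEGMENT_CHARS = frozenset(string.ascii_letters + string.digits + ".-_")
_MAX_BYTES = 2048


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for a bare trust domain, otherwise "/seg/seg/..."

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Strictly parse 'spiffe://<trust-domain>[/path]'; raise ValueError otherwise."""
    if len(raw.encode("utf-8")) > _MAX_BYTES:
        raise ValueError("SPIFFE ID longer than 2048 bytes")
    prefix = "spiffe://"
    if not raw.startswith(prefix):
        raise ValueError("scheme must be spiffe://")
    trust_domain, slash, path = raw[len(prefix):].partition("/")
    if not trust_domain or not set(trust_domain) <= _TRUST_DOMAIN_CHARS:
        raise ValueError(f"invalid trust domain: {trust_domain!r}")
    if not slash:
        return SpiffeId(trust_domain, "")
    if path == "":
        raise ValueError("trailing slash is not permitted")
    for segment in path.split("/"):
        # Empty segments (//), dot segments and characters such as ?, # or %
        # (no query, fragment or percent-encoding) are all rejected here.
        if segment in ("", ".", "..") or not set(segment) <= _PATH_SEGMENT_CHARS:
            raise ValueError(f"invalid path segment: {segment!r}")
    return SpiffeId(trust_domain, "/" + path)


def is_valid_spiffe_id(raw: str) -> bool:
    try:
        parse_spiffe_id(raw)
        return True
    except ValueError:
        return False


# Constructed allowlist: which workload identity may reach which database resource.
TRUST_DOMAIN = "town.example"
POLICY = {
    SpiffeId(TRUST_DOMAIN, "/ns/apps/sa/hours-of-service-api"): frozenset({"db:hos.driving_logs"}),
    SpiffeId(TRUST_DOMAIN, "/ns/apps/sa/training-api"): frozenset({"db:training.completions"}),
}


def authorize(peer_uri_sans, resource):
    """Return (allowed, reason); the reason is suitable for an audit log line."""
    ids = []
    for uri in peer_uri_sans:
        try:
            ids.append(parse_spiffe_id(uri))
        except ValueError:
            pass  # non-SPIFFE URI SANs are ignored
    # An X509-SVID carries exactly one SPIFFE ID; anything else is not a workload identity.
    if len(ids) != 1:
        return False, f"expected exactly one SPIFFE ID in URI SANs, found {len(ids)}"
    workload = ids[0]
    if workload.trust_domain != TRUST_DOMAIN:
        return False, f"{workload} is outside trust domain {TRUST_DOMAIN}"
    if resource not in POLICY.get(workload, frozenset()):
        return False, f"{workload} is not permitted to access {resource}"
    return True, f"{workload} permitted to access {resource}"


if __name__ == "__main__":
    # Constructed sample of the URI SANs a verified peer certificate might carry.
    sans = ["spiffe://town.example/ns/apps/sa/hours-of-service-api"]
    for res in ("db:hos.driving_logs", "db:training.completions"):
        print(authorize(sans, res))
```

The decision deliberately fails closed: a certificate with no SPIFFE ID, with more than one, or from a different trust domain is refused before the allowlist is consulted, and every refusal returns a reason string so the denial can be written to the audit trail the case study mentions.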

User Security

The AnyX platform easily federates identity so that organisations like our customer can quickly onboard users and link an electronic identity with a given user’s privileges to specific applications and resources. Our customer was able to extend secure, convenient access via single sign-on to its users without having to add active directory licences by enabling social login.

That means that when a seasonal worker, part-time hire, or volunteer joins the organisation, they simply have to provide a Gmail or other such ID to be given access. Every user that needed to onboard was able to do so without requiring a single new password or username. This is an integral function of the Agilicus AnyX platform, where by design no usernames or passwords are stored.

In addition to Agilicus being able to federate identity, the AnyX platform provides administrators with the capability to enforce multi-factor authentication for any resource or application. Our customer’s users could easily be required to authenticate through a second factor to prove their identity and gain access to their business and productivity applications.

User Management

By leveraging a user’s electronic identity to provide access, our customer is able to benefit from role-based access controls and fine-grained authorisation capabilities. The result is simplified user management, where administrators can easily add or remove end-users from any application, instantly.

Role Based Access Controls

Role-based access controls allow administrators to grant privileges to users so that they may access information and resources they need for their jobs while preventing them from accessing unrelated resources that they do not have permissions for.

Simplified User Management

Users can be added or removed from any application instantly (seasonal workers, part-time employees, contractors, or other job actions). 


Business Impact

1000+ Users

The city quickly scaled the adoption of web applications onboarding over 1000 users without requiring new usernames, passwords, or active directory licences.

10 Applications

The Zero Trust framework through Agilicus AnyX was so effective the IT organisation soon delivered secure access to 10 web applications across city workers.

$100K Savings Per Year

Our customer was able to find considerable cost savings of at least $100 per user, per year by not having to purchase additional active directory licences or adopt another identity provider.

Digitising Analog Process

Additionally, shifting analog record keeping to digital better equipped city team members for meeting compliance requirements.

User Privacy

Some use cases included phone lists and directories, which when delivered via web application through AnyX enhanced individual personal privacy and data security without limiting accessibility to authorised staff and volunteers.

Our customer was able to quickly scale adoption of web applications across the city and onboard over 1000 mobile users and enable secure access to the respective business and productivity applications. That has allowed the city to accomplish compliance requirements, streamline administrative tasks, and drive productivity by leveraging technology and web applications. Most significant was the ability to achieve those objectives without compromising on cybersecurity standards and without having to purchase and issue new active directory licences.

The value of getting these mobile workforces online quickly became apparent with demonstrable business impact. The various teams at the city were suddenly able to shift from analog and in-person methods of performing specific job functions to entirely digital, 24/7 accessible resources that would be available on any device. After the adoption of the initial run of applications, and due to the scalable nature of the Agilicus AnyX platform, our customer quickly went from three productivity applications to 10.

Agilicus AnyX allowed the IT team to introduce web applications across departments with use cases varying from administrative services (payroll, HR, training, inventory management, directories and phone lists) to more tactile use cases such as fire services and bylaw enforcement. In fact, the Agilicus AnyX platform became a marquee solution for the Bylaw Department within the city and allowed this organisation to retire legacy handheld devices in favour of modern smart devices. This significantly reduced the cost of delivering bylaw services for the city while adding increased flexibility for the bylaw officers.

Get in touch with our team to learn more about leveraging Zero Trust to adopt and deliver secure access to productivity applications and streamline the workforce.

Protecting Critical Municipal Infrastructure and Securing Operational Technology at a Water Treatment Facility

A Canadian town has turned to Agilicus to ensure that its critical infrastructure resources can be securely accessed by technicians, employees, and third-party partners, whether on-premise or remote.

Read the case study and learn how Agilicus helps protect operational technology against cyber threats through user and resource segmentation while delivering a seamless end-user experience.

Protecting Critical Municipal Infrastructure and Securing Operational Technology at a Water Treatment Facility

Summary

Our customer is a rural municipality based in Ontario. The local government is dedicated to creating a safe, sustainable municipality where the economy, environment, community, and heritage can flourish. One of the key responsibilities of the local government is to manage critical infrastructure for the citizens. This includes managing, operating, and securing the SCADA systems for their water treatment facilities. The municipal IT organisation works with the water treatment facility teams, providing support for these key services and their operation.

Enhancing Cybersecurity at Water Treatment Facilities and Enabling Secure Access

One of the biggest challenges our customer faced was that the physical water treatment facility is in a remote location and not easily accessible by staff and partner organisations. The SCADA system contained in this facility needs to be accessed by multiple user groups including a partner municipality that shares the facility and systems.

To reduce the complexity of reaching the physical facility and to meet data storage requirements, the customer placed a remotely accessible machine on site. This device transmits data to the town hall and is used to access, control, and monitor the facility by all parties concerned, whether remote or on-premise. However, due to the nature of SCADA systems, the machine must always be connected, and it can never go offline. The requirement for continuous connectivity means the device can never power off or receive patches and system updates, further complicating security for the device and the networks it connects to.

What made the problem especially complex for our customer was enabling secure access for their partner municipality and users outside of their native active directory without impeding security or user experience. The traditional solution of adding client software (VPNs) and dictating new workflows, practices, and protocols for non-employees meant greater operational overhead and longer roll-out times. Additionally, the inability to implement traditional security mechanisms for such a critical system was creating immense cyber risk, especially as so many different user groups needed to be able to access the system.


Secure Access to Critical Systems and Operational Technology through the Agilicus AnyX Platform

With Agilicus, our customer was able to deliver third-party access, maintain continuous connectivity to enable data transfer to and from the town hall, and enable secure remote access to their broad user groups and third-party partners.

Starting with a review of the overall system and the user groups who need access to the water treatment facility, the team at Agilicus developed a path to implementation that could run in parallel to current systems to avoid the risk of service disruption. This included:

Integrating the municipality’s native active directory and that of their partner organisations to institute single sign-on.

Introduction of the Agilicus AnyX Identity Aware Web Application Firewall to secure access to the SCADA system web application interface.

Blocking all inbound and outbound traffic to the host machine that is not authorised through the Agilicus AnyX Agent.

Using the Agilicus AnyX firewall rules to prevent the use of physical devices and peripherals such as USB drives on the facility machine.

Enacting strict least-privilege and role-based access controls to authorise user access to the SCADA system.

Enforcing multi-factor authentication policies to gain access to the remote system through the web application or RDP.

A granular audit trail of how a user or technician accessed the SCADA system, when they accessed it, and what they did while they accessed it.

Through the Agilicus AnyX platform, any authorised user could securely access the SCADA system from a remote desktop or through the web application without sacrificing security or impinging on the end-user experience. This streamlined maintenance and operation processes across the partner organisations and enabled secure access for all personnel who required access to the water treatment facility. Finally, because traffic would be routed through the Agilicus platform for authorisation, our customer also benefited from DDoS protection and improved cyber resilience.

Network Diagram: User, Resource Segmentation and Secure Access with Agilicus

The network diagram is a visualization of how the access workflow changes when operational technology resources are secured through Agilicus.

Business Impact

Streamlined User Onboarding

11 internal users and 14 third parties including contractors and technicians from their partner municipality.

Deployed in a Single Afternoon

The Agilicus AnyX platform was implemented in a single afternoon.

Parallel Implementation

Agilicus AnyX ran in parallel to existing infrastructure, allowing the municipality to migrate at their own pace.

Seamlessly Adopted

Adopting Zero Trust Network Access didn’t require clients, network changes, appliances, or new licences.

Friction-Free User Experience

With Agilicus, IT security became invisible to the end-users enabling simple, secure access for the technicians to do their jobs.

Municipalities are required to obtain and maintain cyber insurance to mitigate the fallout of intrusions, breaches, and hacks. Complying with these requirements has proven most difficult when it comes to securing operational technology and SCADA systems due to their 100% uptime requirements. As a result of implementing the AnyX platform from Agilicus, our customer has been able to achieve their cyber insurance compliance requirements for privileged access management and multi-factor authentication. 

Beyond the business requirements of management and council, the Agilicus platform is securely connecting authorised technicians to the SCADA system with an invisible IT security experience. Technicians can now perform their duties from any device, on-site or remote, without having to manage new credentials or install software to gain access. Technicians from the partner organisations can use single sign-on for the instant access they need to get the job done.

Through Agilicus AnyX, our customer has successfully managed to meet compliance requirements and enable secure remote access to their shared SCADA system at the water treatment facility while improving their cyber posture and resistance to attacks.

Get in touch with our team to learn how we can help your organisation secure operational technology.