Skip to content

Hybrid Protection Flow


Imagine you have an application. You want to make it easy to use by everyone, from everywhere, on every device. The default choice is to add a DMZ to your firewall, exposing this application externally, and allowing it restricted access to internal resources such as authentication and datastore.

Your security team has run a scan and has some concerns. Perhaps you should keep it internal only and force users to use a VPN? Is there another way?

If there was a way that the application could be exposed such that only authenticated users (users who have some privilege to use it) could talk to it? E.g. no other traffic would be present. If there could be a web-application-firewall in the path. If this could be done for little or no effort. If these things were true, we could have higher security and higher accessibility. Everyone would be happy.


In this flow the application is either not public available (available via VPN only), or, is made available via DMZ.
The challenges with the DMZ model are:
We lose a public IP, or, we have to install a Reverse Proxy and manage vhosts
We have to manually manage another SSL certificate
100% of public Internet users can access the application, we are solely relying on its internal security (since the firewall is only layer 4)
The application has some east-west access into the main network (for authentication, for datastore), allowing traversal


In this model we introduce an authenticating gateway, providing role-based-access-control (RBAC) and a web-application firewall. This is a managed service on the public Internet, meaning no additional servers or software to setup.
The key benefit is there is no network traffic to the application except for authenticated, valid users. This dramatically reduces the risk envelope. No scanners looking for vulnerabilities, no concern about how strong the back-end authentication is. In addition the Web Application Firewall blocks common attack vectors around cross-site-scripting and SQL injection, hardening the clients.
SSL certificates are 100% managed, all flows are SSL/TLS only. Proper Content-Security-Policy and Cross-Origin-Request-Sharing, XSS-* headers are present, further hardening the application.


In this model we get all of the benefits of #2 above. In addition the application is hosted on high-bandwidth (>10Gbps), low-latency public cloud. Further economic savings are had since there are no software licenses (e.g. Microsoft, Citrix, VMWARE).
A hybrid model is users where the backend data storage stays on premise. A workload-based firewall (based around application identity using mutual TLS and SPIFFE) ensures that only this application accesses those resources, and that only the exposed resources are accessed.


In this model 100% of the application and its resources are hosted and managed. All of the earlier benefits are present as well as no longer needing backup or disaster recovery.


SSL/TLS certificate request/revocation/rotation/managementUser identitySafely expose Active Directory (or Active Directory Federation) without exposing it to InternetSeamlessly federate user identity with Social loginAudit all connections and actionsSeamless, no impact, in service upgradeStrong encryption on all componentsFull data sovereigntyDisaster recovery, High-Availability across multiple data centresHigh end user performanceSelf-served, self-enabled for upgrades, user-management, new application onboarding


  • Digitally enable an external, contractor-based work-force with any device
  • Comply with data sovereignty requirements
  • Enable 2-factor authentication to all end-users to reduce phishing
  • Dramatically reduce cost of launching and managing applications
  • No ongoing firewall maintenance or reverse proxy management
  • Managed Security Operations Centre for applications
  • Simple staging environment: try new versions with live users, toggle upgrades with no effort

More information is available on the overall platform.