Secure Exposed Access

Overview

The Agilicus Secure Municipal Cloud Platform provides a Platform-as-a-Service model, taking simple applications and making them widely available on any device, any location, without the need for VPN. This secure exposed access allows direct Internet access, with high security, without rework or re-architecture. It provides seamless and simple authentication and identity, and world-class security.

In some cases it is desirable to keep the hosting of the application within the private component of a hybrid cloud, but still provide direct Internet access. The Secure Exposed Access feature provides this ability: the application is exposed behind a front-end layer of authentication, authorisation, and web application firewall, which protects the vulnerable web app from the Internet.

Key Features

  • Safely expose internal web applications directly to the Internet: no VPN or inbound firewall rules needed
  • SSL/TLS certificate request/revocation/rotation/management
  • User identity
  • Web Application Firewall
  • Safely make Active Directory (or Active Directory Federation Services) available for login without exposing it to the Internet
  • Seamlessly federate user identity with Social login
  • Audit all connections and actions
  • Strong encryption on all components

Key Benefits

  • Simplify access to formerly internal-only resources, without VPN or Active Directory costs
  • Digitally enable an external, contractor-based work-force with any device
  • Comply with data sovereignty requirements
  • Enable 2-factor authentication to all end-users to reduce phishing
  • Dramatically reduce cost of launching and managing applications
  • No ongoing firewall maintenance or reverse proxy management
  • Manage and protect inherent weakness of web applications

Use Case

Imagine you have an internal-only web application: a wiki, an HR portal, a timesheet system. Your staff must connect over VPN to access it. You have gone down the path of VPN clients on mobile devices. But you have run into three main problems:

  • Credentials are in your Active Directory. This forces you to create named users for your temps and contractors, incurring cost
  • BYOD. Staff want to, or must, use devices on which you cannot install your VPN client
  • Device update/management. Updates to the devices are managed by the manufacturer, breaking your VPN

You want to make the internal-only website behave as if it were on the public Internet. But you are concerned: is its built-in security strong enough? What else does it have access to that would be at risk if it were breached?

We have a solution: Secure Exposed Access. Zero Trust for the rest of us.

Key Principles

Defense In Depth

The Agilicus Secure Municipal Cloud is based around the key principle of Defense in Depth. This is discussed in more detail in “Agilicus Secure Municipal Cloud Platform”.

For Secure Exposed Access, we prevent all access absent an authenticated user. This dramatically lowers the attack surface: there are no accesses except from your users after a proper login.

For each access, a web application firewall checks that the user holds the role-based permission for that request.

In addition, the web application firewall protects against previously known cross-site scripting attacks and acts to harden the underlying server.

The net effect is that the native security of the underlying server is augmented: it is not visible except to authenticated users, its internal role-based access control is checked again at the network layer, and newer attacks that have emerged since it was deployed are blocked or mitigated.

Strong Identity, Multi-Factor, Single-Sign-On, Without Passwords

The key to strong security is to make it simple enough that the end-users can use it. We have built a system that federates multiple identity providers (Active Directory, Social). This removes the need for new identities or new passwords. In fact, the Agilicus system does not store nor have access to the end-user passwords. This is part of the defense in depth: if our system is breached, the user’s password is not available; we never see it.

The system uses a standard called OpenID Connect. This allows the user to simply select which Identity provider to use. Their authentication is then done entirely with that provider, returning an ID Token. If their Identity provider uses 2-Factor Authentication (e.g. as Google does), this step is performed automatically. There is no separate password, password reset, etc., required.

The Identity is enriched with an Authorisation layer, providing role-based and group-based access control. For example, one can state “alice@gmail is an admin of Inventory, a viewer of Training”. There is no difference in capability regardless of the upstream identity (e.g. Active Directory and Gmail provide the same capability and security).

For most applications there is no code change: this can be done either with built-in configuration, with a transparent proxy in front, or with the injection of a single line of JavaScript. All of the security is handled in the Platform framework.

Identity

For more information on Identity and groups, refer to the Identity section of “Agilicus Secure Municipal Cloud Platform”.

For the Secure Exposed Access feature, the Web Application Firewall uses Identity and Authorisation to decide which traffic to forward. The Authorisation may be configured to mirror what is in the application (e.g. ‘Editors can POST to /updates’, ‘Viewers cannot access /admin’).

Identity is known in advance of any HTTP access to the exposed protected service: no requests will reach its input or its logs except from authenticated, authorised users.
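As an added illustration of the per-request decision described in this section and in the OpenID Connect section above, the following Python sketches what an identity-aware gateway checks before forwarding a request: the ID token's issuer, audience, expiry and verified email, then the user's roles for the application, then a deny-by-default rule table of the ‘Editors can POST to /updates’ form. This is example code written for this page, not Agilicus code; the issuer URLs, client id, user addresses, role names and policy rules are all constructed assumptions, and the token's signature is assumed to have been verified already by the OpenID Connect library in front of this logic.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed role assignments: (application, user) -> roles. Mirrors the
# page's example of alice as admin of Inventory and viewer of Training.
ROLE_ASSIGNMENTS = {
    ("inventory", "alice@gmail.com"): {"admin"},
    ("training", "alice@gmail.com"): {"viewer"},
    ("inventory", "bob@example.org"): {"viewer"},
}

# Constructed per-application policy: (method, path prefix, permitted roles).
# Any request without a matching rule is denied (deny by default).
POLICY = {
    "inventory": [
        ("GET", "/", {"viewer", "editor", "admin"}),
        ("POST", "/updates", {"editor", "admin"}),
        ("GET", "/admin", {"admin"}),
        ("POST", "/admin", {"admin"}),
    ],
    "training": [("GET", "/", {"viewer", "admin"})],
}

# Constructed identifiers; real ones come from the identity providers and
# the gateway's own OpenID Connect client registration.
TRUSTED_ISSUERS = {"https://accounts.google.com", "https://adfs.example.org/adfs"}
GATEWAY_CLIENT_ID = "secure-exposed-access-gateway"


@dataclass
class Decision:
    forward: bool
    reason: str
    user: Optional[str] = None


def validate_claims(claims: dict, now: Optional[float] = None) -> Optional[str]:
    """Return the user's email from already signature-checked ID-token claims,
    or None if issuer, audience, expiry or email verification fails."""
    now = time.time() if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if GATEWAY_CLIENT_ID not in audiences:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("email_verified") is not True or not claims.get("email"):
        return None
    return claims["email"].lower()


def _matches(prefix: str, path: str) -> bool:
    """Segment-aware prefix match: '/admin' covers '/admin/x' but not '/administrator'."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def authorize(app: str, claims: dict, method: str, path: str,
              now: Optional[float] = None) -> Decision:
    """Decide whether the gateway forwards one request to the protected app."""
    user = validate_claims(claims, now)
    if user is None:
        # No authenticated user: the protected application never sees the request.
        return Decision(False, "no authenticated user")
    roles = ROLE_ASSIGNMENTS.get((app, user), set())
    if not roles:
        return Decision(False, "user has no role in this application", user)
    method = method.upper()
    path = path.split("?", 1)[0].split("#", 1)[0]  # ignore query string and fragment
    candidates = [rule for rule in POLICY.get(app, [])
                  if rule[0] == method and _matches(rule[1], path)]
    if not candidates:
        return Decision(False, "no rule permits this request", user)
    # The most specific (longest) prefix wins, so /admin rules override "/".
    _, prefix, permitted = max(candidates, key=lambda rule: len(rule[1]))
    if roles & permitted:
        return Decision(True, f"allowed by rule {method} {prefix}", user)
    return Decision(False, f"roles {sorted(roles)} not permitted for {method} {prefix}", user)


# Constructed sample claims, shaped like what an OIDC provider returns in an ID token.
NOW = 1_700_000_000
ALICE_CLAIMS = {"iss": "https://accounts.google.com", "aud": GATEWAY_CLIENT_ID,
                "exp": NOW + 600, "email": "alice@gmail.com", "email_verified": True}
BOB_CLAIMS = {"iss": "https://adfs.example.org/adfs", "aud": [GATEWAY_CLIENT_ID],
              "exp": NOW + 600, "email": "Bob@example.org", "email_verified": True}
EXPIRED_CLAIMS = dict(ALICE_CLAIMS, exp=NOW - 1)

if __name__ == "__main__":
    for app, claims, method, path in [
        ("inventory", ALICE_CLAIMS, "POST", "/updates"),
        ("inventory", BOB_CLAIMS, "POST", "/updates"),
        ("inventory", BOB_CLAIMS, "GET", "/admin/users?page=2"),
        ("inventory", BOB_CLAIMS, "GET", "/reports"),
        ("training", ALICE_CLAIMS, "GET", "/courses"),
        ("inventory", EXPIRED_CLAIMS, "GET", "/"),
    ]:
        d = authorize(app, claims, method, path, now=NOW)
        print(f"{app:9} {method:4} {path:22} -> {'FORWARD' if d.forward else 'DENY':7} ({d.reason})")
```

The two checks run in the order the text describes: a request with no acceptable token is refused before any role lookup, so the protected application's input and logs see nothing from it; only after that does the role table decide whether the method and path are permitted. The longest-prefix rule is what makes ‘Viewers cannot access /admin’ hold even though a catch-all rule grants viewers GET on the rest of the site.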

Audit

All connections and actions are audited. On the user side, the audit trail includes the user identity and request type. On the workload side the audit trail includes the specific workload and destination.

Posted on

2020-01-15
