

Secure Remote Access to ERP Systems and Legacy Applications without a VPN

Enable secure remote access to your Enterprise Resource Planning (ERP) systems and extend the life cycle of legacy applications without a VPN. It is time to modernise your approach to access and security to protect against cyberattacks.


What is ERP Security

Many organisations leverage ERP systems to centralise and manage business processes and operations across domains – from finance and human resources, to supply chain management and administration. The constant threat of cyberattacks is a top-of-mind issue for executives and has become a significant cyber risk as threats against ERP systems continue to escalate.

Ensuring your ERP system has a strong cyber posture is essential for the security of the sensitive data powering your organisation.

Secure Remote Access to ERP with Agilicus AnyX

Agilicus AnyX leverages its foundation in Zero Trust to provide a more secure alternative to VPNs and perimeter-based network access. This is achieved by segmenting users and resources and enforcing least privilege access. In order to access corporate resources through Agilicus, users must verify their identity and have the necessary permissions. 

This is implemented in the front end through a friction-free single sign-on experience. Meanwhile administrators are equipped with centralised authorisation management and can easily add or remove user access and privileges through a single administrator portal. With Agilicus, organisations of all types and sizes can quickly and economically expand the reach of ERP systems, including legacy ERP applications, without compromising security.

Enhancing Security for ERP Systems While Enabling Secure Access

The pace of digital transformation and the shift towards “Work-From-Anywhere” means technology leaders are challenged with finding effective ways to enable remote access while also enhancing security for their ERP and legacy applications. These challenges are creating barriers for employees and could be holding back business initiatives and processes. Traditional tools such as the VPN or remote desktop protocol (RDP) have not only proven to be insufficient solutions, they are also often the source of cyber risk.

While VPNs have given organisations a way to enable remote access to certain corporate resources, they weren’t developed for security and haven’t kept up with the demands of the modern threat environment. Unfortunately, when a user gets access via the VPN, they are also getting access to an entire network, which is one of the ways ransomware propagates. In addition to security issues, they introduce unnecessary complexity for end users and don’t enable simple remote access to ERP systems and legacy applications.


Enabling Secure Remote Access to ERP and Legacy Resources


Agilicus AnyX leverages Zero Trust to enable secure, least privileged remote access to shared corporate resources without exposing them to the public internet. Zero Trust is an “Always Verify” security framework that requires users to verify their identity and have the required permissions to gain access. 

With Agilicus, legacy applications and ERP systems can be made remotely accessible without a VPN, client, or network configuration. Agilicus empowers your organisation with the ability to enforce security controls necessary to keep sensitive customer, employee, and corporate information secure.


Identity-Based Access 

Easily integrate with native identity providers (Azure, GSuite, Okta) and extend secure access to internal and external users. Agilicus AnyX federates identity, meaning you can easily provide secure, identity-based access to employees and non-employees. No new user names, passwords or active directory licences.


Least Privilege Access

Simplified User Management and Role-Based Access Controls allow administrators to grant least privilege access to users, ensuring they only have access to the files and resources they need. You can restrict what your authorised users can access and what they can do with that access (read, write, admin).


Secure Access

Increase the cyber resilience of your ERP systems and applications with easy to implement security policies like multi-factor authentication, end-to-end encryption, and micro-segmentation of users and resources.


Enhanced Audit Logging

Reduce your cyber risk and perform detailed security analysis with per user, per application auditing. Get the visibility you need to provide perfect information on who accessed what, when, and for how long.

Provide your authorised employees and non-employees with secure, auditable access to only the resources and systems they need, keeping your ERP systems secure and extending the life cycle of legacy applications.

Agilicus AnyX for Access to Legacy Java Web Start Applications

Some legacy applications are built using Java Web Start. Agilicus AnyX, combined with the Agilicus JNLP web browser extension, ensures any authorised user can access their legacy ERP applications from any device.

Get in Touch – Enable Secure Access to Your ERP Systems

Get in touch with our team and learn how to enhance security and enable simple, remote access to your ERP systems and extend the life cycle of legacy applications.


Remote Access over Starlink without a VPN.

Enable secure, remote access to your Starlink network connected systems including cameras, routers, remote desktops, building control systems, and even industrial networks. 

Reduce the time, cost, and complexity of connecting with precise control over user access and permissions.


The lowest cost tier of Starlink doesn’t allow inbound VPN connections, port-forwarding, or any type of DMZ scheme as it uses IPv4 and Carrier-Grade NAT (CGNAT), meaning there are a limited number of public IP addresses. Conventional workarounds for these connectivity constraints, such as a reverse VPN, are complex, expensive, and could introduce security risks.

The easiest way to achieve remote connectivity to Starlink enabled systems is through Agilicus AnyX.


Pair Users with Resources.

Create user-resource pairings to enable secure remote access to specific systems within your Starlink network.


Outbound Only Connection.

An outbound only connection from your Starlink network means zero unauthorised traffic reaches your systems.


Access Anywhere. No Client. No VPN.

Seamlessly deploy in minutes not days. No new hardware, clients, or network changes are required.


Enforce Security Controls for Access.

Implement security controls including multi-factor authentication, end-to-end encryption, detailed auditing and segmentation of users, resources, and systems.

Even though the business-tier Starlink subscriptions utilise IPv6, allowing port forwarding and VPN access, these remote access methods still introduce cybersecurity risks to your business. With Agilicus AnyX you can ensure any connectivity over Starlink is simple, secure, and auditable. Your users can be given least privilege access to only the resources they need and must verify their identity to gain access.


Operated by SpaceX, Starlink provides high-speed, low-latency satellite internet coverage in 40 countries, empowering previously disconnected regions with internet access. Remote and rural businesses around the world have been able to connect to the internet and adopt new technologies that improve efficiency and operations.

As Starlink currently uses IPv4, there are fewer IP addresses available. Multiple Starlink subscribers could be sharing the same public IP address, rendering traditional remote access tools like the VPN ineffective or overly complex.


Unable to connect via IPv4.

The basic Starlink subscriber tier uses IPv4 with a limited number of public IP addresses, which are shared among subscribers through a process known as Carrier-Grade NAT (CGNAT).


No port forwarding due to CGNAT.

Port forwarding is complicated because IPv4 via CGNAT prevents traffic from being properly routed to a specific device or machine in the network.


No port forward prevents VPN access.

Due to the limited number of available IP addresses and CGNAT and the inability to properly reroute traffic, it’s not possible to establish a standard VPN connection to your systems via Starlink.


Traditional tools require a risky, always on connection.

Traditional remote access tools require your organisation to accept the risks of overprivileged, always on connections to your systems.

Agilicus AnyX is a modern, secure access platform that overcomes Starlink connectivity challenges and enables remote access to corporate resources without the need for a public IP or VPN.

What is Agilicus AnyX

Quickly and easily expand the reach of company resources without compromising on security, requiring a VPN, or juggling network changes. Agilicus AnyX is a Zero Trust Network Access platform that offers a secure alternative to perimeter-based network solutions and is suitable for organisations of all types and sizes. 

Enable simple, secure, and auditable access to shared resources with precise control of permissions for any authorised user with a low cost platform that scales with your organisation.

Without a routable IP address, using an inbound VPN is not an option for remotely connecting to systems over Starlink. By using the Agilicus Connector on resources within your network, an outbound only connection to the Agilicus cloud can be established. Each user who requires access must verify their identity, which is done via single sign-on and multi-factor authentication (OpenID Connect + upstream identity providers). Direct access is achieved over HTTPS in any browser with a URL, and a connection is only established once a user has verified their identity and has the required permissions for access.

Enhanced Security Through Zero Trust

Agilicus AnyX enables secure, identity-based, auditable access to specific resources with precise control of user permissions, while delivering a frictionless end-user experience.


Frictionless End-User Experience
Single sign-on and multi-factor authentication provide a seamless, intuitive login flow.


Simplified User Management
Centrally manage users and permissions through a single administrator portal.


Any User. Any Device. Anywhere.
Remote access over your Starlink network from anywhere, using any device.

There’s no need to set up a reverse VPN or worry about Dynamic DNS, open ports, or setting up a DMZ. Remote access over Starlink through Agilicus AnyX not only makes it easy to connect to your systems, it empowers your organisation with access controls that keep your critical systems secure.

Get in touch with our team to get started with Agilicus AnyX to enable secure remote connectivity to resources within your Starlink network.


Run JNLP Files from Anywhere Without a VPN or Network Changes

Run your Java Network Launch Protocol (JNLP) client applications and JNLP files from anywhere with Agilicus AnyX. Seamlessly avoid compatibility issues and enable secure remote access for your users without the need for a VPN.

Launch your applications as designed, with enhanced security, and provide full support for JNLP programs through Agilicus.


Securely Launching JNLP Applications

Agilicus AnyX is able to launch JNLP applications as designed and provides full support for the most commonly used JNLP standard features. This is achieved under a Zero Trust framework that both enhances security and delivers a seamless end-user experience. In order to launch a JNLP client application through Agilicus, users must verify their identity and have the necessary permissions to access the application. This is implemented in the front end through a friction-free single sign-on experience. Meanwhile administrators are equipped with centralised authorisation management and can easily add or remove user access and privileges through a single administrator portal.

Ensure your employees can easily and remotely access your legacy and JNLP applications without requiring rework from developers, a VPN, or network changes.

Running Legacy Applications and Java Client Software

Many organisations still rely on legacy applications that require Java Web Start (JWS) and utilise the JNLP file standard to function. The JNLP file allows Java-based applications to be launched on a desktop using resources hosted on a remote server, with the application launched from a Java ARchive (JAR) file.

With the end of Oracle’s bundling of and support for the Java Web Start framework, these applications have become restricted to certain machines, making it difficult for end-users to continue to leverage the robust software. Additionally, with the end of public support for JWS, there are no longer any security updates and fixes, making these applications susceptible to cyber threats.

JNLP client software has become integrated in various workflows across numerous industries and is still widely used despite the lack of support for JWS. Agilicus AnyX ensures your organisation can continue using JWS and JNLP based applications, making them more secure and accessible from anywhere, for any authorised user.


How Agilicus AnyX Works to Securely Launch JNLP Applications without a VPN

When a user downloads a JNLP resource, the Agilicus browser extension takes control of the file, and launches the Java Web Start Component.

All of the JAR files described in the JNLP are downloaded and cached to disk.

The Agilicus Agent starts locally in proxy mode and the Agilicus extension starts Java with the parameters described by the JNLP file.

An HTTP proxy configuration ensures Java runs its networking securely through the Agilicus Agent (Java supports configuring an HTTP proxy host and port).

The result is instant, secure, auditable access to the JNLP resources with all traffic fully encrypted by TLS.
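
The launch steps above, sketched as an added example (not Agilicus code and not part of the original page): it parses a JNLP descriptor, resolves the JAR URLs against the codebase, and builds the Java argument list with the standard `http.proxyHost`/`http.proxyPort` system properties pointing at a local proxy. The proxy address 127.0.0.1:8080, the cache directory, the sample descriptor, and the origin, property and VM-argument checks are assumptions made for illustration.

```python
import hashlib
import os
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample descriptor; host, JAR names and class name are placeholders.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://erp.example.com/client/" href="erp.jnlp">
  <information><title>Sample ERP Client</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.8+" java-vm-args="-Xmx512m -XX:+UseG1GC"/>
    <property name="erp.server" value="erp.example.com"/>
    <jar href="erp-client.jar" main="true"/>
    <jar href="lib/common.jar"/>
  </resources>
  <application-desc main-class="com.example.erp.Main">
    <argument>--profile</argument>
    <argument>production</argument>
  </application-desc>
</jnlp>
"""

# Assumption: the descriptor may not set properties that redirect or bypass the proxy.
RESERVED_PROPS = {"http.proxyHost", "http.proxyPort", "https.proxyHost",
                  "https.proxyPort", "http.nonProxyHosts", "java.net.useSystemProxies"}
# Assumption: conservative allow-list; every other VM argument is dropped.
ALLOWED_VM_ARG_PREFIXES = ("-Xmx", "-Xms")


def parse_jnlp(xml_text):
    """Extract what the launcher needs, rejecting descriptors it should not run."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed (blocks entity-expansion tricks)")
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor")
    codebase = root.get("codebase", "")
    base = urlsplit(codebase)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("codebase must be an absolute https URL")
    if not codebase.endswith("/"):
        codebase += "/"
    app = root.find("application-desc")
    if app is None or not app.get("main-class"):
        raise ValueError("missing application-desc main-class")
    jars, props, vm_args = [], {}, []
    for res in root.findall("resources"):
        for jar in res.findall("jar"):
            url = urljoin(codebase, jar.get("href", ""))
            parts = urlsplit(url)
            # Code is only fetched from the same origin as the codebase.
            if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
                raise ValueError(f"JAR outside codebase origin: {url}")
            jars.append(url)
        for prop in res.findall("property"):
            name = prop.get("name")
            if name and name not in RESERVED_PROPS:
                props[name] = prop.get("value", "")
        for jvm in res.findall("j2se") + res.findall("java"):
            vm_args += [a for a in jvm.get("java-vm-args", "").split()
                        if a.startswith(ALLOWED_VM_ARG_PREFIXES)]
    if not jars:
        raise ValueError("descriptor lists no JAR resources")
    return {"main_class": app.get("main-class"), "jars": jars,
            "properties": props, "vm_args": vm_args,
            "arguments": [a.text or "" for a in app.findall("argument")]}


def cache_path(url, cache_dir):
    """Local file name for a cached JAR; basename only, so an href cannot escape cache_dir."""
    name = os.path.basename(urlsplit(url).path)
    if not name.endswith(".jar"):
        raise ValueError(f"not a JAR resource: {url}")
    digest = hashlib.sha256(url.encode()).hexdigest()[:12]  # avoids name collisions
    return os.path.join(cache_dir, f"{digest}-{name}")


def build_java_command(desc, cache_dir, proxy_host="127.0.0.1", proxy_port=8080):
    """Return the argv list (no shell involved) that starts Java behind the local proxy."""
    proxy = [f"-D{scheme}.proxy{key}={val}"
             for scheme in ("http", "https")
             for key, val in (("Host", proxy_host), ("Port", proxy_port))]
    props = [f"-D{k}={v}" for k, v in desc["properties"].items()]
    classpath = os.pathsep.join(cache_path(u, cache_dir) for u in desc["jars"])
    return ["java", *desc["vm_args"], *props, *proxy,
            "-cp", classpath, desc["main_class"], *desc["arguments"]]


if __name__ == "__main__":
    for arg in build_java_command(parse_jnlp(SAMPLE_JNLP), "/tmp/jnlp-cache"):
        print(arg)
```
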


Agilicus AnyX combined with the Agilicus JNLP web browser extension ensures any authorised user can launch a JNLP client application without a VPN while keeping the workflow unchanged. End-users will access the application like usual and verify their identity to launch the application, for example by clicking on a web page link to download the current JNLP file.

Enhanced Security for Java Client Applications


JNLP applications are being used by organisations everywhere and have become business critical. That means to keep up with the demands of the modern workforce they need to be remotely accessible and secure. Unfortunately, because the JWS and JNLP standards are no longer actively maintained, these applications have a significant number of Common Vulnerabilities and Exposures (CVEs) that could be putting your organisation at risk. Additionally, traffic in a JNLP local environment can be intercepted, making them susceptible to man-in-the-middle attacks.

With Agilicus, Java and JNLP client applications can be made remotely accessible and benefit from enhanced security through Zero Trust. Zero Trust is an “Always Verify” security framework that requires users to verify their identity and have the required permissions to gain access.

Agilicus will empower your organisation with the security controls necessary to keep sensitive customer, employee, and corporate information within these JNLP applications secure. The Agilicus AnyX extension leverages the Agilicus Agent and Connector to ensure all traffic is fully encrypted and requires your users to verify their identity through single sign-on and provide a second factor for authentication to gain access.

Get in Touch – Learn How to Enable Secure Access from Anywhere

Get in touch with our team and learn how to launch JNLP files and applications from anywhere, without a VPN.


Eliminate Attack Vectors and Stop Cyber Threats in Their Tracks with a Zero Trust Architecture


Reducing Cyber Risk and Protecting Against Attacks

Cyber threats come from all angles these days, yet most businesses are still ill equipped to properly keep the bad actors out when they become the target of an attack. The Open Web Application Security Project (OWASP) produces a list of the top 10 threats that organisations must contend with to keep their web applications secure, but that is only the tip of the iceberg. While there are best practices that can help mitigate cyber risks, some of the most dangerous attack vectors are getting harder to defend against. They include everything from lateral network traversal and ransomware, all the way to employee vulnerabilities and denial of service attacks. 

A modern and proactive approach to access and security is a necessary shift organisations need to take in order to maintain a sufficient security posture, mitigate threats, and stop attackers in their tracks. Zero Trust Architecture offers just that. 

Zero Trust is the preferred way to introduce user resource segmentation while adopting a perimeter-less, “Never Trust, Always Verify” approach to security. That means every resource is isolated and access is only granted when a user has verified their identity and has the correct authorisation for access, effectively keeping bad actors out. 

What are the OWASP Top 10 Web Application Vulnerabilities

Every couple of years OWASP does a revamp of their Top 10 web application security threats. This list has become a standard document and is a great resource for organisations to size up their web application cyber posture and determine their level of vulnerability exposure. In 2021, OWASP updated their list of the top web application threats that businesses face as follows: 

  • Broken Access Control – Access controls enforce user privileges, preventing them from acting outside of their permissions. Failures can lead to unauthorised access, modification, release, and destruction of data or functions outside the user’s intended privileges.
  • Cryptographic Failures – Many web applications and their APIs do not impose strong encryption practices to properly protect sensitive corporate and customer data. This gives attackers an opportunity to intercept or modify data for criminal purposes. Strong encryption must be imposed when data is at rest or in transit.
  • Injection – Attackers will leverage flaws such as SQL, NoSQL, OS, and LDAP injection to try and trick the interpreter into allowing them to access data without proper authorization or execute unintended commands.
  • Insecure Design – In the design and development lifecycle of software and applications, inadequate budget for time and security requirements can allow critical vulnerabilities to pass through into live environments, introducing attack vectors the team never anticipated or addressed.
  • Security Misconfiguration – Ad hoc and insufficient configuration of software and infrastructure can lead to issues like misconfigured HTTP headers, exposed cloud storage, admin or root access accounts being left in place, and even verbose error messages that leave sensitive information exposed.
  • Vulnerable and Outdated Components – Vulnerable components, such as libraries, frameworks, and other software modules often lead to severe instances of data loss or server takeover. The inability to address CVEs (Common Vulnerabilities and Exposures) undermines application security by enabling various attack vectors.
  • Identification and Authentication Failures – When incorrectly implemented, functions related to authentication and session management allow attackers to compromise session tokens, passwords, keys, and user credentials. Multi-Factor authentication is one of the easiest ways to prevent an attacker from assuming a user’s identity.
  • Software and Data Integrity Failures – Software and data integrity failures happen when applications rely on libraries and plugins from untrusted sources and insecure deployment pipelines allow these to be introduced without integrity checks, creating the potential for unauthorised access or system compromise.
  • Security Logging and Monitoring Failures – No or poor logging and monitoring, paired with inadequate tools for incident response, can let a breach become pervasive, allowing attackers to persist, traverse to more systems, and tamper with or extract data. The average time to detect a breach is over 200 days. Fine-grained auditing and logging capabilities can substantially improve that.
  • Server-Side Request Forgery – Server-Side Request Forgery (SSRF) flaws allow attackers to trick applications into fetching a remote resource from an unexpected destination without validating it. Unfortunately this attack can be perpetrated even when protected by a conventional firewall, VPN, or another type of network access control list (ACL).

Broken access controls moved to the number one spot on the OWASP Top 10 and represent one of the most common vulnerabilities today. In fact, it is theorised by some security researchers that over half of all web applications have at least one OWASP vulnerability. This is where Zero Trust can give organisations an edge against the arsenal of tools malicious actors have at their disposal.

How Zero Trust Principles can Protect Against Web Application Vulnerabilities

Zero Trust as a principle offers enhanced protection against web application vulnerabilities by shifting the domains of access and control to a per user, per resource implementation. That means access and visibility for a given asset migrate from a traditional perimetered, digital moat, where all resources are accessible by default, to a micro-segmented infrastructure. This principle helps organisations protect resources and users from each other, making them independent. In the event one application, resource, or web server is compromised, the vulnerability is contained.


How Does Agilicus AnyX Protect Against the OWASP Top 10 with a Zero Trust Architecture

Agilicus AnyX is a culmination of cybersecurity standards that together deliver defence in depth, helping organisations adopt a Zero Trust Architecture that delivers a robust network security framework and access strategy. A well implemented Zero Trust Architecture can effectively protect organisations, their users, and most valuable assets from the OWASP Top 10 Web Application Vulnerabilities.

Agilicus AnyX is designed to eliminate an attacker’s visibility into the potential OWASP Top 10 web application vulnerabilities that could exist in a given application as resources are completely hidden from non-authenticated users. This is achieved with the patented Identity Aware Web Application Firewall which acts as a proxy server (reverse proxy) and protects web applications and resources by only allowing access on the basis of authenticated (verified) identity. 

Organisations can also leverage this component of the Agilicus AnyX platform to enhance security on the client side by modifying server headers or enforcing SSL (Secure Socket Layer) on all traffic. As a result, the Identity Aware Web Application Firewall ensures all traffic is encrypted and users are able to access designated resources from anywhere without making them accessible on the public internet.

The Agilicus AnyX platform features that specifically protect against the OWASP Top 10 web application vulnerabilities and deliver a Zero Trust Architecture platform include:

• Role-Based Access Controls – Centralise the management of users and their roles to enact strict, least privilege access through fine-grained authorisation. Prevent (1) Broken Access Controls, (2) Cryptographic Failures, and (7) Identification and Authentication Failures.

• Detailed Audit Trails – All users, connections and actions audited. No more (9) Security Logging and Monitoring Failures that leave you unsure of who did what for how long.

• Identity Aware Web Application Firewall – Blocks malicious and unauthenticated traffic, while protecting against (3) Injection, (5) Security Misconfiguration, (6) Vulnerable and Outdated Components, (8) Software and Data Integrity Failures, (4) Insecure Design, and (10) Server-Side Request Forgery.

• Multi-Factor Authentication – Second factor authentication requirements are built right into the login flow helping to address (7) Identification and Authentication Failures.

We recently held a webinar on this topic with Agilicus CEO and cybersecurity expert, Don Bowman. Watch the recording for a detailed look at how your organisation can adopt a defence in depth strategy through Zero Trust to protect against the OWASP Top 10.

How Does Zero Trust Stand Up Against Other Attack Vectors

Defending against OWASP threats is a good start, but there is still a laundry list of attack vectors that organisations face today. Zero Trust is much more than simply enforcing multi-factor authentication on your users. It is a set of security principles that together work by leveraging an individual’s unique identity to introduce an authentication and authorisation workflow for access to a designated resource. 

By adopting a Zero Trust Architecture, organisations can take a proactive approach to security by default and effectively protect critical resources from threats.

What is Lateral Network Traversal 

Lateral Network Traversal or lateral movement within a network occurs when a malicious actor gains access to a network (usually through a VPN) and moves deeper into the system in search of sensitive information, trade secrets, high-value assets, or to perpetrate a ransomware attack.


How Zero Trust Prevents Lateral Network Traversal

A key principle of zero trust is segmentation of users, resources, and the network(s). In the event of a breach, Agilicus AnyX leverages a Zero Trust Architecture to limit the attack surface by totally isolating organisation resources and users from each other by enforcing user to resource pairings. Without interfering with, or encumbering the end user, organisation resources are seamlessly segmented with explicit control over permissions, privileges, and a precise record of user activity with detailed audit trails: sensitive information and data can only be accessed by designated users and ransomware attacks can be blocked from spreading. With a proper implementation of Zero Trust, there is no available network to move east-west within, unlike a traditional perimeter-based solution (VPN). 


What is the Cyber Risk of Shared or Compromised Credentials

A compromised credential attack occurs when a malicious actor has guessed a password, intercepted it, retrieved it from a database, or mounts a successful brute-force or credential stuffing attack allowing them to gain access to your systems and resources. Many users tend to recycle passwords and share account credentials, increasing the likelihood of those details ending up in a database somewhere on the dark web. 

How to Protect Against Compromised Credentials

Under a Zero Trust framework, any attempt to connect to a resource is treated as a potential breach until the end user proves otherwise. To ensure a seamless workflow that offers protection against compromised credentials, Agilicus AnyX leverages a single form of authentication by federating identity across unlike domains. Users and organisations only need to maintain a single set of credentials, with multi-factor authentication requirements for access, instead of an account per resource. This login flow and layer of identity verification offers enhanced protection against compromised credentials. Every user or user group has its assigned privileges and permissions that determine what resources they have access to, and what they can do with that access (read, write, admin).

What is an Insider Threat, Rogue Employees, and Employee Vulnerability

Similar to the issue of compromised credentials, employees can present security risks and attack vectors to your organisation. Generally they fall victim to social engineering, or are themselves compromised, but sometimes employees can go rogue and act maliciously against their employer. This attack vector is closely tied to compromised credentials and an over exposure to organisation resources.  


Protect Against Rogue Employees with Precise Authorisation

With centralised authorisation management, multi-factor authentication, and detailed auditing, Agilicus AnyX empowers organisations with fine-grained control and visibility of who is accessing their resources, what they are doing with that access, and when. By design, Agilicus AnyX enacts strict, least privilege access and introduces granular user and resource segmentation. In the event that an employee goes rogue, Agilicus AnyX delivers complete visibility and allows you to stop guessing and determine exactly what changes were made to the assets and when. On top of that, fine-grained authorisation controls act as guardrails for users and limit the blast radius in the event of employee vulnerability. Administrators and operators can easily restrict privileges or remove access, all through an easy to use web-based portal.


What is a Man in the Middle Attack

A Man in the Middle Attack (MitM) is when a malicious actor positions themselves between a user and an application, oftentimes to spy on or intercept communications. A successful MitM could even let a threat actor pretend to be the end user or the application with the goal of stealing credentials, personal information, and even financial data such as credit card numbers.

How to Protect Against Man in the Middle Attacks

A hacker trying to wedge themselves into the traffic will have a hard time both intercepting and following traffic with a Zero Trust Architecture deployment with Agilicus AnyX. Agilicus AnyX ensures all data in transit is always end-to-end encrypted with TLS (Transport Layer Security). With the Identity Aware Web Application Firewall, two outbound only connections (one from the user, one from the resource) meet in the middle, preventing a malicious actor from being able to follow traffic, or emulate the parties involved to trick their way into the network. With Agilicus AnyX, resources are essentially taken off the public internet while all activity is auditable. As a result, traffic cannot easily be followed, stopping attackers in their tracks.

What is a Distributed Denial of Service (DDoS) Attack

A distributed denial-of-service (DDoS) attack is executed when a single target is attacked by multiple machines, or a botnet, to flood a network with more traffic than it can handle. A successful DDoS attack will prevent legitimate users from being able to gain access by exhausting system resources, ultimately crashing the target server or the network equipment serving it. This type of attack could be used as a diversion, can lead to a loss in revenue, or even result in tangible safety risks.


How Zero Trust Mitigates DDoS Attacks

Under a Zero Trust model, any outside network or traffic is treated as an adversary. A Zero Trust Architecture through Agilicus AnyX can help mitigate Distributed Denial of Service (DDoS) attacks by moving resources behind a secure cloud. Agilicus AnyX keeps vital network resources off the public internet (no IP) without limiting accessibility to authorised users. The platform uses an agent connector to create an outbound-only connection for a given resource and likewise for the authenticated user, allowing them to meet in the middle.

How Does Zero Trust Through Agilicus Work

The Agilicus AnyX platform is designed to balance enhanced security with a frictionless end user experience. Employees benefit from simple, secure access and an invisible IT security experience. Likewise administrators and operators are able to unify authentication and leverage precise authorisation with granular control of privileges and permissions all through a single pane of glass.

With Agilicus AnyX organisations can enact strict, least privilege access for their employees with the ability to centrally manage users and resources. Administrators have the ability to give users access to the applications they need with the ability to monitor and manage all activity through detailed audit logs. Behind the scenes all users and resources are segmented from each other and hidden from the public internet preventing an intruder’s ability to move east-west within a network. Without the ability to hop across resources, organisations benefit from a matured cyber posture and can very effectively limit the blast radius of any breach.

Deploying the Agilicus AnyX to Adopt Zero Trust

Agilicus AnyX is designed to ensure adopting advanced security is both easy and economical. Organisations can incrementally deploy the platform and scale adoption of Zero Trust at their own pace without requiring a VPN, appliance, or client. This incremental deployment approach means organisations can take realistic steps to mature their cyber posture within their means and overcome budget, time, and capability constraints, instead of it being an all or nothing project.

User onboarding through Agilicus AnyX is made simple with federated identity and single sign-on. Federated identity leverages existing individual user identities (Azure, O365, Gmail, etc.) to assign access privileges. Any user, even from a non-company domain, can be given access without having to issue yet another account or username and password. Agilicus doesn’t store credentials and instead employs the token generated via single sign-on to authenticate a user’s identity and align their access privileges. Multi-factor authentication requirements are easily enforced for verification of a user’s identity, requiring not just what a user knows (account credentials), but what they have (e.g., device, one-time password) to perform authentication.

Through a single, web-based portal, administrators are empowered with precise authorisation controls and the ability to pair users and resources. Centralised authorisation management and role-based access controls ensure granular control over user permissions and privileges. Combined with detailed auditing, Agilicus AnyX delivers control and visibility of users and resources, their privileges, and what they are doing with that access. 


Boost security organisation-wide and protect your most valuable assets from cyber attacks by taking your most important resources off the public internet.


Reduce administrative overhead and help your IT or technical teams focus on high impact projects, with less time spent on administrative tasks.


Provide a safer way to collaborate across teams, departments, and external organisations with secure access to shared resources.


Reduce cyber risk without restricting efficiency or adding friction to your employee workflows.


End users are digitally enabled through simple, secure access with a frictionless experience with no changes to login workflows.


Organisations benefit from precise control of user and resource permissions with detailed audit trails to perform enhanced security analysis.

There seems to be an endless list of cyber threats that organisations have to face. Starting with the OWASP Top 10 and a slew of others, finding the right protection can be hard. Agilicus AnyX delivers a Zero Trust Architecture that shields your traffic from the public internet with precise control of permissions and privileges. Adopting a Zero Trust Architecture approach could offer your business the best line of defence against cyber threats.

A secure replacement to legacy perimeter-based network access, Agilicus AnyX provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges. Your authorised users can get secure, frictionless access to applications, desktops, shares, and other corporate resources and services.


Secure Access to Critical Infrastructure for Partners and Vendors

A municipality set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisations, and their systems integrator. The municipality chose Agilicus AnyX to adopt a Zero Trust Architecture that enabled simple, secure remote connectivity with precise control over privileges.


Case Study:
Secure Access to Critical Infrastructure for Partners and Vendors

Executive Summary

A municipality located on the west coast in North America set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisations, and their systems integrator. Facility management is shared with a partner municipality. A systems integrator needs access to perform maintenance and support. Given the number of internal and external individuals that need remote connectivity to the site, the municipality needed a secure solution that protected the critical infrastructure from external threats. 

Of particular importance was implementing a solution that did not require new accounts or interfere with the responsibilities or capabilities of all parties. The municipality chose Agilicus AnyX to adopt a Zero Trust Architecture that enabled simple, secure connectivity and precise control over privileges, leveraging the existing identity providers of each organisation. The result is a matured cyber posture and VPN-less experience that creates a modern industrial air-gap for the water treatment facility. In turn, the municipality also benefited from detailed audit logs of all activity on the network, and the ability to extend just-in-time access for third parties and external vendors.

Protecting municipal critical infrastructure and shared resources.

How can I enable remote connectivity in a way that keeps my critical systems off the public internet but allow access for maintenance and support?

Municipal critical infrastructure is an essential service and citizens depend on the secure and reliable operation of municipal facilities. Remote connectivity and the ability to leverage data are two increasingly important requirements when it comes to successfully and safely operating critical infrastructure. The challenge is enabling remote connectivity in a way that protects the critical systems from online threats and attackers. It was particularly important for the municipality that they maintained a true air-gap without having to rework their entire network. 

To adequately support the water facility, individuals need to be able to remotely connect via Secure Shell (SSH), Remote Desktop Protocol (RDP), and access various SCADA web applications. However, governance, compliance, and the current threat environment made it especially complicated to use conventional technology such as a VPN or remote access tools like TeamViewer. While traditional access tools could partially solve internal remote needs, they would open the organisation and water treatment facility up to a host of attack vectors and a level of cyber risk that was simply unacceptable.

The team had several essential needs in addition to a secure remote connection:


On site machines needed to stay online at all times. These are systems that are unable to receive security updates and patches.


The systems integrator needed secure remote access but organisational security policies must be adhered to (no shared credentials, multi-factor authentication).


The SCADA (supervisory control and data acquisition) system at the facility needed to maintain an always on connection to city hall to export data for record keeping and analysis.


All access and activity need to be tracked and recorded through detailed logs with evidence if something were to go wrong.

Water treatment facilities and other critical infrastructure demand high security due to their vital role in society. The municipality needed a solution that offered a modern air-gap to deliver resource segmentation without limiting remote connectivity for operations, service, and support.


A Zero Trust Architecture by Agilicus AnyX proved to be the right solution for enabling secure remote connectivity while creating a virtual air-gap at the facility. Zero Trust consists of three central tenets – Identity, Authorisation, and Access.



Every user or operator must be individually known and authenticated. 



Every action an individual takes must be authorised based on their identity and privileges to interact with a resource.



Authenticated and authorised user actions are routed only to the destination resources.

A modern air-gap was achieved with a 15 minute installation that did not require a full network rework.

Identity – Any User

Identity is the way a given user proves who they are. For example, employees have a corporate email address – that corporate email address allows individuals to prove who they are. Agilicus AnyX allows an unlimited number of corporate email addresses, from different organisations to work together as if they were part of the same organisation – this is called federated identity.

Authentication across so many organisations without issuing new accounts or passwords was achieved by federating identity and leveraging the Agilicus OpenID Connect proxy for session management and to enable single sign-on.

Authentication is performed by known upstream issuers (Azure, O365, GMail, Okta, etc.) or a customer’s known identity provider. As a result, Agilicus uses an authenticated user’s JSON Web Token (JWT) and never requires or stores passwords and credentials.

A simple identity layer on top of the OAuth 2.0 protocol, OpenID Connect (OIDC) allows the verification of an identity and can request and receive information about authentication, sessions, and end-users. 

Within the Agilicus AnyX Authentication Issuer, the Municipality had several configuration options:

  1. Configure the sign-in screen theming with Municipal logo and branding.
  2. Select from a set of Agilicus-Managed Upstream Identity Providers (Apple, Google, LinkedIn).
  3. Add their own Identity Providers and those of their partners (Azure Active Directory, Microsoft Active Directory, etc.) – In this case the municipality used Azure Active Directory. Their partner organisation was able to use Okta, and their systems integrator was able to use GSuite.
  4. Configure and enforce multi-factor authentication.
  5. Control rules regarding when/how/who can authenticate to the system.

A detailed example of how Agilicus uses OpenID Connect can be found here.

Authorisation – Least Privilege


Through Agilicus AnyX, the municipality gained precise control over resources and user privileges. Every resource (network, server, application, etc.) has a set of permissions that are both role and resource specific – Owner, Editor, Viewer, Self. For each resource the municipality could select a user or user group and delegate necessary privileges. 

In order to fold those resources into the Zero Trust Architecture, Agilicus AnyX uses a connector to facilitate the connection between a network and the authorised end-users. The Agilicus Connector is installed on a device to create a unidirectional pathway to the Agilicus Cloud. This outbound only connection blocks all ports and remote connectivity unless achieved through the authorised path, Agilicus AnyX. The Agilicus Connector is self-updating and follows The Update Framework (TUF). TUF offers a means of protecting the mechanisms involved in automatically downloading software updates. A changelog is readily available to ensure the municipal team is informed of any updates that have occurred.

Each Agilicus Connector uses a Globally Universally Unique Identifier (GUUID) to individually identify the resource and an OpenID Connect issuer to control its authentication domain. This ensures Agilicus AnyX can confirm the identity of a given resource and enforce privileges. Once installed on the destination resource, new directories and services to share or expose are managed entirely from the administrative web interface. Combined with Role-Based Access Controls, users and user groups at the Municipality could be paired with only the resources they need with strict, least privilege access.

Complete micro-segmentation of users, resources, and sites is also achieved by the Agilicus Connector. The Agilicus Connector can be installed at different points in the network or on individual systems, allowing for a per-site or per-resource approach to micro-segmentation. As a result, users and resources are protected from themselves and cannot connect unless authorised.

In order to achieve the objective of creating a secure, always on connection between the water treatment facility SCADA system and city hall, a small router with a firewall that denied all inbound and outbound traffic except through the Agilicus Connector was installed on site. This introduced a service forwarder where only an authorised and authenticated connection can be established. All data such as chlorine levels could now be recorded and transmitted under a Zero Trust security framework, with complete end-to-end encryption.

Access – Simply and Securely


The Agilicus AnyX platform centralises authorisation management ensuring municipal operators and administrators can easily add or remove users and enable or disable access privileges through a single web-based portal. Meanwhile, the various end-users perform authentication using their designated accounts via Single Sign-On through the Agilicus AnyX platform to gain access to only the applications and resources they have permissions for.

The authentication workflow performed by end users, and the outbound only connection from the resource meet in the middle (The Agilicus Cloud) where a connection is only established if all authentication and authorisation parameters are met (user identity, multi-factor authentication, privileges).
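The three conditions named above (user identity, multi-factor authentication, privileges), combined with the earlier description of tokens from federated upstream issuers and per-resource roles, can be sketched as a single allow/deny decision. This is an added example, not Agilicus code: the issuer URLs, keys, users, resource name and the `decide` function are constructed for illustration, and tokens are signed with HS256 so the block runs on the standard library alone, whereas OIDC providers normally sign with asymmetric keys published through a JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo data: issuers, keys, users and resources are all hypothetical.
TRUSTED_ISSUERS = {
    "https://login.municipality.example": b"demo-key-municipality",
    "https://sso.integrator.example": b"demo-key-integrator",
}
AUDIENCE = "demo-access-gateway"
ROLE_RANK = {"viewer": 1, "editor": 2, "owner": 3}
# Grants are bound to (resource, issuer, email) so that one identity provider
# cannot assert an address that belongs to another organisation.
GRANTS = {
    ("scada-hmi", "https://login.municipality.example", "ops@municipality.example"): "editor",
    ("scada-hmi", "https://sso.integrator.example", "tech@integrator.example"): "viewer",
}
MFA_REQUIRED = {"scada-hmi"}
MFA_METHODS = {"mfa", "otp", "hwk"}  # "amr" claim values defined in RFC 8176


class AccessDenied(Exception):
    """Raised with the reason that would be written to the audit log."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Stand-in for the upstream identity provider: issue a constructed token."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"


def verify_token(token: str, now: float) -> dict:
    """Check structure, algorithm, issuer, signature, audience and expiry."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise AccessDenied("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AccessDenied("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise AccessDenied("unexpected signing algorithm")
    issuer = claims.get("iss")
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise AccessDenied("untrusted issuer")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise AccessDenied("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise AccessDenied("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AccessDenied("token expired")
    return claims


def decide(token: str, resource: str, needed_role: str, now=None):
    """Return ("allow" | "deny", detail); the detail is what an audit log keeps."""
    now = time.time() if now is None else now
    try:
        claims = verify_token(token, now)
        email = claims.get("email")
        subject = (resource, claims["iss"], email if isinstance(email, str) else "")
        granted = GRANTS.get(subject)
        if granted is None or ROLE_RANK[granted] < ROLE_RANK[needed_role]:
            raise AccessDenied("insufficient privileges")
        amr = claims.get("amr")
        methods = {m for m in amr if isinstance(m, str)} if isinstance(amr, list) else set()
        if resource in MFA_REQUIRED and not (MFA_METHODS & methods):
            raise AccessDenied("multi-factor authentication required")
    except AccessDenied as denied:
        return ("deny", str(denied))
    return ("allow", f"{email} as {granted} on {resource}")


if __name__ == "__main__":
    issuer = "https://sso.integrator.example"
    claims = {"iss": issuer, "aud": AUDIENCE, "exp": time.time() + 300,
              "email": "tech@integrator.example", "amr": ["pwd"]}
    print(decide(sign_token(claims, TRUSTED_ISSUERS[issuer]), "scada-hmi", "viewer"))
    claims["amr"] = ["pwd", "otp"]
    print(decide(sign_token(claims, TRUSTED_ISSUERS[issuer]), "scada-hmi", "viewer"))
```

Keying each grant on the issuer as well as the email address is what keeps a partner's identity provider from vouching for another organisation's users.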

Agilicus AnyX easily supports SSH, RDP, Virtual Network Computing (VNC), web applications, and even access to PLCs. These access methods to specific resources are created through the administrative portal. Each resource is further secured by the patented Identity Aware Firewall, which acts as an HTTP proxy. This ensures SSL and TLS are enforced for every connection and protects the resources from various issues such as server misconfiguration. The Identity Aware Firewall blocks all traffic unless authenticated and authorised, adhering to the "never trust, always verify" Zero Trust principle.



Least Privilege Access



The municipal team was able to adopt a virtual air-gap and implement a Zero Trust Architecture to secure the water treatment facility achieving their goal of enabling secure, least privilege access for all authorised parties – internal users, partner organisations, and their systems integrator. Agilicus AnyX also equipped the municipal team with detailed audit logs of all activity on municipal water infrastructure. The team now has a clear view of who is accessing their systems, what they are doing with that access, and when they are accessing facility resources.


Federating Identity with OIDC ensured no new identity management services or licences were required. Passwords stay with the users and are never passed to, or stored by Agilicus AnyX. This also means if an employee leaves, their access is instantly revoked as soon as they are deleted from their own company.


Multi-Factor Authentication is easily enforced across all users for access to any resource, including non-participating systems, such as the machine hosting the facility Human Machine Interface (HMI).


Complete micro-segmentation of both users and resources was achieved via the Agilicus Connector, preventing network traversal and requiring authentication and authorisation for access.


The Agilicus Connector was used to establish a secure, always on connection to the city hall for data collection from the water treatment facility. The data is necessary for record keeping as well as management and monitoring of the facility resources to ensure proper function.

The Agilicus Connector enabled secure accessibility to the resources without needing a public IP, VPN, or client. That means while the various teams were able to establish a secure and convenient remote connection, water treatment facility resources are neither exposed to nor visible on the public internet.


The Water Treatment facility cyber posture was greatly enhanced through the Identity Aware Firewall and Agilicus Connector. That means no lateral traversal, enforced SSL, and the blocking of peripheral devices on facility machines.


Both the systems integrator and the partner organisation no longer needed to send workers to site for troubleshooting, maintenance, and operation leading to cost and labour savings.

What is Agilicus AnyX 

Agilicus AnyX is an easy to deploy, all-in-one Zero Trust Network Access platform that allows organisations to improve security and equip employees with frictionless access to only the resources they need. The platform ensures organisations can micro-segment resources and infrastructure while ensuring authorised users can get simple, secure access to applications, desktops, shares, and other resources. A secure alternative to perimeter-based network access, Agilicus AnyX provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges.

Enabling Secure Remote Connectivity to 100 Critical Infrastructure Sites, Nationwide

A major systems integrator that services critical infrastructure across the United States seamlessly transformed their service model through Zero Trust, to reduce costs while enabling secure remote connectivity to over 100 customer sites.



A major systems integrator that primarily supports water treatment facilities across the United States needed a way to remotely connect to over 100 on-site systems to perform support, maintenance, and troubleshooting. In order to do that, the systems integrator also had to comply with customer security requirements for remote access (no shared credentials, multi-factor authentication, privileged access). Agilicus AnyX, a Zero Trust Network Access platform, enabled remote connectivity for the systems integrator without requiring any new hardware, clients, or a VPN. As a result, access was simplified for the systems integrator while ensuring they could adhere to each customer's expectations on security.

Network Modification Using Agilicus AnyX to Create an Outbound Only Connection at IEC 62443 Level 3.


Challenges with enabling remote connectivity for support and maintenance.


Remote access was particularly important for the systems integrator with over 100 sites located coast to coast. The systems integrator had so far been forced to send technicians to site in order to support customers. The ability for technicians to remotely connect for immediate support from anywhere, on any device represented significant cost savings and higher customer satisfaction. 

Due to growing cyber threats and attacks targeting critical infrastructure and operational technology, it was not an option to use traditional remote access tools such as TeamViewer or LogMeIn. Neither the systems integrator nor their customers were comfortable with using these remote access tools because of shared credentials, no multi-factor authentication, and lack of auditability.  

Likewise, the VPN was both impractical for the systems integrator and risky for their customers due to cyber risks such as lateral network traversal. For the systems integrator, VPNs limit efficiency at scale (e.g., 100 VPNs for 100 customers). When it comes to providing support, VPNs can be unreliable and limit the ability to connect to and provide support for multiple sites at once. For operators, VPNs break the air gap and can become a doorway for cyber attacks like ransomware.

Enabling secure remote connectivity without compromising on security.


Water treatment facilities and municipal critical infrastructure require strict security policies to protect the citizens and communities they serve. In order to comply with these security requirements and best serve their customers while achieving their own business objectives, the systems integrator implemented Agilicus AnyX. The platform empowered the systems integrator with precise control over permissions and detailed audit logs for a complete view of technician activity for each site and system. 

With Agilicus AnyX, the systems integrator was able to enable access for authorised technicians without requiring yet another set of credentials or shared access between users. The platform also made it possible to enforce multi-factor authentication for access to any system by any user. The result was remote connectivity through a Zero Trust Network Access framework that complied with customer policies as well as a greatly improved cyber posture for the systems integrator and the sites they manage.

Improved business efficiency with remote connectivity.


Faster site commissioning, faster support and troubleshooting responses, fewer site visits and the potential for 24/7 live monitoring.


Micro-segmented down to the device level with a single click to ensure techs did not access something out of scope.


Multi-factor authentication enforced in a way that meant secure access but did not add complexity for the support techs.


Detailed audit logs which provide perfect evidence of who accessed the systems, what change they made, and how long they were connected.


Ensured the entire site was off the public internet and air-gapped by leveraging the Agilicus outbound only connection. This meant that no VPN or no public IP address was needed (even on cellular sites).

Deployment Architecture

User Flow



Adopting Zero Trust with Agilicus AnyX

Learn how organisations are using Agilicus AnyX to adopt Zero Trust. Read more about industry best practices with our white papers, and learn why the platform stands out when it comes to enhancing security with our brochures.



Leveraging Agilicus AnyX to adopt an enterprise-grade, Zero Trust Architecture to enhance security and resolve access challenges. Learn more, read the case studies, brochures, white papers, and articles.


Third Party and Vendor Access Management for Critical Infrastructure

Located in the heart of one of the largest economic regions on the west coast in North America, our customer is a municipality with a very active industrial and commercial services sector. The team at the municipality needed to adopt Vendor Access Management (VAM) and enforce Multi-Factor Authentication on the SCADA system at their water treatment facility. With Agilicus AnyX, the team was able to achieve their goals and adopt a Zero Trust security framework to enable secure access for all internal users and third party vendors.


Vendor Access and Multi-Factor Authentication Enforcement Challenges

Due to their scale of operations, our customer works with third parties to ensure critical infrastructure resources are operating optimally. However, third parties and vendors introduce inherited cyber risks for municipalities, which is especially dangerous for critical infrastructure. 

Our customer set out to introduce multi-factor authentication requirements and Vendor Access Management for all city resources, including their critical infrastructure. The SCADA system supporting the water facility had several limitations that interfered with the adoption of those secure access policies.

Budget constraints prevented the IT team from changing the licensing for the SCADA software to integrate identity into the application.

A single, shared login was not acceptable and it was not possible to provide individual active directory licenses to vendors.

Multi-Factor Authentication was required for access by user groups.

Remote access to the SCADA system was a requirement for all internal and external users.

It was critical that any solution would provide the Information Technology team with precise control over permissions and privileges for such a diverse user group (internal users, vendors, third parties). A large and costly upgrade of the SCADA system was simply not possible. The Municipality needed a SaaS solution that could deliver Vendor Access Management and introduce authentication and authorisation as a layer instead of as an add on to the SCADA software integration. 

Vendor Access Management (VAM) with Agilicus AnyX

The Agilicus AnyX introduces authentication and authorisation policies across user groups to enable simple access without exposing resources to the public internet. Our customer seamlessly and affordably enabled secure access for vendor support of the SCADA system at the water treatment facility with Agilicus AnyX.


Vendor Access Management

Agilicus AnyX was used to quickly and easily onboard third party vendors without issuing new accounts or credentials. Fine-grained authorisation is paired with detailed audit logs, ensuring the team has complete control and visibility over when their users and vendors are accessing the SCADA system.

Multi-Factor Authentication

Multi-factor authentication can be enforced on any resource, requiring a second factor as part of the login flow to gain access to any designated resource.


Federated Identity

Agilicus AnyX federates identity, allowing users from different organisations to use their individual user ID for access to their permissioned applications. Single Sign-On delivers a simple end user access experience while the platform works behind the scenes to unify authentication, putting administrators in full control of who can onboard into their system.


Centralised Authorisation Management

Through a single pane of glass, administrators can easily add or remove users and precisely adjust authorisation permissions, whether it’s for an internal employee or third party vendor.


Identity Aware Web Application Firewall

In addition to the above security measures, the Agilicus AnyX Identity Aware Web Application Firewall makes resources accessible to authorised users without making them visible on the public internet, and access is only permitted on the basis of authenticated identity.

Our customer was able to implement Vendor Access Management and enforce multi-factor authentication to ensure the SCADA system could only be remotely accessed by authorised users without exposing the water treatment facility to external risks.

Business Impact

With Agilicus AnyX our customer adopted vendor access management with precise control of authorisations and permissions across user groups without having to issue new accounts for their vendors. Precise authorisation controls enabled permissions and privileges per user, simplifying access without giving up ground on control or visibility of who was accessing the SCADA system. 

Vendor Access Management was effectively achieved without interrupting water services for citizens or burdening internal users and third party vendors.


Centralised Authorisation Management for Internal Users and Third Party Vendors


Least Privilege Access Controls and Detailed Audit Logs


Remote Access with Enhanced Cyber Resilience


Authentication via Federated Identity and Single Sign-On


Enforcement of Multi-Factor Authentication


Adding Multi-Factor Authentication to Legacy Systems and SCADA with Agilicus AnyX

A municipality in Eastern Canada was seeking a method for securing access to the SCADA systems in their water treatment facility through the implementation of Multi-Factor Authentication. This was driven by pressures from city council to improve security, qualify for cyber insurance, and support the different levels of access needed by stakeholders supporting the facility.

The IT team specifically needed to balance security with accessibility – they needed to ensure that the teams supporting the SCADA system had remote access to the Human Machine Interface’s (HMI) thin client without sacrificing the security of the network.

Security Challenges

The IT department had various hurdles to overcome on their path to support the water team and provide them with secure access to the SCADA application. The municipality was facing four key problems:


Their SCADA system was exposed and reachable via the public internet


Pressures to meet cyber insurance requirements from council


A workforce that did not like to change the way they do things


The system in question was a critical system that always had to be connected to the internet and could never be logged out, updated, or shut down

After doing some research, the municipality identified that it is possible to keep these systems off the public internet and allow access without using a VPN. What was most interesting to them is that this could be done with zero changes to their network or the way employees access the systems.

Using Multi-Factor Authentication and Zero Trust Network Access to Increase Security with Agilicus AnyX

Working with Agilicus, the municipality implemented the AnyX platform and was able to achieve secure access to their water management and SCADA systems as well as adding an extra layer of protection through enforcing multi-factor authentication.

The municipality was able to achieve the following:


Enhanced security by providing a platform that moved the exposed URL behind a firewall while leaving their systems fully accessible, but not visible to the public internet


Achieved a quick and frictionless implementation without network changes in under an hour

Fulfilled cyber insurance requirements by ensuring each user is challenged with the second factor before access is granted and seamlessly allowed the continued use of existing USB security keys


Added enhanced protection against common security threats including blocking lateral traversal, restricting user privileges, and producing a full audit log

As a result, the municipality was able to avoid a project that would have normally taken months and met their incoming multi-factor requirements for all users in under an hour. This was all achieved while allowing employees to use their existing credentials, be seamlessly authorised, and require no additional training through Agilicus’ robust solution.

Business Impact

By securing remote access with multi-factor authentication and implementing Zero Trust Network Access, the municipality was able to protect their critical systems while simplifying administration. All of this was achieved without the necessity of making changes to the network or installing new hardware. The region was able to achieve the multi-factor authentication they sought without the use of drastically different technologies and personal device changes. In addition, the municipality established a secure encrypted connection to the Agilicus cloud, giving them total control over who had access to the SCADA system and what each user was able to access, all while reducing the time to connect.

In the end, the municipality was able to become more secure, lower their administrative overhead, and have a single pane of glass strategy to control access.


  • Increased Cyber Resilience
  • No Network Changes or Additional Systems
  • Reduced Time to Connect
  • Met Cyber Insurance Requirements
  • Reduced Administrative Overhead

Get in Touch

Interested in learning more about how the Agilicus AnyX platform works to enforce multi-factor authentication across IT and operational technology resources? Fill out the form below to get in touch with our team.


Digitally Enabling Workers with Secure Access to Web Applications through Zero Trust

One of Canada’s smartest cities is using the Agilicus AnyX platform to digitally enable mobile workers with secure access to web applications through a Zero Trust framework. Our customer provisioned a series of web applications to digitise analog processes, achieve compliance requirements, and deliver secure access for its diverse workforce, but faced a number of security and deployment challenges.

Read the case study and learn how Agilicus AnyX has been used to onboard over 1000 users and deliver frictionless secure access to custom web applications without the need for a VPN, new usernames, passwords, or active directory licences.


Enabling the Modern Workforce with Secure Access to Web Applications through Zero Trust


Situated outside of the Greater Toronto Area, our customer is recognised as one of Canada’s smartest cities and is home to many leading technology companies and universities. With a shared mandate of workplace health and safety, leadership, compliance, and fiscal responsibility, our customer is dedicated to ensuring service excellence for its citizens and employees. Our customer’s IT organisation provides technology support to the team of elected officials, staff, and volunteers to help achieve these mandates and deliver municipal services. 

In order to deliver on these mandates, our customer commissioned several productivity and compliance applications from a third party, but faced considerable challenges in securely deploying them to the workforce.


Application deployment challenges

  • Firewall could not handle inbound traffic as reverse proxy for multiple sites/apps
  • Needed to keep app data in existing on-site system
  • Wanted to get the apps into the hands of users without new logins to the existing system, new passwords, or active directory licences
  • Users needed to be able to access the applications from anywhere, without a VPN

Leveraging Web Applications to Digitally Enable Mobile Workers and Improve Productivity

Our customer commissioned three business applications from a third party to improve productivity and help meet compliance requirements by digitally enabling end-user employees, contractors, and other personnel who are mobile and have no fixed workspace or location. These applications were critical for the organisation to digitise analog processes, streamline record keeping, manage costs, empower mobile users, improve productivity, and achieve various compliance requirements such as hours of service for commercial vehicle operators.

In order to achieve this objective, the IT organisation at our customer had to overcome several key implementation roadblocks and end-user challenges:



The existing firewall was not capable of handling inbound traffic as a reverse proxy for multiple sites and applications.


Data Custody

Requirement to keep data and application hosting on-site at the town hall.


User Security

There could be no new passwords, usernames, or active directory licences involved in the application deployment to avoid costs and weak credentials.


End-User Challenges

Nomadic, mobile, and deskless workforces without a fixed location where work is conducted needed to be able to connect without a company issued device or a VPN.

End-User Challenges

Many staff at the city are part of a mobile workforce that does not require a company issued device or they do not have tasks that require regular access to computers. However, the ability to leverage technology and productivity applications would significantly streamline the administrative duties that they must comply with.

Commercial Vehicle Operators

These users are off-premise and mobile. They do not have or require corporate issued devices to perform their duties and some may work as part-time contractors for the city. All commercial vehicle operators must log their driving hours for compliance with the Ministry of Transportation of Ontario. Our customer developed an application that would modernise this record keeping and better ensure compliance without burdening the end user operator.

Seasonal Workers

Seasonal workers such as the lifeguards, park workers, and city maintenance personnel for our customer are required to complete online safety training. This compliance requirement is in place to help create a safe environment for staff and citizens. It is impractical to issue corporate devices or active directory licences to seasonal workers.

Volunteers and Extended Teams

The workforce for our customer comprises part-time employees, contractors, and volunteers in addition to the full-time staff. Technology solutions ensure that the organisation's resources can be digitised, preserve the privacy of city personnel, and help the volunteers and extended team members be more effective in their roles. The volunteers and extended team members do not require active directory licences or company issued devices to support the city.

Taking a digital first approach was only natural for our customer, but getting their users onboarded to the various productivity web applications was met with several implementation and cybersecurity roadblocks.

Implementation Roadblocks

Stakeholders from the IT and Business Applications teams would be involved in the deployment process, each with their own unique requirements. In working with the IT organisation at the city there were several unique needs that were quickly identified, which had to date prevented the organisation from adopting web applications for productivity:  

  1. “We think to keep our data we must host it. But, that means our firewall needs to handle multiple unique systems behind it by host name, which is a type of reverse proxy. It doesn’t handle that, our team doesn’t know how to make that happen, so we are blocked.”
  2. “We don’t want/won’t allow new usernames or passwords, they get written down.”
  3. “We must hold our data.”

While the applications created by the third party were built to spec and capable of driving new efficiency and productivity for the city, there were a number of implementation roadblocks that had to be overcome in order for deployment to the end users.


Data Custody

Like all municipalities, our customer must adhere to the Municipal Freedom of Information and Protection of Privacy Act and retain data to meet regulatory obligations. As a result, the city has chosen to be the custodian of its own data which also aligns with the internal backup strategy, need for data integrity, and self management of enterprise applications.

User Security

People are maintaining an incredible number of usernames and passwords. Having end-users manage yet another set of access credentials was viewed as both a burden and a cyber risk. The risk of weak and shared credentials being used would leave private applications open to brute force and credential stuffing attacks. Likewise, enforcing strict password policies would lead to the use of weak passwords, or to the credentials being written down or stored insecurely.


User Management

The ability to manage user access and privileges was important to the IT team. Unfortunately, adding licences to the active directory would be both expensive and impractical due to the transitory nature of some of the users (e.g., seasonal workers, volunteers, etc.). Considering a significant portion of the end-users would be seasonal, volunteer, or in the field, it also didn’t make sense to issue licences that came with business applications such as document editors. However, the team still needed the ability to add or remove users and manage their access privileges without adding new active directory licences.

Digital Workforce Enablement through a Zero Trust Architecture

Technology plays a pivotal role in the strategy and execution of municipal services at the city. The ability to extend secure access to remote and mobile workforces would only benefit the city in its mission to deliver service excellence for the citizens while fostering a safe work environment. 

The Agilicus AnyX platform offers a Zero Trust Network Access solution that quickly and easily allowed our customer to onboard users, retain custody of their data, and deliver end to end security, all without the need for new usernames, passwords, or active directory licences. 

By using the Agilicus AnyX platform, our customer would be able to scale adoption of its business and productivity applications, getting them into the hands of their remote and mobile end users.


What is Agilicus AnyX

AnyX removes the complexity of extending secure access to web applications for authorised employees and non-employees. The platform puts organisations in full control with role-based access controls and granular auditing logs. 

Users can easily self-onboard as the platform federates identity and enables single sign-on. Organisations can maintain their native active directory and preferred identity providers of their partner organisations.

The AnyX platform ensures any user can securely connect to any application, resource, or desktop from any device while bolstering defences with a modern approach to cybersecurity.

No VPN – No Hardware – No Client

Data Custody

To ensure our customer could be the custodian of its data and be in control of their own fate, Agilicus introduced a hybrid cloud architecture through a three-tier approach to hosting the applications.

The web application runs in the web browser, while a database is hosted on site at our customer and serves as the ultimate data repository. A web server sits in the middle and acts as an API (application program interface), connecting the end user’s application with the hosted database.

These connections are each secured through Agilicus’ unique, identity aware web application firewall which sits between the end user and the web server. Another sits between the web server and the database backend ensuring the city could self host the databases. In this hybrid model where the backend data stays on premise, a workload firewall that uses mutual TLS and SPIFFE ensures only the specified application can access only the specified resources in the database.
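The authorisation decision such a workload firewall makes after the mutual TLS handshake can be sketched as follows. This is an added example, not Agilicus code: it validates the SPIFFE ID carried in the peer certificate's URI SAN and checks it against a default-deny allowlist. The trust domain, workload paths, resource names and policy layout are all constructed assumptions.

```python
"""SPIFFE ID allowlist check for the web-server-to-database hop.

Assumes the mutual TLS layer has already verified the peer certificate chain
and passes in the URI SAN values it carried. All identifiers are constructed.
"""
import re

_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")
MAX_ID_BYTES = 2048  # length limit from the SPIFFE ID specification

# Constructed policy: exact SPIFFE ID -> resource -> permitted operations.
TRUST_DOMAIN = "city.example"
POLICY = {
    "spiffe://city.example/apps/hours-of-service-api": {
        "db.hours_log": {"select", "insert"},
    },
    "spiffe://city.example/apps/safety-training-api": {
        "db.training_records": {"select", "insert", "update"},
    },
}


class InvalidSpiffeId(ValueError):
    """Raised when a URI SAN is not a well-formed SPIFFE ID."""


def parse_spiffe_id(uri):
    """Return (trust_domain, path); raise InvalidSpiffeId on malformed input."""
    if len(uri.encode("utf-8")) > MAX_ID_BYTES:
        raise InvalidSpiffeId("identifier too long")
    # Strict choice made here: only the lowercase scheme is accepted.
    if not uri.startswith("spiffe://"):
        raise InvalidSpiffeId("scheme must be spiffe")
    trust_domain, slash, rest = uri[len("spiffe://"):].partition("/")
    # The character class also rejects userinfo (@) and ports (:).
    if not _TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise InvalidSpiffeId("bad trust domain")
    if not slash:
        return trust_domain, ""
    for segment in rest.split("/"):
        # Empty segments cover '//' and a trailing slash; dot segments would
        # let one identity alias another after path normalisation.
        if segment in (".", "..") or not _SEGMENT_RE.fullmatch(segment):
            raise InvalidSpiffeId("bad path segment")
    return trust_domain, "/" + rest


def authorize(uri_sans, resource, operation):
    """Default-deny decision for one request; returns (allowed, reason)."""
    try:
        # An X.509-SVID carries exactly one URI SAN.
        if len(uri_sans) != 1:
            raise InvalidSpiffeId("expected exactly one URI SAN")
        trust_domain, path = parse_spiffe_id(uri_sans[0])
    except InvalidSpiffeId as exc:
        return False, f"invalid identity: {exc}"
    if trust_domain != TRUST_DOMAIN:
        return False, "foreign trust domain"
    # Exact match only: prefix or wildcard matching would widen the grant.
    grants = POLICY.get(f"spiffe://{trust_domain}{path}")
    if grants is None:
        return False, "unknown workload"
    if operation not in grants.get(resource, set()):
        return False, "not granted"
    return True, "allowed"


if __name__ == "__main__":
    api = ["spiffe://city.example/apps/hours-of-service-api"]
    print(authorize(api, "db.hours_log", "insert"))
    print(authorize(api, "db.training_records", "select"))
```

Each denial reason is returned alongside the decision so that it can be written to the audit trail with the workload identity.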

User Security

The AnyX platform easily federates identity so that organisations like our customer can quickly onboard users and link an electronic identity with a given user’s privileges to specific applications and resources. Our customer was able to extend secure, convenient access via single sign-on to its users without having to add active directory licences by enabling social login.

That means, when a seasonal worker, part-time hire, or volunteer joins the organisation, they simply have to provide a Gmail or other such ID to be given access. Every user that needed to onboard was able to do so without requiring a single new password or username. This is an integral function of the Agilicus AnyX platform where by design no user names or passwords are stored.

In addition to Agilicus being able to federate identity, the AnyX platform provides administrators with the capability to enforce multi-factor authentication for any resource or application. Our customer’s users could easily be required to authenticate through a second factor to prove their identity and gain access to their business and productivity applications.

User Management

By leveraging a user’s electronic identity to provide access, our customer is able to benefit from role-based access controls and fine-grained authorisation capabilities. The result is simplified user management, where administrators can easily add or remove end-users from any application, instantly.


Role Based Access Controls

Role-based access controls allow administrators to grant privileges to users so that they may access information and resources they need for their jobs while preventing them from accessing unrelated resources that they do not have permissions for.


Simplified User Management

Users can be added or removed from any application instantly (seasonal workers, part-time employees, contractors, or other job actions). 

Business Impact


1000+ Users

The city quickly scaled the adoption of web applications onboarding over 1000 users without requiring new usernames, passwords, or active directory licences.


10 Applications

The Zero Trust framework through Agilicus AnyX was so effective the IT organisation soon delivered secure access to 10 web applications across city workers.


$100K Savings Per Year

Our customer was able to find considerable cost savings of at least $100 per user, per year by not having to purchase additional active directory licences or adopt another identity provider.


Digitising Analog Process

Additionally, shifting analog record keeping to digital better equipped city team members for meeting compliance requirements.


User Privacy

Some use cases included phone lists and directories, which when delivered via web application through AnyX enhanced individual personal privacy and data security without limiting accessibility to authorised staff and volunteers.

Our customer was able to quickly scale adoption of web applications across the city and onboard over 1000 mobile users and enable secure access to the respective business and productivity applications. That has allowed the city to accomplish compliance requirements, streamline administrative tasks, and drive productivity by leveraging technology and web applications. Most significant was the ability to achieve those objectives without compromising on cybersecurity standards and without having to purchase and issue new active directory licences.

The value of getting these mobile workforces online quickly became apparent with demonstrable business impact. The various teams at the city were suddenly able to shift from analog and in person methods of performing specific job functions to entirely digital, 24/7 accessible resources that would be available on any device. After the adoption of the initial run of applications and due to the scalable nature of the Agilicus AnyX platform, our customer quickly went from three productivity applications to 10.

Agilicus AnyX allowed the IT team to introduce web applications across departments with use cases varying from administrative services (payroll, HR, training, inventory management, directories and phone lists) to more tactile use cases such as fire services and bylaw enforcement. In fact, the Agilicus AnyX platform became a marquee solution for the Bylaw Department within the city and allowed this organisation to retire legacy handheld devices in favour of modern smart devices. This significantly reduced the cost of delivering bylaw services for the city while adding increased flexibility for the bylaw officers.

Get in touch with our team to learn more about leveraging Zero Trust to adopt and deliver secure access to productivity applications and streamline the workforce.

Quickly Meet Cyber Security Insurance Requirements with Agilicus AnyX

Accelerate cyber readiness and reduce risk by adopting a network access and security strategy that meets compliance criteria while bolstering cyber defences organisation wide.

Cyber Insurance Eligibility in the Modern Threat Environment

The number of cyber attacks being perpetrated on a daily basis is reaching new heights and it is no surprise that cyber security has become a top of mind priority for business leaders everywhere. Each successfully executed attack on an organisation can have a devastating impact from loss of revenue or compromised company data, to public safety risks and economic ramifications. That is where a strong commercial cyber insurance policy can help protect organisations when a security or data breach happens.

In this new era of heightened cyber risk, zero day exploits, and an uprising of sophisticated and state-sponsored malicious actors, limiting the blast radius of a cyber attack has never been more important. To combat this new threat environment, cyber security insurance providers are tightening the terms of their policies and requiring organisations adopt and apply modern security policies across their entire organisation. 


A key component of compliance for cyber insurance is adopting and enforcing security policies and tools organisation-wide, such as multi-factor authentication, detailed auditing, and role-based access controls. When organisations take a proactive approach to security they can not only comply with cyber insurance requirements, they benefit from a matured cyber posture as well as the opportunity for more comprehensive coverage and protection from cyber risks and liabilities.

About Agilicus

At Agilicus we are helping our customers transform their network access and security strategy through a Zero Trust Architecture to become more agile, efficient, and secure. We deliver a dependable security solution without sacrificing the end-user experience. The result, better protection against cyber threats, simply and affordably. 

The Agilicus AnyX platform equips organisations with a cloud-native, enterprise-grade Zero Trust Architecture that delivers simple, secure access for any authorised user, on any device, anywhere in the world. Zero Trust shifts network access from the perimeter to an identity-based access boundary and has become the new, internationally recommended network and security standard for securing organisation resources and data. 

Top Cyber Security Insurance Requirements

Cyber security insurance providers all have specific requirements for their commercial policy holders. However, there are several common requirements that every organisation could implement to help meet cyber insurance compliance requirements, become eligible, reduce risk, and significantly improve cyber resilience.


Multi-factor Authentication – A strong Multi-Factor Authentication policy helps secure your organisation against attacks that stem from compromised credentials. That makes it a necessary component of obtaining or renewing commercial cyber insurance and could be required on everything from emails and web applications to operational technology.


Data Hygiene and Encryption – As stewards of customer data, personally identifiable information, and confidential corporate information, every organisation needs a strong data security and encryption policy. Data hygiene policies are important for limiting the blast radius and severity of an attack and are often a key consideration for cyber insurance eligibility.


Privileged Access Management – Privileged Access Management, or PAM, is a common network security policy that helps organisations manage user access privileges and access rights. Access privileges, user restrictions, and user management are central to a strong cyber posture and can also affect your eligibility for cyber insurance.


Auditing – A mechanism to perform detailed security analysis and user activity auditing has become increasingly important for cyber security insurance. Detailed auditing means in the event of a breach or an incident organisations can evaluate the extent of compromise, identify affected resources, and fix problem areas for the future.

Agilicus AnyX

A secure alternative to perimeter-based network access, the Agilicus AnyX platform provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges. The entire platform can be deployed in a single afternoon without the need for VPNs, gateways, appliances, or end-user clients.

With the Agilicus AnyX platform, end-to-end security, multi-factor authentication, role-based access controls, and fine-grained auditing can be applied to any user and resource. Meanwhile, end-users benefit from a friction free experience while accessing only the resources they need to do their job.


Enhanced Security Policies

Whether it’s to access remote files or a remote desktop hosting a Legacy Application or SCADA System, easily enable Multi-Factor Authentication for every user, no matter the device.


Role-Based Access Controls

Enable secure, permission-based access policies for any user, user group, or application with Role-Based Access Controls to manage user and resource privileges.


Identity Aware Web Application Firewall

Enable web application access with an Identity-Based Web Application Firewall (WAF) that enhances cybersecurity and control, offering DDOS and ransomware protection.


Detailed Auditing

Improve Risk and Security Analysis with per user, per application auditing capability. Get visibility with accurate information on who accessed what, when, and for how long.


Data Security and Encryption

With Agilicus there is no requirement for new passwords and credentials. All traffic that happens through Agilicus is end-to-end encrypted.


Centralised Authorisation Management

An automated access request workflow means no more micromanaging access and making modifications to individual applications.

Customer Story – Secure Remote Access at a Water Treatment Facility


Our customer is the IT organization for a municipal government and is responsible for supporting key services at the city including critical infrastructure such as the SCADA system at their water treatment facilities. 


Multiple user groups needed secure online access to the SCADA systems at remote water treatment facilities. Limited by the physical locations, our customer installed a remotely accessible machine that can monitor operations, control the system, and transmit data back to the town hall. This machine can never turn off or receive security patches and updates.

Because the users who needed access to the system included external non-employees, adding client software (VPNs) and dictating new workflows, practices, and protocols was not a feasible solution. Having so many different user groups needing access, combined with the inability to implement traditional security mechanisms, was creating immense cyber risk.

It was critical for our customer to solve these problems securely to maintain their cyber security insurance eligibility.


The Agilicus AnyX platform allowed our customer to deliver third party access, maintain continuous connectivity to transmit data to the town hall, and enable secure remote access to their broad user groups and third party partners.

To avoid disruption, the Agilicus AnyX platform was deployed in parallel and integrated with the municipality’s native active directory and that of their partner organisations to institute single sign-on and enforce multi-factor authentication for access.

Our customer is using the AnyX platform to:

  • Secure access to the SCADA system web application interface.
  • Block all inbound and outbound traffic to the host machine unless authorised.
  • Disable the use of peripheral devices on the host machine.
  • Enact strict, least privilege and role-based access controls.
  • Maintain a granular audit trail of user activity.


Cyber insurance is mandatory for municipalities but difficult to obtain when it comes to operational technology and SCADA systems, a challenge our customer was able to overcome by implementing the AnyX platform. 

AnyX is used to allow remote access for authorised personnel to securely manage the SCADA systems, harden cyber defences at the water treatment facility, and drastically improve workflow for the end user operators.


  • Onboarded all internal users and 14 third parties
  • Deployed in a Single Afternoon
  • Parallel Implementation for Seamless Migration
  • No Network Changes, Appliances, or New Licences
  • Friction-Free User Experience

How AnyX Works

Agilicus AnyX is uniquely capable of federating identity to integrate with an organisation’s native active directory and that of partner organisations to enable single sign-on. Users can easily onboard while administrators and IT teams are outfitted with fine-grained authorisation management and role-based access controls. The entire Agilicus AnyX platform can be deployed at your own pace without a VPN, client, or configuration.


AnyX helps organisations provide simple, secure, access for any user, on any device, anywhere in the world without compromising on cybersecurity. The result:

  • Any application, any desktop, any share or other resource can be securely accessed from anywhere without being exposed to the public internet.
  • All authorised users must authenticate by providing a second factor in order to gain access to specified resources.
  • East-West connections are eliminated, reducing the possibility of lateral network traversal.
  • All users, resources, and privileges are micro-segmented.
  • Access is no longer a function of network permission, but bound to a user’s electronic identity.
  • Access can be securely extended to employees, non-employees, partners, third parties, contractors, and vendors.

Get in Touch

Harden your cyber posture and meet your cyber insurance compliance requirements quickly and affordably.


White Paper

Remote Desktop Access

Managing Cyber Risk with Zero Trust Network Access


For many businesses and organizations around the world, Remote Desktop Access has become an essential tool for both providing and maintaining services. IT personnel and other technical workers depend on the ability to remotely access certain machines to perform their job function. However, without adequate modern security systems and practices it is no longer a minor inconvenience when a cyber breach occurs on these remotely accessed devices. The damage can be immeasurable and even ruinous for people and businesses. 

It is becoming increasingly important for businesses and organizations to implement modern, cybersecurity tools that mitigate threats and turn the tables on the unmanaged cyber risk that can result from Remote Desktop Access. A future-forward approach to cybersecurity practices can help protect businesses, organizations, and public and shareholder interests.


Most organizations are still using antiquated technology solutions to enable Remote Desktop Access and are increasingly unable to contend with sophisticated malicious actors. Even more problematic is the way most conventional security solutions are unable to accommodate Remote Desktop Access in a manner that ensures only authorized and authenticated access can be gained. 

When Remote Desktop Access is performed via a corporate Virtual Private Network (VPN), the risk increases with inbound and outbound network gateways wide open. In this case, there’s nothing stopping a local attack or breach from becoming widespread. 

Implementing secure processes and protocols for Remote Desktop Access has historically increased the burden on IT resources or required increased technical capability from the end-user or operator. Adopting a modern approach to cybersecurity can help ensure only the authorized person or persons are able to gain Remote Desktop Access while balancing convenience, control, and security.

What is Remote Desktop Access

Methods and Tools for Remote Access

Remote Desktop Services and Solutions have had many iterations over the years but were first introduced to the world in the late 90s with Microsoft’s Remote Desktop Protocol (RDP) as part of the Windows NT 4.0 Server, Terminal Server Edition [1]. One of the original intentions of RDP was to allow less powerful machines to remote into more powerful Microsoft Servers to perform tasks.

There are now many common tools for achieving remote access. Windows RDP is a widely adopted method of Remote Desktop Access that works on both Windows and Linux operating systems. Other tools that enable Remote Desktop Access include remote access via VPN, Desktop Sharing, and other remote control and systems management tools. TeamViewer, RemotePC, and LogMeIn are all examples of the various types of Remote Access Software and Tools (RATs) for commercial use that exist today. Each method of Remote Desktop Access brings with it a tradeoff between security and convenience. 

Today, being able to remotely access machines brings with it immense cost savings and efficiency for many organizations, especially in a 24/7, global society. However, this constant connectivity also presents numerous risks and challenges, especially in the context of cybersecurity.

How Does Remote Desktop Access Work?

Remote Desktop Access enables someone to connect to a host machine from their client machine located anywhere in the world over the internet, gaining control of the interface and access to applications and file systems. 

Whether it’s 5, 500, or 5000 miles away, connecting from a home or office device lets a user access the host machine without having to physically be there. The host machine could be a desktop, computer system, server, or virtual environment.


Business Application of Remote Desktop Access

Remote Desktop Access is now a widely adopted concept and network functionality, especially for its obvious business applications (most recently being leveraged by IT organizations in response to the COVID-19 pandemic [2]). The network functionality is being put to work across industry verticals. Remote Desktop Access helps technicians gain access to the machines they need to perform their duties without having to physically be on-premise.

Remote Technical and Customer Support

People most commonly associate Remote Desktop Access with providing remote technical support to employees or customers. That means an IT, technical, or other support representative gains access to a customer’s host machine over the internet. From their own machine, the IT or technical support person now has control over the customer host device and can provide any necessary support or maintenance. In gaining Remote Desktop Access, the support representative also has access to the applications, file system, and data stored on the host machine.

Remote Desktop Access for Server Applications, Maintenance, and Deployment

The host device does not always have to be a PC. In fact, Remote Desktop Access is commonly used by IT technicians as a way of accessing servers or virtual desktop environments without having to physically be in the server room. These machines can be critical to corporate infrastructure, host data and applications, or they can be virtual environments used to develop, test, and deploy new applications.

Remote Desktop Access for Legacy Applications

Legacy applications are typically obsolete or outdated systems that either perform a critical function or are embedded within critical infrastructure. These applications or the systems they can run on are typically unable to stay up to date with the latest operating systems or security software. While a suitable replacement could be under development for a legacy environment, the current instance performs a specific function and may need to be securely accessed by remote technicians and employees.

Remote Access for SCADA Systems

Remote Desktop Access can be an essential tool for technicians to interact with Supervisory Control and Data Acquisition (SCADA) systems, be it in industrial, energy, manufacturing or the public sector. Remote access to a SCADA system by employees, vendors, partners, or third parties is often operationally important. These SCADA systems can be found in public utilities like energy or water treatment and provide a control system architecture that enables the supervision and control of machines and processes by technicians.

Remote Desktop Attacks

There are numerous cyber attack vectors and vulnerabilities that come with Remote Desktop Access and other Remote Access Software and Tools. One of the most prominent cybersecurity issues is the use of shared accounts and access credentials. For example, when Remote Desktop Access is achieved using a RAT and its shared credentials are compromised, the result is direct remote access for the attacker. If Windows RDP is used, a compromise can lead to an attacker accessing an entire network, especially when the system is exposed to the internet.

No matter the type of tools used to achieve Remote Desktop Access, the variety in the type of cyber attacks that can be mounted presents a persistent threat.


Credential Stuffing Attacks

When a credential stuffing cyber attack is performed, the malicious actor uses a list of stolen account credentials to try and gain access to a system. The lists can contain usernames, emails, passwords, or other login credentials, which are used to gain unauthorized access to the targeted system or account. The process of mounting this type of attack is usually automated through the use of bots. This type of attack is possible as many users tend to reuse credentials across both personal and work accounts.3

A Lack of Password Protection and Authentication

Whether a malicious actor has guessed a password, intercepted it, or retrieved it from a database or through a brute-force attack, the absence of Multi-Factor Authentication could allow free rein over a system. A weak password could be one that is simplistic, common across accounts, shared with other users (technicians and employees), or previously compromised in a data breach. A strong Multi-Factor Authentication policy could be the difference between getting hacked or not.


Employee Vulnerability

Employees can unintentionally present security risks, whether they fall victim to social engineering, introduce a small oversight, or they themselves become the victim of compromise, such as through a data breach.


Man-In-The-Middle Attacks

During a man-in-the-middle attack4 on a remote session, a malicious actor will try to intercept communication between systems. The intent could be anything from intercepting or harvesting credentials, to spreading malware or ransomware within an organization.

Denial of Service Attacks

Another Remote Desktop Access attack method used by malicious actors is to determine the IP address and open ports of a host machine and then mount a brute-force attack5 designed to reveal credentials for remote access. Often, the byproduct of mounting such an attack, intended or not, is a denial of service (DoS)6, which not only disrupts the function of the host machine, but can prevent authorized users from accessing it.
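The credential stuffing and brute-force patterns described above leave different shapes in a login log, and telling them apart decides the response (resetting many accounts versus locking one). The following is an added example, not part of the original article or of any Agilicus product: the event format, thresholds, and function names are assumptions, and the sample events are constructed using documentation IP ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed login events: (time, source IP, username, success)."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    events = []
    # One source, 12 accounts, one attempt each: credential stuffing shape.
    for i in range(12):
        events.append((t0 + timedelta(seconds=5 * i), "203.0.113.7", f"user{i:02d}", i == 9))
    # One source, one account, 30 attempts: brute-force shape.
    for i in range(30):
        events.append((t0 + timedelta(seconds=2 * i), "198.51.100.4", "administrator", False))
    # A legitimate user who mistypes once, then logs in.
    events.append((t0 + timedelta(minutes=1), "192.0.2.10", "alice", False))
    events.append((t0 + timedelta(minutes=2), "192.0.2.10", "alice", True))
    return sorted(events)

SAMPLE_EVENTS = build_sample()

def classify_sources(events, window=timedelta(minutes=10),
                     min_failures=10, stuffing_users=8):
    """Label each source IP by the shape of its failed logins within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        best = None
        # Slide a window starting at each event and keep the one with most failures.
        for idx, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[idx:] if r[0] - start <= window]
            fails = [r for r in in_win if not r[2]]
            if best is None or len(fails) > len(best[1]):
                best = (in_win, fails)
        in_win, fails = best
        if len(fails) < min_failures:
            continue  # ordinary typo-level noise, not an attack pattern
        users = {u for _, u, _ in fails}
        # Many accounts tried from one source suggests a stolen credential list;
        # few accounts with many attempts suggests password guessing.
        label = "credential_stuffing" if len(users) >= stuffing_users else "brute_force"
        # Accounts that logged in from this source inside the window are
        # candidates for password reset and session review.
        succeeded = sorted({u for _, u, ok in in_win if ok})
        findings[ip] = {"label": label, "failures": len(fails),
                        "distinct_users": len(users), "succeeded": succeeded}
    return findings

if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The `succeeded` list is the part that matters most when Multi-Factor Authentication is absent: a single hit among the failures is a working credential in the attacker's hands.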


Software Based Permissions Vulnerabilities

Applications, including RATs, require permissions7 that are granted by the administrator of a machine. From time to time there are bugs in these permissions that result in vulnerabilities that can be exploited by malicious actors. One of the most recent and relevant examples was a critical exploit discovered in TeamViewer’s administrator permissions8 that could have allowed malicious payloads to be persistently executed every time the service ran. Fortunately, this vulnerability in TeamViewer has since been patched.


Remote Access Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a list of publicly-known security vulnerabilities, exposures, and exploits.9 This list provides a common point of reference for IT administrators to help secure systems. The list of CVEs is constantly expanding and regularly updated as new vulnerabilities and exploits are discovered. Remote Desktop Access exploits through Windows RDP, Desktop Connection, and more are included in this list. For example, a number of Denial of Service CVEs for Windows RDP were discovered in 2020.10

There is a pressing need to mitigate threats against remotely accessed machines and the risk and consequences that go along with them.

Remote Desktop Access in a Corporate Environment

In most enterprise and business corporate network environments, Remote Desktop Access tasks are actually performed over a corporate VPN, which can amplify cyber risk. Traditionally, the VPN served as a way to create a secure tunnel to the host machine that needed to be accessed. However, the methods of attack and the risk climate have changed significantly over the years, and if remote access is achieved through a VPN and the client machine, host machine, or network is compromised, the risk is no longer localized and can spread across environments.

When an attacker gains access to a client machine, remote host machine, or corporate VPN, that access may be trusted by default, which means the infiltration can go undetected. The VPN by its very nature is an all-or-nothing perimeter-based security solution. It’s either access to the entire network or none of the network, which is why lateral traversal within an organization’s network is possible.

Securing Remote Desktop Access to Manage Cyber Risk and Mitigate Threats

Remote Desktop Access has become an essential function for most organizations. However, with the frequency of cyber attacks only accelerating,11 exceptional security around Remote Desktop Access is not discretionary. Legacy applications and SCADA systems, for example, have come under frequent attack. The breach of the Florida water treatment plant in 202112 is an example of the security and public risk unsecured Remote Desktop Access presents.

IT organizations need to provide Remote Desktop Access to specific host machines for specific users, even those outside the organization like contractors, vendors, and third parties. In order to secure these environments, an approach built on authorization, authentication, and access can help manage cyber risk more effectively through a Zero Trust Architecture.

What is Zero Trust Security

Zero Trust Network Access and Security means switching from outdated perimeter-based (firewall and VPN) models of access to an identity-based model of access. That means authorization, authentication, and access privileges are determined based on the identity of a person (user) and the identity of a resource (device/machine). 

Identity-based access means decoupling identity from a corporation or organization and binding it to the user, creating a single identity. This allows IT administrators to enforce entitlements and authorizations within the network, effectively segmenting access.

Segmentation of access is simple, more secure, and doesn’t inhibit the accessibility of employees to their work. It does however significantly mitigate the risk of cyber attacks like lateral-traversal within a network, malware, and ransomware. Adopting a modern cloud-native security platform empowers users to work from any device, anywhere in the world while ensuring the organization has granular auditing capabilities, Role Based Access Controls, Privilege Management, and the ability to restrict access with Multi-Factor Authentication.  

A Zero Trust Architecture is economical, scalable, and most importantly more secure than conventional methods of network cloaking and inflexible, restrictive policy.

Remote Desktop Access Via Zero Trust

Zero Trust Network Access (ZTNA) ensures IT organizations and administrators have the granular security controls needed to manage per-user authorizations. Limiting end-user, authenticated access to the specific resource, application, or work they need protects the broader corporate network and machines from being exposed to attackers, keeping compromises localized. 

When Zero Trust is applied to Remote Desktop Access the risk profile and exposure of applications, systems, networks, and corporate resources is significantly reduced without inhibiting the productivity of the employee or technician who requires access to the host machine. In essence, Zero Trust allows the IT organization to require authentication and authorization from both the user and the designated device. That means a technician must prove their identity before being allowed to gain Remote Desktop Access.

Users are commonly identified via OpenID Connect and SAML, while resources are commonly identified by Client Certificates. Single Sign-On and Multi-Factor Authentication paired with these core tenets of Zero Trust (Authorization, Authentication, and Access) means that strong password policies and authentication methods are innate to the security equation.

Zero Trust ensures that Remote Desktop Access is available to any authorized employee using any designated device without risking the entire network. This method of secure access will also prohibit any unauthorized access to the host machine, by unauthorized users or devices.
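To make the contrast between the all-or-nothing VPN perimeter and per-user, per-device, per-resource authorization concrete, here is an added example (not Agilicus code and not from the original article). The user names, device certificate fingerprints, resource names, and policy tables are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str          # subject asserted by the identity provider (hypothetical values)
    mfa_passed: bool   # second factor completed for this session
    device_cert: str   # fingerprint of the client certificate the device presented
    source_net: str    # "corp-vpn" or "internet"
    resource: str      # host the user wants a remote desktop session on

# Hypothetical inventory and policy, as an administrator might define them.
RESOURCES = ["scada-hmi-01", "legacy-erp-01", "file-server-01"]
ENTITLEMENTS = {("tech-anna", "scada-hmi-01"), ("vendor-bob", "legacy-erp-01")}
ENROLLED_DEVICES = {"tech-anna": {"fp:aa11"}, "vendor-bob": {"fp:bb22"}}

def perimeter_decision(req):
    """VPN-style model: network location is the only thing checked."""
    if req.source_net == "corp-vpn":
        return True, "inside perimeter"
    return False, "outside perimeter"

def zero_trust_decision(req):
    """Identity-based model: default deny, network location is ignored."""
    if not req.mfa_passed:
        return False, "mfa required"
    if req.device_cert not in ENROLLED_DEVICES.get(req.user, set()):
        return False, "unknown device"
    if (req.user, req.resource) not in ENTITLEMENTS:
        return False, "no entitlement"
    return True, "entitled user on enrolled device"

def reachable(decide, user, mfa, cert, net):
    """Resources one session could open a remote desktop to under a model."""
    return [r for r in RESOURCES if decide(Request(user, mfa, cert, net, r))[0]]

if __name__ == "__main__":
    # A vendor session on the VPN from an unenrolled device, without MFA.
    print(reachable(perimeter_decision, "vendor-bob", False, "fp:unknown", "corp-vpn"))
    # The same vendor, authenticated and on an enrolled device, from the internet.
    print(reachable(zero_trust_decision, "vendor-bob", True, "fp:bb22", "internet"))
```

Under the perimeter model a single compromised VPN session reaches every host in the inventory; under the identity-based model the same account reaches one host, and only from an enrolled device after MFA.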

Securing Remote Desktop Access Through Agilicus’ Any X Platform

You can set up 1-click remote access from client to host machine within minutes through Agilicus’ Any X platform. You can enable Remote Desktop Access via a Zero Trust Architecture without configuration on-site and with no change to the host machine or firewall. A detailed step-by-step guide on setting up Agilicus’ Zero Trust platform is available here.

This means that the cyber risk and threats can be heavily mitigated for any resource that must be accessed remotely, whether it’s a server, virtual environment, or physical desktop device hosting a legacy application, or a SCADA system.

How Zero Trust Remote Desktop Access Works with Agilicus

Zero Trust Remote Desktop Access allows any user to connect from any device to the host machine they need to perform their job. The Zero Trust framework ensures access is granted on the basis of identity. Agilicus’ Any X platform features fine-grained controls and authorization for Remote Desktop Access and allows any device to remotely access machines using Windows RDP (Windows and Linux OS). Any X also features Single Sign-On, Multi-Factor Authentication, full audit trails, and end-to-end encryption, which only enhances the security surrounding Remote Desktop Access.


Rein in Unmanaged Cyber Risk with Zero Trust Remote Desktop Access

While most applications are modern and accessible through web browsers, there is still a need for native desktop applications and therefore Remote Desktop Access to various machines and resources around the world, whether it is through civilian networks or over corporate VPNs. Remote Desktop Access is widely used by IT professionals and technicians across industry verticals to access servers, access on-premise machines, perform maintenance, and carry out other operational tasks.

Without adequate security, or with a continuation of the status quo of legacy security practices, Remote Desktop Access creates huge unmanaged cyber risks for IT organizations. Those same remote resources can also be critically important to both private and public interests and in the event of a compromise, there could be significant consequences and very real public safety risks.

Some examples of remote resources that a technician or operator must access are: 

• SCADA systems (controlling the power grid, local water treatment facility, etc.)

• Servers or virtual machines that host or perform a business function

• Machines that run legacy applications

• Employee or customer machines and devices to provide support or maintenance

Implementing Zero Trust and its core tenets of authorization, authentication, and access to secure Remote Desktop Access puts the IT organization back in control of its cyber risk profile. 

Zero Trust works by trusting no user or device by default and enacts a strict policy that ensures only authorized individuals and devices can gain access to critical resources after authenticating their identity. This differs from a perimeter-based security policy (VPN) where anyone who has gained access to a network is trusted by default. 

The security landscape is rapidly evolving, but your requirements of providing convenient and secure access while managing costs aren’t. Agilicus can help you implement an identity-based secure solution that enables Remote Desktop Access for workers while empowering the IT organization with the controls to manage cyber risk for Any Desktop by implementing Authorization, Authentication, and Access.

Contact Us

Secure Remote Desktop Access at your organization and protect against cyber attacks with Agilicus and empower your workforce with secure access to the resources they need to do their work.


Works Cited

1 Deland-Han. “Understanding Remote Desktop Protocol (RDP) – Windows Server.” Microsoft Docs, Microsoft, 24 Sept. 2021.

2 Statista. “Remote Access Technology Use Increase 2020, by Region.” Statista, Statista, 15 June 2021.

3 “Credential Stuffing Software Attack | OWASP Foundation.” The OWASP® Foundation, 2021.

4 “MitM – Glossary | CSRC.” CSRC, 2020.

5 “Brute Force Password Attack – Glossary | CSRC.” CSRC, 2020.

6 “Denial of Service (DoS) – Glossary | CSRC.” CSRC, 2020.

7 “Permissions – Glossary | CSRC.” CSRC, 2020.

8 SafeBreach Inc. “TeamViewer Windows Client (V11 to V14) – DLL Preloading and Potential Abuses (CVE-2019-18196).” Safebreach, SafeBreach Inc. 2021, 15 Nov. 2019.

9 “CVE – Glossary | CSRC.” CSRC, 2020.

10 “Security Update Guide – Microsoft Security Response Center.” Microsoft, 2020.

11 Quadros, Sharron. “RDP Attacks on the Rise During COVID-19 Pandemic.” Security Boulevard, Techstrong Group Inc., 6 Jan. 2021.

12 Goodin, Dan. “Florida Water Plant Compromise Came Hours after Worker Visited Malicious Site.” Ars Technica, Condé Nast, 18 May 2021.