Secure Remote Access to ERP Systems and Legacy Applications without a VPN

Enable secure remote access to your Enterprise Resource Planning (ERP) systems and extend the life cycle of legacy applications without a VPN. It is time to modernise your approach to access and security to protect against cyberattacks.


What is ERP Security

Many organisations leverage ERP systems to centralise and manage business processes and operations across domains, from finance and human resources to supply chain management and administration. Cyberattacks are a top-of-mind issue for executives, and the risk continues to grow as threats against ERP systems escalate.

Ensuring your ERP system has a strong cyber posture is essential for the security of the sensitive data powering your organisation.

Secure Remote Access to ERP with Agilicus AnyX

Agilicus AnyX leverages its foundation in Zero Trust to provide a more secure alternative to VPNs and perimeter-based network access. This is achieved by segmenting users and resources and enforcing least privilege access. In order to access corporate resources through Agilicus, users must verify their identity and have the necessary permissions. 

This is implemented in the front end through a friction-free single sign-on experience. Meanwhile administrators are equipped with centralised authorisation management and can easily add or remove user access and privileges through a single administrator portal. With Agilicus, organisations of all types and sizes can quickly and economically expand the reach of ERP systems, including legacy ERP applications, without compromising security.

Enhancing Security for ERP Systems While Enabling Secure Access

The pace of digital transformation and the shift towards “Work-From-Anywhere” means technology leaders are challenged with finding effective ways to enable remote access while also enhancing security for their ERP and legacy applications. These challenges are creating barriers for employees and could be holding back business initiatives and processes. Traditional tools such as the VPN or remote desktop protocol (RDP) have not only proven to be insufficient solutions, they are also often the source of cyber risk.

While VPNs have given organisations a way to enable remote access to certain corporate resources, they weren’t developed for security and haven’t kept up with the demands of the modern threat environment. Unfortunately, when a user gets access via the VPN, they are also getting access to an entire network, which is one of the ways ransomware propagates. In addition to security issues, they introduce unnecessary complexity for end users and don’t enable simple remote access to ERP systems and legacy applications.


Enabling Secure Remote Access to ERP and Legacy Resources


Agilicus AnyX leverages Zero Trust to enable secure, least privileged remote access to shared corporate resources without exposing them to the public internet. Zero Trust is an “Always Verify” security framework that requires users to verify their identity and have the required permissions to gain access. 

With Agilicus, legacy applications and ERP systems can be made remotely accessible without a VPN, client, or network configuration. Agilicus empowers your organisation with the ability to enforce security controls necessary to keep sensitive customer, employee, and corporate information secure.

Identity-Based Access

Easily integrate with native identity providers (Azure, GSuite, Okta) and extend secure access to internal and external users. Agilicus AnyX federates identity, meaning you can easily provide secure, identity-based access to employees and non-employees. No new usernames, passwords, or Active Directory licences are required.


Least Privilege Access

Simplified User Management and Role-Based Access Controls allow administrators to grant least privilege access to users, ensuring they only have access to the files and resources they need. You can restrict what your authorised users can access and what they can do with that access (read, write, admin).

Secure Access

Increase the cyber resilience of your ERP systems and applications with easy-to-implement security policies like multi-factor authentication, end-to-end encryption, and micro-segmentation of users and resources.


Enhanced Audit Logging

Reduce your cyber risk and perform detailed security analysis with per user, per application auditing. Get the visibility you need to provide perfect information on who accessed what, when, and for how long.

Provide your authorised employees and non-employees with secure, auditable access to only the resources and systems they need, keeping your ERP systems secure and extending the life cycle of legacy applications.

Agilicus AnyX for Access to Legacy Java Web Start Applications

Some legacy applications are built using Java Web Start. Agilicus AnyX, combined with the Agilicus JNLP web browser extension, ensures any authorised user can access their legacy ERP applications from any device.

Get in Touch – Enable Secure Access to Your ERP Systems

Get in touch with our team and learn how to enhance security and enable simple, remote access to your ERP systems and extend the life cycle of legacy applications.


Remote Access over Starlink without a VPN.

Enable secure, remote access to your Starlink network connected systems including cameras, routers, remote desktops, building control systems, and even industrial networks. 

Reduce the time, cost, and complexity of connecting with precise control over user access and permissions.


The lowest cost tier of Starlink doesn’t allow inbound VPN connections, port forwarding, or any type of DMZ scheme, as it uses IPv4 behind Carrier-Grade NAT (CGNAT), meaning there are a limited number of public IP addresses. Conventional workarounds for these connectivity constraints, such as a reverse VPN, are complex, expensive, and could introduce security risks.

The easiest way to achieve remote connectivity to Starlink enabled systems is through Agilicus AnyX.


Pair Users with Resources.

Create user-resource pairings to enable secure remote access to specific systems within your Starlink network.


Outbound Only Connection.

An outbound only connection from your Starlink network means zero unauthorised traffic reaches your systems.


Access Anywhere. No Client. No VPN.

Seamlessly deploy in minutes not days. No new hardware, clients, or network changes are required.


Enforce Security Controls for Access.

Implement security controls including multi-factor authentication, end-to-end encryption, detailed auditing and segmentation of users, resources, and systems.

Even though Business-tier Starlink subscriptions use IPv6, allowing port forwarding and VPN access, these remote access methods still introduce cybersecurity risks to your business. With Agilicus AnyX you can ensure any connectivity over Starlink is simple, secure, and auditable. Your users can be given least privilege access to only the resources they need and must verify their identity to gain access.


Operated by SpaceX, Starlink provides high-speed, low-latency satellite internet coverage in 40 countries, empowering previously disconnected regions with internet access. Remote and rural businesses around the world have been able to connect to the internet and adopt new technologies that improve efficiency and operations.

As Starlink currently uses IPv4, fewer public IP addresses are available. Multiple Starlink subscribers could be sharing the same public IP address, rendering traditional remote access tools like the VPN ineffective or overly complex.


Unable to connect via IPv4.

The basic Starlink subscriber tier uses IPv4 and has a limited number of public IP addresses, which are shared among subscribers through Carrier-Grade NAT (CGNAT).


No port forwarding due to CGNAT.

Port forwarding is complicated because IPv4 behind CGNAT prevents inbound traffic from being routed to a specific device or machine in the network.


No port forward prevents VPN access.

Due to the limited number of available IP addresses, CGNAT, and the inability to route inbound traffic, it’s not possible to establish a standard VPN connection to your systems via Starlink.


Traditional tools require a risky, always-on connection.

Traditional remote access tools require your organisation to accept the risks of overprivileged, always-on connections to your systems.

Agilicus AnyX is a modern, secure access platform that overcomes Starlink connectivity challenges and enables remote access to corporate resources without the need for a public IP or VPN.

What is Agilicus AnyX

Quickly and easily expand the reach of company resources without compromising on security, requiring a VPN, or juggling network changes. Agilicus AnyX is a Zero Trust Network Access platform that offers a secure alternative to perimeter-based network solutions and is suitable for organisations of all types and sizes. 

Enable simple, secure, and auditable access to shared resources with precise control of permissions for any authorised user with a low cost platform that scales with your organisation.

Without a routable IP address, using an inbound VPN is not an option for remotely connecting to systems over Starlink. By installing the Agilicus Connector on resources within your network, an outbound-only connection to the Agilicus cloud can be established. Each user who requires access must verify their identity, which is done via single sign-on and multi-factor authentication (OpenID Connect with upstream identity providers). Direct access is achieved over HTTPS in any browser with a URL, and a connection is only established once a user has verified their identity and has the required permissions for access.

Enhanced Security Through Zero Trust

Agilicus AnyX enables secure, identity-based, auditable access to specific resources with precise control of user permissions, while delivering a frictionless end-user experience.

Frictionless End-User Experience

Single sign-on and multi-factor authentication provide a seamless, intuitive login flow.

Simplified User Management

Centrally manage users and permissions through a single administrator portal.

Any User. Any Device. Anywhere.

Remote access over your Starlink network from anywhere, using any device.

There’s no need to set up a reverse VPN or worry about dynamic DNS, open ports, or setting up a DMZ. Remote access over Starlink through Agilicus AnyX not only makes it easy to connect to your systems, it empowers your organisation with access controls that keep your critical systems secure.

Get in touch with our team to get started with Agilicus AnyX to enable secure remote connectivity to resources within your Starlink network.


Run JNLP Files from Anywhere Without a VPN or Network Changes

Run your Java Network Launch Protocol (JNLP) client applications and JNLP files from anywhere with Agilicus AnyX. Seamlessly avoid compatibility issues and enable secure remote access for your users without the need for a VPN.

Launch your applications as designed, with enhanced security, and provide full support for JNLP programs through Agilicus.


Securely Launching JNLP Applications

Agilicus AnyX is able to launch JNLP applications as designed and provides full support for the most commonly used JNLP standard features. This is achieved under a Zero Trust framework that both enhances security and delivers a seamless end-user experience. In order to launch a JNLP client application through Agilicus, users must verify their identity and have the necessary permissions to access the application. This is implemented in the front end through a friction-free single sign-on experience. Meanwhile administrators are equipped with centralised authorisation management and can easily add or remove user access and privileges through a single administrator portal.

Ensure your employees can easily and remotely access your legacy and JNLP applications without requiring rework from developers, a VPN, or network changes.

Running Legacy Applications and Java Client Software

Many organisations still rely on legacy applications that require Java Web Start (JWS) and utilise the JNLP file standard to function. The JNLP file allows Java-based applications to be launched on a desktop using resources hosted on a remote server and packaged as Java ARchive (JAR) files.

Since Oracle ended the bundling and support of its Java Web Start framework, these applications have become restricted to certain machines, making it difficult for end users to continue to leverage the robust software. Additionally, with the end of public support for JWS, there are no longer any security updates and fixes, making these applications susceptible to cyber threats.

JNLP client software has become integrated in various workflows across numerous industries and is still widely used despite the lack of support for JWS. Agilicus AnyX ensures your organisation can continue using JWS and JNLP based applications, making them more secure and accessible from anywhere, for any authorised user.


How Agilicus AnyX Works to Securely Launch JNLP Applications without a VPN

  1. When a user downloads a JNLP resource, the Agilicus browser extension takes control of the file and launches the Java Web Start component.
  2. All of the JAR files described in the JNLP are downloaded and cached to disk.
  3. The Agilicus Agent starts locally in proxy mode, and the Agilicus extension starts Java with the parameters described by the JNLP file.
  4. An HTTP proxy configuration ensures Java routes its networking through the Agilicus Agent (Java honours the http.proxyHost and http.proxyPort system properties).
  5. The result is instant, secure, auditable access to the JNLP resources, with all traffic fully encrypted by TLS.
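As an added illustration of the launch sequence above (not the Agilicus extension's code), the following Python parses a constructed JNLP file, resolves its JAR resources against the codebase, and builds the Java command line with the http.proxyHost/http.proxyPort and https.proxyHost/https.proxyPort system properties pointing at a local proxy. The JNLP contents, hostnames, cache directory and proxy address are constructed placeholders.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample JNLP for a hypothetical legacy ERP client; host, paths
# and main class are placeholders, not a real deployment.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://erp.example.internal/app/" href="launch.jnlp">
  <information><title>Legacy ERP Client</title></information>
  <resources>
    <j2se version="1.8+"/>
    <jar href="lib/erp-client.jar" main="true"/>
    <jar href="lib/commons.jar"/>
    <property name="app.server" value="https://erp.example.internal/api"/>
  </resources>
  <application-desc main-class="com.example.erp.Main">
    <argument>--profile=remote</argument>
  </application-desc>
</jnlp>
"""


def parse_jnlp(xml_text):
    """Extract what a launcher needs from a JNLP document: the codebase, the
    absolute URLs of every JAR, declared system properties, the main class
    and program arguments. Each JAR href is resolved against the codebase and
    must stay on the codebase's HTTPS origin, so a JNLP cannot direct the
    launcher to fetch code from some other host."""
    root = ET.fromstring(xml_text)
    codebase = root.get("codebase", "")
    base = urlsplit(codebase)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("codebase must be an absolute https URL")
    jars, properties = [], {}
    for res in root.findall("resources"):
        for jar in res.findall("jar"):
            href = jar.get("href")
            if not href:
                raise ValueError("jar element without href")
            url = urljoin(codebase, href)
            parts = urlsplit(url)
            if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
                raise ValueError("jar outside codebase origin: " + url)
            jars.append(url)
        for prop in res.findall("property"):
            properties[prop.get("name")] = prop.get("value", "")
    desc = root.find("application-desc")
    if desc is None or not desc.get("main-class"):
        raise ValueError("application-desc with main-class is required")
    return {
        "codebase": codebase,
        "jars": jars,
        "properties": properties,
        "main_class": desc.get("main-class"),
        "arguments": [a.text or "" for a in desc.findall("argument")],
    }


def cache_path(cache_dir, jar_url):
    """On-disk location for a downloaded JAR, keyed by host and URL path so
    JARs from different codebases never collide in the cache."""
    parts = urlsplit(jar_url)
    return posixpath.join(cache_dir, parts.netloc, parts.path.lstrip("/"))


def build_java_command(info, proxy_host, proxy_port, cache_dir="/tmp/jnlp-cache"):
    """argv for launching the parsed application with its HTTP(S) traffic sent
    through a local proxy. http.proxyHost/Port and https.proxyHost/Port are
    standard Java system properties honoured by the URL/HttpURLConnection
    stack; the JNLP's own <property> values are passed as -D as well."""
    classpath = ":".join(cache_path(cache_dir, j) for j in info["jars"])
    cmd = [
        "java",
        "-Dhttp.proxyHost=" + proxy_host,
        "-Dhttp.proxyPort=" + str(proxy_port),
        "-Dhttps.proxyHost=" + proxy_host,
        "-Dhttps.proxyPort=" + str(proxy_port),
    ]
    for name, value in info["properties"].items():
        cmd.append("-D%s=%s" % (name, value))
    cmd += ["-cp", classpath, info["main_class"]] + info["arguments"]
    return cmd


if __name__ == "__main__":
    info = parse_jnlp(SAMPLE_JNLP)
    for jar in info["jars"]:
        print("would download and cache:", jar)
    print(" ".join(build_java_command(info, "127.0.0.1", 8080)))
```

Java's proxy properties apply to its HTTP(S) client stack; an application that opens raw sockets is not redirected by them, which is worth confirming before relying on proxy-based routing for a given client.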


Agilicus AnyX combined with the Agilicus JNLP web browser extension ensures any authorised user can launch a JNLP client application without a VPN while keeping the workflow unchanged. End users access the application as usual and verify their identity to launch it, for example by clicking on a web page link to download the current JNLP file.

Enhanced Security for Java Client Applications


JNLP applications are used by organisations everywhere and have become business critical. That means, to keep up with the demands of the modern workforce, they need to be remotely accessible and secure. Unfortunately, because the JWS and JNLP standards are no longer actively maintained, these applications have a significant number of Common Vulnerabilities and Exposures (CVEs) that could be putting your organisation at risk. Additionally, traffic in a JNLP local environment can be intercepted, making them susceptible to man-in-the-middle attacks.

With Agilicus, Java and JNLP client applications can be made remotely accessible and benefit from enhanced security through Zero Trust. Zero Trust is an “Always Verify” security framework that requires users to verify their identity and have the required permissions to gain access.

Agilicus will empower your organisation with the security controls necessary to keep sensitive customer, employee, and corporate information within these JNLP applications secure. The Agilicus AnyX extension leverages the Agilicus Agent and Connector to ensure all traffic is fully encrypted and requires your users to verify their identity through single sign-on and provide a second factor for authentication to gain access.

Get in Touch – Learn How to Enable Secure Access from Anywhere

Get in touch with our team and learn how to launch JNLP files and applications from anywhere, without a VPN.


A VPN Alternative for Securing Remote Access to Legacy Applications

A municipality in Southern Ontario was seeking a method of securing remote access to legacy applications responsible for treasury, billing, and permit functions. Cyber insurance requirements mandated that all remote access have multi-factor authentication and privileged access management. The IT team was challenged with meeting these new requirements while keeping the user experience simple.

Their current VPN required the addition of two separate solutions for multi-factor and privileged access management. This was not acceptable due to the added complexity for their user base and the combined added costs.


Objectives

The municipality set out to meet four main goals:

  1. Implement multi-factor authentication and privileged access management to meet cyber insurance requirements.
  2. Meet budget constraints for buying, implementing, and operating the systems.
  3. Simplify the user experience for a non-technical user base.
  4. Ensure access to a critical application that was not remotely accessible because it required a thick client.

Zero Trust Network Access With Agilicus AnyX

The municipality selected Zero Trust Network Access (ZTNA) with Agilicus AnyX which comes complete with multi-factor authentication and privileged access enforcement. The Agilicus AnyX platform provides a VPN-less and clientless experience for users to connect to their work securely from anywhere, on any device.

By choosing Agilicus, the municipality was able to leverage ZTNA which pairs their user specifically to the legacy application rather than to the network. Upon a connection being made, the user is challenged for a second factor of authentication and admitted through privileged access management.

The municipality achieved the following results:

  1. Simplified access, allowing users to connect to the legacy application from any device or location.
  2. Enhanced session security, achieved via an outbound-only connection that is not visible on the public internet.
  3. Met cyber insurance requirements by seamlessly integrating multi-factor authentication and privileged access management.
  4. Improved user experience: users simply connect as they would in the office, using their existing employee credentials for single sign-on.

As a result, the municipality avoided the costs and extra steps of connecting to a VPN. This allowed them to meet their cyber insurance requirements while remaining within a limited budget and avoiding added complexity. Deployment was achieved company-wide in under an hour.

Business Impacts

Through implementing Zero Trust Network Access with Agilicus AnyX, the municipality achieved secure remote access to their legacy application without the use of a VPN. The Agilicus AnyX platform provided robust security while remaining light and simple, and its extra layers of protection qualified them for cyber insurance. The municipality was also able to simplify their administrative process by choosing a solution that could be quickly installed without the necessity of network changes or added hardware.

Although the Agilicus AnyX platform was initially deployed to secure their legacy application for remote users, the municipality expanded adoption of the platform to enable access to all city resources for employees, whether remote or not. With the ease of bringing on new users, the municipality was able to improve the security of their entire organisation with a frictionless deployment and deliver an invisible IT security experience for their end users.


Secure Access to Critical Infrastructure for Partners and Vendors

A municipality set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisations, and their systems integrator. The municipality chose Agilicus AnyX to adopt a Zero Trust Architecture that enabled simple, secure remote connectivity with precise control over privileges.


Case Study:
Secure Access to Critical Infrastructure for Partners and Vendors

Executive Summary

A municipality located on the west coast in North America set out to modernise their water treatment facility to better enable secure connectivity for various internal teams (IT, Public Works), partner organisations, and their systems integrator. Facility management is shared with a partner municipality. A systems integrator needs access to perform maintenance and support. Given the number of internal and external individuals that need remote connectivity to the site, the municipality needed a secure solution that protected the critical infrastructure from external threats. 

Of particular importance was implementing a solution that did not require new accounts or interfere with the responsibilities or capabilities of any party. The municipality chose Agilicus AnyX to adopt a Zero Trust Architecture that enabled simple, secure connectivity and precise control over privileges, leveraging the existing identity providers of each organisation. The result is a more mature cyber posture and a VPN-less experience that creates a modern industrial air-gap for the water treatment facility. In turn, the municipality also benefited from detailed audit logs of all activity on the network and the ability to extend just-in-time access to third parties and external vendors.

Protecting municipal critical infrastructure and shared resources.

How can I enable remote connectivity in a way that keeps my critical systems off the public internet but allow access for maintenance and support?

Municipal critical infrastructure is an essential service and citizens depend on the secure and reliable operation of municipal facilities. Remote connectivity and the ability to leverage data are two increasingly important requirements when it comes to successfully and safely operating critical infrastructure. The challenge is enabling remote connectivity in a way that protects the critical systems from online threats and attackers. It was particularly important for the municipality that they maintained a true air-gap without having to rework their entire network. 

To adequately support the water facility, individuals need to be able to remotely connect via Secure Shell (SSH) and Remote Desktop Protocol (RDP), and to access various SCADA web applications. However, governance, compliance, and the current threat environment made it especially complicated to use conventional technology such as a VPN or remote access tools like TeamViewer. While traditional access tools could partially solve internal remote access needs, they would open the organisation and water treatment facility up to a host of attack vectors and cyber risk that was simply unacceptable.

The team had several essential needs in addition to a secure remote connection:

  1. On-site machines needed to stay online at all times. These are systems that are unable to receive security updates and patches.
  2. The systems integrator needed secure remote access, but organisational security policies had to be adhered to (no shared credentials, multi-factor authentication).
  3. The SCADA (supervisory control and data acquisition) system at the facility needed to maintain an always-on connection to city hall to export data for record keeping and analysis.
  4. All access and activity needed to be tracked and recorded in detailed logs, providing evidence if something were to go wrong.

Water treatment facilities and other critical infrastructure demand high security due to their vital role in society. The municipality needed a solution that offered a modern air-gap to deliver resource segmentation without limiting remote connectivity for operations, service, and support.

Solution

A Zero Trust Architecture by Agilicus AnyX proved to be the right solution for enabling secure remote connectivity while creating a virtual air-gap at the facility. Zero Trust consists of three central tenets – Identity, Authorisation, and Access.

Identity

Every user or operator must be individually known and authenticated.

Authorisation

Every action an individual takes must be authorised based on their identity and privileges to interact with a resource.

Access

Authenticated and authorised user actions are routed only to the destination resources.

A modern air-gap was achieved with a 15-minute installation that did not require a full network rework.

Identity – Any User

Identity is the way a given user proves who they are. For example, employees have a corporate email address – that corporate email address allows individuals to prove who they are. Agilicus AnyX allows an unlimited number of corporate email addresses, from different organisations to work together as if they were part of the same organisation – this is called federated identity.

Authentication across so many organisations without issuing new accounts or passwords was achieved by federating identity and leveraging the Agilicus OpenID Connect proxy for session management and single sign-on.

Authentication is performed by known upstream issuers (Azure, O365, Gmail, Okta, etc.) or a customer’s own identity provider. As a result, Agilicus uses an authenticated user’s JSON Web Token (JWT) and never requires or stores passwords or credentials.

A simple identity layer on top of the OAuth 2.0 protocol, OpenID Connect (OIDC) allows the verification of an identity and can request and receive information about authentication, sessions, and end-users. 

Within the Agilicus AnyX Authentication Issuer, the Municipality had several configuration options:

  1. Configure the sign-in screen theming with municipal logo and branding.
  2. Select from a set of Agilicus-managed upstream identity providers (Apple, Google, LinkedIn).
  3. Add their own identity providers and those of their partners (Azure Active Directory, Microsoft Active Directory, etc.). In this case the municipality used Azure Active Directory, their partner organisation was able to use Okta, and their systems integrator was able to use GSuite.
  4. Configure and enforce multi-factor authentication.
  5. Control rules regarding when, how, and who can authenticate to the system.

A detailed example of how Agilicus uses OpenID Connect can be found here.

Authorisation – Least Privilege


Through Agilicus AnyX, the municipality gained precise control over resources and user privileges. Every resource (network, server, application, etc.) has a set of permissions that are both role and resource specific – Owner, Editor, Viewer, Self. For each resource the municipality could select a user or user group and delegate necessary privileges. 
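An added illustration (constructed policy data, not Agilicus's implementation or API) of the Identity, Authorisation and Access tenets applied to an ID token from a federated upstream issuer, using the Owner/Editor/Viewer roles just described: the token must come from a trusted issuer for one of the participating organisations, the strongest role the user or their groups hold on the resource must meet the requested role, MFA is demanded where the resource requires it, and only then is the request routed to that resource's destination. Issuer URLs, client ID, emails, group names and the destination are placeholders, and the token's signature is assumed to have been verified by the OIDC library before these checks run.

```python
import time

# Constructed issuer allow-list: each upstream OIDC issuer is mapped to the
# organisation it authenticates for (placeholder URLs, one per participant).
TRUSTED_ISSUERS = {
    "https://login.example-municipality.test/v2.0": "municipality",
    "https://partner-city.okta.test/oauth2/default": "partner",
    "https://accounts.example-integrator.test": "integrator",
}
CLIENT_ID = "agilicus-anyx-demo"  # expected `aud` claim (constructed)

ROLE_RANK = {"Viewer": 1, "Editor": 2, "Owner": 3}

# Constructed per-resource policy: who holds which role, whether MFA is
# mandatory, and the only destination an authorised request may reach.
RESOURCES = {
    "scada-hmi-rdp": {
        "mfa_required": True,
        "destination": "rdp://10.0.5.20:3389",
        "grants": {
            ("municipality", "ops.lead@example-municipality.test"): "Owner",
            ("integrator", "group:scada-support"): "Editor",
            ("partner", "group:plant-operators"): "Viewer",
        },
    },
}


class AccessDenied(Exception):
    pass


def identify(claims, now=None):
    """Identity tenet: the token must come from a trusted upstream issuer, be
    addressed to this relying party, and be inside its validity window.
    Returns the organisation the issuer vouches for. Signature verification
    is assumed to have happened in the OIDC library before this point."""
    now = time.time() if now is None else now
    org = TRUSTED_ISSUERS.get(claims.get("iss"))
    if org is None:
        raise AccessDenied("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise AccessDenied("token not issued for this relying party")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise AccessDenied("token outside validity window")
    if not claims.get("email"):
        raise AccessDenied("no email identity in token")
    return org


def authorise(claims, org, resource_name, needed_role):
    """Authorisation tenet: MFA if the resource demands it (RFC 8176 `amr`
    lists "mfa"), then the strongest role granted to the user or one of the
    user's groups, within their own organisation, must rank at least
    `needed_role`."""
    res = RESOURCES[resource_name]
    if res["mfa_required"] and "mfa" not in claims.get("amr", []):
        raise AccessDenied("multi-factor authentication required")
    principals = [claims["email"]] + ["group:" + g for g in claims.get("groups", [])]
    held = [res["grants"][(org, p)] for p in principals if (org, p) in res["grants"]]
    if not held:
        raise AccessDenied("no grant on resource")
    best = max(held, key=ROLE_RANK.__getitem__)
    if ROLE_RANK[best] < ROLE_RANK[needed_role]:
        raise AccessDenied("role %s insufficient, need %s" % (best, needed_role))
    return best


def route(claims, resource_name, needed_role, now=None):
    """Access tenet: only a request that passed identity and authorisation is
    routed, and only to the resource's configured destination."""
    org = identify(claims, now)
    role = authorise(claims, org, resource_name, needed_role)
    return {"org": org, "role": role,
            "destination": RESOURCES[resource_name]["destination"]}


if __name__ == "__main__":
    # Constructed claims for an integrator technician who completed MFA.
    demo = {"iss": "https://accounts.example-integrator.test", "aud": CLIENT_ID,
            "exp": time.time() + 600, "email": "tech@example-integrator.test",
            "groups": ["scada-support"], "amr": ["pwd", "mfa"]}
    print(route(demo, "scada-hmi-rdp", "Editor"))
```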

In order to fold those resources into the Zero Trust Architecture, Agilicus AnyX uses a connector to facilitate the connection between a network and the authorised end users. The Agilicus Connector is installed on a device to create a unidirectional pathway to the Agilicus Cloud. This outbound-only connection blocks all ports and remote connectivity unless achieved through the authorised path, Agilicus AnyX. The Agilicus Connector is self-updating and follows The Update Framework (TUF), which protects the mechanisms involved in automatically downloading software updates. A changelog is readily available to ensure the municipal team is informed of any updates that have occurred.

Each Agilicus Connector uses a Globally Universally Unique Identifier (GUUID) to individually identify the resource and an OpenID Connect issuer to control its authentication domain. This ensures Agilicus AnyX can confirm the identity of a given resource and enforce privileges. Once installed on the destination resource, new directories and services to share or expose are managed entirely from the administrative web interface. Combined with Role-Based Access Controls, users and user groups at the municipality could be paired with only the resources they need with strict, least privilege access.

Complete micro-segmentation of users, resources, and sites is also achieved by the Agilicus Connector. The Agilicus Connector can be installed at different points in the network or on individual systems, allowing for a per-site or per-resource approach to micro-segmentation. As a result, users and resources are isolated from one another and cannot connect unless authorised.

In order to achieve the objective of creating a secure, always on connection between the water treatment facility SCADA system and city hall, a small router with a firewall that denied all inbound and outbound traffic except through the Agilicus Connector was installed on site. This introduced a service forwarder where only an authorised and authenticated connection can be established. All data such as chlorine levels could now be recorded and transmitted under a Zero Trust security framework, with complete end-to-end encryption.

Access – Simply and Securely


The Agilicus AnyX platform centralises authorisation management ensuring municipal operators and administrators can easily add or remove users and enable or disable access privileges through a single web-based portal. Meanwhile, the various end-users perform authentication using their designated accounts via Single Sign-On through the Agilicus AnyX platform to gain access to only the applications and resources they have permissions for.

The authentication workflow performed by end users and the outbound-only connection from the resource meet in the middle (the Agilicus Cloud), where a connection is only established if all authentication and authorisation parameters are met (user identity, multi-factor authentication, privileges).

Agilicus AnyX supports SSH, RDP, Virtual Network Computing (VNC), web applications, and even access to PLCs. These access methods to specific resources are created through the administrative portal. Each resource is further secured by the patented Identity Aware Firewall, which acts as an HTTP proxy. This ensures SSL/TLS is enforced for every connection and protects the resources from issues such as server misconfiguration. The Identity Aware Firewall blocks all traffic unless authenticated and authorised, adhering to the never trust, always verify Zero Trust principle.

Deployment

Least Privilege Access

Outcome

The municipal team was able to adopt a virtual air gap and implement a Zero Trust Architecture to secure the water treatment facility, achieving their goal of enabling secure, least privilege access for all authorised parties: internal users, partner organisations, and their systems integrator. Agilicus AnyX also equipped the municipal team with detailed audit logs of all activity on municipal water infrastructure. The team now has a clear view of who is accessing their systems, what they are doing with that access, and when they are accessing facility resources.


Federating identity with OIDC ensured no new identity management services or licences were required. Passwords stay with the users and are never passed to, or stored by, Agilicus AnyX. This also means that if an employee leaves, their access is revoked as soon as they are deleted from their own company's identity provider.


Multi-Factor Authentication is easily enforced across all users for access to any resource, including non-participating systems, such as the machine hosting the facility Human Machine Interface (HMI).


Complete micro-segmentation of both users and resources was achieved via the Agilicus Connector, preventing network traversal and requiring authentication and authorisation for access.


The Agilicus Connector was used to establish a secure, always-on connection to city hall for data collection from the water treatment facility. The data is necessary for record keeping as well as for management and monitoring of the facility resources to ensure proper function.

The Agilicus Connector enabled secure accessibility to the resources without needing a public IP, VPN, or client. That means while the various teams were able to establish a secure and convenient remote connection, water treatment facility resources are neither exposed to nor visible on the public internet.


The Water Treatment facility cyber posture was greatly enhanced through the Identity Aware Firewall and Agilicus Connector. That means no lateral traversal, enforced SSL, and the blocking of peripheral devices on facility machines.


Both the systems integrator and the partner organisation no longer needed to send workers to site for troubleshooting, maintenance, and operation, leading to cost and labour savings.

What is Agilicus AnyX 

Agilicus AnyX is an easy to deploy, all-in-one Zero Trust Network Access platform that allows organisations to improve security and equip employees with frictionless access to only the resources they need. The platform ensures organisations can micro-segment resources and infrastructure while ensuring authorised users can get simple, secure access to applications, desktops, shares, and other resources. A secure alternative to perimeter-based network access, Agilicus AnyX provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges.

Enabling Secure Remote Connectivity to 100 Critical Infrastructure Sites, Nationwide

A major systems integrator that services critical infrastructure across the United States seamlessly transformed their service model through Zero Trust, to reduce costs while enabling secure remote connectivity to over 100 customer sites.


Summary

A major systems integrator that primarily supports water treatment facilities across the United States needed a way to remotely connect to over 100 on-site systems to perform support, maintenance, and troubleshooting. In order to do that, the systems integrator also had to comply with customer security requirements for remote access (no shared credentials, multi-factor authentication, privileged access). Agilicus AnyX, a Zero Trust Network Access platform, enabled remote connectivity for the systems integrator without requiring any new hardware, clients, or a VPN. As a result, access was simplified for the systems integrator while ensuring they could adhere to each customer's expectations on security.

Network Modification Using Agilicus AnyX to Create an Outbound Only Connection at IEC 62443 Level 3


Challenges with enabling remote connectivity for support and maintenance


Remote access was particularly important for the systems integrator with over 100 sites located coast to coast. The systems integrator had so far been forced to send technicians to site in order to support customers. The ability for technicians to remotely connect for immediate support from anywhere, on any device represented significant cost savings and higher customer satisfaction. 

Due to growing cyber threats and attacks targeting critical infrastructure and operational technology, it was not an option to use traditional remote access tools such as TeamViewer or LogMeIn. Neither the systems integrator nor their customers were comfortable with using these remote access tools because of shared credentials, no multi-factor authentication, and lack of auditability.  

Likewise, the VPN was both impractical for the systems integrator and risky for their customers due to cyber risks such as lateral network traversal. For the systems integrator, VPNs limit efficiency at scale (e.g., 100 VPNs for 100 customers). When it comes to providing support, VPNs can be unreliable and limit the ability to connect to and support multiple sites at once. For operators, VPNs break the air gap and can become a doorway for cyber attacks such as ransomware.

Enabling secure remote connectivity without compromising on security


Water treatment facilities and municipal critical infrastructure require strict security policies to protect the citizens and communities they serve. In order to comply with these security requirements and best serve their customers while achieving their own business objectives, the systems integrator implemented Agilicus AnyX. The platform empowered the systems integrator with precise control over permissions and detailed audit logs for a complete view of technician activity for each site and system. 

With Agilicus AnyX, the systems integrator was able to enable access for authorised technicians without requiring yet another set of credentials or shared access between users. The platform also made it possible to enforce multi-factor authentication for access to any system by any user. The result was remote connectivity through a Zero Trust Network Access framework that complied with customer policies as well as a greatly improved cyber posture for the systems integrator and the sites they manage.

Improved business efficiency with remote connectivity


Faster site commissioning, faster support and troubleshooting responses, fewer site visits and the potential for 24/7 live monitoring.


Micro-segmented down to the device level with a single click to ensure techs did not access something out of scope.


Multi-factor authentication enforced in a way that meant secure access but did not add complexity for the support techs.


Detailed audit logs which provide perfect evidence of who accessed the systems, what change they made, and how long they were connected.


Ensured the entire site was off the public internet and air-gapped by leveraging the Agilicus outbound-only connection. This meant that neither a VPN nor a public IP address was needed (even on cellular sites).

Deployment Architecture

User Flow


Industrial Air Gap – A Tale Of 2 Users

Devices on industrial control system networks are ill-equipped for the hardships associated with the Internet and remote access: low-speed processors, infrequent firmware upgrades, spotty security research and Common Vulnerabilities and Exposures (CVE) publishing, and so on.

This leads to a natural conflict: the operator is responsible for the security, and they are not willing to sacrifice security for accessibility since their business and reputation are at stake. The vendor wants the opposite: the fewest constraints and the most simplicity across their customer base.

Is there a better way? One that meets the security requirements of the operator’s IT department as well as the access requirements of the vendors?

Yes: a Zero-Trust Industrial Network Architecture.