Secure Remote Access to ERP Systems and Legacy Applications without a VPN

Enable secure remote access to your Enterprise Resource Planning (ERP) systems and extend the life cycle of legacy applications without a VPN. It is time to modernise your approach to access and security to protect against cyberattacks.

What is ERP Security

Many organisations leverage ERP systems to centralise and manage business processes and operations across domains, from finance and human resources to supply chain management and administration. Because an ERP system concentrates so much sensitive data and so many critical workflows in one place, it is a high-value target, and attacks against ERP systems continue to escalate, which has made ERP security a top-of-mind issue for executives.

Ensuring your ERP system has a strong cyber posture is essential for the security of the sensitive data powering your organisation.

Secure Remote Access to ERP with Agilicus AnyX

Agilicus AnyX leverages its foundation in Zero Trust to provide a more secure alternative to VPNs and perimeter-based network access. This is achieved by segmenting users and resources and enforcing least privilege access. In order to access corporate resources through Agilicus, users must verify their identity and have the necessary permissions. 

This is implemented in the front end through a friction-free single sign-on experience. Meanwhile administrators are equipped with centralised authorisation management and can easily add or remove user access and privileges through a single administrator portal. With Agilicus, organisations of all types and sizes can quickly and economically expand the reach of ERP systems, including legacy ERP applications, without compromising security.

Enhancing Security for ERP Systems While Enabling Secure Access

The pace of digital transformation and the shift towards “Work-From-Anywhere” means technology leaders are challenged with finding effective ways to enable remote access while also enhancing security for their ERP and legacy applications. These challenges are creating barriers for employees and could be holding back business initiatives and processes. Traditional tools such as the VPN or remote desktop protocol (RDP) have not only proven to be insufficient solutions, they are also often the source of cyber risk.

While VPNs have given organisations a way to enable remote access to certain corporate resources, they were designed to extend a trusted network to a remote device, not to enforce per-application access control, and they have not kept up with the demands of the modern threat environment. When a user connects via the VPN, they typically get access to an entire network segment rather than to a single application; that over-broad reach is one of the ways ransomware propagates and the reason a single compromised VPN account is so valuable to an attacker. In addition to these security issues, VPNs introduce unnecessary complexity for end users and do not provide simple remote access to ERP systems and legacy applications.

Enabling Secure Remote Access to ERP and Legacy Resources

Agilicus AnyX leverages Zero Trust to enable secure, least privileged remote access to shared corporate resources without exposing them to the public internet. Zero Trust is an “Always Verify” security framework that requires users to verify their identity and have the required permissions to gain access. 

With Agilicus, legacy applications and ERP systems can be made remotely accessible without a VPN, client, or network configuration. Agilicus empowers your organisation with the ability to enforce security controls necessary to keep sensitive customer, employee, and corporate information secure.

Identity-Based Access 

Easily integrate with native identity providers (Azure, GSuite, Okta) and extend secure access to internal and external users. Agilicus AnyX federates identity, meaning you can easily provide secure, identity-based access to employees and non-employees. No new usernames, passwords or Active Directory licences are required.

Least Privilege Access

Simplified User Management and Role-Based Access Controls allow administrators to grant least privilege access to users, ensuring they only have access to the files and resources they need. You can restrict what your authorised users can access and what they can do with that access (read, write, admin).

Secure Access

Increase the cyber resilience of your ERP systems and applications with easy to implement security policies like multi-factor authentication, end-to-end encryption, and micro-segmentation of users and resources.

Enhanced Audit Logging

Reduce your cyber risk and perform detailed security analysis with per-user, per-application auditing. Get the visibility you need to answer precisely who accessed what, when, and for how long.

Provide your authorised employees and non-employees with secure, auditable access to only the resources and systems they need, keeping your ERP systems secure and extending the life cycle of legacy applications.

Agilicus AnyX for Access to Legacy Java Web Start Applications

Some legacy applications are built on Java Web Start. Agilicus AnyX, combined with the Agilicus JNLP web browser extension, ensures any authorised user can access their legacy ERP applications from any device.

Get in Touch – Enable Secure Access to Your ERP Systems

Get in touch with our team and learn how to enhance security and enable simple, remote access to your ERP systems and extend the life cycle of legacy applications.

Remote Access over Starlink without a VPN.

Enable secure, remote access to your Starlink network connected systems including cameras, routers, remote desktops, building control systems, and even industrial networks. 

Reduce the time, cost, and complexity of connecting with precise control over user access and permissions.

The lowest cost tier of Starlink does not allow inbound VPN connections, port forwarding, or any type of DMZ scheme, because it hands out IPv4 addresses through Carrier-Grade NAT (CGNAT): subscribers share a limited pool of public IPv4 addresses and do not hold a routable address of their own. Conventional workarounds for these connectivity constraints, such as a reverse VPN, are complex, expensive, and can introduce security risks of their own.

The easiest way to achieve remote connectivity to Starlink enabled systems is through Agilicus AnyX.

Pair Users with Resources.

Create user-resource pairings to enable secure remote access to specific systems within your Starlink network.

Outbound Only Connection.

An outbound-only connection from your Starlink network means no inbound port is ever opened, so unsolicited traffic from the internet never reaches your systems.

Access Anywhere. No Client. No VPN.

Seamlessly deploy in minutes not days. No new hardware, clients, or network changes are required.

Enforce Security Controls for Access.

Implement security controls including multi-factor authentication, end-to-end encryption, detailed auditing and segmentation of users, resources, and systems.

Even though business-tier Starlink subscriptions use IPv6 and can allow port forwarding and inbound VPN access, those remote access methods still expose a listening service to the internet and introduce cybersecurity risk to your business. With Agilicus AnyX you can ensure any connectivity over Starlink is simple, secure, and auditable: your users are given least privilege access to only the resources they need and must verify their identity to gain access.

Operated by SpaceX, Starlink provides high-speed, low-latency satellite internet coverage in 40 countries, empowering previously disconnected regions with internet access. Remote and rural businesses around the world have been able to connect to the internet and adopt new technologies that improve efficiency and operations.

As the basic Starlink tier currently uses IPv4 behind CGNAT, there are fewer public IP addresses than subscribers. Multiple Starlink subscribers can share the same public IP address, which renders traditional remote access tools like the VPN ineffective or overly complex.

Unable to connect via IPv4.

The basic Starlink subscriber tier uses IPv4 and shares a limited number of public addresses among subscribers through Carrier-Grade NAT (CGNAT), so your site has no public IPv4 address of its own.

No port forwarding due to CGNAT.

Port forwarding is not available because, behind CGNAT, the public address belongs to the carrier's NAT rather than to your router, so there is no way for inbound traffic to be forwarded to a specific device or machine in your network.

No port forward prevents VPN access.

Because of the limited number of available IP addresses, CGNAT, and the inability to forward inbound traffic, it is not possible to establish a standard inbound VPN connection to your systems over Starlink.
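
A quick check a practitioner can run before trying any of the above is to classify the address the router shows on its WAN interface. The following is an added example, not code from this page or from Agilicus: it tests the address against the RFC 6598 shared address space (100.64.0.0/10) that carriers use for CGNAT, and the sample addresses it is run on are constructed.

```python
"""Tell whether a WAN address can accept inbound connections at all.

Added example, not part of the original page or of any Agilicus software.
It classifies the address a router reports on its WAN interface: an address in
the RFC 6598 shared space (100.64.0.0/10) means the ISP is doing Carrier-Grade
NAT, so port forwarding and inbound VPNs cannot reach the site. The sample
addresses in the usage section are constructed.
"""
import ipaddress

# RFC 6598 "shared address space", reserved for carrier-grade NAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Return one of: 'cgnat', 'not-routable', 'private', 'public'."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 4 and ip in CGNAT_SPACE:
        # The subscriber does not own a public IPv4 address; the ISP's NAT does.
        return "cgnat"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        # Nothing on the internet can route to these at all.
        return "not-routable"
    if ip.is_private:
        # RFC 1918 / ULA on the WAN side: the router sits behind another NAT.
        return "private"
    return "public"


def inbound_access_possible(addr: str) -> bool:
    """True only when the site holds an address the internet can route to.

    Anything else needs an outbound-only connection rather than port
    forwarding or an inbound VPN."""
    return classify_wan_address(addr) == "public"


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ("100.71.3.9", "192.168.1.5", "100.128.0.1", "fd00::1"):
        print(f"{sample:>15}  {classify_wan_address(sample):<13} "
              f"inbound={inbound_access_possible(sample)}")
```

Run it against the WAN address shown in your router's status page; a result of "cgnat" or "private" means the outbound-only approach described on this page is the only practical option.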

Traditional tools require a risky, always on connection.

Traditional remote access tools require your organisation to accept the risks of overprivileged, always on connections to your systems.

Agilicus AnyX is a modern, secure access platform that overcomes Starlink connectivity challenges and enables remote access to corporate resources without the need for a public IP or VPN.

What is Agilicus AnyX

Quickly and easily expand the reach of company resources without compromising on security, requiring a VPN, or juggling network changes. Agilicus AnyX is a Zero Trust Network Access platform that offers a secure alternative to perimeter-based network solutions and is suitable for organisations of all types and sizes. 

Enable simple, secure, and auditable access to shared resources with precise control of permissions for any authorised user with a low cost platform that scales with your organisation.

Without a routable IP address, an inbound VPN is not an option for remotely connecting to systems over Starlink. By running the Agilicus Connector on resources within your network, an outbound-only connection to the Agilicus cloud is established instead. Each user who requires access must verify their identity via single sign-on and multi-factor authentication (OpenID Connect with upstream identity providers). Access is then direct over HTTPS, in any browser, using a URL, and a connection to the resource is established only once the user has verified their identity and holds the required permissions.

Enhanced Security Through Zero Trust

Agilicus AnyX enables secure, identity-based, auditable access to specific resources with precise control of user permissions, while delivering a frictionless end-user experience.

Frictionless End-User Experience
Single sign-on and multi-factor authentication provide a seamless, intuitive login flow.

Simplified User Management
Centrally manage users and permissions through a single administrator portal.

Any User. Any Device. Anywhere.
Remote access over your Starlink network from anywhere, using any device.

There is no need to set up a reverse VPN or worry about dynamic DNS, open ports, or a DMZ. Remote access over Starlink through Agilicus AnyX not only makes it easy to connect to your systems, it empowers your organisation with access controls that keep your critical systems secure.

Get in touch with our team to get started with Agilicus AnyX to enable secure remote connectivity to resources within your Starlink network.

Run JNLP Files from Anywhere Without a VPN or Network Changes

Run your Java Network Launch Protocol (JNLP) client applications and JNLP files from anywhere with Agilicus AnyX. Seamlessly avoid compatibility issues and enable secure remote access for your users without the need for a VPN.

Launch your applications as designed, with enhanced security, and provide full support for JNLP programs through Agilicus.

Securely Launching JNLP Applications

Agilicus AnyX is able to launch JNLP applications as designed and provides full support for the most commonly used JNLP standard features. This is achieved under a Zero Trust framework that both enhances security and delivers a seamless end-user experience. In order to launch a JNLP client application through Agilicus, users must verify their identity and have the necessary permissions to access the application. This is implemented in the front end through a friction-free single sign-on experience. Meanwhile administrators are equipped with centralised authorisation management and can easily add or remove user access and privileges through a single administrator portal.

Ensure your employees can easily and remotely access your legacy and JNLP applications without requiring rework from developers, a VPN, or network changes.

Running Legacy Applications and Java Client Software

Many organisations still rely on legacy applications that require Java Web Start (JWS) and use the JNLP file format to function. A JNLP file describes a Java-based application so that it can be launched on a desktop from resources hosted on a remote server: the Java ARchive (JAR) files to download, the main class to run, and the JVM properties and arguments to pass to it.

Since Oracle stopped bundling and supporting Java Web Start (it was removed from the JDK with Java 11), these applications have become restricted to the particular machines that still have a working JWS installation, making it difficult for end users to continue to use otherwise robust software. Additionally, with the end of public support for JWS there are no more security updates and fixes, leaving these applications exposed to cyber threats.

JNLP client software has become integrated in various workflows across numerous industries and is still widely used despite the lack of support for JWS. Agilicus AnyX ensures your organisation can continue using JWS and JNLP based applications, making them more secure and accessible from anywhere, for any authorised user.

How Agilicus AnyX Works to Securely Launch JNLP Applications without a VPN

When a user launches a JNLP application through Agilicus, the sequence is:

  • The user downloads a JNLP resource; the Agilicus browser extension takes control of the file and launches the Java Web Start component.
  • All of the JAR files described in the JNLP are downloaded and cached to disk.
  • The Agilicus Agent starts locally in proxy mode, and the Agilicus extension starts Java with the parameters described by the JNLP file.
  • Java is started with an HTTP proxy configuration (its standard http.proxyHost/http.proxyPort and https.proxyHost/https.proxyPort system properties) so that all of the application's networking runs through the Agilicus Agent.
  • The result is instant, secure, auditable access to the JNLP resources, with all traffic encrypted in transit by TLS.
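
The launch sequence above, as an added example in Python (not Agilicus code): it parses a constructed JNLP descriptor, refuses descriptors whose codebase is not HTTPS or whose JARs come from a different origin than the codebase, and builds the java command with the JVM's standard http/https proxy properties pointed at a local proxy. The proxy address 127.0.0.1:4180, the cache directory and the descriptor text are assumptions made for the example.

```python
"""Parse a JNLP descriptor and build the Java launch command for it, with
the JVM's networking pointed at a local HTTP proxy.

Added example, not code from the original page or from Agilicus. The proxy
address (127.0.0.1:4180), the cache directory and the JNLP text below are
constructed for illustration. The proxy properties it sets (http.proxyHost,
http.proxyPort, https.proxyHost, https.proxyPort) are standard JVM system
properties.
"""
import os
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor, in the shape a legacy ERP client might publish.
SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://erp.example.internal/app/" href="erp.jnlp">
  <information><title>Legacy ERP Client</title></information>
  <resources>
    <j2se version="1.8+"/>
    <jar href="erp-client.jar" main="true"/>
    <jar href="lib/erp-common.jar"/>
    <property name="erp.server" value="https://erp.example.internal/api"/>
  </resources>
  <application-desc main-class="com.example.erp.Main">
    <argument>--profile=remote</argument>
  </application-desc>
</jnlp>
"""


def parse_jnlp(text: str) -> dict:
    """Extract codebase, JAR URLs, JVM properties, main class and arguments.

    Two checks a launcher should make before running anything: the codebase
    must be https, and every JAR must come from the same origin as the
    codebase (a descriptor that pulls code from elsewhere is how a tampered
    JNLP smuggles in a JAR)."""
    root = ET.fromstring(text)
    codebase = root.get("codebase")
    if not codebase:
        raise ValueError("JNLP descriptor has no codebase")
    base = urlparse(codebase)
    if base.scheme != "https":
        raise ValueError(f"codebase must be https, got {base.scheme!r}")

    jars = []
    for jar in root.iter("jar"):
        href = jar.get("href")
        if not href:
            raise ValueError("jar element without href")
        url = urljoin(codebase, href)
        u = urlparse(url)
        if (u.scheme, u.netloc) != (base.scheme, base.netloc):
            raise ValueError(f"JAR {url} is not served from the codebase origin")
        jars.append(url)
    if not jars:
        raise ValueError("JNLP descriptor lists no JAR resources")

    app = root.find("application-desc")
    if app is None or not app.get("main-class"):
        raise ValueError("JNLP descriptor has no application-desc/main-class")

    return {
        "codebase": codebase,
        "jars": jars,
        "properties": {p.get("name"): p.get("value") for p in root.iter("property")},
        "main_class": app.get("main-class"),
        "args": [a.text or "" for a in app.findall("argument")],
    }


def build_java_command(desc: dict, proxy_host: str, proxy_port: int, cache_dir: str) -> list:
    """Return argv for launching the application from locally cached JARs with
    all HTTP and HTTPS traffic sent via proxy_host:proxy_port."""
    base_path = urlparse(desc["codebase"]).path
    # JARs are cached under cache_dir at their path relative to the codebase.
    classpath = os.pathsep.join(
        os.path.join(cache_dir, urlparse(j).path[len(base_path):]) for j in desc["jars"]
    )
    cmd = [
        "java",
        f"-Dhttp.proxyHost={proxy_host}", f"-Dhttp.proxyPort={proxy_port}",
        f"-Dhttps.proxyHost={proxy_host}", f"-Dhttps.proxyPort={proxy_port}",
    ]
    cmd += [f"-D{k}={v}" for k, v in desc["properties"].items()]
    cmd += ["-cp", classpath, desc["main_class"], *desc["args"]]
    return cmd


if __name__ == "__main__":
    desc = parse_jnlp(SAMPLE_JNLP)
    print(shlex.join(build_java_command(desc, "127.0.0.1", 4180, "cache")))
```

The same-origin check on each JAR is the part worth keeping whatever launcher you use: a JNLP file is just XML, and if the page serving it is ever tampered with, a single `<jar href="https://…">` pointing elsewhere is enough to run attacker-supplied code on the user's desktop.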

Agilicus AnyX combined with the Agilicus JNLP web browser extension ensures any authorised user can launch a JNLP client application without a VPN while keeping the workflow unchanged. End users access the application as usual, for example by clicking a web page link to download the current JNLP file, and verify their identity to launch it.

Enhanced Security for Java Client Applications

JNLP applications are in use at organisations everywhere and have become business critical; to keep up with the demands of the modern workforce they need to be remotely accessible and secure. Unfortunately, because JWS and the JNLP standard are no longer actively maintained, these applications and the runtime underneath them carry a significant number of Common Vulnerabilities and Exposures (CVEs) that could be putting your organisation at risk. Additionally, when a JNLP client fetches its JAR files or talks to its back end over plain HTTP on a local network, that traffic can be intercepted, making it susceptible to man-in-the-middle attacks.

With Agilicus, Java and JNLP client applications can be made remotely accessible and benefit from enhanced security through Zero Trust. Zero Trust is an “Always Verify” security framework that requires users to verify their identity and have the required permissions to gain access.

Agilicus will empower your organisation with the security controls necessary to keep sensitive customer, employee, and corporate information within these JNLP applications secure. The Agilicus AnyX extension leverages the Agilicus Agent and Connector to ensure all traffic is fully encrypted and requires your users to verify their identity through single sign-on and provide a second factor for authentication to gain access.

Get in Touch – Learn How to Enable Secure Access from Anywhere

Get in touch with our team and learn how to launch JNLP files and applications from anywhere, without a VPN.

Eliminate Attack Vectors and Stop Cyber Threats in Their Tracks with a Zero Trust Architecture

Reducing Cyber Risk and Protecting Against Attacks

Cyber threats come from all angles these days, yet most businesses are still ill-equipped to keep the bad actors out when they become the target of an attack. The Open Web Application Security Project (OWASP) produces a list of the top 10 threats that organisations must contend with to keep their web applications secure, but that is only the tip of the iceberg. While there are best practices that can help mitigate cyber risks, some of the most dangerous attack vectors are getting harder to defend against, from lateral network traversal and ransomware to employee vulnerabilities and denial of service attacks.

A modern and proactive approach to access and security is a necessary shift organisations need to take in order to maintain a sufficient security posture, mitigate threats, and stop attackers in their tracks. Zero Trust Architecture offers just that. 

Zero Trust is the preferred way to introduce user resource segmentation while adopting a perimeter-less, “Never Trust, Always Verify” approach to security. That means every resource is isolated and access is only granted when a user has verified their identity and has the correct authorisation for access, effectively keeping bad actors out. 

What are the OWASP Top 10 Web Application Vulnerabilities

Every few years OWASP revises its Top 10 web application security threats. This list has become a standard document and is a great resource for organisations to size up their web application cyber posture and determine their level of vulnerability exposure. In 2021, OWASP updated its list of the top web application threats that businesses face as follows:

  • Broken Access Control – Access controls enforce user privileges, preventing users from acting outside of their permissions. Failures can lead to unauthorised access, modification, disclosure, or destruction of data, or to functions being exercised outside the user’s intended privileges.
  • Cryptographic Failures – Many web applications and their APIs do not impose strong encryption practices to properly protect sensitive corporate and customer data. This gives attackers an opportunity to intercept or modify data for criminal purposes. Strong encryption must be applied to data both at rest and in transit.
  • Injection – Attackers leverage flaws such as SQL, NoSQL, OS, and LDAP injection to trick the interpreter into executing unintended commands or exposing data without proper authorisation.
  • Insecure Design – In the design and development lifecycle of software and applications, inadequate budget for time and security requirements can allow critical vulnerabilities to pass through into live environments, introducing attack vectors the team never anticipated or addressed.
  • Security Misconfiguration – Ad hoc and insufficient configuration of software and infrastructure can lead to issues like misconfigured HTTP headers, exposed cloud storage, default admin or root accounts being left in place, and even verbose error messages that leave sensitive information exposed.
  • Vulnerable and Outdated Components – Vulnerable components, such as libraries, frameworks, and other software modules, often lead to severe instances of data loss or server takeover. The inability to address CVEs (Common Vulnerabilities and Exposures) undermines application security by enabling various attack vectors.
  • Identification and Authentication Failures – When incorrectly implemented, functions related to authentication and session management allow attackers to compromise session tokens, passwords, keys, and user credentials. Multi-factor authentication is one of the easiest ways to prevent an attacker from assuming a user’s identity.
  • Software and Data Integrity Failures – Software and data integrity failures happen when applications rely on libraries and plugins from untrusted sources, and insecure deployment pipelines allow these to be introduced without an integrity check, creating the potential for unauthorised access or system compromise.
  • Security Logging and Monitoring Failures – Absent or poor logging and monitoring, paired with inadequate tools for incident response, can let a breach become pervasive, allowing attackers to persist, traverse to more systems, and tamper with or extract data. The average time to detect a breach is over 200 days. Fine-grained auditing and logging capabilities can substantially improve that.
  • Server-Side Request Forgery – Server-Side Request Forgery (SSRF) flaws allow attackers to trick an application into fetching a remote resource from an unexpected destination without validating it. Because the forged request originates from the trusted server itself, this attack can succeed even when the application is protected by a conventional firewall, VPN, or another type of network access control list (ACL).

Broken Access Control moved to the number one spot on the OWASP Top 10 and represents one of the most common vulnerabilities today. In fact, some security researchers estimate that over half of all web applications have at least one OWASP Top 10 vulnerability. This is where Zero Trust can give organisations an edge against the arsenal of tools malicious actors have at their disposal.

How Zero Trust Principles can Protect Against Web Application Vulnerabilities

Zero Trust as a principle offers enhanced protection against web application vulnerabilities by shifting the domains of access and control to a per-user, per-resource implementation. That means access and visibility for a given asset migrate from a traditional perimetered digital moat, where all resources are accessible by default, to a micro-segmented infrastructure. This principle helps organisations protect resources and users from each other, making them independent. In the event one application, resource, or web server is compromised, the compromise is contained to that resource.

How Does Agilicus AnyX Protect Against the OWASP Top 10 with a Zero Trust Architecture

Agilicus AnyX is a culmination of cybersecurity standards that together deliver defence in depth, helping organisations adopt a Zero Trust Architecture that delivers a robust network security framework and access strategy. A well implemented Zero Trust Architecture can effectively protect organisations, their users, and most valuable assets from the OWASP Top 10 Web Application Vulnerabilities.

Agilicus AnyX is designed to eliminate an attacker’s visibility into the potential OWASP Top 10 web application vulnerabilities that could exist in a given application as resources are completely hidden from non-authenticated users. This is achieved with the patented Identity Aware Web Application Firewall which acts as a proxy server (reverse proxy) and protects web applications and resources by only allowing access on the basis of authenticated (verified) identity. 

Organisations can also use this component of the Agilicus AnyX platform to enhance security on the client side by rewriting server response headers or enforcing TLS (Transport Layer Security, the successor to SSL) on all traffic. As a result, the Identity Aware Web Application Firewall ensures all traffic is encrypted and users are able to access designated resources from anywhere without those resources being reachable from the public internet.
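
The decision such an identity-aware reverse proxy has to make on every request, as an added worked example. This is illustrative Python, not the Agilicus implementation; it also covers the role-based access control (read/write/admin), audit trail and multi-factor checks listed further down this page. To run offline it verifies an HS256-signed JWT with a shared key, whereas a real gateway validates tokens against the identity provider's published keys; the key, the policy table, the user names and the admin-only path prefix are all assumptions made for the example.

```python
"""The decision an identity-aware reverse proxy makes on every request:
verify the caller's identity token, look up the role that identity holds
for the requested resource, check the HTTP method against that role, and
write an audit record whatever the outcome.

Added example, not the Agilicus implementation. To run offline it verifies
an HS256-signed JWT with a shared key; a real gateway validates tokens
against the identity provider's published keys. The policy table, the key,
the user names and the admin-only path prefix are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: shared with the token issuer

# Role -> HTTP methods it permits (the read/write/admin tiers named on the page).
ROLE_METHODS = {
    "read":  {"GET", "HEAD", "OPTIONS"},
    "write": {"GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE"},
    "admin": {"GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE"},
}
ADMIN_ONLY_PREFIXES = ("/admin/",)  # assumption: paths only the admin role may touch

# user -> resource -> role. Constructed policy table; in practice this comes
# from the administrator portal's user/resource pairings.
POLICY = {
    "alice@example.com": {"erp": "write", "hr-portal": "read"},
    "bob@example.com":   {"erp": "read"},
}

AUDIT_LOG = []  # one record per request, allow or deny


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict) -> str:
    """Mint an HS256 JWT (stands in for the identity provider here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuses alg=none and algorithm confusion
        return None
    expected = hmac.new(ISSUER_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def authorize(token: str, resource: str, method: str, path: str = "/",
              now: Optional[float] = None) -> bool:
    """Policy decision for one proxied request; appends to AUDIT_LOG either way."""
    claims = verify_token(token, now)
    record = {"ts": time.time() if now is None else now,
              "user": claims.get("sub") if claims else None,
              "resource": resource, "method": method, "path": path}
    if claims is None:
        record["result"] = "deny:unauthenticated"
    elif "mfa" not in claims.get("amr", []):  # amr: RFC 8176 authentication methods
        record["result"] = "deny:mfa-required"
    else:
        role = POLICY.get(claims["sub"], {}).get(resource)
        if role is None:
            record["result"] = "deny:no-role-for-resource"
        elif method not in ROLE_METHODS[role]:
            record["result"] = "deny:method-not-permitted"
        elif path.startswith(ADMIN_ONLY_PREFIXES) and role != "admin":
            record["result"] = "deny:admin-only-path"
        else:
            record["result"] = "allow"
    AUDIT_LOG.append(record)
    return record["result"] == "allow"
```

Note the ordering: the token is verified before the policy table is consulted, so an unauthenticated caller learns nothing about which resources exist, and every outcome, including denials, lands in the audit log with the identity, resource, method and reason.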

The Agilicus AnyX platform features that specifically protect against the OWASP Top 10 web application vulnerabilities and deliver a Zero Trust Architecture platform include:

Role-Based Access Controls – Centralise the management of users and their roles to enact strict least privilege access through fine-grained authorisation. Prevent (1) Broken Access Control, (2) Cryptographic Failures, and (7) Identification and Authentication Failures.

Detailed Audit Trails – All users, connections and actions are audited. No more (9) Security Logging and Monitoring Failures that leave you unsure of who did what, and for how long.

Identity Aware Web Application Firewall – Blocks malicious and unauthenticated traffic before it reaches the application, while protecting against (3) Injection, (4) Insecure Design, (5) Security Misconfiguration, (6) Vulnerable and Outdated Components, (8) Software and Data Integrity Failures, and (10) Server-Side Request Forgery.

Multi-Factor Authentication – Second factor authentication requirements are built right into the login flow helping to address (7) Identification and Authentication Failures.

We recently held a webinar on this topic with Agilicus CEO and cybersecurity expert Don Bowman. Watch the recording for a detailed look at how your organisation can adopt a defence in depth strategy through Zero Trust to protect against the OWASP Top 10.

How Does Zero Trust Stand Up Against Other Attack Vectors

Defending against OWASP threats is a good start, but there is still a laundry list of attack vectors that organisations face today. Zero Trust is much more than simply enforcing multi-factor authentication on your users. It is a set of security principles that together work by leveraging an individual’s unique identity to introduce an authentication and authorisation workflow for access to a designated resource. 

By adopting a Zero Trust Architecture, organisations can take a proactive approach to security by default and effectively protect critical resources from threats.

What is Lateral Network Traversal 

Lateral network traversal, or lateral movement within a network, occurs when a malicious actor who has gained a foothold on the network (for example through a compromised VPN account or an over-broad VPN connection) moves deeper into the environment in search of sensitive information, trade secrets and high-value assets, or to stage a ransomware attack.

How Zero Trust Prevents Lateral Network Traversal

A key principle of Zero Trust is segmentation of users, resources, and the network(s). In the event of a breach, Agilicus AnyX limits the attack surface by isolating organisation resources and users from each other through enforced user-to-resource pairings. Without interfering with or encumbering the end user, organisation resources are seamlessly segmented, with explicit control over permissions and privileges and a precise record of user activity in detailed audit trails. Sensitive information and data can only be accessed by designated users, and ransomware can be blocked from spreading. With a proper implementation of Zero Trust there is no shared network to move east-west within, unlike a traditional perimeter-based solution such as a VPN.

What is the Cyber Risk of Shared or Compromised Credentials

A compromised credential attack occurs when a malicious actor has guessed a password, intercepted it, retrieved it from a database, or mounts a successful brute-force or credential stuffing attack allowing them to gain access to your systems and resources. Many users tend to recycle passwords and share account credentials, increasing the likelihood of those details ending up in a database somewhere on the dark web. 

How to Protect Against Compromised Credentials

Under a Zero Trust framework, any attempt to connect to a resource is treated as a potential breach until the end user proves otherwise. To ensure a seamless workflow that offers protection against compromised credentials, Agilicus AnyX provides a single authentication flow by federating identity across otherwise separate identity domains. Users and organisations only need to maintain a single set of credentials instead of an account per resource, with multi-factor authentication required for access. This login flow and layer of identity verification offers enhanced protection against compromised credentials. Every user or user group has assigned privileges and permissions that determine what resources they have access to, and what they can do with that access (read, write, admin).

What is an Insider Threat, Rogue Employees, and Employee Vulnerability

Similar to the issue of compromised credentials, employees can present security risks and attack vectors to your organisation. Generally they fall victim to social engineering, or are themselves compromised, but sometimes employees can go rogue and act maliciously against their employer. This attack vector is closely tied to compromised credentials and an over exposure to organisation resources.  

Protect Against Rogue Employees with Precise Authorisation

With centralised authorisation management, multi-factor authentication, and detailed auditing, Agilicus AnyX empowers organisations with fine-grained control and visibility of who is accessing their resources, what they are doing with that access, and when. By design, Agilicus AnyX enacts strict least privilege access and introduces granular user and resource segmentation. In the event that an employee goes rogue, Agilicus AnyX delivers complete visibility, so you can stop guessing and determine exactly what changes were made to which assets and when. On top of that, fine-grained authorisation controls act as guardrails for users and limit the blast radius in the event of employee compromise. Administrators and operators can easily restrict privileges or remove access, all through an easy to use web-based portal.

What is a Man in the Middle Attack

A Man in the Middle Attack (MitM) is when a malicious actor positions themselves between a user and an application, oftentimes to spy on or intercept communications. A successful MitM could even let a threat actor pretend to be the end user or the application with the goal of stealing credentials, personal information, and even financial data such as credit card numbers.

How to Protect Against Man in the Middle Attacks

A hacker trying to wedge themselves into the traffic will have a hard time both intercepting and following traffic with a Zero Trust Architecture deployment with Agilicus AnyX. Agilicus AnyX ensures all data in transit is always end-to-end encrypted with TLS (Transport Layer Security). With the Identity Aware Web Application Firewall, two outbound only connections (one from the user, one from the resource) meet in the middle, preventing a malicious actor from being able to follow traffic, or emulate the parties involved to trick their way into the network. With Agilicus AnyX, resources are essentially taken off the public internet while all activity is auditable. As a result, traffic cannot easily be followed, stopping attackers in their tracks.

What is a Distributed Denial of Service (DDoS) Attack

A distributed denial-of-service (DDoS) attack is executed when a single target is attacked by multiple machines, or a botnet to flood a network with more traffic than it can handle. A successful DDoS attack will prevent legitimate users from being able to gain access by exhausting system resources, ultimately crashing the target server or the network equipment serving it. This type of attack could be used as a diversion, can lead to a loss in revenue, or even result in tangible safety risks.


How Zero Trust Mitigates DDoS Attacks

Under a Zero Trust model, no network location is trusted by default; traffic from outside the platform is treated as potentially hostile until the user has been authenticated and authorised. A Zero Trust Architecture through Agilicus AnyX helps mitigate Distributed Denial of Service (DDoS) attacks by placing resources behind the Agilicus cloud edge. Agilicus AnyX keeps vital network resources off the public internet (no public IP address, so there is nothing for a botnet to flood directly) without limiting accessibility to authorised users. The platform uses an agent connector to create an outbound-only connection for a given resource and likewise for the authenticated user, allowing them to meet in the middle. The practical consequence is that volumetric traffic is absorbed at the edge rather than at your own internet link, so it is the edge's capacity, not your firewall's, that is being tested.
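To make the outbound-only pattern concrete, here is a small added illustration in Python; it is not Agilicus code and does not reflect their wire protocol. The relay stands in for the cloud edge, the agent for the connector, and the resource for an on-premise application; all three run on loopback, and the addresses, ports and request bytes are constructed for the demo. The point to notice is which side calls connect(): the resource listens on loopback only, the agent and the user both dial out, and the relay never opens a connection toward the resource network.

```python
import socket
import threading

# Constructed demo of "two outbound-only connections meet in the middle".
# Three parties: the protected resource, the agent connector beside it, and the
# relay (stand-in for the cloud edge). Only the relay has ports the user can reach;
# the resource listens on loopback alone and is reached solely over the agent's
# OUTBOUND connection to the relay. Not Agilicus code.

LOOPBACK = "127.0.0.1"


def _listen() -> socket.socket:
    """Bind an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOPBACK, 0))
    s.listen(1)
    return s


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src half-closes, then half-close dst."""
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone


def _splice(a: socket.socket, b: socket.socket) -> None:
    """Bidirectional copy between two sockets; returns when both directions are drained."""
    t = threading.Thread(target=_pump, args=(a, b))
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


def _read_all(conn: socket.socket) -> bytes:
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return data
        data += chunk


def resource_server(listener: socket.socket) -> None:
    """The protected application: reads one request, replies with it upper-cased.
    It accepts connections on loopback only, i.e. from the agent on the same host."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(_read_all(conn).upper())
        conn.shutdown(socket.SHUT_WR)


def agent(relay_agent_addr, resource_addr) -> None:
    """Connector deployed next to the resource. It dials OUT to the relay (no inbound
    firewall rule, no public IP on the resource side) and bridges that tunnel to the
    local resource."""
    uplink = socket.create_connection(relay_agent_addr)
    local = socket.create_connection(resource_addr)
    _splice(uplink, local)


def relay(agent_listener: socket.socket, client_listener: socket.socket) -> None:
    """The edge: accepts one outbound connection from the agent and one from the user
    and splices them. It never initiates a connection toward the resource network.
    A real edge authenticates and authorises the user before splicing anything."""
    agent_conn, _ = agent_listener.accept()
    client_conn, _ = client_listener.accept()
    _splice(client_conn, agent_conn)


def run_demo(request: bytes) -> bytes:
    """Wire the three parties together on loopback and push one request through."""
    socket.setdefaulttimeout(5)  # never let the demo hang
    resource_l, agent_l, client_l = _listen(), _listen(), _listen()
    threads = [
        threading.Thread(target=resource_server, args=(resource_l,), daemon=True),
        threading.Thread(target=relay, args=(agent_l, client_l), daemon=True),
        threading.Thread(target=agent, args=(agent_l.getsockname(), resource_l.getsockname()), daemon=True),
    ]
    for t in threads:
        t.start()
    # The user's side also only dials OUT, to the relay's client-facing port.
    with socket.create_connection(client_l.getsockname()) as c:
        c.sendall(request)
        c.shutdown(socket.SHUT_WR)
        reply = _read_all(c)
    for t in threads:
        t.join()
    for l in (resource_l, agent_l, client_l):
        l.close()
    return reply


if __name__ == "__main__":
    print(run_demo(b"hello from the field"))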

How Does Zero Trust Through Agilicus Work

The Agilicus AnyX platform is designed to balance enhanced security with a frictionless end user experience. Employees benefit from simple, secure access and an invisible IT security experience. Likewise administrators and operators are able to unify authentication and leverage precise authorisation with granular control of privileges and permissions all through a single pane of glass.

With Agilicus AnyX organisations can enact strict, least privilege access for their employees with the ability to centrally manage users and resources. Administrators can give users access to the applications they need and monitor and manage all activity through detailed audit logs. Behind the scenes all users and resources are segmented from each other and hidden from the public internet, preventing an intruder from moving east-west (laterally) within a network. Without the ability to hop across resources, organisations benefit from a matured cyber posture and can very effectively limit the blast radius of any breach.

Deploying the Agilicus AnyX to Adopt Zero Trust

Agilicus AnyX is designed to ensure adopting advanced security is both easy and economical. Organisations can incrementally deploy the platform and scale adoption of Zero Trust at their own pace without requiring a VPN, appliance, or client. This incremental deployment approach means organisations can take realistic steps to mature their cyber posture within their means and overcome budget, time, and capability constraints, instead of it being an all or nothing project.

User onboarding through Agilicus AnyX is made simple with federated identity and single sign-on. Federated identity reuses each user's existing identity (Azure AD, Office 365, Google, etc.) to assign access privileges. Any user, even one from a non-company domain, can be given access without being issued yet another account or username and password. Agilicus does not store credentials; it relies on the identity token issued by the identity provider at single sign-on to establish who the user is and which privileges apply. Multi-factor authentication requirements are easily enforced to verify a user's identity, requiring not just something the user knows (account credentials) but something they have (e.g. a registered device or a one-time password generator).

Through a single, web-based portal, administrators are empowered with precise authorisation controls and the ability to pair users and resources. Centralised authorisation management and role-based access controls ensure granular control over user permissions and privileges. Combined with detailed auditing, Agilicus AnyX delivers control and visibility of users and resources, their privileges, and what they are doing with that access. 


Boost security organisation-wide and protect your most valuable assets from cyber attacks by taking your most important resources off the public internet.


Reduce administrative overhead and help your IT or technical teams focus on high impact projects, with less time spent on administrative tasks.


Provide a safer way to collaborate across teams, departments, and external organisations with secure access to shared resources.


Reduce cyber risk without restricting efficiency or adding friction to your employee workflows.


End users are digitally enabled through simple, secure access with a frictionless experience with no changes to login workflows.


Organisations benefit from precise control of user and resource permissions with detailed audit trails to perform enhanced security analysis.

There seems to be an endless list of cyber threats that organisations have to face. From the OWASP Top 10 onward, finding the right protection can be hard. Agilicus AnyX delivers a Zero Trust Architecture that shields your traffic from the public internet with precise control of permissions and privileges. Adopting a Zero Trust Architecture approach could offer your business the best line of defence against cyber threats.

A secure replacement to legacy perimeter-based network access, Agilicus AnyX provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges. Your authorised users can get secure, frictionless access to applications, desktops, shares, and other corporate resources and services.


Digitally Enabling Workers with Secure Access to Web Applications through Zero Trust

One of Canada’s smartest cities is using the Agilicus AnyX platform to digitally enable mobile workers with secure access to web applications through a Zero Trust framework. Our customer provisioned a series of web applications to digitise analog processes, achieve compliance requirements, and deliver secure access for its diverse workforce, but faced a number of security and deployment challenges.

Read the case study and learn how Agilicus AnyX has been used to onboard over 1000 users and deliver frictionless secure access to custom web applications without the need for a VPN, new users names, passwords, or active directory licences.


Enabling the Modern Workforce with Secure Access to Web Applications through Zero Trust

Summary

Situated outside of the Greater Toronto Area, our customer is recognised as one of Canada’s smartest cities and is home to many leading technology companies and universities. With a shared mandate of workplace health and safety, leadership, compliance, and fiscal responsibility, our customer is dedicated to ensuring service excellence for its citizens and employees. Our customer’s IT organisation provides technology support to the team of elected officials, staff, and volunteers to help achieve these mandates and deliver municipal services. 

In order to deliver on these mandates, our customer commissioned several productivity and compliance applications from a third party, but faced considerable challenges in securely deploying them to the workforce.


Application deployment challenges

  • Firewall could not handle inbound traffic as reverse proxy for multiple sites/apps
  • Needed to keep app data in existing on-site system
  • Wanted to get app in hand of users without new logins to existing system, new passwords, or active directory licences 
  • Users needed to be able to access the applications from anywhere, without a VPN

Leveraging Web Applications to Digitally Enable Mobile Workers and Improve Productivity

Our customer commissioned three business applications from a third party to improve productivity and help meet compliance requirements by digitally enabling end-user employees, contractors, and other personnel who are mobile and have no fixed workspace or location. These applications were critical for the organisation to digitise analog processes, streamline record keeping, manage costs, empower mobile users, improve productivity, and achieve various compliance requirements such as hours of service for commercial vehicle operators.

In order to achieve this objective, the IT organisation at our customer had to overcome several key implementation roadblocks and end-user challenges:


Deployment

The existing firewall was not capable of handling inbound traffic as a reverse proxy for multiple sites and applications.


Data Custody

Requirement to keep data and application hosting on-site at the town hall.


User Security

There could be no new passwords, usernames, or active directory licences involved in the application deployment to avoid costs and weak credentials.


End-User Challenges

Nomadic, mobile, and deskless workforces without a fixed location where work is conducted needed to be able to connect without a company issued device or a VPN.

End-User Challenges

Many staff at the city are part of a mobile workforce that does not require a company issued device or they do not have tasks that require regular access to computers. However, the ability to leverage technology and productivity applications would significantly streamline the administrative duties that they must comply with.

Commercial Vehicle Operators

These users are off-premise and mobile. They do not have or require corporate issued devices to perform their duties and some may work as part-time contractors for the city. All commercial vehicle operators must log their driving hours for compliance with the Ministry of Transportation of Ontario. Our customer developed an application that would modernise this record keeping and better ensure compliance without burdening the end user operator.

Seasonal Workers

Seasonal workers such as the lifeguards, park workers, and city maintenance personnel for our customer are required to complete online safety training. This compliance requirement is in place to help create a safe environment for staff and citizens. It is impractical to issue corporate devices or active directory licences to seasonal workers.

Volunteers and Extended Teams

The workforce for our customer comprises part-time employees, contractors, and volunteers in addition to the full-time staff. Technology solutions allow organisation resources to be digitised, preserve the privacy of city personnel, and help the volunteers and extended team members be more effective in their roles. The volunteers and extended team members do not require active directory licences or company issued devices to support the city.

Taking a digital first approach was only natural for our customer, but getting their users onboarded to the various productivity web applications was met with several implementation and cybersecurity roadblocks.

Implementation Roadblocks

Stakeholders from the IT and Business Applications teams would be involved in the deployment process, each with their own unique requirements. In working with the IT organisation at the city there were several unique needs that were quickly identified, which had to date prevented the organisation from adopting web applications for productivity:  

  1. “We think to keep our data we must host it. But, that means our firewall needs to handle multiple unique systems behind it by host name, which is a type of reverse proxy. It doesn’t handle that, our team doesn’t know how to make that happen, so we are blocked.”
  2. “We don’t want/won’t allow new usernames or passwords, they get written down.”
  3. “We must hold our data.”

While the applications created by the third party were built to spec and capable of driving new efficiency and productivity for the city, there were a number of implementation roadblocks that had to be overcome in order for deployment to the end users.


Data Custody

Like all municipalities, our customer must adhere to the Municipal Freedom of Information and Protection of Privacy Act and retain data to meet regulatory obligations. As a result, the city has chosen to be the custodian of its own data which also aligns with the internal backup strategy, need for data integrity, and self management of enterprise applications.

User Security

People already maintain an enormous number of usernames and passwords. Asking end users to manage yet another set of credentials was viewed as both a burden and a cyber risk: weak and shared credentials would leave private applications open to brute-force and credential-stuffing attacks, while enforcing strict password policies tends to push users toward predictable patterns, written-down credentials, or insecure storage.


User Management

The ability to manage user access and privileges was important to the IT team. Unfortunately adding licences to the active directory would be both expensive and impractical due to the transitory nature of some of the users (e.g, seasonal workers, volunteers, etc.). Considering a significant portion of the end-users would be seasonal, volunteer, or in the field, it also didn’t make sense to issue licences that came with business applications such as document editors. However, the team still needed the ability to add or remove users and manage their access privileges without adding new active directory licences.


Digital Workforce Enablement through a Zero Trust Architecture

Technology plays a pivotal role in the strategy and execution of municipal services at the city. The ability to extend secure access to remote and mobile workforces would only benefit the city in its mission to deliver service excellence for the citizens while fostering a safe work environment. 

The Agilicus AnyX platform offers a Zero Trust Network Access solution that quickly and easily allowed our customer to onboard users, retain custody of their data, and deliver end to end security, all without the need for new usernames, passwords, or active directory licences. 

By using the Agilicus AnyX platform, our customer would be able to scale adoption of its business and productivity applications, getting them into the hands of their remote and mobile end users.


What is Agilicus AnyX

AnyX removes the complexity of extending secure access to web applications for authorised employees and non-employees. The platform puts organisations in full control with role-based access controls and granular auditing logs. 

Users can easily self-onboard as the platform federates identity and enables single sign-on. Organisations can maintain their native active directory and preferred identity providers of their partner organisations.

The AnyX platform ensures any user can securely connect to any application, resource, or desktop from any device while bolstering defences with a modern approach to cybersecurity.

No VPN – No Hardware – No Client

Data Custody

To ensure our customer could be the custodian of its data and be in control of their own fate, Agilicus introduced a hybrid cloud architecture through a three-tier approach to hosting the applications.

The web application runs in the web browser, while a database hosted on site at our customer serves as the ultimate data repository. A web server sits in the middle and acts as an API (application programming interface), connecting the end user's application with the hosted database.

These connections are each secured through Agilicus' identity-aware web application firewall. One instance sits between the end user and the web server; another sits between the web server and the database backend, which is what lets the city self-host the database. In this hybrid model the backend data stays on premise, and a workload firewall using mutual TLS and SPIFFE identities ensures that only the specified application can reach only the specified resources in the database: each side of the API-to-database connection presents a certificate, the peer's certificate is verified, and the workload identity carried in it is checked against policy before any query is passed through.
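As an added illustration of the policy decision such a workload firewall makes (example code, not Agilicus' implementation), the Python below takes the URI SANs from a client certificate that the mutual-TLS handshake has already verified, extracts the SPIFFE ID, validates it against the SPIFFE ID grammar, and checks it against a per-workload allow-list. The trust domain town.example, the workload names, the resource names and the policy table are all constructed for the demo.

```python
import re

# Added illustration of the authorisation step behind a mutual-TLS / SPIFFE workload
# firewall, run after the TLS stack has already validated the peer certificate chain.
# Not Agilicus code. Trust domain, workload names, resources and POLICY are constructed.

TRUST_DOMAIN = "town.example"  # assumed: the municipality's own SPIFFE trust domain

# Which workload identity may reach which database resource. Anything absent is denied.
POLICY = {
    "spiffe://town.example/app/api-server": {"db/hours-of-service", "db/safety-training"},
    "spiffe://town.example/ops/backup-runner": {"db/hours-of-service"},
}

# SPIFFE ID grammar: lowercase trust domain of [a-z0-9._-], then one or more non-empty
# path segments of [A-Za-z0-9._-]; no userinfo, port, query or fragment. A bare
# trust domain is a valid SPIFFE ID but not a workload identity, so at least one
# path segment is required here.
_SPIFFE_RE = re.compile(r"^spiffe://([a-z0-9._-]+)((?:/[A-Za-z0-9._-]+)+)$")


def parse_spiffe_id(uri: str):
    """Return (trust_domain, path) or raise ValueError."""
    m = _SPIFFE_RE.match(uri)
    if not m:
        raise ValueError(f"not a valid SPIFFE ID: {uri!r}")
    trust_domain, path = m.group(1), m.group(2)
    # '.' and '..' segments are forbidden so an ID cannot be made to alias another one.
    if any(seg in (".", "..") for seg in path.split("/")[1:]):
        raise ValueError(f"relative path segment in SPIFFE ID: {uri!r}")
    return trust_domain, path


def spiffe_id_from_cert_sans(uri_sans) -> str:
    """An SVID carries exactly one spiffe:// URI SAN; any other count is not a workload."""
    spiffe = [u for u in uri_sans if u.lower().startswith("spiffe://")]
    if len(spiffe) != 1:
        raise ValueError(f"expected exactly one spiffe:// URI SAN, got {len(spiffe)}")
    parse_spiffe_id(spiffe[0])  # reject malformed IDs before they are used as a key
    return spiffe[0]


def authorise_workload(uri_sans, resource: str) -> str:
    """Return 'allow' or 'deny: <reason>'. Default is deny."""
    try:
        sid = spiffe_id_from_cert_sans(uri_sans)
    except ValueError as exc:
        return f"deny: {exc}"
    trust_domain, _ = parse_spiffe_id(sid)
    if trust_domain != TRUST_DOMAIN:
        # A certificate that chains correctly but belongs to another domain is still not ours.
        return f"deny: foreign trust domain {trust_domain}"
    if resource not in POLICY.get(sid, set()):
        return f"deny: {sid} is not permitted to reach {resource}"
    return "allow"


if __name__ == "__main__":
    # Constructed peer certificates, expressed as their URI SAN lists.
    print(authorise_workload(["spiffe://town.example/app/api-server"], "db/hours-of-service"))
    print(authorise_workload(["spiffe://town.example/app/api-server"], "db/payroll"))
    print(authorise_workload(["spiffe://contractor.example/app/api-server"], "db/hours-of-service"))
    print(authorise_workload([], "db/hours-of-service"))
```

The ordering is deliberate: the ID is syntactically validated before it is used as a lookup key, a certificate from another trust domain is refused even if it would otherwise chain correctly, and anything not explicitly listed in POLICY is denied.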

User Security

The AnyX platform easily federates identity so that organisations like our customer can quickly onboard users and link an electronic identity with a given user’s privileges to specific applications and resources. Our customer was able to extend secure, convenient access via single sign-on to its users without having to add active directory licences by enabling social login.

That means, when a seasonal worker, part-time hire, or volunteer joins the organisation, they simply provide a Gmail or other such ID to be given access. Every user that needed to onboard was able to do so without requiring a single new password or username. This is an integral function of the Agilicus AnyX platform: by design no usernames or passwords are stored.

In addition to Agilicus being able to federate identity, the AnyX platform provides administrators with the capability to enforce multi-factor authentication for any resource or application. Our customer’s users could easily be required to authenticate through a second factor to prove their identity and gain access to their business and productivity applications.
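Both the platform description earlier on this page (onboarding through federated identity and single sign-on, with no stored credentials) and the case above rest on one mechanism: the identity provider hands over a signed token, and the platform must verify that token before granting anything. The Python below is an added example of those checks, not Agilicus code. To run offline it assumes HS256 tokens signed with a shared secret; real providers such as Azure AD or Google sign with RS256 and publish their keys via a JWKS endpoint, so the signature step would verify against those keys instead. Issuer, audience, secret, subject and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Added example of verifying an identity provider's token before trusting it.
# Not Agilicus code. To stay offline it uses HS256 with a shared secret; production
# providers use RS256 with keys fetched from a JWKS endpoint. All values are constructed.

DEMO_SECRET = b"demo-shared-secret-do-not-reuse"   # stands in for the IdP's signing key
DEMO_ISSUER = "https://idp.example.com"            # constructed issuer URL
DEMO_AUDIENCE = "anyx-demo-app"                    # constructed client/audience identifier
DEMO_NOW = 1_700_000_000                           # fixed "now" so the demo is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the identity provider: emit an HS256-signed JWT for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now: int,
                 require_mfa: bool = True) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError with the reason.
    Pin the algorithm, check the signature, and only then believe any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_unb64url(h64))
        payload = json.loads(_unb64url(p64))
        signature = _unb64url(s64)
    except ValueError as exc:           # covers bad base64 and bad JSON
        raise ValueError("undecodable token") from exc
    if header.get("alg") != "HS256":    # the token must not choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")   # minted for some other application
    if now >= payload.get("exp", 0):
        raise ValueError("expired")
    if now < payload.get("nbf", 0):
        raise ValueError("not yet valid")
    if require_mfa and "mfa" not in payload.get("amr", []):
        raise ValueError("mfa not performed")  # amr values as in RFC 8176
    return payload


def identity_key(claims: dict) -> str:
    """Key for authorisation decisions: issuer plus subject, not the e-mail address."""
    return f"{claims['iss']}#{claims['sub']}"


def verdict(token: str) -> str:
    """'ok' or 'rejected: <reason>' for the demo issuer, audience and time."""
    try:
        verify_token(token, DEMO_SECRET, DEMO_ISSUER, DEMO_AUDIENCE, DEMO_NOW)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Mint one good token and several bad ones and report how each fares."""
    base = {"iss": DEMO_ISSUER, "sub": "108-constructed-subject", "aud": DEMO_AUDIENCE,
            "email": "seasonal.worker@gmail.example", "iat": DEMO_NOW,
            "exp": DEMO_NOW + 300, "amr": ["pwd", "mfa"]}
    good = mint_token(base, DEMO_SECRET)
    h64, p64, s64 = good.split(".")
    forged_payload = _b64url(json.dumps({**base, "sub": "admin"}).encode())
    tampered = f"{h64}.{forged_payload}.{s64}"           # claims edited, signature left as-is
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')
    alg_none = f"{none_header}.{p64}."                    # classic 'alg: none' forgery
    return {
        "good": verdict(good),
        "expired": verdict(mint_token({**base, "exp": DEMO_NOW - 1}, DEMO_SECRET)),
        "no_mfa": verdict(mint_token({**base, "amr": ["pwd"]}, DEMO_SECRET)),
        "other_app": verdict(mint_token({**base, "aud": "some-other-app"}, DEMO_SECRET)),
        "other_idp": verdict(mint_token({**base, "iss": "https://attacker.example"}, DEMO_SECRET)),
        "tampered": verdict(tampered),
        "alg_none": verdict(alg_none),
        "identity": identity_key(verify_token(good, DEMO_SECRET, DEMO_ISSUER, DEMO_AUDIENCE, DEMO_NOW)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

Two points worth keeping: the algorithm is pinned before the signature is checked, so a forged alg of none never reaches the comparison, and authorisation is keyed on issuer plus subject rather than on the e-mail address, because a social-login e-mail address can change hands while the subject identifier does not.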

User Management

By leveraging a user’s electronic identity to provide access, our customer is able to benefit from role-based access controls and fine-grained authorisation capabilities. The result is simplified user management, where administrators can easily add or remove end-users from any application, instantly.


Role Based Access Controls

Role-based access controls allow administrators to grant privileges to users so that they may access information and resources they need for their jobs while preventing them from accessing unrelated resources that they do not have permissions for.


Simplified User Management

Users can be added or removed from any application instantly (seasonal workers, part-time employees, contractors, or other job actions). 


Business Impact


1000+ Users

The city quickly scaled the adoption of web applications onboarding over 1000 users without requiring new usernames, passwords, or active directory licences.


10 Applications

The Zero Trust framework through Agilicus AnyX was so effective the IT organisation soon delivered secure access to 10 web applications across city workers.


$100K Savings Per Year

Our customer was able to find considerable cost savings of at least $100 per user, per year by not having to purchase additional active directory licences or adopt another identity provider.


Digitising Analog Process

Additionally, shifting analog record keeping to digital better equipped city team members for meeting compliance requirements.


User Privacy

Some use cases included phone lists and directories, which when delivered via web application through AnyX enhanced individual personal privacy and data security without limiting accessibility to authorised staff and volunteers.

Our customer was able to quickly scale adoption of web applications across the city and onboard over 1000 mobile users and enable secure access to the respective business and productivity applications. That has allowed the city to accomplish compliance requirements, streamline administrative tasks, and drive productivity by leveraging technology and web applications. Most significant was the ability to achieve those objectives without compromising on cybersecurity standards and without having to purchase and issue new active directory licences.

The value of getting these mobile workforces online quickly became apparent with demonstrable business impact. The various teams at the city were suddenly able to shift from analog and in person methods of performing specific job functions to entirely digital, 24/7 accessible resources available on any device. After the adoption of the initial run of applications, and thanks to the scalable nature of the Agilicus AnyX platform, our customer quickly went from three productivity applications to 10.

Agilicus AnyX allowed the IT team to introduce web applications across departments with use cases varying from administrative services (payroll, HR, training, inventory management, directories and phone lists) to more tactile use cases such as fire services and bylaw enforcement. In fact, the Agilicus AnyX platform became a marquee solution for the Bylaw Department within the city and allowed this organisation to retire legacy handheld devices in favour of modern smart devices. This significantly reduced the cost of delivering bylaw services for the city while adding increased flexibility for the bylaw officers.

Get in touch with our team to learn more about leveraging Zero Trust to adopt and deliver secure access to productivity applications and streamline the workforce.