Software defined perimeter

Secure application access for remote workers

Introduction

As the world becomes more digital and global, organizations are opening up their networks and internal applications to the outside world (e.g. employees, customers, business partners, 3rd party vendors, mobile, IoT) far more than in the past.

But while the number of external parties is ever growing and evolving, the common methods of providing them access have stayed the same – S/FTP access, VPN and SSL VPN access, reverse-proxy access, RDP, etc. They all share one flaw: they provide access before they authenticate, essentially exposing your services to both trusted and untrusted entities.

The Safe-T Solution

Secure application access evolved

Built on Safe-T’s Software Defined Perimeter technology and reverse-access patent, Safe-T Secure Application Access offers truly secure and transparent access for all entities to internal applications and data.

By deploying Safe-T’s Software Defined Perimeter architecture, organizations can design and deploy the On-Demand Perimeter, which creates access rules for authenticated users into applications and data in a fully automated and dynamic fashion.

How it works

The Safe-T Secure Application Access solution can be deployed in four main architectures:

Web Based On-premises Deployment

As can be seen in Figure 1 below, the Safe-T Secure Application Access solution is composed of three servers. The solution is deployed in multiple tiers within the organization and cloud:

  • Cloud tier – includes the Authentication Gateway, which is deployed on-premises or in a cloud location (Amazon, Azure, etc.)
  • DMZ tier – includes the Access Gateway
  • LAN tier – includes the Access Controller, which connects to the organization’s backend applications, storage and authentication services (IDP, IAM, etc.), and Safe-T Telepath UBA

IPSEC Based On-premises Deployment

As can be seen in Figure 2 below, the Safe-T Secure Application Access solution is composed of three servers. The solution is deployed in multiple tiers within the organization and cloud:

  • Cloud tier – includes the Authentication Gateway, which is deployed on-premises or in a cloud location (Amazon, Azure, etc.)
  • DMZ tier – includes the Access Gateway
  • LAN tier – includes the Access Controller, which connects to the organization’s backend applications, storage and authentication services (IDP, IAM, etc.), and Safe-T Telepath UBA

Secure Application Access – IPSEC Based On-premises Deployment

SDP Cloud Service

As can be seen in Figure 3 below, Safe-T Secure Application Access is delivered as a cloud service. In such a deployment, the solution is deployed in two tiers within the organization and Safe-T’s cloud:

  • Safe-T SDP Cloud tier – includes the Authentication Gateway and the Access Gateway
  • LAN tier – includes the Access Controller, which connects to the organization’s backend applications, storage and authentication services (IDP, IAM, etc.), and Safe-T Telepath UBA

Secure Application Access – Cloud Service

Amazon AWS Deployment

Safe-T Secure Application Access can be purchased via the Amazon AWS Marketplace and then deployed within the Amazon AWS cloud. The Safe-T Secure Application Access AWS Marketplace listing can be found here.

The Safe-T Secure Application Access solution is available on the AWS Marketplace in a “Bring Your Own License” (BYOL) model. The Amazon AWS BYOL license works as follows: AWS Marketplace does not charge customers for usage of the software, but customers must supply a license key to activate the product. This key is purchased outside of AWS Marketplace. The entitlement/licensing enforcement, as well as all pricing and billing, are handled by you.

As can be seen in Figure 4 below, the Safe-T Secure Application Access deployment is composed of three servers, deployed in multiple segments within the AWS VPC.

Secure Application Access Amazon AWS

Capabilities

Deploying Safe-T Secure Application Access provides the following capabilities:

  • Firewall stays in a deny-all state; no inbound ports need to be opened for access
  • Bi-directional traffic is handled on outbound connections from the LAN to the outside world
  • Support any TCP-based application or protocol – TCP, HTTP/S, SMTP, SFTP, APIs, RDP, WebDAV, SSH, SAP, etc.
  • Allow IPSEC client or client-less access to applications and data
  • Support human users, applications and IoT
  • Robust authentication options – 3rd party vendors (Microsoft AD, Microsoft Azure AD, Okta, DUO Security), protocols (SAML, RADIUS), built-in MFA
  • Integrated User Behavioral Analysis (UBA)
  • Perform SSL decryption in a secure zone
  • Provide only direct application/service access, blocking network access
  • Remove the need for VPN access
  • Hide DMZ components that could otherwise be compromised and used as a path into the network
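
The reverse-access flow behind the first three capabilities (deny-all firewall, outbound-only connections from the LAN, access only after authentication) and the On-Demand Perimeter rules from the section above, as an added Python illustration that is not Safe-T’s code: an Access Controller on the LAN side dials out to a DMZ gateway, an authentication gateway issues session tokens and holds a per-user application policy, and the gateway relays a client request over the controller’s tunnel only after that policy approves it. Hosts, ports, the user "alice", the applications and the password scheme are constructed for the demo; the Safe-T components share only their names with these stand-ins.

```python
# Added illustration of the reverse-access SDP pattern (not Safe-T's code). Users,
# applications and the credential scheme below are constructed for the demo.
import json
import secrets
import socket
import threading

def send_msg(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())

def recv_msg(sock_file):
    line = sock_file.readline()
    return json.loads(line) if line else None

class AuthenticationGateway:
    # Stand-in for the IdP/MFA step: session tokens plus the per-user application policy.
    def __init__(self, policy):
        self.policy = policy  # user -> set of permitted applications
        self.sessions = {}    # token -> user

    def login(self, user, password):
        if password != f"{user}-pw":  # constructed check; real deployments use AD/SAML/MFA
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def authorize(self, token, app):
        user = self.sessions.get(token)
        return user is not None and app in self.policy.get(user, set())

class AccessController:
    # LAN tier: opens NO listening port; connects outbound to the gateway and serves over that link.
    def __init__(self, gateway_tunnel_addr, backends):
        self.backends = backends  # app name -> handler(path) -> str
        self.served = 0           # requests that actually reached the LAN
        self.sock = socket.create_connection(gateway_tunnel_addr)  # outbound only
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        tunnel_file = self.sock.makefile("r")
        while (req := recv_msg(tunnel_file)) is not None:
            handler = self.backends.get(req["app"], lambda path: "no such application")
            self.served += 1
            send_msg(self.sock, {"body": handler(req["path"])})

class AccessGateway:
    # DMZ tier: accepts the controller's outbound tunnel and client connections; relays only approved requests.
    def __init__(self, authn):
        self.authn = authn
        self.tunnel_srv, self.client_srv = socket.socket(), socket.socket()
        for srv in (self.tunnel_srv, self.client_srv):
            srv.bind(("127.0.0.1", 0))  # ephemeral port; the tiers are sockets on localhost
            srv.listen()
        self.tunnel, self.tunnel_ready = None, threading.Event()
        self.lock = threading.Lock()  # one request in flight on the tunnel at a time
        for accept in (self._accept_tunnel, self._accept_clients):
            threading.Thread(target=accept, daemon=True).start()

    def _accept_tunnel(self):
        conn, _ = self.tunnel_srv.accept()
        self.tunnel = (conn, conn.makefile("r"))
        self.tunnel_ready.set()

    def _accept_clients(self):
        while True:
            conn, _ = self.client_srv.accept()
            threading.Thread(target=self._handle_client, args=(conn,), daemon=True).start()

    def _handle_client(self, conn):
        with conn:
            req = recv_msg(conn.makefile("r"))
            # Policy decision first: an unapproved request never touches the tunnel.
            if not self.authn.authorize(req.get("token"), req.get("app")):
                send_msg(conn, {"status": "denied"})
                return
            with self.lock:
                tunnel_sock, tunnel_file = self.tunnel
                send_msg(tunnel_sock, {"app": req["app"], "path": req["path"]})
                reply = recv_msg(tunnel_file)
            send_msg(conn, {"status": "ok", "body": reply["body"]})

def client_request(gateway_addr, token, app, path):
    # External user: talks only to the DMZ gateway, never to the LAN directly.
    with socket.create_connection(gateway_addr) as s:
        send_msg(s, {"token": token, "app": app, "path": path})
        return recv_msg(s.makefile("r"))

def run_demo():
    authn = AuthenticationGateway(policy={"alice": {"intranet"}})
    gateway = AccessGateway(authn)
    controller = AccessController(gateway.tunnel_srv.getsockname(),
                                  backends={"intranet": lambda path: f"intranet page {path}"})
    gateway.tunnel_ready.wait(timeout=5)
    client_addr = gateway.client_srv.getsockname()
    results = {"anonymous": client_request(client_addr, None, "intranet", "/home")}
    token = authn.login("alice", "alice-pw")
    results["alice_intranet"] = client_request(client_addr, token, "intranet", "/home")
    results["alice_hr"] = client_request(client_addr, token, "hr", "/payroll")  # not in policy
    results["requests_reaching_lan"] = controller.served  # only the approved request
    return results
```

Running run_demo() shows the anonymous request and the out-of-policy request both refused at the gateway, while the controller’s counter confirms that exactly one request crossed into the LAN. The controller never binds a port, which is what allows the LAN-side firewall to stay closed to inbound traffic; in a real deployment the tunnel would also be TLS-protected and authenticated in both directions, which this demo leaves out.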

Benefits

  • Access only after trustworthiness has been validated
  • Hide services from unauthorized users
  • Reduce attack surface by closing incoming firewall ports
  • Dynamically provide access to services
  • Customer firewall is constantly in deny-all state
  • Support all users and all applications, with seamless user experience
  • Protect and control data access and usage
  • Behavioral Analytics detects the presence of bots or authenticated malicious insiders
  • End-to-end monitoring of application access flow
