Cipherscale is an AI-native Security Service Edge (SSE) platform that provides unified, secure access to private applications, the public internet, and SaaS environments. Delivered as a multi-tenant cloud service, Cipherscale authenticates identities, enforces granular Zero Trust policies, and orchestrates secure connections between endpoints and distributed Gateways.
Cipherscale utilizes a decoupled data and control plane to ensure maximum privacy and performance:
- The Control Plane (Cipherscale Service): Manages authentication, policy distribution, and tunnel orchestration. It never touches your raw data.
- The Data Plane (Cipherscale Gateways): Handles end-to-end encrypted (E2EE) traffic directly between the user device and the self-hosted Gateways. Gateways enforce access policies and forward traffic to the destination resource.
- The Cipherscale Space: A dedicated administrative tenant created upon signup to manage Users, Devices, Gateways, and Policies via the Administration Portal.
Cipherscale moves beyond manual configuration to an intent-based management model. The AI-native core allows administrators to use conversational prompts to troubleshoot, audit, and deploy resources.
Intent-Based Conversational Policy Creation
Instead of manually mapping IP ranges to user groups, administrators can define security intent in plain English.
- Example Prompt: "Allow the DevOps group access to Bitbucket only via company-managed laptops during EST business hours."
- Technical Execution: The AI engine parses this intent and automatically generates the corresponding Zero Trust Access (ZTA) policies, admission rules (Device Posture), and time-of-day constraints.
AI-Driven Deployment & Onboarding
- Guided Environment Setup: Minimize manual UI clicks with AI-guided workflows that learn your environment's needs and provision the Cipherscale Space.
- Automated Gateway Deployment: AI integrations with cloud providers (e.g., GCP) automate the deployment of Data Plane Gateways without requiring deep expertise.
Conversational Troubleshooting & Auditing
The conversational interface acts as a 24/7 security analyst, offering endless potential for operational efficiency:
- Root Cause Analysis (RCA): If a user is denied access, an admin can ask: "Why can't User A access the Production Database?" The AI instantly correlates access policies, admission rules, gateway reachability, and real-time logs to surface the specific failure point.
- Configuration Auditing and Recommendations: Ask the AI to audit configurations, request recommendations for least-privileged access, or identify security gaps across the entire network. Admins can query their configuration effectiveness and get recommendations, such as: "How can I improve my zero-trust setup?"
- Unlimited Potential: Admins can query the health of the network, users, activity, and much more using the power of AI.
Cipherscale in Comparison to Traditional SSE
Cipherscale implements Least Privilege Access by ensuring that devices receive routes only to authorized applications. The Gateway enforces policies using identity-based firewall rules, effectively eliminating lateral movement.
Identity & Access Management
- Native OIDC Support: Direct integration with Google and Microsoft identities.
- Federated SSO: Support for any SAML 2.0 compliant Identity Provider (IdP).
- Multi-Auth Support: Multiple authentication methods can be active simultaneously.
- User Provisioning: Invite users via email; SCIM support for automated lifecycle management is coming soon.
- Granular Access: Application access is governed by access policies based on the identity of the user, device, or user group. Access policies are linked to admission rules that are checked before making access decisions.
- Administration RBAC: Granular roles including Owner, Administrator, Auditor, and Billing.
Context-Aware Admission Rules
Access is governed by identity and continuous device posture checks, including:
- Device Identity: OS Type (Android, iOS, macOS, Windows) and OS Version.
- Security Posture: Presence of digital certificates, Disk Encryption status, and Antivirus software state.
- Application Environment: Detection of specific running applications or processes.
- Contextual Factors: Rules based on the device's geographic location and time of day.
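To make the relationship between access policies, admission rules, and time-of-day constraints concrete, the following added example models a default-deny decision for the prompt quoted earlier ("Allow the DevOps group access to Bitbucket only via company-managed laptops during EST business hours"). It is illustrative code written for this page, not Cipherscale's code, schema, or API; every class, field, and sample value (the resource name, the posture attributes, the fixed UTC-5 "EST" offset) is an assumption.

```python
"""Illustrative Zero Trust access decision: an access policy names a user
group and a resource, is linked to admission rules (device posture), and
may carry a time window. All checks must pass before access is granted.
Added example; not Cipherscale's code, schema or API."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed: "EST" as a fixed UTC-5 offset. A real deployment would use a
# DST-aware zone (e.g. America/New_York) so the window follows local clocks.
EST = timezone(timedelta(hours=-5), "EST")


@dataclass(frozen=True)
class DevicePosture:
    """Facts the client reports about the device (constructed schema)."""
    os_type: str                  # "Android", "iOS", "macOS", "Windows"
    os_version: Tuple[int, ...]
    managed: bool                 # holds the company device certificate
    disk_encrypted: bool
    antivirus_running: bool
    country: str


@dataclass(frozen=True)
class AdmissionRule:
    """Posture checks that must pass before the access policy is even considered."""
    name: str
    allowed_os: FrozenSet[str]
    min_os_version: Dict[str, Tuple[int, ...]]
    require_managed: bool = False
    require_disk_encryption: bool = False
    require_antivirus: bool = False
    allowed_countries: Optional[FrozenSet[str]] = None  # None means any country

    def failures(self, d: DevicePosture) -> List[str]:
        """Return every failed check, so a denial carries its full root cause."""
        failed = []
        if d.os_type not in self.allowed_os:
            failed.append(f"os {d.os_type} not allowed")
        elif d.os_version < self.min_os_version.get(d.os_type, ()):
            failed.append(f"{d.os_type} version {d.os_version} below minimum")
        if self.require_managed and not d.managed:
            failed.append("device not company-managed")
        if self.require_disk_encryption and not d.disk_encrypted:
            failed.append("disk not encrypted")
        if self.require_antivirus and not d.antivirus_running:
            failed.append("antivirus not running")
        if self.allowed_countries is not None and d.country not in self.allowed_countries:
            failed.append(f"location {d.country} not allowed")
        return failed


@dataclass(frozen=True)
class TimeWindow:
    tz: timezone
    start: time
    end: time
    weekdays: FrozenSet[int] = frozenset(range(5))  # Monday..Friday

    def contains(self, when: datetime) -> bool:
        local = when.astimezone(self.tz)
        return local.weekday() in self.weekdays and self.start <= local.time() < self.end


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    groups: FrozenSet[str]
    resource: str
    admission_rules: Tuple[AdmissionRule, ...]
    window: Optional[TimeWindow] = None


def decide(policies, user_groups: FrozenSet[str], resource: str,
           device: DevicePosture, now: datetime) -> Tuple[bool, List[str]]:
    """Default deny: grant only when a policy for the resource matches one of the
    user's groups, all linked admission rules pass, and the time is in the window."""
    reasons: List[str] = []
    for p in policies:
        if p.resource != resource:
            continue
        if not (p.groups & user_groups):
            reasons.append(f"{p.name}: user not in {sorted(p.groups)}")
            continue
        failed = [f for r in p.admission_rules for f in r.failures(device)]
        if failed:
            reasons.append(f"{p.name}: " + "; ".join(failed))
            continue
        if p.window is not None and not p.window.contains(now):
            reasons.append(f"{p.name}: outside permitted hours")
            continue
        return True, [f"granted by {p.name}"]
    return False, reasons or [f"no policy covers {resource}"]


# Constructed policy set expressing the page's example prompt.
COMPANY_LAPTOP = AdmissionRule(
    "company-managed-laptop", frozenset({"macOS", "Windows"}),
    {"macOS": (13, 0), "Windows": (10, 0)},
    require_managed=True, require_disk_encryption=True, require_antivirus=True)
EST_BUSINESS_HOURS = TimeWindow(EST, time(9, 0), time(17, 0))
POLICIES = (AccessPolicy("devops-bitbucket", frozenset({"DevOps"}),
                         "bitbucket.corp.example", (COMPANY_LAPTOP,), EST_BUSINESS_HOURS),)

# Constructed sample devices and request times (UTC; 15:00 UTC is 10:00 EST).
LAPTOP = DevicePosture("macOS", (14, 2), True, True, True, "US")
PERSONAL_PHONE = DevicePosture("Android", (14,), False, True, False, "US")
SAMPLE_TUESDAY = datetime(2024, 3, 12, 15, 0, tzinfo=timezone.utc)
SAMPLE_SATURDAY = datetime(2024, 3, 16, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for who, dev, when in (("DevOps", LAPTOP, SAMPLE_TUESDAY),
                           ("DevOps", PERSONAL_PHONE, SAMPLE_TUESDAY),
                           ("DevOps", LAPTOP, SAMPLE_SATURDAY),
                           ("Sales", LAPTOP, SAMPLE_TUESDAY)):
        print(who, dev.os_type, when.date(),
              decide(POLICIES, frozenset({who}), "bitbucket.corp.example", dev, when))
```

The evaluator returns every failed posture check rather than stopping at the first one, which is what an admin needs when asking "why can't this user reach that resource": the denial reason already names the group mismatch, the posture gaps, or the time window that blocked the request.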
Universal ZTNA (Seamless Secure Access)
Cipherscale can provide a single, unified security solution for both remote and on-premises access. The same on-premises gateways provide zero-trust access, enabling consistent policy enforcement regardless of the user's physical location. Unlike centralized cloud-delivered models that require traffic backhauling, Cipherscale utilizes distributed local gateways to handle both north-south and east-west traffic.
- Unified Policy Engine: A single set of identity and context-aware policies is applied to a user, whether they are connecting from a remote public network or a local corporate VLAN.
- Local Edge Processing: On-premises gateways always enforce policy. When a user is detected on-premises, the gateway facilitates direct access to protected resources.
- Hairpinning Mitigation: By processing requests locally, the architecture eliminates the latency overhead associated with "hairpinning" traffic to a regional Point of Presence (PoP). This ensures that on-premises traffic remains within the local network perimeter while still undergoing full ZTNA inspection.
All of the use cases below rely on self-hosted Gateways. Gateways act as software routers to securely broker access to internal resources within your private network, the internet, and specific SaaS destinations.
There are various options to deploy the Gateways:
- Conversational AI-driven Cloud Deployments (Fastest, Recommended): GCP (Google Cloud Platform) and Azure (Microsoft Azure)
- Manual scripts: Ubuntu and Docker
- Infrastructure-as-Code:
  - Terraform: GCP, Azure, AWS EC2, AWS ECS
  - CloudFormation: AWS EC2, AWS ECS
  - AWS CloudFormation Launch URL: Direct deployment in the AWS console
Private Application Access
- Protocol Support: Full support for all TCP and UDP applications.
- DNS & IP Support: Configure resources via domain names or IP addresses.
- Protocol Hardening: Restrict access to specific application protocols.
Internet Access Security (Secure Web Gateway)
- Access Control: Restrict internet access by User, Device, or Group.
- Deep Packet Inspection (Third-party): Force all traffic through Cipherscale Gateways to distributed locations housing your third-party internet security stack.
- Content Filtering: Blocking access to 43+ categories of malicious or undesirable content is coming soon.
- Threat Protection: Automated blocking of known malicious IP destinations is coming soon.
- Global Distribution: Deploy Gateways across multiple sites, IaaS, or VPS providers to distribute traffic based on the user's physical location and minimize latency.
Protected SaaS Access
- IP Pinning: Forces SaaS traffic through specific Cipherscale Gateways. By configuring your SaaS provider to only accept logins from Gateway IPs, you ensure all Zero Trust controls are applied.
- Compliance: Ensures that "off-network" SaaS access is eliminated.
- Least Privilege: Apply granular access policies to SaaS applications to minimize exposure.
| Feature | Description |
|---|---|
| Site-to-Site | Full-mesh topology coordinating direct tunnels between all deployed Gateways, avoiding single points of failure (coming soon). |
| High Availability | Supports Active-Active load balancing and Failover modes for mission-critical apps. |
| Dual Stack | Native support for both IPv4 and IPv6. |
| Carrier Grade NAT | Utilizes CGNAT IP ranges for internal operations to avoid address space conflicts. |
- Cipherscale Client: Lightweight agents for Android, iOS, macOS, and Windows with silent background updates. An Ubuntu client is coming soon.
- Monitoring: Detailed connection logs for users and devices.
- Alarming: Email alerts are sent for critical events.
- Auditability: Admin audit logs track all configuration changes.
- SIEM Integration: Streaming logs to external systems is coming soon.
- Automation: A full public API for programmatic configuration is coming soon.