Tutorial: Seamless access to private resources, SaaS, and the Internet
Scenario
Rob is the CTO of AIStar, an AI startup based in Chicago. Some days, his team works from the office, but he also has remote teams from the San Francisco and Boston areas. In his office, he has located high-performance servers optimized for AI workloads. The application code is in repositories managed using BitBucket. He has provided his team with company-owned laptops. They use Microsoft services and Microsoft Entra Identity as an IDaaS provider. Aside from developers, other departments in the company primarily work from the office. He uses different vendors for IDS/IPS, cyber threat protection using deep packet inspection for internet security, and endpoint protection and management.
Rob wants an all-in-one solution that can be used seamlessly at the office and away using the same security policies without duplicating network security infrastructure.
He wants to achieve the following:
- Use the same security policies regardless of location. One solution should provide secure zero-trust access in the office and out.
- Provide access only to company-owned devices that are running the endpoint protection software.
- Provide access to devices located in the USA and only during business hours.
- The above two criteria should apply to all types of access: Internet, SaaS, and private resources.
- Provide access to the AI development environment in the office and Bitbucket only to developers.
- All internet traffic needs to be examined by the IDS/IPS and deep packet inspection security solution.
- Microsoft Entra ID should be used for SSO.
- Least privilege access rights should be granted for other on-prem applications and SaaS tools based on the department.
- Exceptions to department-based privileges should be made for specific users and devices.
- All data communications should be encrypted end-to-end from the device to an access point controlled by the company’s IT department.
Solution
Rob determines that cipherscale meets his business needs and plans to use cipherscale in the following manner:
- Isolate the application servers on the office network by only allowing them to communicate with the cipherscale gateways deployed on the office network. This prevents direct access from the office devices to the application servers. He plans to deploy two gateways at the office for redundancy.
- Deploy cipherscale gateways in a public cloud data center near San Francisco and Boston. The internet security stack (IDS/IPS, deep packet inspection, etc.) will be co-located in those locations with the gateways. These gateways, located closer to the remote employees, will improve their internet speeds.
- Configure cipherscale admission rules to check for user location, time of day, and device posture to meet the location, time, and device requirements. He plans to use a digital certificate to identify company-owned devices.
- Push the digital certificate and the cipherscale app to the company devices using the endpoint management system.
- Configure the office applications as cipherscale private resources connected to the two gateways in the office, and configure an internet access point and SaaS applications that use all the deployed gateways.
- Add the public IP addresses of the networks on which the gateways are deployed as the allowed IP ranges from which logins can be accepted for all approved SaaS tools like BitBucket. This setting isolates the SaaS apps from all other login attempts from the internet and only accepts and authenticates those coming from cipherscale gateways.
- Create cipherscale groups corresponding to the departments and use them in cipherscale access policies, granting them least-privilege access to the configured private apps and SaaS applications. Allow all groups to access the internet from the configured internet access points and associate the admission rules with all the access policies.
- Add specific access policies to grant or deny access to resources for particular users/devices as exceptions to the group policies, and order them before the group policies in priority.
- Use SAML to authenticate with Entra ID and map the department attribute values to the corresponding cipherscale groups.
Configuration
- Rob signs up for cipherscale, provides ‘aistar’ as the name for his cipherscale space, and starts using the administration portal for configuration.
- He creates Groups for all departments in his company. See adding groups.
- He disables Google and Microsoft OAuth for user authentication because they will not provide the user's department information. See changing user authentication.
- He configures SAML for user authentication with Microsoft Entra ID and enables it as the only user authentication method.
- He maps the values sent from Entra ID for the department to the cipherscale Groups. See SAML configuration.
- Next, Rob creates an Admission Rule named ‘aistar allowed’. See add admission rule.
  - He adds a Location Context rule that only allows users from the USA.
  - He adds a Time Constraint rule that only allows access during business hours.
  - He adds a Device Posture rule that checks that the device is running Windows OS, has a certificate whose common name matches aistar.com, and uses Avast antivirus.
- He adds a Private Resource for each service/application on the office network. While configuring the first one, he creates two gateways and an access policy. The Access Policy uses the Admission Rule named ‘aistar allowed’. See adding private resource, adding gateway, and adding access policy.
- Rob adds all internal resources to cipherscale and configures appropriate access policies.
- Next, Rob creates an Internet Access Point named ‘bos-sf-chicago-internet’ using the two gateways in the office and adds two more gateways, one deployed on a public cloud in the Boston area and one in the San Francisco area. He creates an internet access policy named ‘all have internet’, with the internet mode set to ‘Internet Access Point’, applicable to all groups. The ‘Internet Access Point’ to use is ‘bos-sf-chicago-internet’. The ‘all have internet’ access policy uses the ‘aistar allowed’ admission rule. See adding internet access point.
- Rob deploys the same third-party internet security stack in Boston and San Francisco that is in use at the office for internet security.
- He adds BitBucket as a SaaS application with the four gateways. He creates a new access policy ‘developer_only’ which only allows the Developer group access to it. The ‘aistar allowed’ admission rule continues to be used.
- On Bitbucket, from the Access controls page, he selects the ‘Restrict access to certain IP addresses’ option and enters the public IP addresses of the four gateways. These gateways use NAT to rewrite the source IP address of traffic going to BitBucket, so only traffic that has passed through a gateway matches the allowlist.
- Rob adds all the SaaS applications in use and adds the appropriate access policies.
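As an added illustration (not cipherscale's own code or API), the following Python models how the ‘aistar allowed’ admission rule and the ordered access policies above combine: the admission checks gate every request, and policies are then evaluated in priority order so that a per-user exception placed before a group policy wins. All class and function names are hypothetical, the business-hours window is an assumption, and the sample devices, exception policy and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
# Hypothetical model of the tutorial's admission rule and access policies; not cipherscale's API.
@dataclass(frozen=True)
class Device:
    user: str
    groups: frozenset          # cipherscale groups mapped from the Entra ID department attribute
    country: str               # location context, ISO country code
    os: str                    # device posture: operating system
    cert_cn: Optional[str]     # common name of the pushed device certificate, None if absent
    antivirus: Optional[str]   # device posture: endpoint protection product, None if absent

def admission_allowed(d: Device, now: datetime) -> bool:
    """The 'aistar allowed' rule: location, time constraint and device posture must all pass."""
    in_usa = d.country == "US"
    business_hours = now.weekday() < 5 and 9 <= now.hour < 17   # assumed Mon-Fri 09:00-17:00
    posture = d.os == "Windows" and d.cert_cn == "aistar.com" and d.antivirus == "Avast"
    return in_usa and business_hours and posture

@dataclass(frozen=True)
class Policy:
    name: str
    resource: str
    effect: str                            # "allow" or "deny"
    groups: frozenset = frozenset()        # empty: applies to every group
    users: frozenset = frozenset()         # empty: applies to every user

# Priority order: per-user exceptions first, then the group policies; the first match wins.
POLICIES = [
    Policy("eve-bitbucket-deny", "bitbucket", "deny", users=frozenset({"eve"})),  # constructed exception
    Policy("developer_only", "bitbucket", "allow", groups=frozenset({"Developer"})),
    Policy("all have internet", "internet", "allow"),
]

def decide(d: Device, resource: str, now: datetime) -> str:
    """Admission rule gates everything; then walk the ordered policies. No match means deny."""
    if not admission_allowed(d, now):
        return "deny"
    for p in POLICIES:
        if (p.resource != resource or (p.users and d.user not in p.users)
                or (p.groups and not (p.groups & d.groups))):
            continue
        return p.effect
    return "deny"

# Constructed sample timestamps: a Tuesday during and after business hours.
DURING_HOURS = datetime(2024, 3, 5, 10, 0)
AFTER_HOURS = datetime(2024, 3, 5, 20, 0)
```

A device that fails any posture check is denied everything, including internet access, before any policy is consulted, which is exactly why the admission rule is attached to every access policy in the tutorial.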
Employee experience while in the office
While in the office, the employees cannot access the office resources directly through the LAN because firewalls/VLANs have been used to allow access only from the two cipherscale gateways deployed on the office network. All employees have to use the cipherscale app and sign in using SSO.
Cipherscale permits only devices with the digital certificate, Windows OS, and other criteria as per the admission rule ‘aistar allowed’. Cipherscale load balances the employee's traffic to private resources, SaaS applications, and the internet using the two office cipherscale gateways.
Internet traffic gets examined by the third-party internet security solution located at the office, and SaaS tools allow access because the traffic is coming from one of the allowed IP address ranges.
Employee experience while outside the office
All employees have to use the cipherscale app and sign in using SSO. Cipherscale permits only devices with the digital certificate, Windows OS, and other criteria as per the admission rule ‘aistar allowed’. Cipherscale load balances the employee's traffic to private resources using the two office cipherscale gateways. For internet and SaaS apps, cipherscale will use whichever of the four gateways has the best estimated data throughput, load balancing across any other gateways whose estimated performance is equivalent.
Internet traffic is examined by the third-party internet security solution co-located with the cipherscale gateways, and SaaS tools allow access because the traffic comes from one of the allowed IP address ranges.
The employee's device will simultaneously conduct encrypted communications with multiple cipherscale gateways: the gateways at the office for private resource access and a gateway in Boston or San Francisco for SaaS and internet if the user’s location is closer to them.