Tutorial: Securing access to the internet with cipherscale
Scenario
Rob is the CISO of PremAlarm, a physical asset security company based in Chicago. PremAlarm installs and monitors commercial security solutions such as cameras, badge readers, and anti-burglary systems for businesses all over the USA.
Most of the employees are salespeople and security system installers who are always on the road. They use company-owned Windows tablet computers for their work. Rob wants to ensure that internet access from these devices is secure, given that they may connect through untrusted public Wi-Fi hotspots. In addition, he wants to use a self-hosted internet security solution that he is an expert on to monitor and protect the internet traffic from cyber threats.
He wants to achieve the following:
- Securely transport all the traffic from the Windows tablets, encrypted from the tablet all the way to the gateway location, to multiple locations where he plans to deploy the self-hosted internet security solution.
- Complete control over the number of locations, capacity, and performance of the solution used to transport the internet traffic.
- Provide access only to company-owned devices.
Solution
Rob determines that cipherscale meets his business needs and plans to use cipherscale in the following manner:
- Deploy cipherscale gateways in public cloud data centers near San Francisco, Chicago, and Boston. The internet security stack (IDS/IPS, deep packet inspection, etc.) will be co-located with the gateways in those locations. These gateway locations were chosen because they are the markets where PremAlarm does the most business.
- Configure cipherscale admission rules to check that the device possesses a specific digital certificate. He plans to use this digital certificate to identify company-owned devices.
Configuration
- Rob signs up for cipherscale, provides ‘premalarm’ as the name for his cipherscale space, and starts using the administration portal for configuration.
- Next, Rob creates an Admission Rule named ‘internet allowed’. See add admission rule. He adds a Device Posture rule that checks that the device is running Windows OS and has a certificate whose common name matches premalarm.com.
- He then creates and deploys two gateways in each of the public cloud data centers near San Francisco, Chicago, and Boston (six gateways in total) and co-locates the internet security solution there. See add gateway.
- Rob next creates an Internet Access Point, names it ‘bos-sf-chicago-internet’, and connects it to all six gateways.
- He creates an internet access policy named ‘all have internet’, with the internet mode set to ‘Internet Access Point’ and applicable to all groups. The Internet Access Point to use is ‘bos-sf-chicago-internet’. The ‘all have internet’ access policy uses the ‘internet allowed’ admission rule. See adding internet access point.
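Before rolling tablets out, an administrator will want to confirm that a device actually satisfies the two posture conditions the ‘internet allowed’ rule evaluates (Windows OS, and a certificate whose common name matches premalarm.com). The PowerShell script below is an added example for that local pre-check; it is not part of cipherscale's documentation or product. It assumes the device certificate is installed in the local machine personal store (Cert:\LocalMachine\My), that cipherscale's CN match is a case-insensitive exact match on the Subject CN (the page does not say how the match is performed), and it uses a hypothetical issuer name ‘CN=PremAlarm Device CA’ that must be replaced with the real company CA. The issuer and chain checks go beyond what the page describes: a CN-only match is satisfied by any certificate carrying that name, including one a user generated themselves, so verifying that the certificate chains to the company CA and has a usable private key is the check that actually ties the device to the company.

```powershell
# Added example: local pre-check of the posture the 'internet allowed' admission
# rule evaluates (Windows OS + certificate whose CN matches premalarm.com).
# Assumptions not stated on the page:
#  - the certificate lives in Cert:\LocalMachine\My
#  - the CN comparison is a case-insensitive exact match on the Subject CN
#  - $ExpectedIssuer is a hypothetical name; set it to your real device CA
$ExpectedCN     = 'premalarm.com'
$ExpectedIssuer = 'CN=PremAlarm Device CA'

$results = [ordered]@{}

# 1. OS check. $IsWindows exists on PowerShell 7+; Windows PowerShell 5.1 does not
#    define it, so fall back to the .NET platform value there.
$onWindows = if ($null -ne $IsWindows) { $IsWindows } else { [System.Environment]::OSVersion.Platform -eq 'Win32NT' }
$results['WindowsOS'] = $onWindows

# 2. Certificate check: every cert in the machine store whose Subject CN equals the expected value.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $cn = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $cn -ieq $ExpectedCN
})
$results['CertificatePresent'] = ($certs.Count -gt 0)

# 3. Stricter checks a CN-only match does not give you: the certificate must be
#    inside its validity period and have a private key the device can use.
$now = Get-Date
$usable = @($certs | Where-Object {
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.HasPrivateKey
})
$results['CertificateValidWithKey'] = ($usable.Count -gt 0)

# 4. It must also come from the company CA and build a valid chain against the
#    machine trust store, otherwise any self-issued cert with the right CN passes.
$fromCompanyCA = @($usable | Where-Object { $_.Issuer -eq $ExpectedIssuer -and $_.Verify() })
$results['CertificateChainsToCompanyCA'] = ($fromCompanyCA.Count -gt 0)

# Report each condition, then a single verdict.
foreach ($k in $results.Keys) { '{0,-30} {1}' -f $k, $results[$k] }
if ($results.Values -contains $false) {
    Write-Warning 'Device would not satisfy the internet allowed admission rule.'
    exit 1
}
'Device posture OK.'
```

Run it in an elevated PowerShell session on the tablet (reading the LocalMachine store may require administrator rights). A device that passes only the first two checks but fails the issuer check is one where the certificate was not issued by the company PKI, which is exactly the case the admission rule is meant to keep out.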
Employee experience
Employees use the cipherscale app on the device and sign in with their Microsoft account.
Cipherscale permits only devices that are running Windows and hold the digital certificate to access the internet, as required by the ‘internet allowed’ admission rule. Because the Internet Access Point ‘bos-sf-chicago-internet’ is connected to all six gateways, cipherscale routes each device's internet traffic through the gateway with the best estimated data throughput and load-balances among any other gateways whose estimated performance is equivalent.
Internet traffic is examined by the third-party internet security solution co-located with the cipherscale gateways.