
Tutorial: Zero trust access to private resources using cipherscale

Scenario

Rob is the CTO of AIStar, an AI startup based in Chicago. Some days, his team works from the office, but he also has remote teams in the San Francisco and Boston areas. His office hosts high-performance servers optimized for AI workloads, as well as common internal services such as file shares and other internal web applications. He has provided his team with company-owned laptops. They use Microsoft services, with Microsoft Entra ID as their IDaaS provider. Aside from developers, the other departments in the company primarily work from the office.

Rob wants an all-in-one ZTNA solution that works seamlessly both in the office and remotely, applying the same security policies without duplicating network security infrastructure. Such solutions are also known as Universal ZTNA.

He wants to achieve the following:

  1. Use the same security policies regardless of location. One solution should provide secure zero-trust access in the office and out.

  2. Provide access only to company-owned devices.

  3. Provide access to devices located in the USA and only during business hours.

  4. Provide access to the AI development environment in the office only to developers.

  5. Microsoft Entra ID should be used for SSO.

  6. Least privilege access rights should be granted for other on-prem applications.

  7. Exceptions to department-based privileges should be made for specific users and devices.

  8. All data communications should be encrypted end-to-end from the device to an access point under the control of the company’s IT department.

Solution

Rob determines that cipherscale meets his business needs and plans to use cipherscale in the following manner:

  • Isolate the application servers on the office network by only allowing them to communicate with the cipherscale gateways deployed on the office network. This prevents direct access from the office devices to the application servers. He plans to deploy two gateways at the office for redundancy.

  • Configure cipherscale admission rules to check for user location, time of day, and device posture to meet the location, time, and device requirements. He plans to use a digital certificate to identify company-owned devices.

  • Push the digital certificate and the cipherscale app to the company devices using an endpoint management system.

  • Create cipherscale groups corresponding to the departments and use them in cipherscale access policies, providing them the least privileged access to the configured private apps.

  • Add specific access policies that grant or deny individual users or devices access to resources as exceptions to the group policies, and order them ahead of the group policies in priority.

  • Use SAML to authenticate with Entra ID and map the department attribute values to the corresponding cipherscale groups.

Configuration

  1. Rob signs up for cipherscale, provides ‘aistar’ as a name for his cipherscale space, and starts using the administration portal for configuration.

  2. He creates Groups for all departments in his company. See adding groups.

  3. He disables Google and Microsoft OAuth for user authentication because those methods do not provide the user's department information. See changing user authentication.

  4. He configures SAML for user authentication with Microsoft Entra ID and enables it to be the only user authentication method.

  5. He maps the values received from Entra ID for the department to the cipherscale Groups. See SAML configuration.

  6. Next, Rob creates an Admission Rule named aistar allowed. See add admission rule.

    1. He adds a Location Context rule that only allows users from the USA.

    2. He adds a Time Constraint rule that only allows access during business hours.

    3. He adds a Device Posture rule that checks that the device is running Windows OS and has a certificate whose common name matches aistar.com.

  7. He adds a Private Resource for each service/application on the office network. While configuring the first one, he creates two gateways and an access policy. The Access Policy uses the Admission Rule named aistar allowed. See adding private resource, adding gateway, and adding access policy.

  8. Rob adds all internal resources to cipherscale and configures appropriate access policies. For example, only the Developers group is allowed access to the AI development applications.
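As an added illustration (not cipherscale's own code or policy engine), the following Python models how the admission rule aistar allowed and the priority-ordered access policies from steps 6 to 8 combine: the admission rule gates every request, the per-user exception is ordered before the group policies, and anything unmatched is denied. The business hours (9 to 17, Monday to Friday), the user, group and resource names, and the country code are assumptions made for the example.

```python
# Illustrative model of the admission rule and priority-ordered access policies
# in this tutorial. Constructed for this example; not cipherscale's own code.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class Device:
    os: str
    cert_cn: Optional[str]  # CN of the pushed device certificate, if present
    country: str            # country code from the location context
@dataclass
class User:
    name: str
    groups: set             # cipherscale groups mapped from the Entra ID department
@dataclass
class Policy:
    priority: int           # lower number is evaluated first
    effect: str             # "allow" or "deny"
    resource: str
    groups: set = field(default_factory=set)  # empty means any group
    users: set = field(default_factory=set)   # empty means any user

def admission_ok(device: Device, when: datetime) -> bool:
    """Admission rule 'aistar allowed': USA, business hours, Windows, cert CN."""
    in_usa = device.country == "US"
    business_hours = when.weekday() < 5 and 9 <= when.hour < 17  # assumed 9-5 Mon-Fri
    return in_usa and business_hours and device.os == "Windows" and device.cert_cn == "aistar.com"

def decide(user: User, device: Device, resource: str, when: datetime, policies: list) -> str:
    """First matching policy in priority order wins; default is deny."""
    if not admission_ok(device, when):
        return "deny"
    for p in sorted(policies, key=lambda p: p.priority):
        if p.resource != resource:
            continue
        if p.users and user.name not in p.users:
            continue
        if p.groups and not (p.groups & user.groups):
            continue
        return p.effect
    return "deny"

# Constructed policy set: the per-user exception is ordered before the group policies.
POLICIES = [
    Policy(1, "deny", "ai-dev", users={"contractor1"}),
    Policy(10, "allow", "ai-dev", groups={"Developers"}),
    Policy(20, "allow", "fileshare"),
]
```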

Employee experience while in the office

While in the office, the employees cannot access the office resources directly through the LAN because firewalls/VLANs have been used to allow access only from the two cipherscale gateways deployed on the office network. All employees have to use the cipherscale app and sign in using SSO.

Cipherscale permits only devices with the digital certificate, Windows OS, and other criteria as per the admission rule aistar allowed. Cipherscale load balances the employee's traffic to private resources using the two office cipherscale gateways.

Employee experience while outside the office

All employees have to use the cipherscale app and sign in using SSO. Cipherscale permits only devices with the digital certificate, Windows OS, and other criteria as per the admission rule aistar allowed. Cipherscale load balances the employee's traffic to private resources using the two office cipherscale gateways.