Application Security

Context is crucial to application security
Total Access Control puts a premium on both.

Total Access Control goes much further than simply verifying user authorizations. It is a proxy-based, Zero Trust Access Control system that serves as a gatekeeper to the applications behind it.

TAC’s Zero Trust Access Control only allows access to those applications after considering not just the user, but the device, location, time of day and any other factors you deem to be important. TAC considers the full context of the end users when they make connection requests.

Take the case of a financial analyst who uses her company-issued laptop to access your corporate financial applications from within the walls of headquarters. That’s a perfectly ordinary and acceptable context. 

But now it’s lunchtime, and she takes the same laptop to the crowded restaurant down the street. She wants to keep working and connects via the restaurant’s public Wi-Fi network.

Do you still want her accessing that financial app? You may not want to, because the context of her connection has completely changed. She’s no longer on a secure network, and who knows who else is in the restaurant attempting to hack into applications coming across the public Wi-Fi?

 

TAC gives you the power to consider an end user's full context of access – in real time

For any applications, TAC gives you a wide-ranging combination of granular controls

TAC’S ZERO TRUST ACCESS CONTROL CAN TAKE INTO ACCOUNT ALL SORTS OF FACTORS THAT PLAY INTO APPLICATION SECURITY CONTEXT, INCLUDING:

Device Type
Operating System
Device Jailbreak or Root Status
Current Anti-Virus, Spyware Detection
Applications Installed on Device
Employee or Company-Owned Device
User Group or Department
Time of Day
Network Connection Type - Public, Private, Encrypted
Location

TAC’s Zero Trust Access Control provides secure access to all applications, local and cloud, according to rules you define.

YOU DON'T HAVE TO PLAY BY YOUR CLOUD PROVIDER'S SECURITY RULES

Cloud providers too often implement security policies that only frustrate employees – and don’t necessarily provide better security. Many force users to routinely change their passwords or use passwords that are so complicated users can’t remember them. Some lock users out after a few failed login attempts.

IS THAT ANY WAY TO RUN A BUSINESS?

Security Shouldn’t Be a Burden on Employees

TAC takes away all that password complexity

Users visit a single URL to log on once to TAC – using whatever credentials you deem necessary, including multi-factor authentication.

After that, TAC provides access to all applications for which users are authorized. You are in complete control of security policies for each application, taking into account the context surrounding the access request.

You can even create separate rules for different instances of the same application.

A public-facing version of SharePoint, for example, may require just a username and password. Another that’s used for sensitive internal documents may require multi-factor authentication, and will block document uploads and downloads if the user is not on a corporate-issued computer.

TAC PROVIDES A VIRTUALLY UNLIMITED COMBINATION OF GRANULAR CONTROLS FOR ALL SORTS OF APPLICATIONS, INCLUDING:

Any Enterprise Apps, including:

Microsoft 365
SharePoint
Exchange
Teams
Salesforce
Oracle
SAP
Adobe
Zoom
Skype
Slack

Any Remote Desktop, including:

RDP
Citrix
VMware
Web-based File Access

Any Local Apps

Connects in-house applications, provides Single Sign-On (SSO) for both local and cloud applications

Any Cloud Applications

Enables you, not just the cloud provider, to determine access policies for any of your cloud applications

VPN

Full VPN tunnel or per-application connections for any applications, including RDP, Citrix or client/server. Provides TLS tunnels for application-specific connections

Pre-built application connectors for many popular productivity applications make it a snap for you to connect them to TAC

They Include:

TAC’s zero trust access control delivers a more personalized SharePoint experience

Many organizations have large Microsoft SharePoint installations, with many different instances each serving different user communities – and each with a different address.

When users log in to TAC, they will see only those SharePoint instances that apply to their role within the organization. If you have 80 different SharePoint instances but only five of them apply to a given user, that user only sees five.

TAC Gateway also gives users a new level of SharePoint file sharing. SharePoint was originally intended for internal use within an organization, allowing employees to easily store and share documents. As such, links to SharePoint documents don’t have public IP addresses, only internal ones. So, if a user passes a link to a SharePoint document to someone outside the organization, the address will be broken – the remote user won’t be able to access the document.

The Total Access Control Gateway uses host address translation to turn that internal link into a public one. But that public link doesn’t connect directly to the SharePoint application. Instead, it terminates at the TAC Gateway, which can ensure the remote user is authorized to view and/or manipulate the document. If so, the gateway resolves the public address to one that SharePoint can understand and allows the user access to the document.

You can also take advantage of TAC Gateway’s policy enforcement features for all your SharePoint instances.

For public-facing instances, perhaps a username and password will suffice. For more sensitive data, maybe you want two-factor authentication. And perhaps you allow users on employee-owned mobile devices to view documents, but not download, upload or otherwise manipulate them. The choice is yours. All TAC Gateway policy controls are at your disposal.

Exchange / Email

Employees send all sorts of sensitive data via email, making email applications a veritable treasure trove for intruders. Yet many organizations still protect their email installations with nothing more than a simple username and password. Should those credentials get compromised, an intruder can log on to the user’s email account from any device and gain unfettered access.

It’s likely only a matter of time before at least some of your user credentials are compromised. According to the 2017 Verizon Data Breach Investigation Report, 7.3% of users were successfully phished, either clicking on a link or opening an attachment. More bad news: “15% of all unique users who fell victim once, also took the bait a second time,” the report says.

Typically, the bad actors will quickly install malware on a compromised system that can collect username/password combinations, launch ransomware attacks, extract proprietary information, and take any number of other nefarious actions.

In the face of such persistent and pervasive threats, it’s clear a username/password combination is not sufficient to protect your email accounts. 

TAC Gateway brings Exchange/email security to a new level through zero trust access

No matter what email application you use – Exchange with Outlook, Outlook Web App or any other web or premises-based email server – TAC Gateway offers protection against compromised user credentials.

With Exchange, the TAC Gateway can capture a user’s ActiveSync ID and bind it to the user’s mobile device ID (or multiple IDs). If a user attempts to log on from a device that’s not known to the gateway, access is denied. And the user doesn’t have to do a thing to gain this added security – it all happens behind the scenes. That’s the kind of simplicity that makes security truly effective.

TAC Gateway offers additional security for any email application in other ways, as well. They include device validation, which enables you to ensure the user’s device meets all your security policies around antivirus status, jailbreak/rooting, registry keys, operating systems and more.

You can also require the use of multi-factor authentication, using PortSys’ own picture-based SafeLogin or the multi-factor authentication method of your choosing.

EMAIL IS TOO IMPORTANT TO BE PROTECTED ONLY BY A SIMPLE USERNAME/PASSWORD COMBINATION

Microsoft 365, including all the Office 365 applications, continues to dominate the productivity solutions enterprise organizations rely upon today. Whether you use Microsoft 365, Google Apps, or any other productivity solutions, you need to take a hard look at how you are protecting access to them.

Think about all the documents, presentations and other data users store in their OneDrive environments. Is it protected as well as your in-house data? If you’re relying solely on a username and password to grant access, the chances are your answer is no.

Today, hackers are constantly relying on social engineering attacks so they can attack any web-based applications with your organization’s own credentials. Hackers increasingly use all sorts of social engineering approaches to get those credentials, including phishing, brute force, pretexting, baiting, quid pro quo and tailgating attacks.

TAC's Zero Trust Access Control offers stronger protection for Office 365, Google Apps and any other web-based productivity tools you use today.

Web-based productivity tools such as Windows 365 and Google Apps can offer protection against social engineering attacks – they can lock your users out after a certain number of failed login attempts. But often, your legitimate users will end up locked out of their own accounts as well.

Why? Given all the different passwords they need to remember for various applications, it can be hard for your end users to keep them all straight.

TAC’s proxy-based solution offers your organization much stronger protection against hackers’ social engineering attacks. When anyone – a legitimate user or would-be intruder – tries to access a protected web-based account, they are directed to TAC’s gateway URL. The gateway then verifies the user is legitimate, according to your specific security policies, before connecting to the web-based app.

If the user doesn’t pass muster, access is denied – without the user ever touching the actual web-based app. That means no legitimate users are ever locked out of their accounts, while intruders are shut out.

Cloud Applications

The adoption of cloud infrastructure and services continues to accelerate at a staggering pace, even as enterprise organizations adapt to the New Normal following the Covid-19 pandemic. As your organization looks to adopt more cloud-based applications and services, you would do well to consider how you’re protecting access to those resources in the cloud.

 

Passwords fall way short in protecting cloud-based apps

A simple username/password combination is not enough to protect cloud-based applications, simply because such credentials are too easily compromised. With the social engineering tools available to hackers today, it’s not difficult for intruders to get past such limited defenses. Yet many cloud providers still insist on just that simple approach, and may even require federation of your users’ identity information, which may include much more than username and password. That means you’re handing all this critical information identifying your users to third-party cloud providers, which by the way have been hacked more and more frequently lately.

It doesn’t have to be that way.

TAC's zero trust access control: a simpler, more secure alternative to provide strong authentication for all your cloud and premises-based services

The TAC gateway is proxy-based, meaning users never “touch” the cloud application until they are fully authenticated. The gateway first ensures not only that users are authorized, but that the device they’re using meets your security policies, for both local and cloud resources. It will give your end users the proper level of access given the context of their connection request, including their location, type of network connection, time of day and more.

Total Access Control also works hand-in-hand with security mechanisms cloud providers already have in place. For example, some cloud providers enable you to restrict access to their cloud services to certain IP addresses. In this scenario, you just restrict access to the URL for TAC’s gateway and you’re done – nobody is granted access to that cloud solution without a thorough vetting by TAC.

Or perhaps you do want to federate identity with one or more cloud providers. You still don’t have to hand over your entire Active Directory – PortSys can manage the process for you, handling the user repository and credentials for cloud applications but obscuring them from cloud providers.

The TAC Gateway still makes all decisions on which users get access to what resources, and to what extent. The best part is users don’t even have to remember their cloud credentials. They log in to the TAC Gateway through a single URL and the gateway handles the rest, behind the scenes.

What’s more, TAC Gateway also offers single sign-on capability for cloud-based applications, including Office 365. You define the level of security that’s appropriate for each application, including multi-factor authentication.

Users log on only once, to the TAC Gateway – it handles all other logons seamlessly, behind the scenes. Don’t rely on a simple username/password to protect online applications like Office 365: get the power of TAC Gateway.

Total Access Control Gateway offers stronger protection for Office 365

Another problem with relying on a username/password combination for security is that it’s subject to a brute force attack, where an intruder uses automated tools to try different combinations until it hits on a winner.

Office 365 does offer protection against such attacks – it locks you out after a certain number of failed login attempts. As a result, it’s not uncommon for legitimate users to be locked out of their own accounts. Given all the different passwords they need to remember for various applications, it can be hard for users to keep them all straight.

TAC Gateway is a proxy-based solution that offers protection against brute force attacks. When anyone – a legitimate user or would-be intruder – tries to access an Office 365 account, they are directed to the TAC Gateway URL. The gateway then verifies the user is legitimate, according to your specific security policies, before connecting to Office 365. If the user doesn’t pass muster, access is denied – without the user ever touching the actual Office 365 app. That means no legitimate users are ever locked out of their accounts, while intruders are shut out.

Socket Forwarding

Applications that communicate over a specific port can present problems for traditional proxy-based security solutions, which are typically limited to using a single port. But TAC is anything but typical.

Thick-client applications such as RDP, Citrix or Skype for Business each expect to use a specific port when communicating with the server. In such cases, TAC accepts the request, decrypts it, performs its usual authentication routines, then re-encrypts the request and sends it across whatever port the application expects.

This also can apply to legacy client/server applications. These applications are typically difficult or impossible to support with traditional security products. TAC not only supports these legacy applications, but also simplifies the entire experience for the end users, making it conform to the way you choose to authenticate your users. You can also add security options like multi-factor authentication to your existing legacy applications with just the click of a button.

You gain all the benefits of the simple, strong security that TAC’s Zero Trust Access Control provides. For users, it’s just another app that they access through the TAC portal, using its powerful single sign-on capabilities.

File Shares

The standard way organizations allow employees to access files remotely is through a VPN, usually an IPSec-based VPN that provides a site-to-site tunnel. That potentially gives the user access to any resources hosted at the site, with little to no security vetting beyond the VPN password.

TAC Gateway takes a more measured, secure approach with zero trust access controls. It provides a file access application that is subject to all the same security policies as users would have when accessing files locally. Users log on to the app and see only those folders and files they are authorized to access. What’s more, IT can dictate what level of access users have based on their context.

Users seeking access from a company-owned laptop via a secure Wi-Fi connection may be allowed to upload files and pull them down. A user logging in from their own smartphone via a cellular connection, on the other hand, may be allowed to view files, but not upload or download.

That level of granularity is simply not possible with a typical VPN.
It is with TAC's Zero Trust Access Control.
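
The context-dependent file-share decision described above, sketched as an added example. It is not PortSys code or TAC's policy syntax; the field names, the "finance" group and the rule set are assumptions made for illustration.

```python
"""Context-aware access decision sketch (illustrative; not TAC's policy format)."""
from dataclasses import dataclass

VIEW, UPLOAD, DOWNLOAD = "view", "upload", "download"


@dataclass(frozen=True)
class Context:
    """Attributes of one connection request (hypothetical field names)."""
    user_groups: frozenset
    device_owner: str               # "company" or "employee"
    network: str                    # "private", "public" or "cellular"
    mfa_passed: bool = False
    device_compliant: bool = True   # e.g. anti-virus current, not jailbroken/rooted


@dataclass(frozen=True)
class Rule:
    """Grants `actions` when every listed condition matches the context."""
    actions: frozenset
    groups: frozenset = frozenset()          # empty means any group
    device_owners: frozenset = frozenset()   # empty means any owner
    networks: frozenset = frozenset()        # empty means any network
    require_mfa: bool = False

    def matches(self, ctx):
        if self.groups and not (self.groups & ctx.user_groups):
            return False
        if self.device_owners and ctx.device_owner not in self.device_owners:
            return False
        if self.networks and ctx.network not in self.networks:
            return False
        if self.require_mfa and not ctx.mfa_passed:
            return False
        return True


def decide(rules, ctx):
    """Return the permitted actions; an empty set means access is denied.

    Default deny: a non-compliant device, or a context that matches no rule,
    gets nothing. Rules are ordered most specific first; the first match wins.
    """
    if not ctx.device_compliant:
        return frozenset()
    for rule in rules:
        if rule.matches(ctx):
            return rule.actions
    return frozenset()


# Constructed rule set mirroring the file-share scenario in the text.
FILE_SHARE_RULES = [
    # Company-owned device on a secure (private) network: full access.
    Rule(actions=frozenset({VIEW, UPLOAD, DOWNLOAD}),
         groups=frozenset({"finance"}),
         device_owners=frozenset({"company"}),
         networks=frozenset({"private"})),
    # Employee-owned device on private or cellular network: view only.
    Rule(actions=frozenset({VIEW}),
         groups=frozenset({"finance"}),
         device_owners=frozenset({"employee"}),
         networks=frozenset({"private", "cellular"})),
    # Public Wi-Fi matches no rule, so it falls through to deny.
]


def allowed(device_owner, network, groups=("finance",), compliant=True):
    """Convenience wrapper: evaluate FILE_SHARE_RULES for one request."""
    ctx = Context(user_groups=frozenset(groups), device_owner=device_owner,
                  network=network, device_compliant=compliant)
    return decide(FILE_SHARE_RULES, ctx)


if __name__ == "__main__":
    for owner, net in [("company", "private"), ("employee", "cellular"),
                       ("company", "public")]:
        print(f"{owner:8} on {net:8} -> {sorted(allowed(owner, net)) or 'DENY'}")
```

The same user gets a different answer as the context changes, and a request that no rule anticipates is denied rather than allowed.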
