Application Security

Context is crucial to application security

Total Access Control goes much further than simply verifying user authorizations. It is a proxy-based system that serves as a gatekeeper to the applications behind it.

It allows access to an application only after considering not just the user but also the device, the location, the time of day and any other factors you deem important. In other words, it evaluates the context surrounding the connection request.

Think about...

A financial analyst uses her company-issued laptop to access the corporate financial system from within the walls of headquarters.

That’s a perfectly ordinary and acceptable context.

Now say it’s lunchtime and the analyst takes the same laptop to a restaurant down the street. She wants to keep working and can connect via the restaurant’s public Wi-Fi network.

Do you still want her accessing that financial app?

No, because the context of the connection has completely changed; she’s no longer on a secure network.

TAC gives you the power to consider context – in real time

TAC can take into account all sorts of factors that play into application security context, including:

Device Type

Operating System

Device Jailbreak/Root Status

Antivirus and Spyware Detection Status

Applications Installed on Device

Employee or Company Owned

Employee User Group/Department

Time of Day

Location

Network Connection Type - Public, Private, Encrypted

IP Address

The idea is to differentiate the communications that are normal for a given application from those that aren’t – and treat each accordingly. And should the context change, even in the middle of a session, the TAC Gateway re-evaluates the session and adjusts or revokes access accordingly.

TAC provides secure access to all applications, local and cloud, according to rules you define.

You don’t have to play by your cloud provider’s security rules

Cloud providers too often implement security policies that only frustrate employees – and don’t necessarily provide better security. Many force users to routinely change their passwords or use passwords that are so complicated users can’t remember them. Some lock users out after a few failed login attempts.

Is that any way to run a business?

Security Shouldn’t Be a Burden on Employees

TAC takes away all that password complexity.

Users visit a single URL to log on once to TAC – using whatever credentials you deem necessary, including multi-factor authentication.

After that, TAC provides access to all applications for which users are authorized. You are in complete control of security policies for each application, taking into account the context surrounding the access request.

You can even create separate rules for different instances of the same application.

A public-facing version of SharePoint, for example, may require just a username and password. Another that’s used for sensitive internal documents may require multi-factor authentication, and will block document uploads and downloads if the user is not on a corporate-issued computer.

TAC provides a virtually unlimited combination of granular controls for all sorts of applications, including:

Enterprise Applications

SharePoint, Exchange, Oracle, web applications, client/server, etc.

Remote Desktop

RDP, Citrix, VMware and more

Local Apps

Connect in-house applications and get single sign-on for both local and cloud applications

Cloud

Lets you, not the cloud provider, determine the access policies for your cloud applications: Office 365, Salesforce, Google Apps, etc.

VPN

Full VPN tunnel, or per-application connections for applications like RDP, Citrix or client/server applications, as well as TLS tunnels for application-specific connections

PortSys supplies pre-built Application Connectors for many popular applications, making it a snap to connect them to TAC.

They Include:

Citrix

Microsoft Dynamics

Outlook Web Access

Skype for Business

Documentum

Oracle

SharePoint

WebSphere

SharePoint

TAC delivers a more personalized SharePoint experience.

Many organizations have large Microsoft SharePoint installations, with many different instances each serving different user communities – and each with a different address.

When users log in to TAC, they will see only those SharePoint instances that apply to their role within the organization.

If you have 80 different SharePoint instances but only five of them apply to a given user, that user only sees five.

Advanced SharePoint file sharing

TAC Gateway also gives users a new level of SharePoint file sharing. SharePoint was originally intended for internal use within an organization, allowing employees to easily store and share documents. As such, links to SharePoint documents point at internal host names that don’t resolve from the public internet. So, if a user passes a link to a SharePoint document to someone outside the organization, the link is broken – the remote user won’t be able to reach the document.

The Total Access Control Gateway uses host address translation to turn that internal link into a public one that points at the gateway. That public link doesn’t connect directly to SharePoint. Instead, it terminates at the TAC Gateway, which checks that the remote user is authorized to view and/or manipulate the document. If so, the gateway translates the public address back into the internal one SharePoint understands and proxies the request to the document.
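The following is an added example, not PortSys code, that shows the two halves of the translation described above: rewriting internal SharePoint links in an outbound response body so they point at the gateway, and resolving a gateway link back to the internal address only after an authorization check. The gateway host `tac.example.com`, the table of published hosts, the path-prefix scheme and the `authorize` callback are all assumptions for illustration; this page does not describe the product’s actual rewriting rules.

```python
import re
from urllib.parse import urlsplit, urlunsplit

GATEWAY = "tac.example.com"   # assumed public name of the gateway

# Internal SharePoint hosts published through the gateway, each under its own
# public path prefix. Assumed mapping for the example.
PUBLISHED = {"sp-finance.corp.local": "finance", "sp-hr.corp.local": "hr"}
PREFIX_TO_HOST = {prefix: host for host, prefix in PUBLISHED.items()}


def to_public(link):
    """Rewrite an internal SharePoint link into one that terminates at the gateway."""
    parts = urlsplit(link)
    prefix = PUBLISHED.get((parts.hostname or "").lower())
    if prefix is None:
        return link                      # not a published host: leave it untouched
    path = f"/{prefix}{parts.path or '/'}"
    return urlunsplit(("https", GATEWAY, path, parts.query, parts.fragment))


# Matches any absolute link to a published internal host (stops at quotes/whitespace).
_INTERNAL_LINK = re.compile(
    r"https?://(?:%s)(?:/[^\s\"'<>]*)?" % "|".join(map(re.escape, PUBLISHED)),
    re.IGNORECASE,
)


def rewrite_body(html):
    """Rewrite every internal link in a response body on its way out to the client."""
    return _INTERNAL_LINK.sub(lambda m: to_public(m.group(0)), html)


def resolve(public_link, user, authorize):
    """Map a gateway link back to the internal one.

    Returns None unless the link really targets the gateway, names a published
    host, and `authorize(user, host, path)` says this user may reach that path.
    """
    parts = urlsplit(public_link)
    if (parts.hostname or "").lower() != GATEWAY:
        return None                      # a link to some other host is not ours to resolve
    prefix, _, rest = parts.path.lstrip("/").partition("/")
    host = PREFIX_TO_HOST.get(prefix)
    path = "/" + rest
    if host is None or not authorize(user, host, path):
        return None                      # unknown prefix or unauthorized user: deny
    return urlunsplit(("https", host, path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: an internal link as SharePoint would emit it.
    internal = "http://sp-finance.corp.local/sites/q3/Shared%20Documents/plan.docx"
    public = to_public(internal)
    print(public)
    # Only members of finance may follow it back (assumed policy).
    policy = lambda user, host, path: user == "analyst" and host == "sp-finance.corp.local"
    print(resolve(public, "analyst", policy))
    print(resolve(public, "intern", policy))
```

Two details matter in practice: a real translator must also rewrite the `Host` header, cookies and any redirects SharePoint issues, and `resolve` must treat an unpublished prefix or a foreign host as a denial rather than falling back to the raw link, which is what the `None` returns above do.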

Granular Policy Control

You can also take advantage of TAC Gateway’s policy enforcement features for all your SharePoint instances.

For public-facing instances, perhaps a username and password will suffice. For more sensitive data, maybe you want two-factor authentication. And perhaps you allow users on employee-owned mobile devices to view documents, but not download, upload or otherwise manipulate them. The choice is yours. All TAC Gateway policy controls are at your disposal.

Exchange / Email

Employees send all sorts of sensitive data via email, making email applications a veritable treasure trove for intruders. Yet many organizations protect their email installations with nothing more than a simple username and password. Should that username/password be compromised, the intruder can log on to the user’s email account from any device and have unfettered access.

It can happen to you: Phishing attacks are succeeding

It’s likely only a matter of time before at least some of your user credentials are compromised. According to the 2017 Verizon Data Breach Investigation Report, 7.3% of users were successfully phished, either clicking on a link or opening an attachment. More bad news: “15% of all unique users who fell victim once, also took the bait a second time,” the report says.

Typically, the bad actors will quickly install malware on a compromised system that can collect username/password combinations, among other nefarious actions.

In the face of such threats, it’s clear a username/password combination is not sufficient to protect your email accounts. (The same applies to applications such as Office 365, as explained in the Microsoft Office 365 section below.)

TAC Gateway brings Exchange/email security to a new level

No matter what email application you use – Exchange with Outlook, Outlook Web App or any other web or premises-based email server – TAC Gateway offers protection against compromised user credentials.

With Exchange, the TAC Gateway can capture a user’s ActiveSync ID and bind it to the user’s mobile device ID (or multiple IDs). If a user attempts to log on from a device that’s not known to the gateway, access is denied. And the user doesn’t have to do a thing to gain this added security – it all happens behind the scenes. That’s the kind of simplicity that makes security truly effective.
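The following is an added example, not PortSys code, of the device-binding check described above. It pulls the user and device ID out of an ActiveSync request and admits the request only if that device is already bound to the mailbox. The in-memory store, the trust-on-first-sync policy and the `enroll` help-desk path are assumptions for illustration; the page does not say how the product learns a device.

```python
from urllib.parse import parse_qs, urlsplit


def eas_identity(request_url):
    """Extract (User, DeviceId) from an ActiveSync request URL.

    Plain-text Exchange ActiveSync requests carry these as query parameters, e.g.
    /Microsoft-Server-ActiveSync?User=alice&DeviceId=ABC123&DeviceType=iPhone&Cmd=Sync
    The base64-encoded URI form used by some clients is not handled here.
    """
    query = parse_qs(urlsplit(request_url).query)
    return query.get("User", [None])[0], query.get("DeviceId", [None])[0]


class DeviceBinder:
    """Ties each mailbox to the device IDs allowed to sync it (in-memory store, assumed)."""

    def __init__(self, trust_first_device=True):
        self.bindings = {}                      # mailbox -> set of DeviceId values
        self.trust_first_device = trust_first_device

    def enroll(self, mailbox, device_id):
        """Explicit enrollment, e.g. from a help-desk or admin workflow."""
        self.bindings.setdefault(mailbox.lower(), set()).add(device_id)

    def decide(self, request_url, authenticated_user):
        """Run after the gateway has already verified the password.

        Returns "allow", "allow-bound" (first device learned) or "deny".
        A valid password from an unknown device is still a deny.
        """
        url_user, device_id = eas_identity(request_url)
        if not url_user or not device_id:
            return "deny"                       # not a well-formed ActiveSync request
        # The User in the URL may be domain\user or an address in real traffic;
        # the example assumes it has been normalized to the same form as the logon name.
        if url_user.lower() != authenticated_user.lower():
            return "deny"                       # URL names a different mailbox than the logon
        known = self.bindings.setdefault(authenticated_user.lower(), set())
        if device_id in known:
            return "allow"
        if self.trust_first_device and not known:
            known.add(device_id)                # first sync binds the device, no user action needed
            return "allow-bound"
        return "deny"                           # second, unknown device: stolen credentials stop here


if __name__ == "__main__":
    binder = DeviceBinder()
    # Constructed sample requests.
    base = "https://mail.example.com/Microsoft-Server-ActiveSync?User=alice&DeviceType=iPhone&Cmd=Sync&DeviceId="
    print(binder.decide(base + "ABC123", "alice"))   # first device is learned
    print(binder.decide(base + "XYZ789", "alice"))   # a phished password on a new phone is refused
```

The trust-on-first-sync setting is the trade-off to think about: it gives the "nothing for the user to do" behaviour the page describes, but an attacker who holds the credentials before the legitimate phone ever syncs would become the bound device, so new mailboxes are safer enrolled explicitly.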

TAC Gateway offers additional security for any email application in other ways, as well. They include device validation, which enables you to ensure the user’s device meets all your security policies around antivirus status, jailbreak/rooting, registry keys, operating systems and more.

You can also require the use of multi-factor authentication, using PortSys’ own picture-based SafeLogin or the multi-factor authentication method of your choosing.

Email is too important to be protected only by a simple username/password combination.

Put the power of TAC Gateway behind your email and rest assured that even if users do fall victim to a phishing attack, their email – and potentially sensitive corporate data – won’t be compromised.

Microsoft Office 365

As the popularity of Microsoft Office 365 continues to grow, organizations need to take a hard look at how they’re protecting access to it. Think about all the documents, presentations and other data users are storing in their Office 365 OneDrive environments. Is it protected as well as your in-house data?

If you’re relying solely on a username/password, chances are the answer is no – because it’s not unusual for such credentials to be compromised.

According to the 2017 Verizon Data Breach Investigation Report, 7.3% of users fell victim to phishing attacks, either clicking on a link or opening an attachment. What’s more, “15% of all unique users who fell victim once, also took the bait a second time,” the report says.

Phishing attacks compromise username/password combinations

Once a user falls for a phishing attack, the intruder will likely install malware on the compromised system that collects username/password combinations. With that, the intruder can now log on to any web-based application that is protected only by a username/password, including Office 365.

Total Access Control Gateway offers stronger protection for Office 365

Another problem with relying on a username/password combination for security is it’s subject to a brute force attack, where an intruder uses automated tools to try different combinations until it hits on a winner.

Office 365 does offer protection against such attacks – it locks you out after a certain number of failed login attempts. As a result, it’s not uncommon for legitimate users to be locked out of their own accounts. Given all the different passwords they need to remember for various applications, it can be hard for users to keep them all straight.

TAC Gateway is a proxy-based solution that offers protection against brute force attacks. When anyone – a legitimate user or would-be intruder – tries to access an Office 365 account, they are directed to the TAC Gateway URL. The gateway then verifies the user is legitimate, according to your specific security policies, before connecting to Office 365. If the user doesn’t pass muster, access is denied – without the request ever touching the actual Office 365 app. Because failed attempts are absorbed at the gateway, they never count against the Office 365 lockout threshold: legitimate users are not locked out of their accounts by someone else’s guessing, while intruders are shut out.
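The following is an added example, not PortSys code, of the kind of throttle a proxy has to run in front of credential verification for the claim above to hold: once a source address or an account has accumulated too many failures, further attempts are refused at the gateway and the verifier (the directory, and therefore Office 365) is never consulted. The thresholds, the injectable `clock` and the `verify` callback are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class BruteForceShield:
    """Gateway-side throttle in front of credential verification.

    Attempts refused here never reach the directory or the cloud application,
    so they cannot count toward the provider's own lockout threshold.
    """

    def __init__(self, verify, max_failures=5, window=300, ip_block=600,
                 user_cooldown=30, clock=time.monotonic):
        self.verify = verify                   # callable(user, password) -> bool
        self.max_failures = max_failures       # failures tolerated inside `window` seconds
        self.window = window
        self.ip_block = ip_block               # hard block for an abusive source address
        self.user_cooldown = user_cooldown     # brief pause for a targeted account, not a lockout
        self.clock = clock                     # injectable so the behaviour can be tested
        self.failures = defaultdict(deque)     # key -> timestamps of recent failures
        self.blocked_until = {}                # key -> time until which the key is refused
        self.verify_calls = 0                  # how often the verifier was actually consulted

    def _recent(self, key, now):
        """Drop failures older than the window and return the live ones."""
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def attempt(self, user, password, source_ip):
        """Returns "allow", "deny" (bad password, counted) or "throttled" (not even checked)."""
        now = self.clock()
        keys = {"ip": f"ip:{source_ip}", "user": f"user:{user.lower()}"}
        if any(self.blocked_until.get(k, 0) > now for k in keys.values()):
            return "throttled"                 # refused at the gateway; verifier never called
        self.verify_calls += 1
        if self.verify(user, password):
            self.failures.pop(keys["user"], None)       # success clears the account's counter
            self.blocked_until.pop(keys["user"], None)
            return "allow"
        for kind, key in keys.items():
            q = self._recent(key, now)
            q.append(now)
            if len(q) >= self.max_failures:
                hold = self.ip_block if kind == "ip" else self.user_cooldown
                self.blocked_until[key] = now + hold
        return "deny"


if __name__ == "__main__":
    # Constructed scenario: one attacker guessing at alice, then alice logging in herself.
    shield = BruteForceShield(lambda u, p: u == "alice" and p == "correct horse")
    for i in range(6):
        print(shield.attempt("alice", f"guess{i}", "203.0.113.9"))
    print(shield.attempt("alice", "correct horse", "10.0.0.5"), shield.verify_calls)
```

The asymmetry between the two keys is deliberate. A long block on the source address stops the guessing; only a short cool-down is applied to the account, because a hard per-account lockout at the gateway would hand an attacker the same denial-of-service lever the page complains about in Office 365. Multi-factor authentication, which the page recommends, is what makes the guessed password worthless even when a throttle is evaded with many source addresses.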

Cloud Applications

Nearly all companies now use at least one cloud-based service or application, surveys show, with some forecasting cloud infrastructure and services will account for well over half of all IT spending by 2020. As they adopt more cloud-based applications and services, organizations would do well to consider how they’re protecting access to those resources.

Passwords fall short of protecting cloud-based apps

A simple username/password combination is not enough to protect cloud-based applications, simply because they are too easily compromised. Whether via a phishing attack or brute force, it’s not difficult for intruders to get past such limited defenses.

Yet many cloud providers suggest exactly that, and some require you to federate identity information that includes far more than a username and password. That means handing critical information about your users to a third-party cloud provider.

It doesn’t have to be that way.

The PortSys Total Access Control Gateway provides a simpler, more secure alternative for providing strong authentication for all your cloud (and premises-based) services.

The TAC Gateway is proxy based, meaning users never “touch” the cloud application until they are fully authenticated. The gateway first ensures not only that users are authorized, but that the device they’re using meets your security policies. It will give users the proper level of access given the context of their connection request, including their location, type of network connection, time of day and more.

Once a user is authenticated, the TAC Gateway passes a signed SAML assertion to the cloud provider as proof that the user has been validated.

TAC Gateway can work hand-in-hand with security mechanisms cloud providers have in place. Some enable you to restrict access to the cloud service to certain IP addresses, for example. Restrict access to only the TAC Gateway address and you’re done – nobody will get access without a thorough vetting by the gateway.

Federation – on your terms

Or perhaps you do want to federate identity with one or more cloud providers. You still don’t have to hand over your entire Active Directory: PortSys can manage the process for you, handling the user repository and credentials for cloud applications while keeping them hidden from the cloud providers. The TAC Gateway still makes all decisions on which users get access to which resources, and to what extent.

The best part is users don’t even have to remember their cloud credentials. They log in to the TAC Gateway through a single URL and the gateway handles the rest, behind the scenes.

Single sign-on for cloud-based apps

What’s more, TAC Gateway also offers single sign-on capability for cloud-based applications, including Office 365. You define the level of security that’s appropriate for each application, including multi-factor authentication. Users log on only once, to the TAC Gateway – it handles all other logons seamlessly, behind the scenes.

Don’t rely on a simple username/password to protect online applications like Office 365: get the power of TAC Gateway.

Socket Forwarding

Applications that communicate over a specific port can present problems for traditional proxy-based security solutions, which are typically limited to a single port. But the PortSys Total Access Control Gateway is not typical.

Thick-client applications such as RDP, Citrix or Skype for Business each expect to use a specific port when communicating with their server. In such cases, the TAC Gateway accepts the request, decrypts it, performs its usual authentication routines, then re-encrypts the request and sends it across whatever port the application expects.

This also can apply to legacy client/server applications. These applications are typically difficult or impossible to support with traditional security products. TAC not only supports these legacy applications, but also simplifies the entire experience for the end users, making it conform to the way you choose to authenticate your users. More than that, you can now add security options like multi-factor authentication to your existing legacy applications with the click of a button.

You gain all the benefits of the simple, strong security the TAC Gateway provides. For users, it’s just another app that they access through the TAC Gateway, using its powerful single sign-on capabilities.
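The following is an added example, not PortSys code, of the relay pattern described in this section: one gateway listener per application that authenticates the connection first and only then opens a socket to the port the application actually uses, so an unauthenticated client never reaches the server. The newline-terminated session token, the `authorize` callback and the loopback echo server standing in for the application are assumptions constructed for the example; TLS on the client leg, which the page says the real gateway terminates and re-establishes, is left out so the block runs with no certificates.

```python
import socket
import threading


def _readline(sock, limit=256):
    """Read one short ASCII line (the assumed token framing) from a socket."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.strip().decode("ascii", "replace")


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then tear down both ends."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


class PerAppRelay:
    """One gateway listener per application: authenticate, then relay to the app's real port."""

    def __init__(self, upstream, authorize):
        self.upstream = upstream             # (host, port) the thick client's server really uses
        self.authorize = authorize           # callable(token) -> bool, e.g. a TAC session lookup
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen()
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return                       # listener closed
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        token = _readline(client)            # first line: the session token issued at TAC logon
        if not self.authorize(token):
            client.sendall(b"DENY\n")
            client.close()
            return                           # the application server is never contacted
        upstream = socket.create_connection(self.upstream)
        client.sendall(b"OK\n")
        threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()
        _pipe(client, upstream)

    def close(self):
        self.listener.close()


def start_echo_server():
    """Stand-in for the application server (constructed for the example)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pipe, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(token, payload=b"hello application"):
    """Connect through the relay with `token`; return (verdict, bytes echoed back)."""
    echo = start_echo_server()
    relay = PerAppRelay(echo.getsockname(), authorize=lambda t: t == "session-abc123")
    try:
        with socket.create_connection(("127.0.0.1", relay.port)) as c:
            c.sendall(token.encode() + b"\n")
            verdict = _readline(c)
            if verdict != "OK":
                return verdict, b""
            c.sendall(payload)
            return verdict, c.recv(4096)
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(demo("session-abc123"))   # ("OK", b"hello application")
    print(demo("forged"))           # ("DENY", b"")
```

The point to carry over to any real deployment is the order of operations in `_handle`: the upstream socket is opened only after the token check passes, so port scans and credential-stuffing against the gateway port never produce a connection on the application's own port.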

File Shares

The standard way organizations allow employees to access files remotely is through a VPN, usually an IPsec-based remote access VPN that places the user’s device on the corporate network. That potentially gives the user access to any resource hosted at the site, with little to no security vetting beyond the VPN credentials.

TAC Gateway takes a more measured, secure approach. It provides a file access application that is subject to the same security policies users face when accessing files locally. Users log on to the app and see only those folders and files they’re authorized to access.

What’s more, IT can dictate what level of access users have based on their context.

Users seeking access from a company owned laptop via a secure Wi-Fi connection may be allowed to upload files and pull them down.

A user logging in from their own smartphone via a cellular connection, on the other hand, may be allowed to view files, but not upload or download.

That level of granularity is simply not possible with a typical VPN. It’s just one more way the TAC Gateway puts you in control.
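The following is an added example, not PortSys code, of a context-aware policy evaluation of the kind described in the "Context is crucial" section at the top of this page and applied again to file shares just above: a device-posture gate, then per-application rules over user group, device ownership, network type, encryption, time of day and source address, plus a mid-session re-check that can only lower access. The applications, the rule contents, the corporate address ranges and the set of context fields are assumptions for illustration; the page lists the factors but not the product’s rule syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Access levels in increasing order; "least privilege wins" on a mid-session re-check.
DENY, VIEW_ONLY, FULL = 0, 1, 2
LEVEL_NAME = {DENY: "deny", VIEW_ONLY: "view-only", FULL: "full"}


@dataclass(frozen=True)
class Context:
    """Everything the gateway knows about one request (field set assumed for the example)."""
    user: str
    groups: frozenset
    device_owner: str         # "corporate" or "employee"
    jailbroken: bool
    antivirus_current: bool
    network: str              # "corporate", "private", "public" or "cellular"
    encrypted: bool           # whether the link itself is encrypted (e.g. WPA2 vs open Wi-Fi)
    hour: int                 # local hour of day, 0-23
    source_ip: str


# Assumed corporate ranges: a request claiming "corporate" must also originate from them.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def on_corporate_network(ctx):
    return ctx.network == "corporate" and any(ip_address(ctx.source_ip) in n for n in CORP_NETS)


def device_posture_ok(ctx):
    """Posture gate applied before any per-application rule."""
    return not ctx.jailbroken and ctx.antivirus_current


# Per-application rules as (predicate, level); the first matching rule decides.
# No matching rule, or an application with no rules, is a deny.
RULES = {
    "finance": [
        (lambda c: "finance" not in c.groups, DENY),
        (lambda c: not on_corporate_network(c), DENY),   # the lunchtime Wi-Fi case
        (lambda c: not 8 <= c.hour < 19, DENY),          # business hours only
        (lambda c: c.device_owner == "corporate", FULL),
        (lambda c: True, VIEW_ONLY),
    ],
    "fileshare": [
        (lambda c: c.network == "public" and not c.encrypted, DENY),
        (lambda c: c.device_owner == "corporate" and c.encrypted
                   and c.network in ("corporate", "private"), FULL),
        (lambda c: True, VIEW_ONLY),                     # e.g. own phone over cellular: view only
    ],
}


def evaluate(app, ctx):
    """Access level for one request given its full context."""
    if not device_posture_ok(ctx):
        return DENY
    for predicate, level in RULES.get(app, []):
        if predicate(ctx):
            return level
    return DENY


def reevaluate(app, granted, ctx):
    """Mid-session re-check: a changed context can lower access, never raise it without a fresh logon."""
    return min(granted, evaluate(app, ctx))


if __name__ == "__main__":
    # Constructed contexts: the analyst at headquarters, then the same laptop at the restaurant.
    hq = Context("analyst", frozenset({"finance"}), "corporate", False, True,
                 "corporate", True, 10, "10.1.2.3")
    lunch = Context("analyst", frozenset({"finance"}), "corporate", False, True,
                    "public", False, 12, "203.0.113.5")
    granted = evaluate("finance", hq)
    print("at HQ:", LEVEL_NAME[granted])
    print("at lunch, same session:", LEVEL_NAME[reevaluate("finance", granted, lunch)])
    print("file share at HQ:", LEVEL_NAME[evaluate("fileshare", hq)])
```

Two choices in this layout are worth copying. The posture gate runs before any application rule, so a jailbroken device cannot reach a permissive rule for a low-value application; and `on_corporate_network` cross-checks the claimed network type against the source address, so a client cannot simply assert that it is "on the corporate network".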
