Application Security

Context is crucial to application security

Total Access Control goes much further than simply verifying user authorizations. It is a proxy-based, Zero Trust Access Control system that serves as a gatekeeper to the applications behind it.

TAC’s Zero Trust Access Control only allows access to those applications after considering not just the user, but the device, location, time of day and any other factors you deem to be important. TAC considers the full context of the end users when they make connection requests.

Take the case of a financial analyst who uses her company-issued laptop to access your corporate financial applications from within the walls of headquarters. That’s a perfectly ordinary and acceptable context. 

But now it’s lunchtime, and she takes the same laptop to the crowded restaurant down the street. She wants to keep working and connects via the restaurant’s public Wi-Fi network.

Do you still want her accessing that financial app? You may not want to, because the context of her connection has completely changed. She’s no longer on a secure network, and who knows who else is in the restaurant attempting to hack into applications coming across the public Wi-Fi?

 

TAC gives you the power to consider an end user's full context of access – in real time

For any applications, TAC gives you a wide-ranging combination of granular controls

Device Type
Operating System
Device Jailbreak or Root Status
Current Anti-Virus, Spyware Detection
Applications Installed on Device
Employee or Company-Owned Device
User Group or Department
Time of Day
Network Connection Type - Public, Private, Encrypted
Location

TAC’s Zero Trust Access Control provides secure access to all applications, local and cloud, according to rules you define.

YOU DON'T HAVE TO PLAY JUST BY YOUR CLOUD PROVIDER'S SECURITY RULES

Cloud providers too often implement security policies that only frustrate employees – and don’t necessarily provide better security. Many force users to routinely change their passwords or use passwords that are so complicated users can’t remember them. Some lock users out after a few failed login attempts.

IS THAT ANY WAY TO RUN A BUSINESS?

Security Shouldn’t Be a Burden on Employees

TAC takes away all that password complexity

TAC users visit a single URL to log on with whatever credentials you deem necessary, including multi-factor authentication.

After that, TAC provides access to all applications for which users are authorized. You are in complete control of security policies for each application, taking into account the context surrounding the access request. You can even create separate rules for different instances of the same application.

A public-facing version of SharePoint, for example, may require just a username and password. Another version that’s used for sensitive internal documents may require multi-factor authentication, and will block document uploads and downloads if the user is not on a corporate-issued computer.

TAC provides a virtually unlimited combination of granular controls for all sorts of applications

Any Enterprise Apps, including:

Microsoft365
SharePoint
Exchange
Teams
Salesforce
Oracle
SAP
Adobe
Zoom
Skype
Slack

Any Remote Desktop, including:

RDP
Citrix
VMware
Web-based File Access

Any Local Apps

Connects in-house applications, provides Single Sign-On (SSO) for both local and cloud applications

Any Cloud Applications

Enables you, not just the cloud provider, to determine access policies for any of your cloud applications

VPN

Full VPN tunnel or per-application connections for any applications, including RDP, Citrix or client/server. Provides TLS tunnels for application-specific connections

Pre-built application connectors for many popular productivity applications make it a snap for you to connect them to TAC

They Include:

TAC’s Zero Trust Access Control delivers a more personalized SharePoint experience

If you have large Microsoft SharePoint installations, that more than likely means you have many different instances for each different user community – and each comes with its own different address. When users log in to TAC, they will see only those SharePoint instances that apply to their role within the organization, and nothing more. 

Exchange / Email

Employees send all sorts of sensitive data via email, making email applications a veritable treasure trove for intruders. Yet many organizations still protect their email installations with nothing more than a simple username and password. Should those credentials get compromised, an intruder can log on to the user’s email account from any device and gain unfettered access.

It’s likely only a matter of time before at least some of your user credentials are compromised. According to the 2017 Verizon Data Breach Investigation Report, 7.3% of users were successfully phished, either clicking on a link or opening an attachment. More bad news: “15% of all unique users who fell victim once, also took the bait a second time,” the report says.

Typically, the bad actors will quickly install malware on a compromised system that can collect username/password combinations, launch ransomware attacks, extract proprietary information, and take any number of other nefarious actions.

In the face of such persistent and pervasive threats, it’s clear a username/password combination is not sufficient to protect your email accounts. 

EMAIL IS TOO IMPORTANT TO BE PROTECTED ONLY BY A SIMPLE USERNAME/PASSWORD COMBINATION

Microsoft 365, including all the Office 365 applications, continues to dominate the productivity solutions enterprise organizations rely upon today. Whether you use Microsoft 365, Google Apps, or any other productivity solutions, you need to take a hard look at how you are protecting access to them.

Think about all the documents, presentations and other data users store in their OneDrive environments. Is it protected as well as your in-house data? If you’re relying solely on a username and password to grant access, the chances are your answer is no.

Today, hackers are constantly relying on social engineering attacks so they can attack any web-based applications with your organization’s own credentials. Hackers increasingly use all sorts of social engineering approaches to get those credentials, including phishing, brute force, pretexting, baiting, quid pro quo and tailgating attacks.

TAC's Zero Trust Access Control offers stronger protection for Office 365, Google Apps and any other web-based productivity tools you use today.

Web-based productivity tools such as Windows 365 and Google Apps can offer protection against social engineering attacks – they can lock your users out after a certain number of failed login attempts. But often, your legitimate users will end up locked out of their own accounts as well.

Why? Given all the different passwords they need to remember for various applications, it can be hard for your end users to keep them all straight.

TAC’s proxy-based solution offers your organization much stronger protection against hackers’ social engineering attacks. When anyone – a legitimate user or would-be intruder – tries to access a protected web-based account, they are directed to TAC’s gateway URL. The gateway then verifies the user is legitimate, according to your specific security policies, before connecting to the web-based app.

If the user doesn’t pass muster, access is denied – without the user ever touching the actual web-based app. That means no legitimate users are ever locked out of their accounts, while intruders are shut out.

Cloud Applications

The adoption of cloud infrastructure and services continues to accelerate at a staggering pace, even as enterprise organizations adapt to the New Normal following the Covid-19 pandemic. As your organization looks to adopt more cloud-based applications and services, you would do well to consider how you’re protecting access to those resources in the cloud.

Passwords fall way short in protecting cloud-based apps

A simple username/password combination is not enough to protect cloud-based applications, simply because such credentials are too easily compromised. With the social engineering tools available to hackers today, it’s not difficult for intruders to get past such limited defenses. Yet many cloud providers still insist on just that simple approach, and may even require federation of your users’ identity information that may include much more than username and password. That means you’re handing all this critical information identifying your users to third-party cloud providers, who by the way have been hacked more and more frequently lately.

It doesn’t have to be that way.

TAC's Zero Trust Access Control: a simpler, more secure alternative to provide strong authentication for all your cloud and premises-based services

The TAC gateway is proxy-based, meaning users never “touch” the cloud application until they are fully authenticated. The gateway first ensures not only that users are authorized, but that the device they’re using meets your security policies, for both local and cloud resources. It will give your end users the proper level of access given the context of their connection request, including their location, type of network connection, time of day and more.

Total Access Control also works hand-in-hand with security mechanisms cloud providers already have in place. For example, some cloud providers enable you to restrict access to their cloud services to certain IP addresses. In this scenario, you just restrict access to the URL for TAC’s gateway and you’re done – nobody is granted access to that cloud solution without a thorough vetting by TAC.

Total Access Control takes your email security to a new level with zero trust access control

No matter what email application you use – Exchange with Outlook, Outlook Web App or any other web or premises-based email server – TAC offers significantly stronger protection against compromised user credentials.

For example, if your email is hosted on Exchange, TAC can capture a user’s ActiveSync ID and bind it to the user’s mobile device ID – or even multiple IDs. If a user attempts to log on from a device that’s not known to the gateway, access is denied. And the user doesn’t have to do a thing to achieve this enhanced protection – it all happens behind the scenes. That’s the kind of simplicity that makes security truly effective.

TAC’s Zero Trust Access Control offers additional security for any email application in numerous other ways, as well.

These include device validation, which enables you to ensure the user’s device meets all your security policies around antivirus status, jailbreak/rooting, registry keys, operating systems and more.

You can also require the use of multi-factor authentication, using PortSys’ own picture-based SafeLogin or the multi-factor authentication method of your choosing.

Socket Forwarding

Applications that communicate over a specific port can present problems for traditional proxy-based security solutions, which are typically limited to using a single port. But TAC is anything but typical.

Thick-client applications such as RDP, Citrix or Skype for Business each expect to use a specific port when communicating with the server. In such cases, TAC accepts the request, decrypts it, performs its usual authentication routines, then re-encrypts the request and sends it across whatever port the application expects.

This also can apply to legacy client/server applications. These applications are typically difficult or impossible to support with traditional security products. TAC not only supports these legacy applications, but also simplifies the entire experience for the end users, making it conform to the way you choose to authenticate your users. You can also add security options like multi-factor authentication to your existing legacy applications with just the click of a button.

You gain all the benefits of the simple, strong security that TAC’s Zero Trust Access Control provides. For users, it’s just another app that they access through the TAC portal, using its powerful single sign-on capabilities.

File Shares

The standard way organizations allow employees to access files remotely is through a VPN, usually an IPSec-based VPN that provides a site-to-site tunnel. That potentially gives the user access to any resources hosted at the site, with little to no security vetting beyond the VPN password.

Total Access Control takes a more measured, secure Zero Trust Access Control approach. It provides a file access application that is subject to all the same security policies as your end users would have when accessing files locally. Users log on to the app and see only those folders and files they are authorized to access. Your security policies can also dictate what level of access your end users should be given based on the full context of their access.

Users seeking access from a company-owned laptop via a secure Wi-Fi connection may be allowed to upload files and pull them down. However, a user logging in from their own smartphone via a cellular connection may be allowed to only view files, but not upload or download them.
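The context-dependent decisions described above (the analyst on public Wi-Fi, the two SharePoint instances and the file-share case), sketched as an added example. This is not PortSys code or TAC's configuration format; the policy fields, network labels, application names and the two rules marked as assumptions are hypothetical.

```python
from dataclasses import dataclass

ALL = frozenset({"private", "public", "cellular"})  # hypothetical network labels

@dataclass(frozen=True)
class Context:
    """Attributes of one access request, gathered after the password check."""
    mfa_passed: bool
    company_owned: bool
    network: str

@dataclass(frozen=True)
class AppPolicy:
    require_mfa: bool = False
    transfer_needs_company_device: bool = False
    access_networks: frozenset = ALL     # networks allowed to connect at all
    transfer_networks: frozenset = ALL   # networks allowed to upload/download

# Constructed rules mirroring the scenarios in the text.
POLICIES = {
    "sharepoint-public": AppPolicy(),
    "sharepoint-internal": AppPolicy(require_mfa=True,
                                     transfer_needs_company_device=True),
    # Assumption: transfers only from company devices on a private network.
    "file-share": AppPolicy(transfer_needs_company_device=True,
                            transfer_networks=frozenset({"private"})),
    # Assumption: the financial app is reachable from private networks only.
    "finance": AppPolicy(require_mfa=True,
                         access_networks=frozenset({"private"})),
}

def decide(app: str, ctx: Context) -> str:
    """Return "deny", "view-only" or "full" for one request."""
    policy = POLICIES.get(app)
    if policy is None:
        return "deny"  # default deny: unlisted applications are unreachable
    if ctx.network not in policy.access_networks:
        return "deny"
    if policy.require_mfa and not ctx.mfa_passed:
        return "deny"
    if policy.transfer_needs_company_device and not ctx.company_owned:
        return "view-only"
    if ctx.network not in policy.transfer_networks:
        return "view-only"
    return "full"
```

The checks run from most to least restrictive outcome, and an unknown application or an unrecognized network label falls through to "deny" rather than to access.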

The level of granularity that TAC's Zero Trust Access Control provides is simply not possible with the VPN technology typically in use today.
