cryptzone appgate technical architecture
TRANSCRIPT
AppGate Technical Architecture
Individualized perimeter for each user
What Does AppGate Look Like?
2
Fine-grained authorization for on-premises and cloud
What Does AppGate Look Like?
3
Dynamically adjusts to new cloud server instances
What Does AppGate Look Like?
4
Consistent access policies across heterogeneous environments
What Does AppGate Look Like?
Contextual awareness drives access and authentication
What Does AppGate Look Like?
6
AppGate Architecture
ControllerAuthentication and
token-issuing service
Distributed Architecture
with 3 FunctionsGateway
Distributed, dynamic access control
LogServerProvides secure logging services
7
VirtualNetworkAdapter
Secure, Encrypted Tunnel
AppGate Policy Model
8
Filter Entitlement
ConditionAttributes
A Policy-Centric Approach• Controller applies filters to
decide which policies apply upon authentication
• All the permitted entitlements are applied to the user
• Resulting entitlements and conditions are embedded in a token
Site 2
Site 1
Site 3
Database Database
Controller
LogServer
SalesSystem
RDP AccessWeb Staging
SSH
9
FinanceApp
DatabaseFinanceApp
Entitlements
Definition of the protected resource
10
Filters
Determine which users are allowed access
11
Conditions
Determine howand when users can access resources
12
Attributes
User, device and context information
13
AppGate
14
DEVICE TIME
CUSTOMATTRIBUTES ANTI-VIRUS
LOCATIONAPPLICATIONPERMISSIONS
Looks at both context and identity to grant access1
AppGate
15
DEVICE TIME
CUSTOMATTRIBUTES ANTI-VIRUS
LOCATIONAPPLICATIONPERMISSIONS
Managed NetworksCloud, On-premises or Hybrid
SharePoint Secured Email
CRM Group File Share
Executive Files
Enterprise Finance
\\EXEC_SER
VER
Looks at both context and identity to grant access1
Creates dynamic ‘Segment of One’ (1:1 firewall rule)2
ENCRYPTED & LOGGED ERP
AppGate
16
DEVICE TIME
CUSTOMATTRIBUTES ANTI-VIRUS
LOCATIONAPPLICATIONPERMISSIONS
Managed NetworksCloud, On-premises or Hybrid
Looks at both context and identity to grant access1
Creates dynamic ‘Segment of One’ (1:1 firewall rule)2
Makes everything else invisible3
ENCRYPTED & LOGGED ERP
AppGate
17
DEVICE TIME
CUSTOMATTRIBUTES ANTI-VIRUS
LOCATIONAPPLICATIONPERMISSIONS
Managed NetworksCloud, On-premises or Hybrid
Looks at both context and identity to grant access1
Creates dynamic ‘Segment of One’ (1:1 firewall rule)2
Makes everything else invisible3
Adjusts automatically to changes in posture and infrastructure4
ENCRYPTED & LOGGED ERP
AppGate Benefits
18
Creates an identity before connecting to anything on the network
Removes attacks including zero day, DDOS and lateral movement
The Cloud Fabric can now be extended all the way to the user and device
Leverages legacy applications by extending the SDP Architecture
No longer need traditional network defense equipment (Firewall, VLAN, VPN, etc.)
• Identity-centric security • Policies on user and cloud instances
Identity-Centric Network Security
