Cyflare’s One Converged Security Platform (formerly SOC In A Box) service deploys managed appliances to end user networks via their channel partners. Cyflare needed a more secure way than SSH to remotely manage the devices.
Secure Access: SSH vs ZTNA
Cyflare has hundreds of appliances deployed to customers globally for remote security monitoring and management services.
While looking for a product to replace the default SSH access for appliance administration, Cyflare found TransientX’s TransientAccess. Cyflare’s goals were to:
- Implement a zero-trust model
- Move away from SSH
- Limit each person’s access to the minimum set of resources they need
- Reduce support overhead
The default manner of remotely managing the Cyflare appliances was via SSH. This came with a host of usability and security challenges: SSH was complicated to set up securely and to manage, and partners and customers often lacked the expertise to do so.
Now they simply log in through the TransientAccess disposable container client. Policies set by Cyflare ensure they have visibility only to the appliances they are allowed to access. Cyflare automated a simple provisioning process that scales and enforces the least privilege principle for who can access what.
“Moving to TransientAccess allowed us to focus more on our core services and worry less about the risk of a breach. Implementation of the solution is simple and requires no involvement from our customers. We practice what we preach, delivering for our customers a security management and monitoring solution that is itself truly secure from end to end.” – Evan Hausle, Director of Sales Engineering
As part of their search for a solution, Cyflare explored how they could implement true Zero Trust Network Access. Moving to VPNs was not an option, as that would have created a whole new set of security issues. As part of the move to ZTNA, Cyflare was also able to discontinue some legacy VPNs that were in place for other uses.
ZTNA Solution Evaluation: Transient Access
They evaluated other ZTNA solutions on the market, but found shortcomings with all the alternatives. Some products:
- Passed traffic through the vendor’s own systems (creating regulatory and compliance issues)
- Were limited to web-based applications only
In addition to the technical advantages of TransientAccess, Cyflare selected TransientX because of the confidence in the team and the level of support they received.
Beyond replacing SSH, Cyflare also required the ability to host their own Controllers in order to deliver flexible provisioning for partners. The ease of deployment and the support for different deployment options were further key factors in selecting TransientAccess.
Betek, with 2000 employees in 16 countries, chose TransientAccess to replace its legacy VPN with Zero-Trust Network Access (ZTNA), allowing them to use remote clients, SAP in particular, with confidence.
While looking for a product to replace their current VPN solution and secure remote workers, Betek found TransientX’s TransientAccess based on a recommendation from their partner, Maya ICT, one of Turkey’s leading MSSPs. Maya ICT had already incorporated TransientAccess into their cloud security offering for customers. Betek’s goals were to:
- Implement a zero-trust model
- Secure remote workers with ZTNA and eliminate the VPN
- Provide granular control of remote network access between offices
- Provide secure access by 3rd parties to in-house SAP apps without a VPN
- Implement micro-segmentation of critical apps
- Create and manage application-based user policies within minutes
- Support private cloud and hybrid architectures
As part of their search for a solution, Betek explored how they could implement microsegmentation of their critical applications with their existing systems, but could not fully support this for end users. Managing the many different user profiles needed to partially control access to their VPNs was time consuming and difficult.
This solution was not scalable and was difficult in terms of change management. Moreover, they had to support a wide variety of their customers’ IT architectures, including private cloud and hybrid architectures.
“TransientAccess is very easy to use, but the main benefit is that it provides very powerful control with the features it provides. They made it possible to define a variety of policies for different groups with different needs. We could not find any other alternative system that met our needs as we define various policies for all our users. It provides security so easily.” – Feza Zengin, IT Manager at Betek
ZTNA, NAC, SDP, RDP, VPN: Making sense of the remote access alphabet soup.
Zero Trust Security is a hot topic and with good reason. But what does it really mean in practice, when applied to solving remote access security challenges? In this post we provide an introduction on Zero Trust Security as it applies to Network Access (ZTNA) to help sort it out.
Before Zero Trust, a user or device was validated as having the correct credentials and the right to access the network. Once that step was complete the user or device had a wide open path to the network and resources. To mitigate the risk that a valid user would access systems they weren’t supposed to, role-based access control (or RBAC) was implemented. In theory this worked in conjunction with least-privileged access (the Principle of Least Privilege or PoLP) so that users were only granted access to the resources they needed and nothing more.
VPNs – Virtual Private Networks – are the ubiquitous technology for providing remote users access to enterprise resources. However, they are a network-layer technology, meaning that once the user is validated and logged in, the user’s device has an open network connection to the corporate network. To mitigate the security risk of this open pipe, in addition to RBAC and PoLP, enterprises deploy Network Access Control (NAC) to first verify that a given device has the correct security posture: is the device itself allowed, independent of the user? Is it running up-to-date AV and has it passed a scan? And so forth.
Once a user has logged in to the VPN client and the device has passed the NAC security check, one of the most commonly accessed resources is a remote desktop, most often over Remote Desktop Protocol (RDP). Although RDP is a proprietary Microsoft protocol, it does have cross-platform support for non-Windows devices.
That, in essence, is the technology stack most widely deployed in enterprises today to enable remote access: VPN clients on devices validated by NAC, with users granted access to resources (including remote desktops over RDP) according to RBAC and PoLP.
Zero Trust Network Access (ZTNA) offers a simpler, more secure alternative vision. ZTNA turns the existing paradigm on its head – rather than opening up a wide pipe and then retroactively finding ways to narrow it down, ZTNA assumes no device or user should be trusted, and no access is granted by default except that explicitly required, and only for the duration it is required.
This is critical in a world where there is no fixed perimeter any more, but rather a software-defined perimeter (SDP).
TransientAccess takes ZTNA and SDP a step further, delivering true app-to-app connectivity over disposable networks. That is, there is never a device to device connection, nor is a user validated for anything more than what the user needs access to for the time the user is accessing it.
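To make the contrast in the preceding paragraphs concrete, the following is an added illustration written for this page, not TransientX’s code or any vendor’s implementation. It models the legacy path (authenticate once, then every application on the network is reachable, with RBAC and NAC layered on afterwards) beside a zero-trust evaluation in which nothing is reachable by default and a grant is issued only for one named application, only if the device passes a posture check, and only for a bounded time window. The policy tables, device attributes, user and application names, and the 30-minute grant lifetime are all constructed assumptions for the example.

```python
"""Added example: legacy VPN reachability versus a default-deny ZTNA grant.

Everything here (policy tables, posture fields, names, TTL) is constructed
for illustration; it is not a real product's policy format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                   # enrolled/managed device (assumed posture attribute)
    av_signatures_age_hours: float  # hours since the last AV signature update
    last_scan_clean: bool           # result of the most recent malware scan


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    device_id: str
    expires_at: datetime


# Constructed sample policy: role -> apps it may reach, user -> roles held.
ROLE_APPS: Dict[str, Set[str]] = {
    "sap-finance": {"sap-erp"},
    "appliance-admin": {"appliance-console"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"sap-finance"},
    "bob": {"appliance-admin"},
}
ALL_APPS: Set[str] = {"sap-erp", "appliance-console", "file-server", "hr-portal"}
MAX_AV_AGE_HOURS = 24.0
GRANT_TTL = timedelta(minutes=30)   # access exists only for the time it is needed

# Constructed fixtures used by the demo below.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
HEALTHY_LAPTOP = Device("lt-001", managed=True, av_signatures_age_hours=3.0, last_scan_clean=True)
STALE_LAPTOP = Device("lt-002", managed=True, av_signatures_age_hours=72.0, last_scan_clean=True)


def posture_ok(device: Device) -> bool:
    """NAC-style posture check: managed device, fresh AV signatures, clean last scan."""
    return (device.managed
            and device.av_signatures_age_hours <= MAX_AV_AGE_HOURS
            and device.last_scan_clean)


def legacy_vpn_reachable(authenticated: bool) -> Set[str]:
    """Network-layer model: once logged in, the device can reach every app;
    narrowing has to happen afterwards through RBAC and NAC."""
    return set(ALL_APPS) if authenticated else set()


def ztna_request(user: str, app: str, device: Device, now: datetime) -> Optional[Grant]:
    """Default deny. A grant is issued only when one of the user's roles explicitly
    includes the requested app and the device passes posture; the grant is bound
    to that user, that app and that device, and carries an expiry."""
    roles = USER_ROLES.get(user, set())
    allowed: Set[str] = set().union(*(ROLE_APPS.get(r, set()) for r in roles))
    if app not in allowed:
        return None
    if not posture_ok(device):
        return None
    return Grant(user=user, app=app, device_id=device.device_id, expires_at=now + GRANT_TTL)


def ztna_reachable(grant: Optional[Grant], app: str, device: Device, now: datetime) -> bool:
    """A grant covers exactly one app on one device and stops working at expiry."""
    return (grant is not None
            and grant.app == app
            and grant.device_id == device.device_id
            and now < grant.expires_at)


if __name__ == "__main__":
    print("VPN model after login:", sorted(legacy_vpn_reachable(True)))
    g = ztna_request("alice", "sap-erp", HEALTHY_LAPTOP, T0)
    print("ZTNA grant:", g)
    print("sap-erp reachable now:", ztna_reachable(g, "sap-erp", HEALTHY_LAPTOP, T0))
    print("file-server reachable:", ztna_reachable(g, "file-server", HEALTHY_LAPTOP, T0))
    print("sap-erp at expiry:", ztna_reachable(g, "sap-erp", HEALTHY_LAPTOP, g.expires_at))
    print("stale device request:", ztna_request("alice", "sap-erp", STALE_LAPTOP, T0))
```

The point the code makes is structural: in the legacy path the access decision happens once and yields network-wide reachability, so every later control is a narrowing of something already open; in the zero-trust path the decision is made per request, per application, per device, and expires on its own, so a missing policy entry or a failed posture check means there is simply nothing to narrow.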
TransientX has a unique approach to Zero Trust Network Access (ZTNA):
- A lightweight agent, creating a disposable virtual network connecting the local app to the enterprise resource on-prem or in the cloud.
- A “Transient Virtual App Network”
This approach means TransientX can deliver on the promise of truly secure remote access for an organization’s workforce and business partners. Learn more in our intro video, contact us to get TransientAccess now or scroll below for further reading:
TransientAccess delivers true Zero Trust Network Access for the Fenerbahce Sports Club
With over 5000 employees and more than 300,000 members, Fenerbahce is one of the largest multi-sport clubs in Turkey and is a major retailer in its own right.
With their dedicated fan bases, legal and illegal betting riding on game results and big revenue streams, professional sports clubs are among the most targeted companies by hackers. Successful attacks can have devastating effects on company operations and reputation.
An organization’s viability can be imperiled because of damage caused by IP loss. For an organization like Fenerbahçe, SAP is the most important digital asset to defend. Protecting such a high value asset means going beyond traditional security paradigms. Most organizations deploy multiple security layers to protect SAP data, such as NGFWs, AV, MFA along with robust IT security policies. Yet all these steps can still leave holes that need to be closed.
FC Fenerbahce relies heavily on SAP for all business-critical processes. Its executives and security teams carry out these processes knowing that the business revolves around this information. They are also aware of hidden dangers such as user access, file downloads, and data leaks that can occur through data streaming. It therefore became critical to implement solutions that monitor and prevent such leaks.
“After a detailed product assessment, in-depth presentations and a pilot project to measure performance in our company’s environment, TransientAccess demonstrated reliability and effectively demonstrated its value in providing SAP access and data security.” – Bülent Kaçmaz, CTO, FC
Securing remote access for SAP with ZTNA
TransientAccess is able to proactively eliminate threats such as data loss and ransomware attacks by providing users with an operational convenience they have not experienced before.
As a result, TransientAccess provides proactive protection against commercial damage by ensuring data protection and facilitating secure operational processes. Thanks to the micro-segmentation feature of TransientAccess, only relevant users are authorized to access company data in the relevant SAP modules. IT Managers can now see ‘who’ can access ‘which’ data from the SAP system and make sure that this data is securely encrypted, even outside the company.