Claiming you can reduce attack surfaces by up to 95% is bold for anyone in today’s cyber security environment, but that’s exactly what Cryptzone are saying in their latest release.
The release announces the launch of AppGate XDP and is focused on managing access control across cloud and on-premises systems. AppGate XDP uses what Cryptzone claims is dynamic attribute-based control that determines access across cloud, virtual and physical infrastructures.
Jason Garbis, Cryptzone Vice President of Products, said: “With AppGate XDP, customers can now benefit from dynamic, automated access control for infrastructure-as-a-service cloud environments; secure, multi-tenant cloud access management; and smoother enterprise cloud adoption by securing and abstracting network access based on policies and attributes.”
What does AppGate XDP do?
The majority of access control systems allow a user to see resources that they don’t have access to. It can tempt the curious into trying to access directories and often leads to support calls such as: “If I can see it why can’t I access it?” Attempts to access directories also result in security alerts. The problem is that there are so many security alerts that this part of the security process is ignored.
There is a more serious issue with displaying everything. Hackers are not interested in the vast amount of data on machines. They understand that they often have a short window to attack computer systems and steal data. If they are able to walk the file directories to find those that are of interest, it helps them speed up their attack by refining their targets.
AppGate XDP is claiming that it can prevent this. Under AppGate XDP everything remains hidden until the user has been granted access rights. As a result, it stops people trying to see what is in a directory and prevents hackers from easily finding their targets. It is a simple approach, but one that is extremely difficult, if not impossible, to implement with other solutions.
Five key features to protect data
According to the press release, AppGate XDP has five key features. It:
- Is specifically designed to address the more dynamic and real-time nature of cloud-based resources
- Ensures that all resources (whether on-premises, private or public cloud) remain invisible until authorized using newly-patented technology
- Detects new server instances being created within the cloud, and automatically adjusts user access rights based on a combination of server attributes and user context
- Introduces centralized dynamic, attribute-based controls that determine access across physical, virtual and cloud infrastructures for consolidated access management
- Reduces cost, complexity and effort for configuring third-party access, privileged user access and cloud infrastructure management
Changing access rights a major challenge for IT
One of the challenges will be taking the existing Directory Services that customers are using and integrating them into AppGate XDP. A key reason that many people in an organisation have too much access is that when they change jobs or stop being part of a collaboration group, their access rights are never withdrawn. This means that to deploy the fine-grained approach that AppGate XDP offers, IT will have to spend time tuning the system.
This brings its own problems. While users accept that security needs tightening, it is much harder to remove access from someone than it is to grant it. Users will make excuses as to why they still need access to a directory that they haven’t used for years, just in case they might want to look something up.
This is where the dynamic approach of AppGate XDP will be interesting. Rather than rely solely on a directory service, which can be compromised, AppGate XDP verifies each session using a number of different user variables before a user gets access to an application. One of the pain points early on for new customers will be dealing with mobile users.
These users are likely to be accessing resources from unknown locations such as coffee shops, hotels, airport lounges or even the home WiFi of friends and colleagues. This means that the IT teams will need to find a balance between denying access from unknown locations and allowing users more latitude while AppGate XDP learns about them.
What Cryptzone are promising sounds very interesting. How it will work across a range of companies will take time to understand. Large enterprises should be able to implement and manage it relatively easily, although denying access will be a pain point.
SMEs, however, will need support from their cloud and hosting providers. What isn’t clear here is whether Cryptzone are likely to address that market. If they do, and they can prove that the ‘segment of one’ approach they talk about works in a multi-user environment, there will be a lot of real interest in the product.