How it works

Concepts

InstaSafe ZTAA is a Zero Trust-based, user- and device-aware secure remote access management platform that ensures the highest possible security posture for remote access to the network, devices, and applications. Its architecture keeps sophisticated operations simple and user friendly. It is fully adaptable to client-side tools and designed to work with everything in today's remote access ecosystem.

Upon login the user is presented with a simple dashboard from which they can access applications and devices with a single click. Each application access creates a unique encrypted tunnel to the application server.


An application can be shared over a containerized environment or as a thick-client application. Access can be fully governed via MFA and SSO services from InstaSafe or any third party.

ZTAA follows the client-initiated ZTNA architecture put forward by Gartner, NIST and CSA.


ZTAA Architecture 

The key concept of the ZTAA architecture is the security posture it offers while sharing the organization's assets remotely. It hides IT assets from unknown users and establishes a secure data tunnel with legitimate devices alone.

When an application is accessed, the ZTAA agent initiates two separate network connections from the user device: a control plane and a data plane.



The controller present at the control plane validates the user and device via MFA and performs device posture validation. It also enforces policies and authorizes the user's access to the allowed applications.

After authentication, the data plane carries the application data traffic from the user device (e.g. laptop, mobile phone) to the application server through an mTLS-encrypted tunnel. The application servers are hidden behind an SDP gateway, and only legitimate user devices can establish a TCP connection to it.

ZTAA offers a built-in user management platform, TOTP authenticator and SSO, along with support for third-party solutions for each of these.

An application can be quickly onboarded by adding the SDP gateway, the application and the user policies in the ZTAA controller user interface.


How ZTAA works


The solution supports two types of connectivity to the customer environment:

  1. SDP gateway for TCP connections at layer 7 for applications.

  2. Network gateway for port-, server- or network-level connectivity at layer 3 or layer 4. It also supports protocol-level connectivity for protocols such as SSH.

The gateway is protected by a default drop-all firewall. Only a packet received from a pre-identified user device is accepted, after which dynamic port access to the gateway is established. The gateway server is not visible to external users on the internet, so the complete infrastructure is protected.

Accessing an application takes 6 steps. They complete very quickly, so the user is unaware of the sophistication of the process.


  1. The user is first taken through a process of authentication. The process involves the usual username/password combination and a multi-factor authentication such as TOTP, email or SMS.

  2. For Zero Trust Access, the identity is a combination of the user and the device. Users, groups and policies are compared against the identity management software data and the defined policies. The security posture of the user device is also validated at this stage: the agent on the device shares the required, customizable data for the validation. This removes the need for NAC, since the same checks are performed here.

  3. Based on the policies for the authenticated user and device, the controller shares the list of applications the user may access. The list is received by the ZTA agent installed on the user device and shown to the user on their dashboard. The user can click on any of the applications (including thick apps, SSH, RDP and web-based apps) and access them with a single click.

  4. The ZTA controller informs the gateway about the user access, policies and allowed applications for the user. After this step the user can connect to any of the allowed applications via the gateway. This activity happens in parallel with step 3.

  5. When the user clicks on an application, the device shares the access request with the gateway. The gateway validates the network request, approves the connectivity and opens the TCP port access specifically for that user device.

  6. An encrypted tunnel is established between the user device and the gateway. The tunnel can be at the network layer 3 or at layer 7, depending on the type of gateway chosen. The completely contained tunnel ensures that the user cannot access other assets present on the same server or network.

User Experience

ZTAA users who need to access applications authenticate at the ZTAA agent, entering their password credentials and the OTP obtained via mobile app, email or SMS.

Upon login the user is presented with a dashboard of applications. Each can be accessed with a single click and supports SSO/SAML.


Admin Experience

Admins go through 4 steps while onboarding an application.

  1. Install a gateway server and ensure that the application server is reachable via a private network.

  2. Add the gateway and the application data in the SDP Controller UI.

  3. Add the users, groups and policies in the SDP Controller.

  4. Test end-user access and confirm that it works.



How Authentication Works

The ZTAA agent on the user device (laptop or mobile) presents the login screen where users are asked for their username, password and a second authentication factor.

The agent sends the user and device information to the SDP controller; in turn, the controller shares back the list of authorized applications and informs the SDP gateway about the user request.

The SDP gateway is protected by a drop-all firewall, so the SDP agent sends a single packet of authorization in order to get a TCP connection established with the gateway. At this point the agent can establish a secure tunnel with the SDP gateway and access the application.
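The six steps under "How ZTAA works" and the controller/gateway exchange in this section can be walked through end to end. The following Python is an added example written for this page, not InstaSafe's code: it simulates a controller that checks credentials, a TOTP second factor and device posture before telling a drop-all gateway which apps a device may reach, and a gateway that opens a port only for a correctly signed, fresh, unreplayed single packet of authorization naming an authorized app. The user directory, policies, per-device HMAC key, JSON packet format, posture fields and audit record shapes are all constructed assumptions.

```python
"""Constructed simulation of the ZTAA-style control-plane / data-plane flow.
Added example, not InstaSafe's implementation: all data and formats are made up."""
import hashlib
import hmac
import json
import struct

# --- constructed identity and policy data (assumed shapes, not the product's schema)
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),  # simulation only
        "totp_secret": b"12345678901234567890",                   # RFC 6238 test secret
        "groups": ["devs"],
    },
}
POLICIES = {"devs": ["git.internal:22", "jira.internal:443"]}   # group -> allowed apps
DEVICE_KEYS = {"laptop-01": b"device-key-01"}                   # enrolled device -> SPA key
POSTURE_REQUIRED = {"disk_encrypted": True, "os_patched": True}  # posture checks enforced


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, so the MFA step is real rather than stubbed."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Gateway:
    """Data plane. Default is drop-all: a port opens only for a device the controller
    has authorized, and only after a valid single packet of authorization (step 5)."""
    WINDOW = 30  # seconds of clock skew tolerated on the packet timestamp

    def __init__(self):
        self.allowed = {}         # device_id -> apps the controller authorized (step 4)
        self.seen_nonces = set()  # replay protection for SPA packets
        self.open_ports = []      # (device_id, app) pairs for which a port was opened

    def authorize(self, device_id, apps):
        self.allowed[device_id] = set(apps)

    def handle_packet(self, packet: bytes, now: int) -> bool:
        """True only for a well-formed packet signed by an enrolled device that is
        fresh, unseen and names an authorized app; everything else is dropped."""
        try:
            body, sig = packet.rsplit(b".", 1)
            claim = json.loads(body)
            key = DEVICE_KEYS[claim["device"]]
        except (ValueError, KeyError, TypeError):
            return False
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, sig):
            return False
        if abs(now - claim["ts"]) > self.WINDOW or claim["nonce"] in self.seen_nonces:
            return False
        if claim["app"] not in self.allowed.get(claim["device"], set()):
            return False
        self.seen_nonces.add(claim["nonce"])
        self.open_ports.append((claim["device"], claim["app"]))
        return True


class Controller:
    """Control plane: steps 1-4 (credentials + TOTP, posture, policy, gateway notification)."""

    def __init__(self, gateway: Gateway):
        self.gateway = gateway
        self.audit = []  # constructed audit trail, in the spirit of the Audit Log section

    def login(self, username, password, otp, device_id, posture, now):
        user = USERS.get(username)
        pw_ok = user is not None and hmac.compare_digest(
            user["pw_hash"], hashlib.sha256(password.encode()).hexdigest())
        if not pw_ok:
            self.audit.append(("auth_failed", username, device_id))
            return None
        if not hmac.compare_digest(totp(user["totp_secret"], now), otp):
            self.audit.append(("mfa_failed", username, device_id))
            return None
        if device_id not in DEVICE_KEYS or any(
                posture.get(k) != v for k, v in POSTURE_REQUIRED.items()):
            self.audit.append(("posture_failed", username, device_id))
            return None
        apps = sorted({app for g in user["groups"] for app in POLICIES.get(g, [])})
        self.gateway.authorize(device_id, apps)  # step 4: gateway learns who may connect
        self.audit.append(("login_ok", username, device_id, tuple(apps)))
        return apps  # step 3: the list the agent shows on the dashboard


def build_spa(device_id, key, app, now, nonce) -> bytes:
    """Agent side of step 5: the single packet of authorization sent to the gateway."""
    body = json.dumps({"device": device_id, "app": app, "ts": now, "nonce": nonce},
                      sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def run_flow(now: int = 1_700_000_000) -> dict:
    """Walk one user through the flow and return what each stage produced."""
    gw, key = Gateway(), DEVICE_KEYS["laptop-01"]
    ctrl = Controller(gw)
    posture = {"disk_encrypted": True, "os_patched": True}
    otp = totp(USERS["alice"]["totp_secret"], now)  # what the authenticator app shows
    apps = ctrl.login("alice", "correct horse", otp, "laptop-01", posture, now)
    pkt = build_spa("laptop-01", key, "git.internal:22", now, "nonce-1")
    return {
        "apps": apps,
        "opened": gw.handle_packet(pkt, now),    # valid packet: port opens
        "replayed": gw.handle_packet(pkt, now),  # same packet again: dropped
        "unauthorized": gw.handle_packet(
            build_spa("laptop-01", key, "hr.internal:443", now, "nonce-2"), now),
        "stale": gw.handle_packet(
            build_spa("laptop-01", key, "jira.internal:443", now - 300, "nonce-3"), now),
        "bad_posture": ctrl.login("alice", "correct horse", otp, "laptop-01",
                                  {"disk_encrypted": False, "os_patched": True}, now),
        "open_ports": gw.open_ports,
        "audit": ctrl.audit,
    }


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2, default=str))
```

Running the file prints one pass through the flow. Every rejected case (replayed packet, stale timestamp, app outside policy, failed posture) comes back as a silent drop or a refused login, which is the default-deny behaviour the page describes; the real product's packet format and posture data are not public here, so those parts are stand-ins.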

Audit Log

ZTAA maintains an audit log of everything happening inside the environment. The audit log consists of the users' application access activities, and authentication configuration and history.



