Author: Roman Arutyunov, Co-Founder and SVP Products, Xage Security
Today’s operations rely on partners, vendors, and suppliers to provide services like maintenance and process optimization. Enabling these users and their application tools to access assets is challenging. When a technician needs to use a specialized application that’s installed on their personal laptop to access an asset deep inside an operational site, or a critical ERP system or database, how do you maintain security while still providing the access they need?
One option is a VPN, but that approach is problematic: remote users are granted excessively broad access to everything, which exposes your high-impact assets to too much risk. With zero trust setting a high bar for managing access, you need tighter control without added risk or operational friction. With Xage you can securely enable specialized applications running remotely to communicate with only the OT and IT assets they need.
Xage Supports Zero Trust Access for Desktop Applications
Xage zero trust remote access allows desktop apps widely used in OT, sometimes called client-server applications, such as Studio 5000 and ROClink, to remotely connect to exactly the assets needed and no more. Users connect easily, without the headaches of managing VPNs and agent-based solutions, which can require changes to firewall rules or network configuration that expose your organization to risk.
Xage doesn’t require the installation of any new clients or agents, and you can keep your firewall rules and network configuration tightly secured. Instead, it taps into the built-in clients on Windows, Mac, or Linux machines, then adds a layer of granular control and security by forming a Xage Zero Trust Containment Point. This security overlay provides both zero trust access and asset protection that would otherwise be absent with typical VPN-based network access. You get SSO and MFA across all layers and devices, even for devices with no built-in support for these critical security capabilities.
Key Benefits
- Get secure remote access and privilege management for third parties, vendors, and service providers to use the apps they need.
- Allow the use of desktop or client-server type apps to remotely access assets without granting the broad access of VPNs or needing agents—and get the ability to terminate sessions when malicious activity is suspected.
- Enable MFA to secure all remote access, including when remote users are connecting their own locally installed desktop apps directly to assets.
See a Demo of Zero Trust Access for Desktop Applications
See how it works in this demo video.
How It Works
- The user logs into the Xage Fabric, then establishes a direct connection from the user’s laptop (or third-party device) to the zero trust containment point in the Fabric. The containment point can be in the cloud, IT, iDMZ, or OT.
- Xage checks the user’s authorization to access the target edge system, then creates zero trust tunnels in the Xage Fabric, restricting access to individual assets and protocols per policy. Zero trust tunnels are protected by signatures secured in the Fabric and by optional multi-layer MFA.
- The user works directly with the target system using desktop apps on the user’s laptop, while the Fabric maintains separation of the laptop from the rest of the OT, IT, and cloud networks.
Securely Connect with Xage
With Xage, you get a highly secure connection with granular access controls so you can move quickly to grant frictionless remote access even to your most critical OT assets, without compromising on cybersecurity.
Privileged Remote Access Doesn’t Have to Increase Risk
In the past, granting remote access with all the functionality needed meant making security compromises. A remote technician from a third party, service provider, or OT vendor might need to connect to a specific PLC, but using a VPN to do that meant granting access to a whole group of assets. With Xage you can follow zero trust principles, connecting them only to exactly what’s necessary. You can terminate a session initiated from any of these apps at any time, and the user loses access to all assets as soon as their access duration runs out or their session is terminated.
Using the Xage Fabric also lets you use managed accounts and MFA, managed at each layer, to access assets in those layers, even when the assets do not support an IdP (identity provider) or AD (Active Directory). That remote technician can be assigned specific and limited access per your policies. Plus, all activity is logged with the context of user and device identity, so any errors or suspicious activity can be reviewed immediately and forwarded to a SIEM for later investigation as needed.
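The flow in How It Works, together with the time-bound access, session termination, and user-and-device-context logging described above, as an added example that is not Xage's code: a toy containment-point broker in Python. The Grant and Session types, the ContainmentPoint class, the mfa_ok and clock callbacks, and the asset and protocol names are all constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Grant:  # one policy line: this user may reach this one asset over this one protocol for ttl_s seconds
    user: str
    asset: str
    protocol: str
    ttl_s: int

@dataclass
class Session:  # one open zero trust tunnel, bound to a grant and to the connecting device
    grant: Grant
    device: str
    expires_at: float
    active: bool = True

class ContainmentPoint:  # hypothetical broker: authorises, opens the tunnel, logs every decision
    def __init__(self, grants, mfa_ok, clock):
        self.grants = {(g.user, g.asset, g.protocol): g for g in grants}
        self.mfa_ok = mfa_ok  # callable(user) -> bool; stands in for the MFA layer (assumed)
        self.clock = clock    # callable() -> seconds; injected so tests can advance time
        self.sessions, self.audit = {}, []

    def _log(self, **event):
        self.audit.append({"t": self.clock(), **event})  # user and device context on every event

    def open_tunnel(self, user, device, asset, protocol):
        grant = self.grants.get((user, asset, protocol))
        if grant is None or not self.mfa_ok(user):
            self._log(event="deny", user=user, device=device, asset=asset, protocol=protocol)
            return None
        sid = len(self.sessions) + 1  # sessions are never deleted, so this stays unique
        self.sessions[sid] = Session(grant, device, self.clock() + grant.ttl_s)
        self._log(event="open", session=sid, user=user, device=device, asset=asset, protocol=protocol)
        return sid

    def forward(self, sid, asset, protocol):  # per-request check: only the granted asset/protocol pair passes
        s = self.sessions.get(sid)
        if s is None or not s.active or self.clock() >= s.expires_at:
            if s is not None and s.active:
                self.terminate(sid, "expired")  # access ends when the granted duration runs out
            return False
        allowed = (asset, protocol) == (s.grant.asset, s.grant.protocol)
        self._log(event="allow" if allowed else "block", session=sid, user=s.grant.user, device=s.device, asset=asset, protocol=protocol)
        return allowed

    def terminate(self, sid, reason):  # operator kill switch; also used for expiry
        s = self.sessions.get(sid)
        if s and s.active:
            s.active = False
            self._log(event="terminate", session=sid, user=s.grant.user, device=s.device, reason=reason)
```

Every request inside the tunnel is re-checked against the single granted asset and protocol, so a second PLC or a different protocol on the same PLC is blocked and logged rather than silently reachable.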