InstaSafe Secure Access Architecture

Product Overview

InstaSafe Secure Access (ISA) is an enterprise remote access solution based on a software-defined perimeter (SDP) and delivered as a service. It gives enterprises a simplified setup to secure and manage application access.

ISA grants users access only to the applications they are authorized to use. The platform allows businesses to create and manage secure networks for their remote teams, with features such as multi-factor authentication, user access controls, network segmentation, and geolocation. This approach provides secure, isolated network segments for specific groups of users and devices, rather than relying on traditional network-based access controls.

ISA is designed to provide secure, flexible, and easy-to-manage remote access for businesses, with the emphasis on security of data and networks.

The use cases for ISA are:

Remote Access Connectivity to corporate applications - Allows users to connect to a corporate network and access applications from a remote location.

Remote Access Connectivity to cloud hosted applications - Allows remote users to securely access applications hosted in a public or private cloud.

Site-to-Site Connectivity - Allows services or applications in two or more sites to communicate with each other. Example: branch office to main office connectivity, or branch office to branch office connectivity.

Cloud to Cloud Connectivity - Used for inter-cloud or intra-cloud connectivity. A gateway deployed in each entity ensures that services across cloud regions or platforms can communicate with each other.

Application to Application Connectivity - Allows a specific application to connect to another application. For example: web application to database connectivity, or application to application replication or inter-communication.

Product Architecture

The InstaSafe Secure Access (ISA) Architecture consists of 3 planes.

  1. Management Plane

  2. Control Plane

  3. Data Plane

Management Plane

The management plane refers to the set of functions used to configure, monitor, and manage ISA. It comprises the cloud-based web console for Operations, Administration and Management (OAM) of ISA. The console provides centralized management and control of access to resources and enforces security policies. Because policies are updated centrally and take effect dynamically, the security posture can be adapted as requirements change.

InstaSafe implements Role-Based Access Control (RBAC), also known as Role-Based Security (RBS). In this access control model, permission and access rights are assigned to users based on their role or job function within the organization. The roles are defined and assigned to users, and each role has a set of associated permissions or access rights. When a user tries to access a resource, the system checks the user's role and compares it to the permissions associated with that resource. If the user's role has permission to access the resource, access is granted, otherwise it is denied.

Control Plane

The Control Plane refers to the set of functions and processes responsible for authentication and authorization. The assumption is that all incoming network traffic is untrusted until it is verified as coming from an authenticated and authorized user.

It acts as the gatekeeper for all access to the protected resources and enforces the security policies. It creates a secure perimeter around a network and admits only authorized users, after they have been authenticated and authorized. It verifies the User Agent using the username and password, Geo Binding, Device Binding, Device Checks, and multi-factor authentication (MFA).
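The following is an added illustration, not InstaSafe's code, of how the control-plane checks listed above (password, Geo Binding, Device Binding, Device Checks, MFA) and the RBAC model from the Management Plane section combine into a single default-deny decision. All role names, user records, the fixed salt and the field names are constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data (not InstaSafe's data model): roles -> permitted applications.
ROLE_PERMISSIONS = {"finance": {"erp", "payroll"}, "developer": {"gitlab", "ci"}}
SALT = b"constructed-fixed-salt"  # a real directory stores a random salt per user

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass(frozen=True)
class UserRecord:
    role: str
    password_hash: bytes
    bound_device: str           # Device Binding: the one enrolled device ID
    bound_countries: frozenset  # Geo Binding: countries the user may connect from

@dataclass(frozen=True)
class AccessRequest:
    username: str
    password: str
    device_id: str
    country: str
    device_compliant: bool  # outcome of the Device Checks (posture) step
    mfa_passed: bool        # outcome of the MFA step
    resource: str           # application the user agent asks to reach

def evaluate(directory: dict, req: AccessRequest) -> tuple:
    """Control-plane decision: traffic is untrusted until every check passes."""
    user = directory.get(req.username)
    if user is None:
        return False, "unknown user"
    presented = hash_password(req.password, SALT)
    checks = [
        (hmac.compare_digest(presented, user.password_hash), "bad password"),
        (req.country in user.bound_countries, "geo binding violated"),
        (req.device_id == user.bound_device, "device binding violated"),
        (req.device_compliant, "device checks failed"),
        (req.mfa_passed, "mfa failed"),
        (req.resource in ROLE_PERMISSIONS.get(user.role, set()), "role lacks permission"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason  # first failure ends evaluation; the default is deny
    return True, "allow"

def build_directory() -> dict:
    alice = UserRecord("finance", hash_password("s3cret", SALT), "laptop-001", frozenset({"IN"}))
    return {"alice": alice}
```

A request that passes every identity and device check but names an application outside the user's role is still denied, which is the RBAC step the Management Plane section describes.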

Data Plane

The Data Plane refers to the set of functions and processes responsible for the actual transmission of data between the user and the protected applications.

Once a user has been authenticated and authorized by the control plane, the data plane creates a secure, encrypted tunnel between the user's device and the Gateway, through which the protected applications are reached. It is responsible for maintaining data confidentiality and data integrity, using encryption and hashing respectively.