
Integrating the Corporate Editions

The feedback we receive the most is a question similar to, "How do we integrate this into our existing access control systems?" This typically comes from companies where access control relies heavily on known endpoints: endpoints that have been enrolled in an MDM or UEM system and whose signatures exist in their access control systems like ISE.

Using SAEOS to augment your remote access solution should not change that approach. If you have deployed assets, inventoried and hardened them, and validate them during remote access requests... perfect, you are ahead of the game! But in this time of unknown scale and quantity, you may need something to allow for elasticity.

You have to weigh allocating this unbudgeted spend to modernizing your infrastructure or to endpoints you may not need in 3 to 4 months.

SAEOS will never function like your endpoints and is not meant to replace them or the controls you have in place. Instead, you should treat SAEOS as a new type of endpoint. Once your VAR customizes the image to your liking, let your asset control system identify it. You should create access profiles that allow only presentation layer traffic. This ensures you have complete control over the compute environment and any egress points can be controlled on the server side. SAEOS becomes the secure viewer to your presentation layer.

For those companies using SaaS platforms like Office 365 and Salesforce, use their built-in controls alongside your NAC rules and profiles to enforce data classification, access and governance rules. You can configure Office 365 and Salesforce to only allow logins from your corporate proxy public IP addresses or cloud PoPs like Prisma Access and Zscaler. Once an employee connects to the VPN from SAEOS, the NAC profile and associated rules can allow traffic from the SAEOS client through to the SaaS platform. SaaS controls, along with a CASB, can ensure only certain classes of data are downloaded to the SAEOS client, keeping in mind that the SAEOS Regulated Remote Worker client does not allow local storage.

You can even apply VPN policies to the SAEOS profile that prevent split tunneling and force all traffic over your VPN. To add to that, we can apply web filtering similar to the Kids Edition that only allows web traffic from the SAEOS image to certain SaaS providers or internal URLs, ensuring ALL traffic is inspected and routed in compliance with your corporate security policies. The combinations of controls are endless!
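The profile described above (presentation-layer traffic only, SaaS reached only through corporate egress addresses, no split tunneling) can be audited against flow records from SAEOS-class endpoints. This is an added example, not SAEOS or vendor code; the ports, subnets, field names and sample flows are constructed assumptions.

```python
import ipaddress

# All values are constructed for illustration (assumptions, not product defaults).
PRESENTATION_PORTS = {3389, 1494, 2598}            # RDP, Citrix ICA, ICA session reliability
VDI_NET = ipaddress.ip_network("10.20.0.0/24")     # hypothetical VDI subnet
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]  # stands in for proxy / cloud PoP public IPs
SAAS_HOSTS = {"login.microsoftonline.com", "login.salesforce.com"}

def audit_flow(flow):
    """Return the list of profile violations for one flow record."""
    violations = []
    # Anything not carried by the VPN interface means split tunneling is in effect.
    if flow["iface"] != "vpn":
        violations.append("split-tunnel")
    if flow.get("dst_host") in SAAS_HOSTS:
        # SaaS logins must arrive from an address the SaaS tenant allow-lists.
        egress = ipaddress.ip_address(flow["egress_ip"])
        if not any(egress in net for net in CORP_EGRESS):
            violations.append("saas-not-via-corp-egress")
    else:
        # Everything else must be a presentation protocol to the VDI subnet.
        dst = ipaddress.ip_address(flow["dst_ip"])
        if not (dst in VDI_NET and flow["dst_port"] in PRESENTATION_PORTS):
            violations.append("non-presentation-traffic")
    return violations

def audit(flows):
    """Map flow index -> violations, keeping only flows that break the profile."""
    results = {i: audit_flow(f) for i, f in enumerate(flows)}
    return {i: v for i, v in results.items() if v}

# Constructed sample flow records (hypothetical field names).
SAMPLE_FLOWS = [
    {"iface": "vpn", "dst_ip": "10.20.0.15", "dst_port": 3389},
    {"iface": "vpn", "dst_host": "login.salesforce.com", "dst_port": 443,
     "egress_ip": "203.0.113.5"},
    {"iface": "wlan0", "dst_host": "login.microsoftonline.com", "dst_port": 443,
     "egress_ip": "198.51.100.7"},
    {"iface": "vpn", "dst_ip": "10.30.4.9", "dst_port": 445},
]

if __name__ == "__main__":
    for index, found in audit(SAMPLE_FLOWS).items():
        print(index, found)
```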

Ephemeral Adaptation at its finest.