Skip to content

Architecture

High Level Architecture

The InstaSafe Secure Access (ISA) Architecture consists of 3 planes.

  • Management Plane
  • Control Plane
  • Data Plane

Management Plane

The Management Plane refers to a set of functions to configure, monitor, and manage ISA. It comprises the cloud based web console for OAM(Operations, Administration and Management) of ISA. This provides centralized management and control of access to resources, and enforces security policies. This allows dynamic updates to security policies, to make it a more flexible and adaptive security approach.

InstaSafe implements the Role-Based Access Control (RBAC), also known as Role-Based Security (RBS). In this access control model, permission and access rights are assigned to Users based on their role or job function within the organization. The roles are defined and assigned to users, and each role has a set of associated permissions or access rights. When a user tries to access a resource, the system checks the user's role and compares it to the permissions associated with that resource. If the user's role has permission to access the resource, access is granted, otherwise it is denied.

ISA have 5 roles with different access levels:-

  • InstaSafe Admin
  • Partner Admin
  • Company Admin
  • Sub-Admin
  • End User

InstaSafe Admin - The super admin role is a DevOps Administrator role for setting up the tenants for customers. This role can do the following:

  • Provision a Partner
  • Provision the Tenant
  • Manage Subscriptions and Licenses
  • Create Company Admin Roles
  • Enable/Disable Tenant

Partner Admin - This role is a DevOps Administrator role for setting up the tenants for customers. This role can do the following:

  • Provision Tenants
  • Manage Subscriptions and Licenses
  • Create Company Admin Roles
  • Enable/Disable Tenant

Company Admin - The Admins have full access roles within the tenant scope. The role has mainly these following privilege to

  • Maintain Users, Applications, Access Control List
  • Provision and Deprovision Controller and Gateways
  • Enable/Disable features inside Tenants.
  • Create Sub-Admin Roles
  • Monitoring

Sub-admins - Sub-Admins roles are configured to do a particular activity and have limited access. The access could be defined by the Company Admins and can be controlled with certain level authorization depending on Read or Write of any sections like User, Application, ACL, Controller, Gateway.

End User - The End User has limited access like Agent Download and Profile Settings.

Control Plane

The Control Plane refers to the set of functions and processes that are responsible for the authentication and authorization. The assumption is that all incoming network traffic is untrusted until it is verified as coming from an authenticated and authorized user.It also acts as the gatekeeper for all access to the protected resources and enforces the security policies. It creates a secure perimeter around a network and only allows authorized users to access the network after they have been authenticated and authorized. It verifies the agent with Multi-Factor authentication (MFA), Device Checks, Device Updates, Device binding, Geo Binding & Device Binding.

Data Plane

The Data Plane refers to the set of functions and processes responsible for the actual transmission of data between the user and the protected applications.

Once a user is authenticated and authorized by the control plane, the data plane allows the user to access the protected resources by creating a secure, encrypted tunnel between the user's device and the gateway to allow access to protected applications . It is responsible for maintaining data integrity and data confidentiality using encryption and hashing methods.

Comments