Architecture
High Level Architecture
The InstaSafe Secure Access (ISA) Architecture consists of 3 planes.
- Management Plane
- Control Plane
- Data Plane
Management Plane
The Management Plane is the set of functions used to configure, monitor, and manage ISA. It comprises the cloud-based web console for OAM (Operations, Administration and Management) of ISA. The console provides centralized management and control of access to resources and enforces security policies. Security policies can be updated dynamically, which makes for a more flexible and adaptive security approach.
InstaSafe implements Role-Based Access Control (RBAC), also known as Role-Based Security (RBS). In this access control model, permissions and access rights are assigned to users based on their role or job function within the organization. Roles are defined and assigned to users, and each role has a set of associated permissions or access rights. When a user tries to access a resource, the system checks the user's role and compares it to the permissions associated with that resource. If the user's role has permission to access the resource, access is granted; otherwise it is denied.
ISA has 5 roles with different access levels:
- InstaSafe Admin
- Partner Admin
- Company Admin
- Sub-Admin
- End User
InstaSafe Admin - The super admin role is a DevOps Administrator role for setting up the tenants for customers. This role can do the following:
- Provision a Partner
- Provision the Tenant
- Manage Subscriptions and Licenses
- Create Company Admin Roles
- Enable/Disable Tenant
Partner Admin - This role is a DevOps Administrator role for setting up the tenants for customers. This role can do the following:
- Provision Tenants
- Manage Subscriptions and Licenses
- Create Company Admin Roles
- Enable/Disable Tenant
Company Admin - Company Admins have full access within the tenant scope. The role mainly has the following privileges:
- Maintain Users, Applications, Access Control List
- Provision and Deprovision Controller and Gateways
- Enable/Disable features inside Tenants.
- Create Sub-Admin Roles
- Monitoring
Sub-Admin - Sub-Admin roles are configured to perform a particular activity and have limited access. The access can be defined by the Company Admins and controlled through Read or Write authorization on sections such as User, Application, ACL, Controller, and Gateway.
End User - The End User has limited access, such as Agent Download and Profile Settings.
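An added example (not InstaSafe's code) of the deny-by-default role check described above, modeling the five roles and the Sub-Admin Read/Write grants per section. The action names, the `Principal` type, the tenant names, and the rule that a write grant does not imply read are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Sections the page lists for Sub-Admin Read/Write authorization.
SECTIONS = {"User", "Application", "ACL", "Controller", "Gateway"}
# Roles that act inside one tenant (assumption drawn from "within the tenant scope").
TENANT_SCOPED = {"Company Admin", "Sub-Admin", "End User"}
# Role -> named actions, transcribed from the role lists; the strings are hypothetical.
ROLE_ACTIONS = {
    "InstaSafe Admin": {"provision_partner", "provision_tenant", "manage_licenses",
                        "create_company_admin", "toggle_tenant"},
    "Partner Admin": {"provision_tenant", "manage_licenses",
                      "create_company_admin", "toggle_tenant"},
    "Company Admin": {"toggle_feature", "create_sub_admin", "monitoring"},
    "Sub-Admin": set(),  # no named actions, only the per-section grants below
    "End User": {"agent_download", "profile_settings"},
}

@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    tenant: Optional[str] = None  # None for platform-level roles
    grants: FrozenSet[Tuple[str, str]] = frozenset()  # Sub-Admin: (section, mode)

def can_do(p: Principal, action: str, tenant: Optional[str] = None) -> bool:
    """Named-action check: deny unless the role lists the action."""
    if action not in ROLE_ACTIONS.get(p.role, set()):
        return False
    # Tenant-scoped roles may only act on their own tenant.
    return p.role not in TENANT_SCOPED or (p.tenant is not None and p.tenant == tenant)

def can_access_section(p: Principal, section: str, mode: str, tenant: str) -> bool:
    """Read/write check on a tenant section (User, Application, ACL, ...)."""
    if section not in SECTIONS or mode not in ("read", "write"):
        return False
    if p.tenant is None or p.tenant != tenant:
        return False  # cross-tenant and platform-level requests are denied here
    if p.role == "Company Admin":
        return True  # full access within the tenant
    if p.role == "Sub-Admin":
        return (section, mode) in p.grants  # exact grant; write does not imply read
    return False  # End User and unknown roles

# Constructed sample principals.
ALICE = Principal("alice", "Company Admin", "acme")
BOB = Principal("bob", "Sub-Admin", "acme", frozenset({("User", "read")}))
```

Unknown roles, unknown sections, and requests against another tenant all fall through to a denial, so a misconfigured principal fails closed.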
Control Plane
The Control Plane refers to the set of functions and processes that are responsible for authentication and authorization. The assumption is that all incoming network traffic is untrusted until it is verified as coming from an authenticated and authorized user. It also acts as the gatekeeper for all access to the protected resources and enforces the security policies. It creates a secure perimeter around a network and only allows users to access the network after they have been authenticated and authorized. It verifies the agent with Multi-Factor Authentication (MFA), Device Checks, Device Updates, Device Binding, and Geo Binding.
Data Plane
The Data Plane refers to the set of functions and processes responsible for the actual transmission of data between the user and the protected applications.
Once a user is authenticated and authorized by the control plane, the data plane allows the user to access the protected resources by creating a secure, encrypted tunnel between the user's device and the gateway, through which the protected applications are reached. It is responsible for maintaining data integrity and data confidentiality using encryption and hashing methods.