This article covers essential considerations and best practices for crafting effective AppGate SDP Policies and Entitlements. Please keep in mind that some of these considerations and practices may not apply, depending on each customer's context and specific situation. Most of the following points can be reviewed in detail by consulting the Using Policies and Using Entitlements sections of the AppGate SDP Admin Guide.
Networks and Resources
Segment resources: Group similar resources together to simplify the management of Entitlements. This can help in creating more organized and understandable Entitlement structures.
To learn more about what it is important to consider about your network in order to use AppGate SDP, consult the Pre-installation checklist in the Admin Guide.
Entitlements and Policies
Follow the principle of least privilege: Assign users only the access they need to perform their job functions. Avoid over-provisioning Entitlements, as excess access is a security risk.
Test new Entitlements: Before rolling out new Entitlements, test them to ensure they work as expected and do not inadvertently grant more access than intended.
Update Entitlements regularly: Keep Entitlements up to date with changes in the network environment, such as new applications or decommissioned servers.
Avoid overlapping Entitlements: Be cautious of creating Entitlements that overlap in the resources they provide access to, as this can lead to confusion and potential security gaps.
- Try to make each Entitlement cover as few services as possible; the more access an Entitlement grants, the more likely it is to overlap with others. Small Entitlements are also easier to name accurately.
Minimize exclusive Entitlements: Avoid creating Entitlements that are too exclusive or specific to a single user, as this can lead to a proliferation of unique Entitlements that are hard to manage.
Integrate properly with Policies: Ensure that Entitlements are properly integrated into Policies, and that the Policies are assigned to the correct user groups.
Describe Entitlements: Utilize the notes field to document the purpose and scope of each Entitlement. This helps in maintaining and auditing the Entitlements.
Use Tags: Tags can help organize and manage Entitlements, making it easier to assign them to Policies, and to quickly and easily understand their use.
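The overlap check described above can be automated. The following is an added example, not AppGate code: it assumes a simple "network[:port|port-port]" rule syntax and a constructed list of Entitlements (neither is an AppGate export format), and reports every pair of Entitlements that grant access to a common destination network and port. The sample names also illustrate a "Group-Resource-Service" naming convention.

```python
"""Overlap check for Entitlement definitions.

Added example, not AppGate SDP code. The rule syntax "network[:port|port-port]"
and the Entitlement list below are assumptions constructed for this demo.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule: a destination network plus an inclusive TCP port range."""
    network: object          # ipaddress.IPv4Network or IPv6Network
    port_from: int
    port_to: int


@dataclass(frozen=True)
class Entitlement:
    name: str
    rules: Tuple[Rule, ...]


def parse_rule(spec: str) -> Rule:
    """Parse "10.0.0.0/24", "10.0.0.5:22" or "10.0.0.0/24:8000-8100" (assumed syntax).

    A rule with no port part is treated as allowing all TCP ports.
    """
    if ":" in spec:
        net_part, port_part = spec.rsplit(":", 1)
        lo, _, hi = port_part.partition("-")
        port_from, port_to = int(lo), int(hi or lo)
    else:
        net_part, port_from, port_to = spec, 1, 65535
    if not 1 <= port_from <= port_to <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    # strict=False accepts host bits set, e.g. "10.0.0.5/24"
    return Rule(ip_network(net_part, strict=False), port_from, port_to)


def entitlement(name: str, specs: List[str]) -> Entitlement:
    return Entitlement(name, tuple(parse_rule(s) for s in specs))


def rules_overlap(a: Rule, b: Rule) -> bool:
    """Two rules overlap when their networks intersect AND their port ranges intersect."""
    return (a.network.overlaps(b.network)
            and a.port_from <= b.port_to
            and b.port_from <= a.port_to)


def overlapping_pairs(entitlements: List[Entitlement]) -> List[Tuple[str, str]]:
    """Return sorted (name_a, name_b) pairs of Entitlements sharing at least one destination."""
    pairs = set()
    for ea, eb in combinations(entitlements, 2):
        if any(rules_overlap(ra, rb) for ra in ea.rules for rb in eb.rules):
            pairs.add(tuple(sorted((ea.name, eb.name))))
    return sorted(pairs)


# Constructed sample data; names follow a "Group-Resource-Service" convention.
SAMPLE_ENTITLEMENTS = [
    entitlement("Finance-ERP-HTTPS", ["10.10.20.0/24:443"]),
    entitlement("IT-Subnet20-AllPorts", ["10.10.20.0/24"]),     # broad rule: overlaps Finance-ERP-HTTPS
    entitlement("Dev-Git-SSH", ["10.10.30.7:22"]),
    entitlement("Dev-Git-HTTPS", ["10.10.30.7:443"]),          # same host, disjoint port: no overlap
    entitlement("HR-Payroll-Web", ["10.10.40.0/28:8000-8100"]),
]

if __name__ == "__main__":
    for a, b in overlapping_pairs(SAMPLE_ENTITLEMENTS):
        print(f"OVERLAP: {a} <-> {b}")
```

Run against the sample, the script reports only the Finance-ERP-HTTPS / IT-Subnet20-AllPorts pair: the broad all-ports rule for the subnet is the one that needs review, while the two Dev-Git Entitlements share a host but not a port and are fine. Feed it your own Entitlement list to catch overlaps before they reach a Policy.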
Names and Conventions
Use descriptive and clear names: Name Policies, Entitlements and user groups so that they directly reflect the resources or type of access they relate to. For example, a naming convention can show whether an Entitlement is based on a whole company department that should have access to a resource, whether all services in a certain location can be accessed by a certain group, or whether just one particular service can be accessed by certain people.
Use consistent naming conventions: This helps in identifying and managing Policies, Entitlements and user groups more easily, especially when dealing with many of them.
Avoid nesting user groups: Nested groups can become difficult to manage, which can cause security issues such as over-provisioning and/or overlapping Entitlements, as well as losing track of who has access to what. A user in a nested group who needs to be removed from an Entitlement granted to the parent group may suddenly lose access to resources granted to the nested group, and this can be difficult to fix without further disturbing the group structure or an entire security Policy.
The Client and Headless Client
Have SaaS products behind SDP wherever possible: Take advantage of the use of client shortcuts to segregate access to apps/resources and restrict connection to just the needed IPs. This way, you will also avoid having to save links or create bookmarks to access resources.
Provide third parties/contractors with their own IdP/profile link to access resources through the client. The IdP/profile link can be deleted when the contract ends, so third parties no longer have access to your internal IdP or to company systems and resources.
Use Connectors and Headless Clients to:
Enable easy access for IT teams into all segments of your network.
Securely automate tasks such as password changes or sending notification emails, by running headless clients for services like Secret Server, SendGrid and other related tasks.
Give Dev teams controlled access to environments, as well as to repositories or version control services (e.g. GitHub).
To learn more about our client family, consult the Client deployment and management section of the Admin Guide.
Keep SDP Updated
Try to run the latest SDP version supported by your OS, as this makes help and technical support from AppGate easier and more effective.
Keep a test group that covers all OSes in your environment for testing new client versions before rolling them out to all users/devices.