When a user signs in to Appgate SDP, Claims information is harvested and used by the Controller to provide fine-grained control over which Policies are granted to the user or device. These Policies will be used to create Entitlement tokens which in turn create the firewall rules required for that user as they sign in. With a few thousand users signed in, the Appgate SDP system can easily create several million dynamic firewall rules.
As well as the Entitlement tokens, the claims information is passed to the Gateways in the claims Token. These tokens, combined with any additional claims collected by the Gateways, are used to manage which hosts should be allowed at the time of use. During use, dynamic and conditional re-evaluations continue, providing an ongoing degree of real-time access control.
This combination of fine-grained access rights and dynamic controls delivers timely and precise access decisions. This concept, called Live Entitlements, results in a radically improved security posture.
Admins set access rules by defining Entitlements which include Actions. Within the Action, hosts can be defined by a range of means: IP addresses, subnets, hostnames, URLs, resource names (Cloud resolvers), and host Entitlement scripts.
There are several different elements within Appgate SDP which underpin the concept of Live Entitlements.
Resource names and Entitlement scripts support the dynamic least-privilege access model which is a key part of Appgate SDP. These extend the capabilities of the system, allowing it to adapt in near real-time to changes in the infrastructure.
Entitlements include access controls which can be set to “always allow” or require one or more access criteria to determine when a given Entitlement will be allowed.
Entitlements can contain static Actions or alternatively contain more dynamic elements such as resource names or scripts. These allow the Appgate SDP system to decide WHICH hosts to connect to based on dynamic information, such as the number of auto-scaled hosts that are in use at the time.
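The chain described above (claims select Policies, Policies carry Entitlements with access criteria, Actions resolve static or dynamic hosts into rules) as an added illustrative model; it is not Appgate SDP code or its Entitlement script API, and every name, claim and address in it is constructed.

```python
# Added illustrative model of Live Entitlements (claims -> Policies -> Entitlements
# -> host rules); not Appgate SDP code. Names, claims and addresses are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Action:
    protocol: str
    ports: str
    hosts: tuple = ()                              # static hosts: IPs, subnets, names
    resolver: Optional[Callable[[], list]] = None  # dynamic: models a Cloud resolver/script

@dataclass(frozen=True)
class Entitlement:
    name: str
    actions: tuple
    condition: Optional[Callable[[dict], bool]] = None  # None means "always allow"

@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable[[dict], bool]  # which users/devices are granted this Policy
    entitlements: tuple

def build_rules(policies, claims: dict) -> list:
    """Expand the Entitlements allowed for these claims into (host, protocol, ports) rules.
    Dynamic Actions decide WHICH hosts at evaluation time; re-running this on fresh
    claims is the dynamic re-evaluation."""
    return [(host, a.protocol, a.ports)
            for p in policies if p.matches(claims)
            for e in p.entitlements if e.condition is None or e.condition(claims)
            for a in e.actions
            for host in (a.resolver() if a.resolver else a.hosts)]

# Constructed sample: an auto-scaled web pool plus a bastion gated on device trust.
WEB_POOL = ["10.0.1.10", "10.0.1.11"]
POLICIES = (Policy("engineering", lambda c: "eng" in c.get("groups", ()), (
    Entitlement("web-tier", (Action("tcp", "443", resolver=lambda: list(WEB_POOL)),)),
    Entitlement("bastion", (Action("tcp", "22", hosts=("10.0.0.5",)),),
                condition=lambda c: c.get("device_trusted", False)))),)

def demo() -> tuple:
    """Rule counts for: untrusted device, after scale-out, trusted device, non-member."""
    eng = {"groups": ["eng"], "device_trusted": False}
    before = len(build_rules(POLICIES, eng))
    WEB_POOL.append("10.0.1.12")                 # the infrastructure scales out
    after = len(build_rules(POLICIES, eng))      # re-evaluation picks up the new host
    WEB_POOL.pop()                               # restore the sample state
    trusted = len(build_rules(POLICIES, {**eng, "device_trusted": True}))
    return before, after, trusted, len(build_rules(POLICIES, {"groups": ["sales"]}))
```

Running `demo()` shows the rule set growing with the pool and with device trust while a non-member gets no rules at all, which is the least-privilege behaviour the text describes.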