Metadata and Attribute-Based Access Control


Understanding Attribute-Based Access Control Leveraging Platform Metadata

The Appgate demo series provides deep insights into the functionality and advantages of attribute-based access control utilizing platform metadata. This article highlights key features and technical details relevant to the Appgate client and its application in securing access to various platforms.

Introduction to Appgate Features

During the demo, the speaker illustrates how users can access specific entitlements within the Appgate client after authentication. The client allows users to launch applications via quick launch icons and reveals a list of entitlements tailored to each user’s access permissions.

Defining Entitlements

Entitlements in Appgate are defined using both DNS names and IP addresses. For instance, a user may have access to an entitlement linked to a DNS name denoting a corporate application server. Traffic is controlled through standard TCP rules on designated ports, such as 80 and 443. Additionally, entitlements can also be based on IP addresses, facilitating subnet access when needed.

Utilizing Metadata for Access Control

A key differentiator in Appgate’s approach is the use of metadata to define entitlements. For example, the demo showcases an entitlement for “QA London” within the AWS London region. This entitlement allows ICMP (Internet Control Message Protocol) traffic, enabling users to verify access in real time. Instead of relying solely on static IP addresses or DNS names, Appgate executes queries based on metadata tags associated with cloud instances.

Automatic Updates with Metadata Changes

The demo further emphasizes the automatic updates that occur when metadata changes. For instance, when a metadata tag is modified from “QA” to “Production,” the user’s access is revoked almost immediately as the Appgate gateway continuously executes the relevant query to reflect the current access status.

This real-time functionality is significant in dynamic cloud environments, allowing for quick adjustments to user entitlements based on changes in the operational state. Should a new instance be tagged accordingly, the Appgate gateway will instantly recognize it and update the user’s access rights appropriately.
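To make the mechanism behind the last three sections concrete, here is an added worked example that is not Appgate's own code or API: a toy model in which an entitlement can carry static targets (a DNS name and a subnet with TCP port rules, as in the corporate application server case) or a metadata query that is re-resolved against the live instance inventory on every access decision. The type names, the `is_allowed`/`resolve_targets` helpers, the region identifier, the tag key and the instance inventory are all constructed for illustration; in practice the inventory would come from the cloud provider's instance-metadata or tagging API.

```python
"""Toy model of metadata-driven entitlements (constructed example, not Appgate code).

Assumed names: Instance, Entitlement, resolve_targets, is_allowed, walkthrough.
The inventory stands in for what a gateway would fetch from the cloud provider.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Instance:
    """One cloud instance as reported by the provider (constructed sample)."""
    instance_id: str
    region: str
    private_ip: str
    tags: dict


@dataclass
class Entitlement:
    """Which protocols/ports may reach which targets.

    Targets are static (DNS names or CIDRs) and/or a metadata query that the
    gateway re-evaluates against the live inventory on every check.
    """
    name: str
    protocols: frozenset                    # e.g. {"tcp/80", "tcp/443", "icmp"}
    static_targets: frozenset = frozenset()
    tag_query: dict = field(default_factory=dict)  # {"region": ..., "tags": {...}}


def resolve_targets(ent: Entitlement, inventory: list) -> set:
    """Return the private IPs of instances currently matching ent.tag_query."""
    q = ent.tag_query
    if not q:
        return set()
    wanted = q.get("tags", {})
    return {
        inst.private_ip
        for inst in inventory
        if (q.get("region") is None or inst.region == q["region"])
        and all(inst.tags.get(k) == v for k, v in wanted.items())
    }


def is_allowed(ent: Entitlement, inventory: list, dest: str, proto: str) -> bool:
    """Decide whether traffic of type proto to dest is covered by ent.

    dest is a DNS name or IP address; proto is "tcp/<port>", "udp/<port>" or "icmp".
    The metadata query is resolved at decision time, so a tag change takes
    effect on the next check without anyone editing the entitlement.
    """
    if proto not in ent.protocols:
        return False
    if dest in ent.static_targets:          # exact DNS-name match
        return True
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False                        # DNS name not in any static target
    for target in ent.static_targets:
        try:
            if addr in ipaddress.ip_network(target, strict=False):
                return True                 # static subnet entitlement
        except ValueError:
            continue                        # target was a DNS name, not a CIDR
    return dest in resolve_targets(ent, inventory)


# Static entitlement: DNS name plus a subnet, TCP 80/443 only (constructed values).
CORP_APP = Entitlement(
    name="Corporate app server",
    protocols=frozenset({"tcp/80", "tcp/443"}),
    static_targets=frozenset({"app.corp.example", "10.0.5.0/24"}),
)

# Metadata entitlement: ICMP to anything tagged Environment=QA in the London region.
QA_LONDON = Entitlement(
    name="QA London",
    protocols=frozenset({"icmp"}),
    tag_query={"region": "eu-west-2", "tags": {"Environment": "QA"}},
)


def build_inventory() -> list:
    """Constructed sample inventory: two London instances and one Dublin instance."""
    return [
        Instance("i-0aaa", "eu-west-2", "10.20.0.11", {"Environment": "QA"}),
        Instance("i-0bbb", "eu-west-2", "10.20.0.12", {"Environment": "Production"}),
        Instance("i-0ccc", "eu-west-1", "10.30.0.13", {"Environment": "QA"}),
    ]


def walkthrough() -> dict:
    """Replay the demo: access follows the tag, not the address."""
    inv = build_inventory()
    qa_box = inv[0]
    r = {}
    r["ping_qa_before"] = is_allowed(QA_LONDON, inv, qa_box.private_ip, "icmp")
    r["ping_prod"] = is_allowed(QA_LONDON, inv, "10.20.0.12", "icmp")
    r["ping_dublin_qa"] = is_allowed(QA_LONDON, inv, "10.30.0.13", "icmp")
    qa_box.tags["Environment"] = "Production"   # operator retags QA -> Production
    r["ping_qa_after_retag"] = is_allowed(QA_LONDON, inv, qa_box.private_ip, "icmp")
    inv.append(Instance("i-0ddd", "eu-west-2", "10.20.0.14", {"Environment": "QA"}))
    r["ping_new_qa"] = is_allowed(QA_LONDON, inv, "10.20.0.14", "icmp")
    r["https_app"] = is_allowed(CORP_APP, inv, "app.corp.example", "tcp/443")
    r["ssh_app"] = is_allowed(CORP_APP, inv, "app.corp.example", "tcp/22")
    r["http_subnet"] = is_allowed(CORP_APP, inv, "10.0.5.77", "tcp/80")
    return r


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check}: {'ALLOW' if ok else 'DENY'}")
```

The point the walkthrough makes is that the "QA London" entitlement never names an address: the same instance is reachable while tagged QA, denied the moment its tag reads Production, and a freshly launched instance carrying the QA tag is covered without any policy change. A real gateway would cache and refresh the inventory on a schedule rather than query the provider on every packet, so the "almost immediately" in the demo is bounded by that refresh interval, which is worth knowing when you reason about how long a retagged host stays reachable.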

Integration with Other Platforms

Beyond AWS, Appgate extends its metadata querying capabilities to other cloud providers such as Azure and Google Cloud Platform (GCP). This versatility allows organizations to maintain unified access control across multiple environments while ensuring compliance with existing security policies. Furthermore, Appgate integrates seamlessly with VMware environments, leveraging resource pools and folder structures specific to those platforms.

Leveraging Illumio for Enhanced Security

The discussion also highlights the integration with Illumio’s Platform Control Engine (PCE). By executing queries against Illumio to obtain label values, Appgate enhances its capability to control east-west traffic within cloud environments. The collaboration enables users to benefit from an additional layer of security through effective traffic management.

Conclusion

In conclusion, Appgate's attribute-based access control leveraging platform metadata offers robust, flexible solutions for modern cloud environments. By utilizing metadata for access queries, organizations can maintain high levels of security while adapting rapidly to changes in user entitlements. For more detail and a live demonstration of these features and capabilities, watch the video.
FAQs

What is attribute-based access control in Appgate?

Attribute-based access control in Appgate allows users to gain access to specific resources based on defined attributes, such as metadata tags. This enhances security by providing dynamic entitlement adjustments.

How does Appgate utilize metadata for access control?

Appgate uses metadata to define entitlements, allowing access to resources based on real-time queries against metadata tags instead of static IP addresses or DNS names.

What is the significance of automatic updates with metadata changes in Appgate?

Automatic updates with metadata changes allow Appgate to revoke or grant access to resources in real-time as metadata tags are modified, ensuring that user entitlements reflect the current operational state.

Can Appgate integrate with other cloud platforms?

Yes, Appgate integrates with multiple cloud platforms, including Azure and Google Cloud Platform (GCP), as well as VMware, providing unified access control across diverse environments.

How does Appgate enhance security through its integration with Illumio?

Appgate enhances security by integrating with Illumio's Platform Control Engine (PCE) to manage east-west traffic, utilizing label values for improved traffic management and access control.