iboss is a cloud security company that provides organisations and their employees fast and secure access to the Internet on any device, from any location, in the cloud. The iboss cloud platform provides network security as a service, delivered in the cloud, as a complete SaaS offering.

The iboss Zero Trust Service Edge secures user Internet access on any device, from any location, in the cloud. It is a cloud-based platform which ensures that user Internet access is always secure regardless of their location. Since users are always connected to iboss cloud, their access to the cloud and Internet is always protected. Administrators can apply compliance, web filtering, malware defence and data loss prevention to Internet access regardless of user location.

iboss Zero Trust Service Edge includes capabilities such DNS Security, Zero Trust, Cloud Access Security Brokers (CABS), Data Loss Prevention (DLP), Malware Defence, Device posture checks, Browser Isolation, Adaptive Access Polices, SSL Decryption, Outbound Firewall Protection.

Note: User traffic does not go through each of these features one at a time as this could increase latency, rather the traffic is parsed by all these simultaneously.

What is Zero Trust?

The iboss Zero Trust Edge makes applications, data and services inaccessible to hackers but at the same time allowing trusted users to securely connect to protected resources while working from anywhere.

Yes.

DNS Security is the practice of protecting DNS infrastructure from cyberattacks in order to keep it performing quickly and reliably.

DNS is not designed with security in mind and as such is vulnerable to attacks such as spoofing, DoS and interception of private information.

DNS security allows you to force network-joined devices to use iboss cloud nodes for DNS resolution. By directing DNS traffic to your iboss cloud node(s) you can apply a filtering policy of your choice to these requests.

CASB helps monitor, secure and manage access to SaaS applications, providing extensive controls that include but not limited to making Facebook read only, ensuring Google Drive is corporate only and leveraging Microsoft 365 tenant restrictions.

DLP, a full content inspection capability, makes sure sensitive data such as credit card details, social security numbers etc. are not lost or accessed by unauthorised users.

DLP capabilities include

Adaptive Access allows for controlled access to resources based on conditional access policies. This access is adaptive, controlling access even after authentication as iboss cloud sits between the user and the resources and can make real time decisions on access based on user requests and access polices. This greatly reduces the risk of sensitive data loss or infection of malware or ransomware.

Malware Defence is the ability to inspect entire files, web pages and content and identify malicious threats, and this capability is often termed as a Malware Engine. There are many engines available, and the iboss malware engines come from industry leading vendors and research labs. These engines provide deep file analysis and signature-less malware protection to ensure users have the best protection while accessing the Internet regardless of location.

Websites and cloud apps use encrypted HTTPS connections more and more today. It is becoming important to be able to inspect encrypted content to meet compliance, prevent malware and protect against data loss. Performing decryption with network appliances is expensive and unscalable however, the iboss cloud performs this function in the cloud to inspect encrypted traffic with scalability and ease.

Device Posture Check is ensuring devices are healthy and meet security standards and thus reduce the risk of data loss and malware infection.

There are many device posture checks, for example, is the firewall is enabled, is the disk encrypted and is antimalware is enabled can be checked before allowing user access to resources thus preventing unnecessary data loss and devices maintain compliance.

Zero Trust Browser Isolation is the mechanism by which access to resources are opened and managed in an iboss cloud hosted browser. The iboss browser then streams the protected content as pixels to the user’s browser thus isolating data from unmanaged devices, preventing unauthorised uploads and downloads, limiting the ability to copy and paste and protecting networks from malware and ransomware.

Yes, iboss integrates with Identity Providers such as Azure AD, OKTA, Ping and other solutions that support SAML.

With this integration iboss can determine the user and control access as appropriate to the user with inbuilt and custom policies. Without iboss user access is controlled at login only but with iboss in path the user can be monitored continuously and access revoked at any point should the user risk level increase.

Yes. iboss Zero Trust Service Edge Platform has detailed logging and reporting that provides visibility into cloud use, giving comprehensive insight into usage, blocking, malware prevention and more.

Thorough logs include username, device name, group, source IP, URL, time stamp and more.

iboss cloud automatically analyses logs and displays them into a detailed threat dashboard, that includes information on malware content and type, sources, client devices and users that have interacted with the malware. This allows the iboss Zero Trust to determine high risk users and devices which in turn can dynamically alter those users access rights.

Yes. As the iboss Zero Trust Service Edge platform inspects files it can forward those files to external systems and wait for responses before proceeding. Forwarding of those files is performed by the industry standard ICAP protocol.

This ability to send files and data to external systems for additional inspection allows for limitless cybersecurity integration.

Yes, iboss Zero Trust Service Edge has a feature called Bandwidth Optimisation which allows for the creation of policies which when applied prioritise services.

Management of the iboss Zero Trust Service Edge is via the iboss cloud admin console.

The basic concept of iboss Zero Trust Service Edge is to securely redirect all user traffic from a client device/user through iboss service in the cloud before continuing to the required resource. Allowing this traffic to be inspected and both users and resource can be protected.

By installing a iboss Cloud Connector agent on the Virtual Delivery Agent (VDA) you can redirect all internet traffic to the iboss service.

You can install the iboss Cloud Connector agents on the user’s device to redirect all internet traffic through the iboss service. The Cloud Connector agent also authenticates the user and installs the appropriate certificates for SSL decryption. Cloud Connector agents are available for the following operating systems: iOS, macOS, Android, Windows, Windows terminal Server, Linux and Chromebook.

Citrix SD-WAN appliance installed at remote sites can be configured to make a direct connection to the nearest iboss service and then redirect internet bound traffic through that connection. IPSEC or GRE tunnels are used to secure this connection, no Cloud Connector agent is needed. Citrix SD-WAN automatically creates secure connectivity to the closest iboss service point of presence (PoP). Fault tolerance on these links is achieved both at the tunnel level and through multiple links to primary and secondary iboss PoPs.

There are Three solution packages from iboss Zero Trust Based on per user subscription pricing.

• Zero Trust Core

Essential Features to Implement Zero Trust Resource Access

• Zero Trust Advanced

Zero Trust Core plus Integration and Malware Protection for enterprises at scale

• Zero Trust Complete

Zero Trust Advanced plus Complete Data Loss Prevention

iboss Zero Trust Service Edge is managed through the iboss Cloud Portal. Unlike other products iboss provides a single admin console for all policies and reporting across all resource types. 

The iboss Cloud Connector Agent is a software agent that will redirect all internet traffic to the iboss service from a user’s device. The Cloud Connector agent also authenticates the user and installs the appropriate certificates for SSL decryption. The agent is available for download from the iboss Management portal and can be installed directly to the client device or via deployment solutions such as GPO, MDM or others.

No, M365 traffic should be routed directly to the internet to adhere to Microsoft connectivity principals to maintain the best possible user performance.

Yes, iboss is designed based on an instance-based architecture. Every customer gets their own instance, and that instance can be replicated across regions. Also, that architectural instance is logically separated from an instance of another customer. This architecture ensures greater data privacy between customers. It also helps ensure that data from one region is scanned and stored within that region. This is needed to meet certain compliance and regulatory needs such as GDPR.

Within NIST (National Institute of Standards and Technology) there is the ITL (Information Technology Laboratory) which provides guidance, measurements and standards for information technology. ITL develops tests, test methods, reference data, proof of concept guidance and technical analysis for development and deployment of information technology.

ITL has a series of special publications, the800-series, which are guidelines in information system security, which form a Zero Trust architecture model, effectively a Risk Management Framework (RMF).

iboss have built iboss Zero Trust by following the NIST 800-207 RMF and implements the NIST 800-207 Zero Trust Architecture Special Publication acting as the Zero Trust Policy Decision and Enforcement Point (PDP & PEP) which is at the heart of the NIST Zero Trust architecture.

The iboss cloud is a containerization based environment. What this means is that iboss cloud is containerized so that they process data for one customer in isolation from processing data for other customers. This allows for more security and the ability to scale. Scaling is important to allow for infinite growth in processing power for security as the data traversing the iboss cloud is divided across the containerized work units within the cloud.

All resources identified by the iboss platform, applications, data and services, are automatically placed into resource catalogues for easy configuration of Zero Trust Polices.

ALL user on ALL devices are identified (both know and anonymous) by the iboss platform and automatically placed into a user catalogue for easy configuration of Zero Trust Policies.

All devices accessing the iboss platform, both known and anonymous, are placed into the asset catalogue. They are identified and categorised by operating system (Windows, Mac (OSX & IOS), Android, Linux and Chromebook), cloud connector version and anonymous assets type.

Yes, Private networks can be connected to the iboss platform using GRE or IPSec tunnels and then resources within the on-premises network can be protected by the Zero Trust capabilities of the iboss platform.

Yes,iboss employs dozens of reputation fields including OpenPhish & Phishtank for phishing protection, every connection is assessed at the point of connection request.

Sandboxing is where you run code (suspected malware/ransomware) in a secure and isolated environment so that you can observe and analyze its effects on a network that mimics end-user operating environments. Sandboxing is designed to prevent threats from getting on the network and is frequently used to inspect untested or untrusted code.

Yes. Sandboxing is built into the iboss platform.

The iboss cloud is natively and extensively integrated with Microsoft. Including integrations with O365, Azure, and Microsoft Cloud App Security CASB. MCAS integration extends the application controls and visibility provided within the iboss cloud platform to seamlessly include all the CASB controls within MCAS. Microsoft customers with E5 subscriptions or CAS licenses, can integrate Cloud App Security (CAS) with iboss and deliver detailed visibility into shadow IT and high-risk user / app activity.

Yes. iboss cloud can stream logs, in real time, directly to multiple reporting platforms concurrently.

Yes. iboss includes a built in connector for Splunk allowing data collected from the iboss platform to be streamed in real time to your Splunk implementation.

Yes. The iboss cloud architecture is uniquely positioned to be able to adhere to regulations such as GDPR. Its containerized architecture allows the iboss cloud to deliver the following benefits:

• Containerized cloud gateway capacity ensures data is scanned within regulated countries 
• Containerized cloud reporting capacity ensures data is stored within regulated countries 
• Admin defined and controlled zones allow clear visibility to how data will flow through cloud-based Internet security when users are within regulated regions 

• Admin controlled reporting logging flow ensures reporting data remains within regulated regions 
• Log and reporting anonymization encrypt sensitive user PII such as username, source IP and group membership 
• Selective decryption allows data to remain untouched in regions that require it 
• Private cloud can meet the needs that demand private capacity while still leveraging the global iboss cloud presence for users global. 

Yes. Proxy appliances weren’t designed for the modern cloud driven world but more for predefined traffic and they have limited capabilities to decrypt network traffic. By changing your proxy appliance for iboss cloud allows you to deliver all the protection of your proxy appliance but with infinite scalability. No longer need costly appliances at each site and future proofing. 

Yes. The iboss Zero Trust architecture provides fast and secure connections from ANY location. Because users are always connected through the cloud network security service, access to resources and applications can be granted based on who the user is, the location and many more criteria providing a far more flexible and mobile solution than a VPN. 

Yes. The iboss patented security enforces the Goggle Safe Search, YouTube and social media sites with advanced controls providing extended access without compromising safety. 

Examples, re-enable Google safe search should it be disabled: reinforce clean images: Make social media sites read only: enforce posting only but no chats: and more. 

OCR Optical Recognition is “image text extraction and recognition”, the ability to use machine learning to extract text directly from pictures with no human assistance and by so doing extend Data Loss protection capabilities.

The iboss Zero Trust Security Service Edge now supports image text extraction & recognition for analysing and applying DLP and document classification rules. Image text recognition reduces the risk of IP or data loss by ensuring resource tags/sensitivity labels (Microsoft Information Protection, etc.) are consistently applied for images, and documents with embedded images (DOC, PPT, etc.), during both inline (DLP) and out-of-band access/analysis (API-CASB).

2 Steps:

• Step 1, DLP rules are defined within the administration GUI which define a “trigger” for a DLP inspection.
• Step 2, create a Content analysis rule that determines what specific content will trigger a DLP alert.

In other words, define what you are looking for and how to identify it.

Within iboss management GUI, under Zero Trust, there is the option to create “Trust Algorithms” and it is through the configuration of these algorithms that you can define the checks you want to be made. These algorithms can then be bound to individual apps giving you fine control across your resources.

Yes. ONLY iboss integrates with CrowdStrike, to automatically prevent damage from ramsomware by cutting access to sensitive resources when devices become infected.

Yes. ONLY iboss provides HTTPS, TLS and SSL decryption to private resources to apply CASB and DLP.

No. iboss decryption can be selective, configurable by the customer. Traffic can be selected to bypass the decryption process should it be necessary.

Yes. The SSL decryption process supports TLS 1.0 – 1.3 cipher suite protocols.