
Operational technology (OT) cybersecurity is a challenging but critical aspect of protecting an organization's most important systems and resources. As attackers increasingly log in with valid credentials rather than break in, access security becomes more complex, and managing and controlling access becomes more important than ever. To solve the access-related challenges facing OT and critical infrastructure operators, Cyolo's team set out to address the unique safety, security, and uptime requirements of OT and industrial control system (ICS) environments, and built a zero trust access platform designed around those needs.
Let’s look inside:
The Cyolo solution combines Zero Trust Network Access (ZTNA), an Identity Provider (IdP), and Privileged Access Management (PAM) in one platform. What sets this approach apart is that other ZTNA solutions do not ship with IdP or PAM functionality, while standalone identity and access management tools (IdP and PAM) do not extend to brokering zero trust access. And unlike other players in the secure remote access space, Cyolo does not require cloud connectivity or endpoint agent installation. This allows the platform to tackle some difficult connectivity use cases that many organizations struggle with.
How the Cyolo Platform Works
Figure 1: Architectural layout of Cyolo deployment
The core building blocks of the Cyolo platform are the Identity Access Controller (IDAC) and Edge.
- Identity Access Controller (IDAC): IDAC terminates Transport Layer Security (TLS) 1.3 connections and applies the access policies configured by Cyolo administrators. Because IDAC acts as a reverse proxy, all decryption and policy enforcement happen behind your organization's firewall.
- Edge Broker: Edge is an on-premises broker that routes user requests to the relevant IDAC based on the Server Name Indication (SNI) field of the TLS handshake. In every deployment model, Edge routes traffic from the user to the appropriate IDAC. The SNI value is sent in the clear in the TLS ClientHello, which is what lets Edge pick a backend without holding any private keys or decrypting anything. Because Edge needs no external connectivity and never decrypts traffic, the platform can actually deliver on zero trust principles: the encrypted session stays intact from the user all the way to the IDAC inside the trusted boundary.
Cyolo can be deployed on-premises, in a SaaS model, or, most commonly, in a hybrid of the two. If desired, the on-premises components can be fully isolated, with no internet connectivity, for enhanced security. The core elements required in each deployment model are:
- IdP connection: Identity providers (IdPs) verify that users seeking access are who they claim to be across multiple platforms, applications, and networks. Cyolo can be integrated with your existing IdP, or you can use Cyolo's local IdP, which is included as part of the IDAC setup. The IDAC connects directly to the IdP (not via Edge).
- IDAC outbound communication: IDAC always initiates its connections outbound, whether reaching the user's session via Edge (port 443) or the published application that provides the service (on that application's specific port).
Product details and differentiation
Let's take a closer look at the Cyolo platform and see how it differs from the other security and access tools currently on the market.
At first glance, the platform has a clean and easy-to-navigate user interface. It is set up to manage user access to specific applications and brokers that access through a set of zero trust policies. A closer look reveals that it records a great deal of detail about all user activity and has a robust application programming interface (API).
Figure 2: Cyolo admin dashboard main page
Identity: The Cyolo platform can act as a standalone identity source, adding users via file import, the System for Cross-domain Identity Management (SCIM), or user self-registration. This is especially beneficial when onboarding a third-party vendor or contractor that the company does not want added to its corporate IdP. Each user can be placed in specific groups that are used to grant access to specific applications or services based on policy. The workflow for adding users is straightforward, and additional authentication steps such as multi-factor authentication (MFA) can be added as a requirement.
Figure 3: Adding a new user to the Cyolo dashboard
Cyolo also works with all the standard IdPs such as Okta, Active Directory, Azure AD, Ping, and so on. If an enterprise has multiple IdPs, Cyolo federates them so that the most appropriate IdP can be used for a given access request.
Application: Cyolo provides connectivity to all applications based on a valid identity, injects credentials on behalf of the user, and enables a complete single sign-on (SSO) experience. This simplifies the login process for users and eliminates the need for generic accounts and shared passwords, which create additional risk.
Cyolo can also be used to extend secure access to legacy and custom-built applications, enabling MFA and SSO for these hard-to-cover resources. This feature is most useful in OT environments that rely heavily on legacy equipment and systems that cannot speak modern federation protocols such as Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).
Figure 4: Configuring an application on the Cyolo platform
Policy: Each application is configured to require specific access parameters that take individual users and groups into account, along with contextual details such as time and location. Two interesting features are the ability to require supervisor authorization before access is granted and the ability to enforce recording of every access session.
Figure 5: Configuring policies between identities and applications on the Cyolo platform
Logs: All activity on the platform is tracked in easily exportable logs. This is especially useful when Cyolo is providing SSO to applications that would otherwise be reached with generic usernames and passwords. Additionally, Cyolo includes a password vault, so you can securely store and rotate shared passwords while the logs record exactly which individual user accessed each application or service.
Figure 6: Activity logs within the Cyolo platform
Additional Findings:
- Cyolo does not require cloud connectivity to operate, which makes the solution well suited to businesses that need to isolate critical segments of their network and restrict access to them. This is common for OT/ICS operators who want to strictly control remote and third-party access to these areas.
- Many security tools require agents to be installed on endpoint devices, which can get in the way of remote access from devices the organization does not manage. Cyolo requires no agent on the endpoint, making it easy for third parties, outsourced contractors, and business partners to use.
- The company's IDAC and Edge components are containerized software applications (Docker containers), so they can be loaded onto various form factors such as virtual machines and hardened servers. This makes deployment easier and faster, and installation does not require interrupting existing traffic.
Conclusion
It's clear that the Cyolo team recognizes the importance of a great and simple user experience. Ultimately, to get the most out of security and access tools, they must be easy for end users to use.
When end users log into the Cyolo platform, they see only the tools, resources, and applications they need to do their work. This view is derived from the user's identity and the policies of each application being accessed, and is enforced at the IDAC inside the organization's trusted boundary. A user selects the application they want to reach, and the Cyolo platform manages the connection and credential injection for a fast and complete SSO experience. The advantage is that the user's workflow is unaffected (depending on the setup, the user may not even be aware they are going through the Cyolo platform), while the security posture benefits are significant.
Figure 7: Cyolo end-user application portal
One notable capability is the Cyolo platform's ability to manage Remote Desktop Protocol (RDP) connections into OT environments. Because Cyolo can act as an IdP, adding external (third-party) users was very easy. Additional layers of security such as MFA, supervisor approval, and full audio/video session recording can be configured intuitively to provide a valuable record of user activity while connected. These features show what combining connectivity with IAM policy can deliver.
This short demo shows the user and admin screens side by side, walking through the workflow of a native (or web) RDP session with supervised access and recording.
Video 1: A simple demonstration of supervised access to a remote desktop over RDP without using an agent
Overall, the Cyolo platform is a versatile tool that helps solve some of the more challenging use cases that plague security operators today. Cyolo brings a great deal of capability to bear on connectivity, identity verification, and access management. And best of all, it leaves no application or service behind, and it specializes in challenging scenarios such as vendor access to OT environments. If you have a tough problem to solve, it might be time to take a closer look at Cyolo.
If you want to know more about Cyolo, click here.