How ColorTokens relays zero trust data to remote employees, third parties

Zero trust has a lot of appeal. The access model requires all users to be continuously authenticated and validated before they can gain entry to applications and data, regardless of whether they’re inside or outside an organization’s private network. Recently, zero trust security company ColorTokens released a new product called Xaccess that extends zero trust access to remote employees, third parties, and contractors in distributed locations. It also offers a single integrated solution across multiple user access needs, data stores, and both cloud and hybrid applications, according to the company.

ColorTokens released Xaccess as a SaaS module within the company’s existing Xtended ZeroTrust Platform. President and chief operating officer Vats Srivatsan told VentureBeat the company developed it because it saw gaps for IT admin, cloud, and developer use cases. Existing secure access solutions, he said, mostly addressed web applications only.

“We’re the first platform that doesn’t look at remote access in isolation and instead addresses zero trust with a native end-to-end platform approach,” Srivatsan said. “By integrating remote access with zero trust segmentation, we empower organizations to extend a zero trust approach across their entire technology infrastructure.”

How it works

Whether applied to protect applications or data access, Xaccess works the same. For example, users can use it to access a S3bucket, a specific testing database, or crown-jewel applications.

The product is based on a service-initiated model, so applications and un-encrypted data are “never exposed to the internet or bad actors, creating a dark cloud,” Srivatsan said. He added that the system checks if the endpoint has encryption turned on before any data is transferred. For data at rest, specifically, he said Xaccess can ensure the device is using proper disk encryption before granting access. And when it comes to data in motion, if the application connections are not natively encrypted, the product ensures data is always sent over via encrypted channels. Regarding data fabric, Xaccess uses the same technology to restrict access to data sources or data stores to permitted users and applications only.

And of course, machine learning provides some intelligence. Srivatsan said it “plays a pivotal role in automating and simplifying policy creation as well as in the continuous assessment of risk posture.” Among other machine learning attributes, he says the platform uses auto-discovery of applications and usage patterns, recommendations with auto-suggestions of policies, prioritization to determine high-risk policies that need action, and anomalies and unusual access patterns.

Overall, Xaccess seeks to enable both granular access and a continuous assessment of risk and changing access decisions. The product taps various types of context to feed its decision making, including user context (including identity/role/department/group via LDAP/SAML/SCIM); device posture (OS, software, health/security check, AV, encryption, firmware); security (vulnerability data, exposure, threat feeds on internet connections); and user location (user defined tags, compliance tags).

The enterprise experience

Beyond those in-the-moment access decisions, Srivatsan said the data is “immensely useful in analysis, policy updates, and fine-tuning risk thresholds.” Every access and flow is captured, so you know exactly who is accessing what, from where, and how frequently. Every transaction also has context — including over 50 tags and attributes — to enable deeper dives.

Customers can get the system up and running in a few hours, rather than days or weeks, the company says. Additionally, the components are auto-configured and deployed in the cloud closest to the resources being accessed, which Srivatsan says “improves data transfer economics while allowing us to leverage the scale of public clouds.”

For the end user, the experience is always the same, whether they’re off-premises or on-premises, Srivatsan said. There are no additional steps for users, regardless of where the application or data is located.