US-12627669-B1 - Component for managing access to internal resources
Abstract
A system for providing secure remote access to an internal resource hosted by a target computing environment, comprising: a component designed for installation at the target computing environment configured for: publishing on a cloud platform in communication with the target computing environment, external routes to the internal resource hosted by the target computing environment, wherein the cloud platform routes a request to the component according to the published external routes, the request generated by a client terminal for accessing the internal resource, authenticating and/or authorizing the request against an access policy managed by the component for accessing the internal resource, in response to the authentication and/or authorization, establishing a remote access session according to the request, between the client terminal and the component managing the internal resource via the cloud platform over an encrypted connection, and decrypting traffic received over the established remote access session running on the encrypted connection.
Inventors
- Dedi Yarkoni
- Eran Shmuely
Assignees
- Cyolo Security Ltd
Dates
- Publication Date
- 20260512
- Application Date
- 20250626
Claims (19)
- 1 . A system for providing secure remote access to an internal resource hosted by a target computing environment, comprising: at least one processor executing code of a component designed for installation at the target computing environment, comprising instructions for: publishing on a cloud platform in communication with the target computing environment, external routes to the internal resource hosted by the target computing environment, wherein the cloud platform routes a request to the component according to the published external routes, the request generated by a client terminal for accessing the internal resource; authenticating and/or authorizing the request against an access policy managed by the component for accessing the internal resource; in response to the authentication and/or authorization, establishing a remote access session according to the request, between the client terminal and the component managing the internal resource via the cloud platform over an encrypted connection; and decrypting traffic received over the established remote access session running on the encrypted connection; and at least one router configured for communication with at least one component, and at least one upstream router configured for communication with at least one component and/or router, wherein each component is configured for communication with a single upstream router and a router is configured for communication with a single upstream router; wherein each respective router sends a list of internal resources being managed by the respective router to the upstream router for which the respective router is configured to communicate with, wherein each upstream router verifies the internal resources sent by each respective router.
- 2 . The system of claim 1 , wherein the cloud platform directs the encrypted traffic over the encrypted connection between the client terminal and the component of the target computing environment without decryption at the cloud platform, wherein decryption is performed by the component at the target computing environment.
- 3 . The system of claim 1 , wherein data from the internal resource for sending over the established remote access session running on the encrypted connection is encrypted by the component without encryption occurring at the cloud platform.
- 4 . The system of claim 1 , wherein the component is configured for managing remote access for individual internal resources.
- 5 . The system of claim 1 , wherein the request is associated with an identity of a specific user, and the authenticating and/or authorizing is for the identity associated with the request.
- 6 . The system of claim 1 , wherein the cloud platform monitors network level attacks against the encrypted connection passing through the cloud platform.
- 7 . The system of claim 1 , wherein the request is generated in response to a click on the internal resource presented within an application portal on a display of the client terminal, and wherein access to the internal resource is established in response to the click.
- 8 . The system of claim 1 , wherein the authentication is performed against a selected identity provider of a plurality of identity providers defined by the component, the plurality of identity providers installed at the target computing environment and/or installed at the cloud platform, wherein different requests for different internal resources are authenticated by different identity providers as defined by the component.
- 9 . The system of claim 1 , wherein private and/or sensitive data is hosted by the component and/or hosted by the target computing environment and excluded from being hosted by the cloud platform.
- 10 . The system of claim 1 , wherein the component is configured for managing access to at least one internal resource hosted by the target computing environment.
- 11 . The system of claim 1 , further comprising continuously monitoring and/or logging the established remote access session by the component.
- 12 . The system of claim 1 , wherein network ports of the component are maintained in a closed state and opened in response to the authentication and/or authorization for establishing the remote access session.
- 13 . The system of claim 1 , further comprising a plurality of components installed in a plurality of target computing environments hosting a plurality of internal resources, wherein the plurality of components communicate with each other via the cloud platform.
- 14 . The system of claim 13 , further comprising at least one router configured for communication with at least one component, and at least one upstream router configured for communication with at least one component and/or router, wherein each component is configured for communication with a single upstream router and a router is configured for communication with a single upstream router.
- 15 . The system of claim 14 , wherein a router receives the request from the client terminal and obtains an indication for routing the request to the component and closes a circuit in response to server name indication (SNI) matching an authenticated connection, or the router sends the request to the upstream router and the upstream router checks for a router to route the request, or the router terminates the connection when no router to route the request is found.
- 16 . The system of claim 13 , wherein data exchange and/or decision making between the plurality of components are performed via a consensus process.
- 17 . The system of claim 13 , wherein in response to failure of a first component of the plurality of components managing access to the internal resource, a second component configured in association with the internal resource is triggered for taking over functions of the first component for performing the authenticating and/or authorizing and for establishing the remote access session for the internal resource.
- 18 . The system of claim 13 , wherein at least two components of the plurality of components are associated with at least two different internal resources on at least two different target computing environments, the at least two components are configured as VPN termination points, and a VPN is established between the at least two components configured as VPN termination points.
- 19 . The system of claim 1 , wherein for each respective router configured for communication with an upstream router, the router sends to the upstream router a list of internal resources managed by components configured to communicate with the respective router, wherein the upstream router verifies the list of internal resources.
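The router hierarchy of claims 1, 14, 15 and 19 can be made concrete with a small model: each component publishes the hostnames it manages to exactly one upstream router, each router forwards its aggregated list upward, the upstream verifies the list before accepting it, and a request is dispatched on the TLS server name indication alone, so the relay never needs the decrypted payload. The following is an added illustration written for this page; it is not code from the patent or from Cyolo. The class names, the hostnames, and the specific verification rule (no hostname may be claimed by two different downstreams) are constructed assumptions.

```python
"""Hierarchical SNI-based routing through the cloud relay.

Added illustration for the router / upstream-router claims (1, 14, 15, 19);
not code from the patent or from Cyolo. The class names, hostnames and the
'verify before commit' rule are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


class RouteConflict(Exception):
    """A downstream advertised a hostname another downstream already owns."""


@dataclass
class Component:
    """Connector installed in the target environment (claim 1)."""
    name: str
    resources: set[str]         # hostnames (SNI values) it manages
    authenticated: bool = True  # holds an authenticated connection to its router

    def publish_routes(self) -> set[str]:
        return set(self.resources)


class Router:
    """Relay node; talks to exactly one upstream router (claim 1)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.upstream: Optional[Router] = None
        self.components: dict[str, Component] = {}  # hostname -> connector
        self.downstream: dict[str, Router] = {}     # hostname -> child router
        self.log: list[str] = []

    def managed_resources(self) -> set[str]:
        return set(self.components) | set(self.downstream)

    # --- route publication: component -> router -> upstream router ---
    def attach_component(self, comp: Component) -> None:
        hosts = comp.publish_routes()
        self._verify_chain(hosts, comp.name)  # every hop verifies before anything is stored
        for host in hosts:
            self.components[host] = comp
        if self.upstream is not None:
            self.upstream._accept(self, hosts)

    def attach_router(self, child: Router) -> None:
        child.upstream = self
        hosts = child.managed_resources()
        self._verify_chain(hosts, child.name)
        self._accept(child, hosts)

    def _verify_chain(self, hosts: set[str], owner: str) -> None:
        """Claim 19: the upstream verifies the list a downstream sends. The
        constructed rule here: a hostname may not be claimed by two downstreams."""
        for host in hosts:
            current = self.components.get(host) or self.downstream.get(host)
            if current is not None and current.name != owner:
                raise RouteConflict(f"{self.name}: {host} already routed via {current.name}")
        if self.upstream is not None:
            self.upstream._verify_chain(hosts, self.name)

    def _accept(self, child: Router, hosts: set[str]) -> None:
        for host in hosts:
            self.downstream[host] = child
        if self.upstream is not None:
            self.upstream._accept(self, hosts)

    # --- request handling on the SNI alone; the TLS payload is never decrypted ---
    def route(self, sni: str) -> Optional[Component]:
        """Claim 15: close the circuit when the SNI matches an authenticated
        connection; else hand the request upstream; else terminate (None)."""
        comp = self.components.get(sni)
        if comp is not None:
            if comp.authenticated:
                self.log.append(f"{self.name}: circuit closed to {comp.name} for {sni}")
                return comp
            self.log.append(f"{self.name}: {sni} published but connection not authenticated")
            return None
        child = self.downstream.get(sni)
        if child is not None:
            return child.route(sni)
        if self.upstream is not None:
            self.log.append(f"{self.name}: no local route for {sni}, asking upstream")
            return self.upstream.route(sni)
        self.log.append(f"{self.name}: no router for {sni}, terminating")
        return None


def build_topology() -> dict[str, object]:
    """Constructed topology: one cloud root with two regional routers."""
    root, eu, us = Router("cloud-root"), Router("eu-router"), Router("us-router")
    root.attach_router(eu)
    root.attach_router(us)
    hr = Component("hr-connector", {"hr.corp.internal"})
    git = Component("git-connector", {"git.corp.internal"})
    lab = Component("lab-connector", {"lab.corp.internal"}, authenticated=False)
    eu.attach_component(hr)
    us.attach_component(git)
    us.attach_component(lab)
    return {"root": root, "eu": eu, "us": us, "hr": hr, "git": git, "lab": lab}


if __name__ == "__main__":
    d = build_topology()
    eu, us = d["eu"], d["us"]
    print(eu.route("git.corp.internal").name)  # reaches git-connector via the root
    print(eu.route("nowhere.corp.internal"))   # None: terminated at the root
    try:
        us.attach_component(Component("rogue", {"hr.corp.internal"}))
    except RouteConflict as e:
        print("rejected:", e)
```

The verification runs along the whole chain before any router stores the new routes, so a rejected list leaves no half-registered hostname behind; that is the property a defender wants from claim 19, since a connector that could silently shadow another environment's hostname would let the relay misdirect sessions.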
Description
BACKGROUND
The present invention, in some embodiments thereof, relates to security of internal resources and, more specifically, but not exclusively, to systems and methods for managing access to internal resources.
Secure remote access to internal resources while preventing unauthorized access and data breaches is required. Traditional VPNs and access control methods often lack flexibility and scalability. Emerging solutions integrate identity-based authentication, dynamic policies, and zero-trust principles to enhance security. Efficient management of remote access reduces risks and improves user experience.
SUMMARY
According to a first aspect, a system for providing secure remote access to an internal resource hosted by a target computing environment, comprising: at least one processor executing code of a component designed for installation at the target computing environment, comprising instructions for: publishing on a cloud platform in communication with the target computing environment, external routes to the internal resource hosted by the target computing environment, wherein the cloud platform routes a request to the component according to the published external routes, the request generated by a client terminal for accessing the internal resource, authenticating and/or authorizing the request against an access policy managed by the component for accessing the internal resource, in response to the authentication and/or authorization, establishing a remote access session according to the request, between the client terminal and the component managing the internal resource via the cloud platform over an encrypted connection, and decrypting traffic received over the established remote access session running on the encrypted connection.
According to a second aspect, a computer implemented method for providing secure remote access to an internal resource hosted by a target computing environment, comprising: using at least one processor executing code of a component designed for installation at the target computing environment, comprising instructions for: publishing on a cloud platform in communication with the target computing environment, external routes to the internal resource hosted by the target computing environment, wherein the cloud platform routes a request to the component according to the published external routes, the request generated by a client terminal for accessing the internal resource, authenticating and/or authorizing the request against an access policy managed by the component for accessing the internal resource, in response to the authentication and/or authorization, establishing a remote access session according to the request, between the client terminal and the component managing the internal resource via the cloud platform over an encrypted connection, and decrypting traffic received over the established remote access session running on the encrypted connection. 
According to a third aspect, a non-transitory medium storing program instructions for providing secure remote access to an internal resource hosted by a target computing environment, which when executed by at least one processor of a component designed for installation at the target computing environment, cause the at least one processor to: publish on a cloud platform in communication with the target computing environment, external routes to the internal resource hosted by the target computing environment, wherein the cloud platform routes a request to the component according to the published external routes, the request generated by a client terminal for accessing the internal resource, authenticate and/or authorize the request against an access policy managed by the component for accessing the internal resource, in response to the authentication and/or authorization, establish a remote access session according to the request, between the client terminal and the component managing the internal resource via the cloud platform over an encrypted connection, and decrypt traffic received over the established remote access session running on the encrypted connection.
In a further implementation form of the first, second, and third aspects, the cloud platform directs the encrypted traffic over the encrypted connection between the client terminal and the component of the target computing environment without decryption at the cloud platform, wherein decryption is performed by the component at the target computing environment.
In a further implementation form of the first, second, and third aspects, data from the internal resource for sending over the established remote access session running on the encrypted connection is encrypted by the component without encryption occurring at the cloud platform.
In a further implementation form of the first, second, and third aspects, the component is configured for managing remote access for individual internal resources.
In a further implementation form of the first, second, and third
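The component side of the design (claims 5, 8, 11 and 12 and the summary's implementation forms) is the part that actually sees cleartext: it authenticates the request against the identity provider its own policy selects for that resource, authorizes the identity against the resource's rule, opens the resource's port only after both succeed, and logs every decision. The following is an added illustration written for this page; it is not code from the patent or from Cyolo. Each identity provider is modelled as an HMAC-SHA256 key that signs a small JSON token, standing in for a real IdP; the policy, the resource names and the keys are constructed.

```python
"""Component-side authentication and authorization against its access policy.

Added illustration for claims 5, 8, 11 and 12 and the summary's implementation
forms; not code from the patent or from Cyolo. Each identity provider is
modelled as an HMAC-SHA256 key that signs a small JSON token (a stand-in for a
real IdP); the policy, resource names and keys are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


class IdentityProvider:
    """Stand-in IdP: issues and verifies tokens with a per-IdP secret key."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key = name, key

    def issue(self, subject: str, groups: list) -> str:
        payload = json.dumps({"iss": self.name, "sub": subject, "groups": groups},
                             sort_keys=True).encode()
        body = base64.urlsafe_b64encode(payload).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify(self, token: str) -> Optional[dict]:
        """Return the claims only if the signature is this IdP's and iss matches."""
        try:
            body, sig = token.rsplit(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims.get("iss") == self.name else None


class AccessComponent:
    """Component installed beside the internal resources (claim 1).

    policy maps resource hostname -> {"idp": <IdP name>, "groups": {...}}.
    A resource's port stays closed until a request for it is authenticated
    and authorized (claim 12); every decision is logged (claim 11).
    """

    def __init__(self, policy: dict, idps: dict) -> None:
        self.policy = policy
        self.idps = idps
        self.sessions: dict = {}   # resource -> set of open session ids
        self.audit: list = []

    def port_state(self, resource: str) -> str:
        return "open" if self.sessions.get(resource) else "closed"

    def request_access(self, resource: str, token: str, session_id: str) -> bool:
        rule = self.policy.get(resource)
        if rule is None:
            return self._deny(resource, session_id, "no policy for resource")
        # Claim 8: the IdP is chosen per resource by the component's policy,
        # so a token from any other IdP cannot satisfy this resource.
        claims = self.idps[rule["idp"]].verify(token)
        if claims is None:
            return self._deny(resource, session_id, f"not a valid token from {rule['idp']}")
        if not set(claims.get("groups", [])) & rule["groups"]:
            return self._deny(resource, session_id, f"{claims.get('sub')} not in allowed groups")
        # Only now does the component open the port and establish the session.
        self.sessions.setdefault(resource, set()).add(session_id)
        self.audit.append(f"ALLOW {resource} user={claims['sub']} session={session_id}")
        return True

    def _deny(self, resource: str, session_id: str, reason: str) -> bool:
        self.audit.append(f"DENY {resource} session={session_id}: {reason}")
        return False


def build_component():
    """Constructed policy: HR behind the corporate IdP, Git behind a partner IdP."""
    corp = IdentityProvider("corp-idp", b"constructed-corp-key")
    partner = IdentityProvider("partner-idp", b"constructed-partner-key")
    policy = {
        "hr.corp.internal": {"idp": "corp-idp", "groups": {"hr-staff"}},
        "git.corp.internal": {"idp": "partner-idp", "groups": {"contractors"}},
    }
    return AccessComponent(policy, {"corp-idp": corp, "partner-idp": partner}), corp, partner


if __name__ == "__main__":
    comp, corp, partner = build_component()
    print(comp.port_state("hr.corp.internal"))                                     # closed
    print(comp.request_access("hr.corp.internal", corp.issue("alice", ["hr-staff"]), "s1"))
    print(comp.request_access("hr.corp.internal", partner.issue("mallory", ["hr-staff"]), "s2"))
    print(comp.port_state("hr.corp.internal"))                                     # open
    for line in comp.audit:
        print(line)
```

The point worth checking in a real deployment is the second request: a token that is perfectly valid for the partner IdP carries the right group name but is rejected for the HR resource, because the component verifies it against the IdP its policy names for that resource rather than against every IdP it knows. The audit list is the hook where claim 11's continuous session logging would attach.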