Software Defined Access

Safe-T’s overall solution, “Software Defined Access”, protects data by solving the trusted access challenge and ensures that organizations’ sensitive data is available only to the right people. Software Defined Access allows visibility and availability of applications, services and networks only after assessing trust that is based on policies regarding authorized user, device, location and application. This patented solution reduces cyberattacks by masking mission-critical data at the perimeter, making it accessible only to authorized and intended entities, on-premises or in the hybrid cloud.

Integrated Data Security Platform (IDSP)

IDSP provides the foundation for Safe-T’s Software Defined Access, supplying all the technology components required to create a true adaptive access solution. Enterprises can scale up according to business needs by adding key products and services that integrate seamlessly with the platform.

Safe-T’s underlying technology enables customers to benefit from an advanced security architecture, policies and workflows, strong data encryption, high availability, roles management, reporting and detailed audit trails. Safe-T’s technology platform is comprised of six modules:

Anonymous Application Access

Easy and secure new file upload services for applications, customers and anonymous users.

Secure Application Access

Secure, controlled and transparent access and usage for all entities to internal applications and files.

Secure File and Email Access

Controlled access and secured exchange of any type and size of file between people, applications, cloud solutions and businesses.

Cloud Storage Access

Controls and monitors all data uploaded and downloaded between the enterprise and cloud storage.

Secure Hybrid Cloud Access

Simple migration to hybrid-cloud architectures by securely and transparently connecting the cloud to the on-premise environment.

Reverse Access

Safe-T’s Reverse-Access is a patented dual-server technology: it removes the need to open any ports within a firewall while allowing secure application access between networks (through the firewall).

External server

Installed in the DMZ/external/non-secured segment.

Located in the organization’s DMZ (on-premise or cloud), the role of the external server is to act as a front-end to all services/applications published to the Internet. It operates without the need to open any ports within the internal firewall and ensures that only legitimate session data can pass through into the internal network. The external server performs TCP offloading, allowing it to support any TCP-based application without the need to perform SSL decryption.

Internal server

Installed in the internal/secured segment.

The role of the internal server is to pull the session data into the internal network from the external SDA node. Only if the session is legitimate will it perform layer 7 proxy functionality (SSL offloading, URL rewrite, Deep Packet Inspection, etc.) and pass it to the destination application server.

SecureStream Workflow Engine

Safe-T SecureStream policy and workflow enforcement engine enables enterprises to easily enforce security policies on any data exchange and data access workflow. Each workflow is fully controlled and monitored, providing complete auditing and tracking of “who, what, where, when and how” information. Administrators can create policies and workflows for secure data access and exchange that can be integrated intuitively into existing business workflows.


SecureStream enables system users to build multiple application tasks, defined as a series of automated actions, that can be triggered to occur based on specific events or behavior.

System users can integrate virtually any task and application with any other task with minimal integration effort, regardless of the protocols and languages each one uses. For example, SecureStream allows brokering traffic to third-party security (DLP, AV, Anti-malware) and IAM products.

Combining Safe-T Connectors and Authentication Engine with Safe-T’s SecureStream allows for creating robust workflows. For example:

  • Automatically enforce security policies on outgoing/incoming data exchange flows.
  • Easily create multi-factor authentication and authorization workflows.
  • Receive an uploaded file from a user and store it in an SFTP folder.
  • Store a file received from a document-management system in an NTFS location.
  • Pass an email attachment to a DLP to be scanned and then to an encryption solution to be encrypted.

SmarTransfer™ SIFS (Secure Internet File System)

Secure NTFS File Share and Access with Internal and External Entities. SmarTransfer SIFS allows internal and external users to gain transparent access to secure storage.

What appears as a standard mapped network drive is actually a secure, encrypted and access-controlled channel to interact with files (upload, download, copy, open, delete, etc.) while not relying on vulnerable protocols, such as SMB. All transactions are subject to Safe-T’s SecureStream policy and workflow engine, thereby ensuring secure and controlled access to any file type and content while meeting governance and audit requirements.

Authentication Gateway

Safe-T IDSP supports a robust built-in multi-factor and multi-tier authentication and authorization (MFA) gateway. The gateway allows performing user authentication and authorization enforcement actions through multiple authentication engines as part of any data exchange or access workflow.

2-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)

Safe-T solutions support performing 2-Factor Authentication (2FA) and Multi-Factor Authentication. For example, requesting the authenticating user to provide a username and password and then sending an SMS with an OTP that the user has to enter.


Secure File Transfer Protocol

SDE supports acting as an SFTP server to which SFTP clients can connect in order to upload/download files.

VPN Certificate Management

Organizations which allow business partners to connect back to them using VPN provide their business partners with VPN clients and certificates. This distribution adds operational complexity as the certificates must be managed. When using SDA for application access, VPN access is not needed, thus reducing the need for VPN certificate distribution and management.

Reverse Proxy

A reverse-proxy is a “backwards” proxy-cache server: it is a proxy server that, rather than allowing internal users to access the Internet, lets Internet users indirectly access certain internal servers. Internet users access an internal website by sending their requests indirectly through an intermediary reverse-proxy server.

With a reverse-proxy, the web server is protected from direct outside attacks, which increases the internal network’s strength. What’s more, a reverse-proxy’s cache function can lower the workload of the server it is assigned to. For this reason, it is sometimes called a server accelerator.

However, for a reverse-proxy to operate, the IT administrator must allow certain protocols to pass through the internal firewall and connect to specific hosts in the internal network (e.g. TCP 80/443 for web or Microsoft SharePoint applications). With this configuration, the reverse-proxy can access the internal network directly.

Too often, administrators seeking to troubleshoot a problem create a rule allowing full access between a DMZ system and a back-end server on the internal network (or the entire internal network).
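The check below is an added example, not Safe-T code: it audits a firewall rule list for the over-broad DMZ-to-internal rules described above. The address plan, the `Rule` fields and the sample rules are constructed assumptions, and every rule is treated as an allow rule.

```python
import ipaddress
from typing import NamedTuple

# Assumed address plan for this example only.
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


class Rule(NamedTuple):
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "443", "80,443" or "any"


def audit(rules):
    """Return {rule name: [findings]} for every allow rule from the DMZ into the internal network."""
    findings = {}
    for r in rules:
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if not (src.overlaps(DMZ) and dst.overlaps(INTERNAL)):
            continue  # not a DMZ -> internal path
        issues = []
        if r.proto == "any" or r.ports == "any":
            issues.append("all protocols/ports allowed")
        if dst.num_addresses > 1:
            issues.append(f"destination is {dst} rather than a single host")
        if not issues:
            issues.append("inbound opening needed by the reverse proxy; keep it pinned to this host and port")
        findings[r.name] = issues
    return findings


# Constructed rule set: one pinned reverse-proxy rule, one troubleshooting leftover.
SAMPLE_RULES = [
    Rule("rp-to-sharepoint", "192.0.2.10/32", "10.1.2.20/32", "tcp", "443"),
    Rule("temp-debug", "192.0.2.10/32", "10.0.0.0/8", "any", "any"),
    Rule("lan-to-internet", "10.0.0.0/8", "0.0.0.0/0", "tcp", "80,443"),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(issues))
```
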


Pass traffic between multiple solutions as part of a workflow. SDE can broker files and data as part of a data exchange workflow. SDA can broker traffic as part of a data access and user authentication workflow.

IAM (Identity Access Management)

In the context of Safe-T, we refer to the ability to connect to IAM solutions as part of an authentication workflow.

SDP (Software Defined Perimeter)

The standard architecture of the Software Defined Perimeter (SDP) consists of two components: SDP Hosts and SDP Controllers.

SDP Hosts can either initiate connections or accept connections. These actions are managed by interactions with the SDP Controllers via a control channel (see Figure 1). Thus, in a Software Defined Perimeter, the control plane is separated from the data plane to enable greater scalability. In addition, all of the components can be redundant for higher availability.

Safe-T’s Software Defined Perimeter architecture is the basis for Safe-T’s Secure Application Access solution. By deploying Safe-T’s SDP architecture, organizations can now design and deploy the On-Demand Perimeter. The On-Demand perimeter creates access rules for authenticated users into applications and data in a fully automated and dynamic fashion.

The On-Demand perimeter works as follows:

  • The user logs into a dedicated authentication portal published by the Authentication Gateway.
  • The user enters the credentials into the portal, and the Controller then authenticates the user using third-party IAM/IDP solutions, POST-based login, Microsoft Active Directory, SAML, OTP, etc.
  • Once authenticated, the user selects the application which should be accessed.
  • The Controller instructs the Access Gateway to allow the specific user access to the specific application and instructs the Authentication Gateway to redirect the user to the new published URL/IP.
  • The user accesses the newly published service.
  • Once the user disconnects from the service, the Controller instructs the Access Gateway to block the specific user’s access to the specific application.
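The steps above can be modelled as a default-deny gateway whose rules the Controller opens and closes per session. This is an added sketch, not Safe-T's implementation: the class and method names, the `entitlements` policy map and the one-time code are hypothetical and constructed for the example.

```python
import hmac


class AccessGateway:
    """Default deny: an application is reachable only through an explicit (user, app) entry."""
    def __init__(self):
        self.rules = set()

    def permits(self, user, app):
        return (user, app) in self.rules


class Controller:
    def __init__(self, gateway, verify, entitlements):
        self.gateway = gateway
        self.verify = verify              # stand-in for the IAM/IdP, AD, SAML or OTP check
        self.entitlements = entitlements  # assumed policy: user -> set of applications
        self.authenticated = set()

    def login(self, user, credential):
        ok = bool(self.verify(user, credential))
        if ok:
            self.authenticated.add(user)
        return ok

    def select_application(self, user, app):
        # Publish only for an authenticated user, and only an application policy allows.
        if user in self.authenticated and app in self.entitlements.get(user, ()):
            self.gateway.rules.add((user, app))
            return True
        return False

    def disconnect(self, user, app):
        # Ending the session removes the rule, so nothing stays published afterwards.
        self.gateway.rules.discard((user, app))
        self.authenticated.discard(user)


def demo():
    """Constructed walk-through; returns gateway decisions before, during and after a session."""
    gw = AccessGateway()
    ctl = Controller(gw, lambda u, c: hmac.compare_digest(c, "constructed-otp"), {"alice": {"crm"}})
    before = gw.permits("alice", "crm")
    ctl.login("alice", "constructed-otp")
    ctl.select_application("alice", "crm")
    during = gw.permits("alice", "crm")
    other_app = ctl.select_application("alice", "payroll")
    ctl.disconnect("alice", "crm")
    return before, during, other_app, gw.permits("alice", "crm")
```
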

Ransomware Attack

Safe-T’s solution for Ransomware attacks is Safe-T SDE. It prevents ransomware attacks from encrypting organizations’ files by controlling their encryption type, file size and type, verifying their integrity and ensuring any file manipulation is done solely by SDE.

Anti-Malware Segment / Scrubbing Zone

A dedicated zone for scanning uploaded files before they are transferred into the internal business/applications. Safe-T deploys the scrubbing zone in file upload and safe-reply deployments.

The scrubbing zone is created by deploying SDA between the DMZ (external SDA node) and the scrubbing zone (internal SDA node). Within the scrubbing zone, an SDE is deployed connected to an A/V or anti-malware solution.

DDoS Attacks

DDoS attacks come in various shapes and forms: SYN Flood, HTTP Flood, UDP Flood, NTP amplification attacks and other exotic names.

Each one of them is a unique ‘Attack Vector’ and can have completely different effects on the victim’s network. From a higher level, the attack vectors can be divided into three families that concern the typical organization: Application Web attacks, Network Attacks (also referred to as infrastructure attacks), and DNS Attacks.

By running SDA as a hybrid cloud and on-premise solution, it is possible to prevent Network Attacks from reaching the organization’s data center. More information can be found in Safe-T’s Fighting DDoS Attacks Using Attack Surface Reduction white paper.

SSL Keys