Abstract: Systems and methods include, responsive to a request from a user for one or more Business-to-Business (B2B) applications, redirecting the request, by a cloud-based system, to an identity provider to authorize the user; displaying the one or more B2B applications that the user is authorized to access; responsive to a selection of a B2B application of the one or more B2B applications, creating a first tunnel from the B2B application to the cloud-based system; and stitching the first tunnel between the B2B application and the cloud-based system with a second tunnel between the user and the cloud-based system. The systems and methods further include, responsive to the user being unauthorized for any of the one or more B2B applications, omitting the one or more B2B applications from the displaying, such that the one or more B2B applications are invisible to the user.

Abstract: Systems and methods for policy based agentless file transfer in zero trust private networks. Various systems and methods include receiving a request for a file transfer; determining a file transfer protocol; evaluating one or more criteria associated with the request, the criteria being associated with any of an end user and the contents of the file; and allowing or denying the file transfer based on the evaluating. Responsive to an end user's policy including a requirement for file inspection, the steps can further include sending the file to a sandbox for inspection, and receiving a result of the inspection from the sandbox.

Abstract: Systems and methods include receiving one or more disaster recovery configurations via a cloud-based system; storing the one or more received disaster recovery configurations in one or more components of the cloud-based system; identifying activation of a disaster recovery mode; and providing private application access based on one or more disaster recovery configurations.

Abstract: Systems and methods include, receiving a request from a user to access an application; determining if the user meets one or more requirements, wherein responsive to the user meeting the one or more requirements, presenting the user with a login page; validating credentials of the user with one or more additional sources; responsive to successful validation of the users' credentials, authenticating the user and evaluating one or more access policies for the user; and initiating a connection between the user and the application based on the one or more access policies.

Abstract: Systems and methods, in a lightweight connector including a processor communicatively coupled to a network interface, include connecting to a cloud-based system, via the network interface; connecting to one or more of a file share and an application, via the network interface; and providing access to a user device to the one or more of the file share and the application via a stitched connection between the network interface and the user device through the cloud-based system. The systems and methods can further include receiving a query for discovery; and responding to the query based on the one or more of the file share and the application connected thereto.

Abstract: Systems and methods include obtaining log data for a plurality of users of an enterprise where the log data relates to usage of a plurality of applications by the plurality of users; determining i) app-segments that are groupings of application of the plurality of applications and ii) user-groups that are groupings of users of the plurality of users; and providing access policy of the plurality of applications based on the user-groups and the app-segments. The steps can further include monitoring the access policy over time based on ongoing log data, manual verification of the access policy, and incidents where users are prevented from accessing any application; and adjusting the determined based on the monitoring.

Abstract: Systems and methods include, responsive to security research identifying a zero-day Common Vulnerabilities and Exposure (CVE), receiving the associated signatures of the zero-day CVE; responsive to determining a user can access an application via a cloud-based system, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user is remote over the Internet, obtaining an inspection profile for the user with the inspection profile including a plurality of rules; performing inspection of transactions after the access using the plurality of rules including a rule for identifying the zero-day CVE; and responsive to results of any of the plurality of rules, one or more of monitoring, allowing, blocking, and redirecting the access, via the cloud-based system.

Abstract: Systems and methods for privileged remote access to Operational Technology (OT)/Internet of Things (IOT)/Industrial IOT (IIOT)/Industrial Control System (ICS) infrastructure, implemented in a cloud-based system. The method includes steps of, responsive to determining a user can access an application associated with the OT/IOT/IIOT/ICS infrastructure, determining the user's security and access policies and creating a session for the user; establishing a secure connection to the application via a lightweight connector connected to the application; and brokering a connection between the user's device and the application through the lightweight connector, enabling the user to interact with the application for the OT/IOT/IIOT/ICS infrastructure, based on the user's security and access policies.

Abstract: Systems and methods include receiving a request, in a cloud system from a user device, to access an application, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user device is remote over the Internet; determining if the user device is permitted to access the application; if the user device is not permitted to access the application, notifying the user device the application does not exist; and if the user device is permitted to access the application, stitching together connections between the cloud system, the application, and the user device to provide access to the application.

Abstract: Systems and methods include, responsive to determining a user can access an application via a cloud-based system, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user is remote over the Internet, obtaining a predetermined inspection profile for the user with the inspection profile including a plurality of rules evaluated in an order; performing inspection of the access using the plurality of rules in the order; and responsive to results of any of the plurality of rules, one or more of monitoring, allowing, blocking, and redirecting the access, via the cloud-based system.

Abstract: Systems and methods include, connecting to a first service edge node in a cloud-based system and obtaining one or more addresses each for one or more service edge nodes in the cloud-based system, wherein the one or more service edge nodes include public service edge nodes and private service edge nodes; connecting to a second service edge node of the one or more service edge nodes using the corresponding address; providing a request for an application to the second service edge node; and responsive to policy and accessibility determined via the cloud-based system, receiving access to the application via a connector adjacent to the application.

Abstract: A Dynamic Name Server (DNS) surrogation method, a DNS system, and a DNS server provide DNS surrogation which is the idea that if a user device sends a DNS resolution request to a given DNS server that server does not need to actually perform the recursion itself. A policy can be defined telling the server that first received the request to take other factors into account and “relay” or “surrogate” that request to another node. This additional node is called a “surrogate” and it actually performs the recursion therefore allowing the resolving party to perform proper localization, optimization, or any other form of differentiated resolution. This surrogation also distributes the job of actually performing resolution, which adds scalability to the DNS server or service itself. A network of “surrogate” resolvers is possible as well as the concept of every client needing DNS resolution can also become a surrogate.

Abstract: Systems and methods include, responsive to a request from a user for one or more Business-to-Business (B2B) applications, redirecting the request, by a cloud-based system, to an identity provider to authorize the user; displaying the one or more B2B applications that the user is authorized to access; responsive to a selection of a B2B application of the one or more B2B applications, creating a first tunnel from the B2B application to the cloud-based system; and stitching the first tunnel between the B2B application and the cloud-based system with a second tunnel between the user and the cloud-based system. The systems and methods further include, responsive to the user being unauthorized for any of the one or more B2B applications, omitting the one or more B2B applications from the displaying, such that the one or more B2B applications are invisible to the user.

Abstract: The present disclosure includes, responsive to a request from a user device, performing a security check based on policy associated with the user device, wherein the policy includes setting related to content filtering and security; responsive to the security check, performing one of: directly allowing the request to the Internet based on the security check determining the request is allowed by the settings; directly blocking the request based on the security check determining the request is disallowed by the settings; and forwarding the request to a system for inline inspection based on the security check determining the request includes suspicious content, wherein responsive to the inline inspection, the request is one of allowed and blocked.

Abstract: A cloud-based security method using Domain Name System (DNS) includes receiving a request from a user device at a DNS server; performing a security check on the request based on a policy look up associated with the user device; responsive to the policy look up, performing a DNS security check on the request; and responsive to the DNS security check, performing one of allowing the request to the Internet; blocking the request based on the policy; and providing the request to inline inspection based on the policy, wherein the request is one of allowed to the Internet or blocked based on the inline inspection.

Abstract: Systems and methods, in a lightweight connector including a processor communicatively coupled to a network interface, include connecting to a cloud-based system, via the network interface; connecting to one or more of a file share and an application, via the network interface; and providing access to a user device to the one or more of the file share and the application via a stitched connection between the network interface and the user device through the cloud-based system. The systems and methods can further include receiving a query for discovery; and responding to the query based on the one or more of the file share and the application connected thereto.

Abstract: Virtual private access systems and methods implemented in a clientless manner on a user device are disclosed. The systems and methods include receiving a request to access resources from a Web browser on the user device at an exporter in a cloud system. The resources are located in one of a public cloud and an enterprise network and the user device is remote therefrom on the Internet. The systems and methods also include performing a series of connections between the exporter and i) the Web browser and ii) centralized components to authenticate a user of the user device for the resources. The systems and methods further include, subsequent to authentication, exchanging data between the Web browser and the resources through the exporter. The exporter has a first secure tunnel to the Web browser and a second secure tunnel to the resources.

Abstract: Systems and methods include receiving a request, in a cloud system from a user device, to access an application, wherein the application is in one of a public cloud, a private cloud, and an enterprise network, and wherein the user device is remote over the Internet; determining if the user device is permitted to access the application; if the user device is not permitted to access the application, notifying the user device the application does not exist; and if the user device is permitted to access the application, stitching together connections between the cloud system, the application, and the user device to provide access to the application.

Abstract: A virtual private access method implemented by a cloud system, includes receiving a request to access resources from a user device, wherein the resources are located in one of a public cloud and an enterprise network and the user device is remote therefrom on the Internet; forwarding the request to a central authority for a policy look up and for a determination of connection information to make an associated secure connection through the cloud system to the resources; receiving the connection information from the central authority responsive to an authorized policy look up; and creating secure tunnels between the user device and the resources based on the connection information.

Abstract: Virtual private access systems and methods implemented in a clientless manner on a user device include receiving a request to access resources from a Web browser on the user device at an exporter in a cloud system, wherein the resources are located in one of a public cloud and an enterprise network and the user device is remote therefrom on the Internet; performing a series of connections between the exporter and i) the Web browser and ii) centralized components including a crypto service, database, cookie store, and Security Assertion Markup Language (SAML) Service Provider (SP) component to authenticate a user of the user device for the resources; and, subsequent to authentication, exchanging data between the Web browser and the resources through the exporter, wherein the exporter has a first secure tunnel to the Web browser and a second secure tunnel to the resources.