The Blacksands Separation of Powers architecture is predicated on splitting up how authorizations are performed. Our zero-trust environment requires every connection to be authorized. The Blacksands architecture consists of Receivers, Authorizers and the Blacksands Cloud (the Manager):
- Authorizer – forward-facing identification system
- Manager – invisible, external cloud management system
- Receiver – invisible, software edge appliance / gateway
- Certificates – unique, industry-standard certificates for every user device
With our Separation of Powers architecture, the SCaaS solution is designed to invert the typical internet connectivity process. Instead of the standard Trust-but-Verify process, where a host connects to the entire internet and then attempts to filter out malicious or illegitimate traffic, Blacksands dynamically authenticates and authorizes the user before any network connection is made at the edge, and then provides point-to-point routing through its external management architecture to pre-defined Services (PCs, applications, IoT devices).
STEP 1 A secure connection begins when a user establishes an encrypted session to a Blacksands Authorizer (A). The Authorizer’s job is to identify the user, maintain a connection heartbeat, and provide routing information for selected services obtained from the Manager (M). The user is identified using two-factor authentication (a unique certificate and a password). Neither the password nor a hash of the password is ever passed over the internet. Once a user is identified, the user is provided a list of authorized services.
STEP 2 When the user selects a particular service through the Authorizer (A), the Manager (M) sets up the point-to-point connection. The Blacksands Receiver (R) is dynamically configured to expect a new session from a particular user, presenting a specific certificate, from a specific IP address, and to route that session to a particular service on the backend. Simultaneously, the user is provided the route to that Receiver, which yields an encrypted point-to-point connection.
STEP 3 The user’s new point-to-point connection is made to the Receiver (R). The user again presents their unique certificate to the Receiver (R) front end. The Receiver proxies the new connection to a particular Service (S) at a specific IP address and port.
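The Receiver-side check in STEP 2 and STEP 3 can be illustrated with the following toy model. It is an added example, not Blacksands code: the Manager’s instruction is modelled as an Expectation (user, certificate fingerprint, source IP, backend service, expiry), the Receiver is default-deny, and a SHA-256 fingerprint of the certificate bytes, the one-session-per-expectation rule and the expiry field are assumptions of this example rather than documented product behaviour.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for a user's device certificate (a real deployment
# would use the DER bytes of the X.509 certificate; this is only sample data).
ALICE_CERT = b"-----CONSTRUCTED SAMPLE CERT FOR alice-----"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the presented certificate (assumed scheme)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class Expectation:
    """What the Manager pushes to the Receiver in STEP 2."""
    user: str
    cert_fingerprint: str
    source_ip: str
    service: Tuple[str, int]   # backend (IP, port) the session is proxied to
    expires_at: float          # seconds; the expectation is stale after this


class Receiver:
    """Toy Receiver: default-deny, one pre-authorized session per expectation."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, str, str], Expectation] = {}

    def expect(self, exp: Expectation) -> None:
        """Manager instructs the Receiver to accept exactly one matching session."""
        self._pending[(exp.user, exp.cert_fingerprint, exp.source_ip)] = exp

    def accept(self, user: str, cert_der: bytes, source_ip: str,
               now: float) -> Optional[Tuple[str, int]]:
        """STEP 3: return the backend to proxy to, or None to drop the connection.
        A matching expectation is consumed on use, so a second session from the
        same client needs a fresh STEP 2 from the Manager (assumption of this toy)."""
        key = (user, fingerprint(cert_der), source_ip)
        exp = self._pending.pop(key, None)
        if exp is None or now > exp.expires_at:
            return None   # unknown client, wrong cert or IP, or stale authorization
        return exp.service


if __name__ == "__main__":
    r = Receiver()
    r.expect(Expectation("alice", fingerprint(ALICE_CERT), "198.51.100.7",
                         ("10.0.0.5", 3389), expires_at=100.0))
    print(r.accept("alice", ALICE_CERT, "198.51.100.7", now=50.0))   # ('10.0.0.5', 3389)
    print(r.accept("alice", ALICE_CERT, "198.51.100.7", now=51.0))   # None (consumed)
```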