Architecture Overview

Splashtop Secure Workspace provides a secure and efficient way for end users to access private applications, SaaS applications, and the internet from anywhere. It also offers IT administrators a centralized panel to manage users, devices, applications, data, and networks.

The simplified architecture diagram illustrates the components and how they work together.

Components of Splashtop Secure Workspace

Splashtop Secure Workspace consists of the following key components:

1. Cloud Controller & Web Portal: The controller manages configurations, policies, and acts as the policy decision point. It controls access to both the internet network and private applications.
2. Secure Workspace Global Edge Network: The Secure Workspace Global Edge Network is a geo-distributed network that provides secure access to private applications.
3. Secure Workspace Connector: The connector is a dial-out component responsible for establishing a persistent secure tunnel with the Splashtop Secure Workspace Global Edge Network.
4. Edge Locations: The Secure Workspace edge infrastructure is strategically distributed across various geographic regions. These Edge Locations are interconnected through a high-performance network backbone, ensuring efficient and reliable connectivity.
5. Secure Workspace Client: The secure workspace client supports multiple form factors, including desktop GUI applications, desktop CLI applications, mobile devices, web browsers, and web browser extensions.

How Splashtop Secure Workspace Works

Splashtop Secure Workspace supports secure work from anywhere in the following use cases:

- Private Application Access via Desktop Client:

When launching a private application through the Secure Workspace desktop client, the following steps take place:

1. Requesting access: The secure workspace desktop client initiates a request to the controller, providing all the necessary context and runtime information. This includes client security postures, user information, and the client signature.
2. Policy and entitlement checking: The controller evaluates the request by checking the relevant policies and entitlements. It verifies if the user is entitled to launch or access the application and ensures that the defined policy conditions allow the requested access.
3. Granting access: If the user meets the entitlement criteria and the policy conditions are satisfied, the controller grants access. It then issues a token to the client as a secure authorization credential.
4. Negotiating with a secure workspace edge location: The client utilizes the received token to negotiate with the nearest edge location within the Secure Workspace global network. This establishes a secure tunnel between the client and the selected edge location.
5. Optimized routing to a target application: The secure workspace edge location, now connected to the client through the secure tunnel, routes the request to the edge location that has a persistent connection with the target application. The target application is connected to the nearest edge location using the secure workspace connector. The secure workspace global edge network optimizes the routing process by leveraging its backbone network, ensuring optimized performance.

- Private Application Access via Web Browser and Mobile Client:

Users can launch private applications directly from (1) the secure workspace web portal using a web browser or (2) from their secure workspace mobile client. This provides flexibility and convenience when accessing private applications. The following steps outline how this functionality is achieved:

1. Policy and entitlement checking: When launching a private application through a web browser or the secure workspace mobile client, the controller performs a comprehensive check of the user's entitlement and the associated policy. It verifies if the user is entitled to launch the application and ensures that the defined policy conditions allow the requested access.
2. Granting access: If the user meets the entitlement criteria and the policy conditions are satisfied, the controller grants access. It then issues a token to the browser client as an authorization credential, securely confirming the user's eligibility to access the private application.
3. Requesting redirection: After granting access, the controller redirects the request to the proxy server running in the edge location that has a direct and persistent connection to the target application.
4. Rendering a target application: The access proxy server, in collaboration with the web browser, renders the target application within a browser tab using HTML5. This allows users to interact with remote desktops, SSH, or other types of applications seamlessly within their browser environment.

- Public Application (SaaS) Access:

Splashtop Secure Workspace also supports the provisioning and access of public applications or Software-as-a-Service (SaaS) applications. These applications can be assigned to users by IT administrators. The following steps outline how public application access functionality is achieved::

1. Integration with secure workspace: The SaaS application is configured to use Splashtop Secure Workspace as its Identity Provider (IDP). From the perspective of Secure Workspace, the SaaS application is considered a Service Provider (SP), and integration is established between the two.
2. Launching a public application: When a user launches the public or SaaS application from the Secure Workspace controller or web portal, an authentication request is initiated to the controller. The user's credentials and authentication request are sent to the controller for validation.
3. Entitlement and Policy Checking: The controller authenticates the user, ensuring their credentials are valid. It then verifies if the user meets the entitlement criteria and policy conditions defined for accessing the public application. If the criteria are satisfied, the controller issues a sign-on token based on the IDP configuration.
4. Issuing tokens and redirection: Depending on the IdP configuration, the controller issues either a Single Sign-On (SSO) token or an OpenID Connect token. The controller then redirects the user's request to the target SaaS application.
5. SaaS application authentication flow: Upon receiving the redirected request, the SaaS application follows the appropriate authentication flow based on the received token. The user is authenticated by the SaaS application and granted access within an open web browser tab.

- Secure Internet Network Access by Desktop Client:

The Splashtop Secure Workspace desktop client offers a powerful feature that enables administrators to secure all internet access from the user's desktop. With this capability, administrators can establish and enforce network access policies to ensure a safe and productive online experience. The following steps outline how this functionality is achieved:

1. Network access policy setup: Administrators can configure network access policies (such as allowed domain lists, blocked domain lists, or web content categories) to control and protect users from accessing harmful websites. These policies serve as the guidelines for internet access permissions.
2. DNS configuration: The desktop client takes over the DNS configuration of the user's desktop. When an internet access request is made from the user's computer, the desktop client takes over the DNS request and validates it with the cloud controller.
3. Access request validation: The controller acts as the central authority for access control, ensuring compliance with the defined policy. It verifies whether the request satisfies the network access policy set by the administrator.
4. Access approval and DNS resolution: If the controller approves the access request based on the policy validation, it instructs the desktop client to provide the proper DNS resolution for the requested domain. This allows the user to access the requested website or online resource securely.
5. Non-compliant access handling: In cases where the user's request does not meet the network access policy requirements, the desktop client redirects the request to a block page. The user is then presented with a block message that is customized by the IT administrator, indicating that the requested website or resource is blocked based on the configured policies.

- Client Management:

With Splashtop Secure Workspace, IT administrators have the ability to manage and control all enrolled desktop clients through the web portal. This allows for seamless administration and configuration of user settings for desktop clients.

The following steps outline how desktop client enrollment is achieved:

1. Enrollment process: When a desktop client attempts to connect to the controller, the controller validates whether the client is enrolled. There is an enrollment process that may require admin approval. When the desktop client registers with Secure Workspace for the first time, it generates a private key and a certificate signing request (CSR) stored in its secure store (e.g., Keychain on Mac OS). The client then sends the CSR to the controller for verification and signature.
2. Admin approval and certificate issuance: Upon verifying user credentials and receiving admin approval, the controller issues a certificate signed by the controller itself to the desktop client. The client stores this certificate in its secure store (e.g., Keychain). Subsequently, whenever the client initiates a connection with the controller, it presents this certificate for authentication purposes.
3. Client registration and authentication: This enrollment process ensures that only approved and authenticated desktop clients can establish a connection with the controller. The client presents its certificate during connection initiation, allowing the controller to authenticate the desktop client and grant access to the Secure Workspace resources.

- Client Security Posture Validation:

Splashtop Secure Workspace allows administrators to enforce client posture check policies. These policies enable administrators to validate the security hygiene of the desktop clients, ensuring compliance with security standards. The following steps outline how client posture check is implemented:

1. Configuring client posture check policy: Administrators can define a client posture check policy that includes various validation points. These points assess the state of the desktop client's security, such as disk encryption, antivirus presence, specific registry settings, and the patch level of the operating system. By specifying these requirements, administrators can ensure the security hygiene of the desktop client cross the organization.
2. Scheduling Posture Checks: The controller schedules client posture validation with the desktop client. This validation process is performed periodically or based on specific triggers, such as client connection or system events.
3. Reporting posture check results: The desktop client conducts the client posture check according to the scheduled validation. It then reports the results of the posture check to the controller. This allows the controller to assess the compliance of the desktop client with the specified security posture requirements.
4. Access control decision making: Based on the results of the client posture check, the controller makes informed decisions regarding access to network resources. It determines whether to allow or disallow the desktop client's access based on its compliance with the defined security posture. This ensures that only compliant and secure desktop clients are granted access to network resources.

- Password and Secret Management:

Splashtop Secure Workspace offers a robust password and secret management capability for all users, including IT administrators and end users. This feature simplifies the management of credentials and enhances security across various applications and systems. The following information outlines how password and secret management is implemented in Splashtop Secure Workspace:

• Integrated Password Manager: Splashtop Secure Workspace provides an integrated password manager, allowing users to securely store and manage their usernames and passwords. This ensures a seamless experience and adds convenience when accessing private applications.

• Private Application Access with Password Manager: Private applications are assigned to groups, and by enabling the dynamic credentials attribute for the application, each group can be assigned one or multiple usernames and passwords stored within the password manager. Leveraging this feature, the system automatically retrieves the stored credentials, establishing a secure session for users to access the target application without needing to know the credentials assigned by the administrator.

• Zero Knowledge Architecture: The password manager in Splashtop Secure Workspace is built on a zero-knowledge architecture. This means that only the user who possesses the master password has the ability to access the stored passwords and secrets. The workspace controller has zero knowledge of the actual content stored in the password manager, ensuring the privacy and confidentiality of user data.

• Client-Side Encryption: To further enhance security, all passwords and secrets stored within the password manager are encrypted on the client side. This ensures that sensitive information is protected and remains inaccessible to unauthorized parties.

- Privileged Access to Private Applications via Web Browser:

Splashtop Secure Workspace offers privileged access capabilities for private applications through web browsers. Privileged accounts refer to credentials such as service accounts, root accounts, or admin accounts. The following information outlines how privileged access management is implemented within Splashtop Secure Workspace:

• Assigning Privileged Accounts to Users and Groups: Administrators have the ability to assign privileged accounts to specific users or groups within the private application configuration. These assigned accounts can then be accessed by the respective user or group members when accessing the target application via a web browser. This ensures that users can utilize privileged access without needing direct knowledge of the actual username and password associated with the privileged account.
• Integration with Password Manager: The implementation of privileged access is closely integrated with the password manager feature discussed previously. Administrators can securely store service accounts, root accounts, or other privileged accounts within their password manager without directly sharing these credentials with anyone.
• Dynamic Credential Assignment: Administrators can activate the dynamic credential attribute for the private application. With this feature, each user or group can be assigned zero or multiple privileged accounts stored in the administrator's password manager. When a user attempts to access the application, they will be prompted to choose from the assigned privileged accounts associated with their group membership.
• Choosing Privileged Account for Session Establishment: End users can select the desired privileged account from the provided list to establish their session. This allows them to utilize the necessary privileges for accessing the target application, ensuring smooth and secure operations.

Conclusion

Splashtop Secure Workspace offers a powerful solution for secure and efficient access to the internet, private applications and public applications (SaaS). By leveraging the Secure workspace Controller, Secure Workspace Global Edge Network, and its advanced access control mechanisms, users can enjoy seamless and protected access to resources from any location.

Secure Workspace Portal
Desktop Client
Mobile Client
Command-Line Interface (CLI) Client
Browser Extension
Connector