System Components & Responsibility

Overview of Dispel's RACI Matrices and security considerations at each layer of the Dispel platform.

Written by Ben Burke
Updated over a week ago

This document provides an overview of each layer of Dispel's platform, its components, and its user roles. It then details Dispel's work with sub-processors and the RACI (Responsible, Accountable, Consulted, Informed) breakdown for implementation and use of Dispel's Services.

Dispel Zero Trust Access Components

Structure Overview

⚡ Dispel connects you to the OT network in just 30 seconds while meeting necessary OT security standards.

The Components

Wicket ESI

What is the Wicket ESI?

The Wicket External Systems Integrator (ESI) is an on-premise component available as a hardware or software appliance. It automatically routes verified traffic across your OT network, preventing unauthorized access to your devices.

How does it work?

The Wicket ESI establishes an encrypted, outbound connection to the Region, ensuring that no component knows the location of your OT network. Once approved traffic is linked, the Wicket ESI decrypts and translates the traffic. This allows Dispel traffic to pass through your firewalls smoothly.

What are the deployment requirements for Wicket ESIs?

For Wicket ESI system requirements, see this article.

Hardening, Patching, and Updating

Dispel uses the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for evaluating the hardening of deployed systems. STIGs are published as tools to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. The existence of a STIG does not equate to DoD approval for the procurement or use of a product.

About DISA

DISA is a U.S. DoD combat support agency focused on information technology. DISA’s strategic plan continues to align to national and defense-level strategies, namely The National Security Strategy, National Cyber Strategy, National Defense Strategy, DoD Cyber Strategy and DoD Digital Modernization Strategy. The DoD’s long-term cyber-strategic approach is based on mutually reinforcing lines of effort to build a more lethal joint force, compete and deter in cyberspace, expand alliances and partnerships, reform the department and cultivate talent. Collectively, these strategies guided the development of the strategic plan and support DoD’s goal to strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages.

Patches and updates are automatically applied to deployed Region infrastructure as they become available. If an update would require downtime, Dispel will proactively reach out to customers to schedule any maintenance.

Region

What is a Region?

A Region is a group of virtual machines (VMs) leased from a public or private cloud, forming a Moving Target Defense (MTD) SD-WAN. This protects against cybersecurity threats by maximizing the field over which an adversary would need to hunt to find your network. The VMs are connected internally through a private interface [10.8.X.X, or customer specified] and are responsible for user connection, access control checks, and managing connections to downstream Wicket ESIs.

How does it work?

The user's virtual desktop connects to a Region via encrypted tunnels. If the user does not meet Access Control List (ACL) rules, they are dropped in the Region before they can even connect to your OT network. If authorized, the Wicket ESI connects to the Region to complete the path to your network.

Each region is made up of several components responsible for traffic management, monitoring, NAT'ing, and routing. For details on the encryption specifications of how each tunnel is created, please refer to this guide: Encryption and Tunnel Implementation


What are the deployment requirements for Regions?

Dispel automatically builds and manages Regions’ networks within 15-30 minutes. Each network is dedicated to a single tenant, ensuring no sharing of remote access infrastructure. Regions primarily run Ubuntu 18.04 - 22.04 LTS. They require a minimum of 2-4 vCPU, 4-16GB RAM, and 50GB storage. Dispel typically deploys Regions in Azure, but can integrate with other cloud providers or in on-premises deployments.

Hardening, Patching, and Updating

Dispel uses the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for evaluating the hardening of deployed systems. STIGs are published as tools to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. The existence of a STIG does not equate to DoD approval for the procurement or use of a product.

Patches and updates are automatically applied to deployed Region infrastructure as they become available. If an update would require downtime, Dispel will proactively reach out to customers to schedule any maintenance.

Virtual Desktops

What are virtual desktops?

Virtual desktops are Windows-based, disposable VMs that self-destruct at the end of each session, automatically cycle if not used on a daily basis, and are built from golden images that reference the latest operating system patches. Additionally, a user's virtual desktop is bound to their IP address, protecting against phishing attacks and reducing exposure to DDoS attacks. These security features ensure that even if a vendor has saved another user's virtual desktop credentials, they have no way to access your network without approval.

How do they work?

To connect to a virtual desktop, a user requests access via the Central Management Dashboard and can connect with the click of a button. The user only sees the virtual desktop and does not have to understand the underlying connections that enable their work. Virtual Desktops are compatible with Windows 10 and 11, as well as MacOS and iOS. On the receiving end, our solution supports systems dating back to DOS.

Virtual Desktop Features

Personalized with all applications and software users need to complete their work, Virtual Desktops also include the following features to support a user’s workflow:

  • Session Recording: allows admins to view and export recordings of a user's entire session, which can be used to investigate abnormal traffic detected in logging servers, or used for internal training videos.

  • Data Streaming: provides a method of sending continuous data from the OT environment to the data collector, allowing one to aggregate data from several sites into one location.

  • Password Vaulting: creates an encrypted vault that performs automatic password injection and password rotation, reducing the time it takes for an authorized user to access a device over various protocols.

  • Device Shortcuts: creates an accessible folder of shortcuts to connect to devices that a user has been granted access to, simplifying the connection to those devices over various protocols.

  • Persistent Files: allows users to save files in a folder tied to their credentials, so they can continue their work despite the cycling of desktops.

  • File Sharing: enables or disables file transfer between a user's personal computer and the virtual desktop.

  • URL Whitelisting: grants users access to approved external URLs such as Box or Sharepoint.

  • Remote Assistance: provides users a method of viewing and controlling another user's virtual desktop for assistance.

Hardening, Patching, and Updating

Dispel uses the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for evaluating the hardening of deployed systems. STIGs are published as tools to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. The existence of a STIG does not equate to DoD approval for the procurement or use of a product.

Patches and updates are automatically applied to deployed Region infrastructure as they become available. If an update would require downtime, Dispel will proactively reach out to customers to schedule any maintenance.


Central Management Dashboard

What is the Central Management Dashboard?

Dispel's Central Management Dashboard is the main user interface, and provides a singular platform to allow users to securely perform remote work. The login process aligns with Federated Automation standards and requires a combination of Dispel credentials, MFA, and/or SSO.

For admins, the Dashboard is where they can configure their organization, set ACLs, approve access requests, and create access windows. Admins can also utilize Dashboard Logs for full visibility of actions taken by users within the Dispel Dashboard.

For other users, the Dashboard is where they request access to facilities and connect to their virtual desktops. After their request is approved, the user can RDP to their virtual desktop with a click of a button, or can utilize an in-browser VDI through HTTPS if RDP is not an option.

🔎 To view various user experiences on the Dashboard, check out the Org Admin Dashboard Guide, Facility Admin Dashboard Guide, and VDI User Quick Start Guide.

How does it work?

The Dashboard connects to the Region in order to 1) authenticate the user, 2) authorize admin-granted connections to the OT network, and 3) connect the user to their virtual desktop. Once this connection is established, the user is able to reach their authorized OT devices via their virtual desktop.

How long does it take for personalized features to be implemented?

Dispel offers continuous deployment, allowing customers to receive requested additional features within 1-2 weeks, while competitors typically take 2 months to implement such requests.

Dispel Application

What is the Dispel Application?

The Dispel Application is a cross-platform client that supports Windows, MacOS, and iOS. App usage is a privileged permission set by admins, so its utilization can be restricted. To learn how to download the app on various operating systems, check out these articles.

What are the App’s use cases?

If you need to meet NIST 800-172, are using our FedRAMP system, or want to prevent the risk of split tunneling on the person’s endpoint, you can require an application install on a user’s device. Additionally, the application can be used to connect to the Wicket ESI on-site without internet, ensuring that traffic is still brokered according to ACLs.

What security postures does the App utilize?

The Dispel App requires that the user’s local device is updated to the most current OS and App version, software patches, and virus protection before the user can even complete the login process. If the local device does not meet the requirements, the user receives an alert to update or install necessary software to ensure compliance and security before being able to log in.

Deployment Options

SaaS Deployment

Our default deployment, shown in the “Structure Overview” section, places the Wicket in the client’s network, while all other Dispel infrastructure is fully segmented from the client’s network in an Azure cloud.

Customer Cloud or Private Cloud Deployment

Private Cloud deployments mirror our SaaS deployments, though Dispel integrates with your private cloud account rather than our own Azure cloud.

On-Premises Deployment

In on-premise deployments, all of Dispel’s infrastructure exists on the customer’s network rather than in the cloud. For this type of deployment, we bundle our software components into two Virtual Machines (VMs). VM1 is the Management VM which combines Dispel’s Dashboard, database, and the orchestration engine into one. VM2 is the Connection VM, which bundles the MTD nodes and the Wicket ESI.


Permissions and Roles within Dispel's Platform

The following section is pulled from another Dispel article:

When it comes to managing operational technology, creating a proper permissions hierarchy is essential to maintaining security and ensuring that employees have access to the tools and information they need to do their jobs. In this article, we will discuss the logical structure of Dispel's permissions schema and the permissions controls at each tier. We will also cover how users are created and managed, as well as how request access flows work within the Dispel platform. Finally, we will discuss how digital forensics are used to maintain accountability and auditing within the system.

Logical Structure

Dispel’s permissions schema resides within a stacking hierarchy framework where roles and permissions are scoped within their respective tier. Users can belong to or have permissions to multiple tiers simultaneously.

Organization

The Organization is the parent level and is typically tied to the contracting company or business division. For example, the Organization level in our example is the Acme Brewing Co.

Region

A Region is an SD-WAN communications backbone in a geographic region. Regions are therefore both a logical construct in the Dispel dashboard and a physical segmentation. Regions may be scoped to a wider area (e.g., North America), or a smaller zone (e.g., US East). All Regions are physically segmented from one another.

While you can name a Region whatever you want, the actual Region location is dictated by the availability of a public cloud provider in that area. In our example, Acme Brewing Co. might have a plant in Vermont and choose to have a Vermont-Maine Region, but if the nearest data center is in Virginia then that is physically where the Region will function out of.

Facility

A Facility is the physical installation connected into the Region. Here, the Acme Brewing Co. has a Boston Plant making beer in their North American Region.

Most facilities are easy to define: it’s a factory, a power plant, dam, or some other installation. You might also have smaller sub-facilities such as distributed sensors, floodgates, and wind turbines.

Device

Devices are the hardware and software devices inside of a Facility. Often these are HMIs, PLCs, DCS. Fundamentally, control and visibility of what devices people and machines have access to inside of a facility is what the Dispel platform is about.

Permissions

Permissions are scoped within each tier, and each tier enjoys its own permission controls.

| Tier | Role | Function |
|---|---|---|
| Organization | Admin | Root level administrator role. Can set Organization-wide security settings; administer Regions, Facilities, and Devices; and manage users. |
| | User | Belongs to the Organization and can be added to lower tiers. Does not have access to anything automatically. |
| Regions | Admin | Can administer Region settings, and manage Facilities and Users within the Region. |
| | User | Belongs to the Region. Does not have access to anything automatically. |
| Facility | Admin | Can administer Facility settings and manage Devices and Users within the Facility. |
| | Access Request Approver | Can approve or deny Access Requests to the Facility. |
| | User | Can have access to Devices in the Facility. Does not have access to anything automatically. |
| Device | User | Allows access to a device by IP address, port, and protocol. |
| | Virtual Desktop User | Connections are further restricted to only be allowed through a disposable virtual desktop. |
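
The tiers and roles listed above can be read as a default-deny policy, sketched here as an added example that is not Dispel's code. The class and function names, the sample principals, the device address and port, the downward reach of Admin scope, and the rule that a device grant also needs Facility membership are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Tier paths are tuples: (org,), (org, region), (org, region, facility).
ORG = ("Acme Brewing Co.",)
REGION = ORG + ("North America",)
BOSTON = REGION + ("Boston Plant",)
OTHER = REGION + ("Vermont Plant",)   # constructed second facility


@dataclass(frozen=True)
class DeviceGrant:
    """Device-tier permission: one IP address, port and protocol."""
    facility: tuple
    ip: str
    port: int
    protocol: str
    vdi_only: bool = False   # True models the "Virtual Desktop User" role


@dataclass
class Principal:
    name: str
    member_of: set = field(default_factory=set)    # tiers where role is User
    admin_of: set = field(default_factory=set)     # tiers where role is Admin
    approver_of: set = field(default_factory=set)  # Facility approver role
    grants: set = field(default_factory=set)       # DeviceGrant entries


def in_scope(scope, target):
    """True if target is the tier `scope` itself or sits beneath it."""
    return target[:len(scope)] == scope


def can_administer(p, target):
    # Assumption: an Admin's rights cover their own tier and the tiers below.
    return any(in_scope(s, target) for s in p.admin_of)


def can_approve(p, facility):
    # Assumption: approval is its own Facility role, not implied by Admin.
    return facility in p.approver_of


def can_connect(p, facility, ip, port, protocol, via_vdi):
    # Default deny: membership in a tier grants nothing on its own.
    if facility not in p.member_of:
        return False
    wanted = (facility, ip, port, protocol)
    return any(
        (g.facility, g.ip, g.port, g.protocol) == wanted
        and (via_vdi or not g.vdi_only)   # vdi_only grants need a VDI session
        for g in p.grants)


# Constructed sample principals.
org_admin = Principal("org-admin", admin_of={ORG})
plant_admin = Principal("plant-admin", admin_of={BOSTON}, approver_of={BOSTON})
vendor = Principal(
    "vendor", member_of={ORG, REGION, BOSTON},
    grants={DeviceGrant(BOSTON, "10.20.0.5", 502, "tcp", vdi_only=True)})
new_hire = Principal("new-hire", member_of={ORG, REGION, BOSTON})

if __name__ == "__main__":
    print(can_administer(org_admin, BOSTON), can_administer(plant_admin, OTHER))
    print(can_connect(vendor, BOSTON, "10.20.0.5", 502, "tcp", via_vdi=True))
    print(can_connect(vendor, BOSTON, "10.20.0.5", 502, "tcp", via_vdi=False))
    print(can_connect(new_hire, BOSTON, "10.20.0.5", 502, "tcp", via_vdi=True))
```
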

User Creation

Users may be created in Dispel through the native Privileged Access Management system, or through an integration with a federated identity provider. Dispel supports Okta and Microsoft Active Directory. For more information on how Dispel handles federated authentication, see this article.

Role-Based Access Control: Users & Groups

Dispel allows permissions to be set and scoped down to individual users. It is also common for users to be assigned to a group based on their role in the organization, and their permissions therefore correspond to that role. This principle is commonly known as Role-Based Access Control.

Request Access Flows: Interwoven IT & OT Security Roles

Once a hierarchy and permissions have been established, standardized process flows within the Dispel platform should be used.

Dispel permissions are designed for IT and OT operational workflows. Typically, IT decides which vendors and employees are approved to request access to environments. IT and/or OT may decide which environments (Regions, Facilities, Devices) those users and groups have access to and at what level.

With the Request Access Flow module, Administrators can select which users at a Facility level are allowed to approve access requests. Typically, the approvers are OT plant managers running day-to-day operations.

Immutable Digital Forensics

User and Administrator—including Owner—activities are logged in the dashboard in an immutable state. Logs provide information on user activity, access requests, sessions, and account changes. These provide a clear record of changes made within the system by all users. Digital forensics are preserved for auditing and accountability and cannot be changed or deleted.

Dashboard event logs operate in addition to remote access system logging and session recordings.


Sub-processor Considerations

Dispel uses a number of sub-processors as part of its offering. Dispel takes great care in selecting only the best partners to work with. A full list of sub-processors and data privacy implications can be found here: https://legal.dispel.com/privacy/sub-processor-list


RACI Matrices

Implementation RACI Approach

Responsible

Accountable

Consulted

Informed

Virtualized environment created for Wicket ESI installation

Customer

Customer

Firewall rules updated to permit Wicket ESI outbound only UDP/1197 connection out to the Dispel Region.

Customer

Customer

Dispel

Dispel

Bring Region online.

Dispel

Dispel

Customer

Customer

Validate Wicket ESI connection.

Dispel

Dispel

Customer

Customer

Provide ideal image for VDI cloning.

Customer

Customer

Dispel

Dispel

Harden and deploy golden VDI image.

Dispel

Dispel

Customer

Onboard users, devices, and set ACL rules.

Customer

Customer

Dispel

Dispel

Confirm successful completion of deployment.

Dispel

Dispel

Customer

Customer

Ongoing Services and Support RACI Approach

Dispel provides ongoing services and support of our deployments. The following RACI matrix discusses the difference between Incidents and Errors within the Dispel platform and how Dispel responds to both while keeping the customer informed and consulted where applicable. For more information on Dispel's support policy and priority level assignment, please refer to Dispel's SLA: https://legal.dispel.com/support/support-policy

| Code | Name | Priority | Dispel | Customer |
|---|---|---|---|---|
| Incident | An Incident is not necessarily an error; it can also be a difficulty experienced by a user. An example of an Incident that is not an error would be if a user needs assistance resetting their password. | | | |
| I1 | Incident Triage - Determine whether the issue is related to the Dispel Service, or another cause (e.g., Internet outage, conflicting VPN running, misconfigured application). Determine if an Incident or Error, and decide if escalation is necessary. | | R, A | I |
| I2 | Unrelated Issue - If I1 shows the Incident is due to another cause outside of the scope of the Dispel services (e.g., an internet outage) then the Responsible party may choose to assist or pass. | N/A | R, A | I, C |
| I3 | Incident Support - If I1 shows the issue is not an Error but is related to the Dispel service and not otherwise caused by an Error (e.g., a misconfigured host address in the application), then the Incident is a Customer Assistance-type Incident. Advise and walk through solutions. | N/A | R, A | I, C |
| I4 | Wicket Incident - Wickets may experience connection issues when local infrastructure (power, internet) experiences an outage (which may require a Wicket service reset), if firewall rules change, or if IP routing tables change. Dispel is solely responsible for the Wicket software. These are not due to an issue with the Dispel Service, rather the operating environment, and are not a failure of the Service. Customer is solely responsible for maintaining all infrastructure and connectivity for the Wicket to function. Dispel will not troubleshoot issues beyond the Dispel Wicket software. | May be P1, P2, or P3. | R, A | I, C |
| I5 | Virtual Desktop Incident - Virtual Desktops may experience performance issues due to an outage, unannounced update, or API change at a third party provider supplying software used on the Virtual Desktops. Dispel might also be alerted in advance of an impending update or change by a third party provider that would necessitate adjustments to the Virtual Desktops before a date specified by the third party. | May be P1, P2, or P3. | R, A | I, C |
| Error | Error means any failure of the Service: (i) to conform with the Documentation therefor; or (ii) that otherwise causes an error, defect, or failure, whether full or partial, in the functioning of the Service. | | | |
| E1 | Error Triage - If I1 shows the Dispel Service is impacted, determine if the issue is due to the Wicket, the Enclave, the Virtual Desktop, or the Console. | | R, A | I, C |
| E2 | Wicket Error - Wickets may experience errors due to issues such as hardware failures. Dispel is not responsible for any hardware. If hardware was purchased through Dispel, the hardware vendor is responsible for hardware troubleshooting, maintenance, and support. Refer to your support documentation for Wicket Errors on U.S. DHS CISA EMP Level 2 and Level 3 hardened equipment and IEEE 1613, IEEE C37.90, IEC 61850-3, and IEC 60255-conformant Wickets. | May be P1, P2, or P3. | C, I | R, A |
| E3 | Enclave Error - Enclave components such as Hubs and File Share servers may experience outages or connection issues due to Tier 1 and 2 ISP network or cloud provider failures. | May be P1, P2, or P3. | R, A | I |
| E4 | Console Error - The Console (also known as Online Services) may experience outages due to issues such as Tier 1 and Tier 2 ISP network or cloud provider failures. | May be P1, P2, or P3. | R, A | I |
| E5 | Virtual Desktop Error - Virtual Desktop components may experience outages or connection issues due to Tier 1 and 2 ISP network or cloud provider failures. They may also experience malfunctions due to outages at, or changes made by, providers of software used on the Virtual Desktop. | May be P1, P2, or P3. | R, A | I, C |
