- ScaleFT integrates with your Identity Provider of choice to authenticate the user attempting to log in to a resource through flexible role-based access controls.
- When the user is authorized for a specific resource, a Certificate Authority built into the Platform issues a short-lived client certificate used to initiate a secure session.
- A lightweight Server Agent enrolls resources with ScaleFT to create local accounts in the background and log all user events for audit purposes.
- A Client Application running on the user’s device is used to synchronize certificates with the local operating system to ensure a seamless integrated workflow.

ScaleFT's credentials are a point-in-time attestation of user identity, tied to the user's device. These credentials are cryptographically verified by servers without an outbound network connection. This short-lived credential architecture allows for easy deployments with diverse network topologies.

ScaleFT's endpoint visibility encourages users to self-remediate for basic security settings such as system updates and full disk encryption. All ScaleFT users install our Client application to receive fast-expiring credentials, and the platform tracks authorized devices for every user.

Host validation is meant to protect against man-in-the-middle attacks, but decisions about trust are delegated to individual users. ScaleFT fixes the trust problem by securely synchronizing SSH host keys (or RDP host certificates) and configuring them in the user's client.

ScaleFT integrates with your corporate identity provider (IdP) for authentication and to provide rich account management on both Linux and Windows servers. This includes Google Apps and Okta, and we directly support SAML or OpenID Connect.

ScaleFT's server agent integrates with cloud-provider-specific metadata services to automatically configure itself and enroll servers with the Platform. This saves time during deployment and ensures a seamless operations experience.

ScaleFT bastion support enables easy and secure access to sequestered resources. Users can transparently route SSH and RDP connections over bastions, without having to use SSH Agent Forwarding.