Secure access by policy
Context
David is the CIO of a pharmaceutical laboratory with 120 people. After an attempted intrusion from a foreign country, management asks him to strengthen access controls. Certain critical applications — patient data, clinical trial results — must only be accessible under strict conditions.
The problem without SmartLink
- SaaS applications are accessible from any device, anywhere
- No way to restrict access by geographic location
- No way to ensure that the devices used are compliant
- Traditional VPNs are cumbersome to manage and degrade user experience
With SmartLink
Step 1 — Define access policies (DAP)
David configures Device Access Policies in SmartLink. For critical applications, he sets:
- Allowed browsers: only Chrome and Firefox (latest versions)
- Operating systems: Windows 10+ and macOS 12+
- Allowed IP ranges: only the company network and VPN
- VaultysID security level: mandatory biometric authentication
Step 2 — Apply policies by folder
David associates these policies with folders containing sensitive applications. The "Clinical Data" folder requires the highest security level, while the "Daily Tools" folder (Slack, email) remains accessible from any secure device.
Step 3 — Real-time verification
When a researcher tries to access clinical data from a café with their personal computer, SmartLink blocks access and displays an explanatory message. From their workstation at the lab with their biometric VaultysID, access is immediate.
Step 4 — Traceability and reporting
Every access attempt — successful or denied — is logged in the Audit Trail. David filters for Bastion events (approval requests, successful authentications, denials) to monitor suspicious attempts. The access attempt from the café appears as "Connection denied" with the IP, browser, and OS used.
Each month, David reviews the CISO report, which summarizes security incidents, including access attempts blocked by Bastion policies.
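The four steps above can be modeled as one policy check that returns an audit record. This is an added example, not SmartLink code or its configuration format: the `Policy` structure, the field names, the CIDR ranges, the "Daily Tools" settings and the "Connection allowed" label are assumptions, and the "latest versions" browser check is left out.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:              # hypothetical structure, not SmartLink's schema
    browsers: frozenset
    min_os: dict           # OS name -> minimum major version
    networks: tuple        # allowed CIDR ranges; empty tuple = any source IP
    auth_methods: frozenset

# Constructed values: the CIDR ranges stand in for "company network and VPN".
POLICIES = {
    "Clinical Data": Policy(
        frozenset({"Chrome", "Firefox"}),
        {"Windows": 10, "macOS": 12},
        (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.8.0.0/16")),
        frozenset({"biometric"}),
    ),
    "Daily Tools": Policy(  # assumed reading of "any secure device"
        frozenset({"Chrome", "Firefox"}),
        {"Windows": 10, "macOS": 12},
        (),
        frozenset({"passkey", "biometric", "hardware_key"}),
    ),
}

def evaluate(folder, ctx):
    """Return an audit record listing every failed condition, not just the first."""
    policy = POLICIES.get(folder)
    if policy is None:     # fail closed when a folder has no policy attached
        return {"folder": folder, "result": "Connection denied", "reasons": ["no policy"], **ctx}
    reasons = []
    if ctx["browser"] not in policy.browsers:
        reasons.append("browser")
    min_major = policy.min_os.get(ctx["os"])
    if min_major is None or ctx["os_major"] < min_major:
        reasons.append("os")
    ip = ipaddress.ip_address(ctx["ip"])
    if policy.networks and not any(ip in net for net in policy.networks):
        reasons.append("ip")
    if ctx["auth"] not in policy.auth_methods:
        reasons.append("auth")
    result = "Connection denied" if reasons else "Connection allowed"
    return {"folder": folder, "result": result, "reasons": reasons, **ctx}

# Constructed request contexts for the café and lab attempts from Step 3.
CAFE = {"ip": "198.51.100.23", "browser": "Safari", "os": "macOS", "os_major": 11, "auth": "passkey"}
LAB = {"ip": "203.0.113.40", "browser": "Firefox", "os": "Windows", "os_major": 11, "auth": "biometric"}

if __name__ == "__main__":
    for ctx in (CAFE, LAB):
        print(evaluate("Clinical Data", ctx))
```

Recording all failed conditions in the denial record lets a reviewer tell a misconfigured corporate device (one failure) from an unmanaged device on an outside network (several).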
What changes
| Without SmartLink | With SmartLink |
|---|---|
| Access possible from anywhere | Control by IP, browser, OS |
| No device verification | Policy by VaultysID security level |
| Cumbersome, restrictive VPN | Granular control without VPN |
| Uniform rules for everyone | Policies differentiated by folder |
| No visibility into access attempts | Logging of every attempt (success/denial) |
| No security reporting | Monthly CISO report with Bastion incidents |
Features used
- 🛡️ Access Policies (DAP) — Rules by browser, OS, IP, and security level
- 📁 Folder management — Apply policies by folder
- 🔐 VaultysID — Security levels (passkey, biometrics, hardware key)
- 📜 Audit Trail — Traceability of access attempts and Bastion events
- 📑 Reports — CISO report with security incidents