Overview
Keystrike Cloud Protector extends identity security by enforcing device-bound usage and full session protection, via continuous user presence validation, across SaaS applications. It integrates with your existing IdP (such as Microsoft Entra ID) and requires no change to user login behavior.

How Attackers Compromise SaaS Access

Modern SaaS breaches begin with compromised credentials and end with stolen data, corrupted systems, and outages that affect revenue and reputation. MFA protects against some of these threats, but advanced adversaries have moved on to breaching workstations in order to inherit your identity, access, and environment, blending their attacks with your legitimate activity.

Stolen credentials (black dashed arrows)

This represents an attacker obtaining a user's username and password for a SaaS application. Common ways attackers steal credentials include:

- phishing emails or fake login pages
- password reuse across sites
- keyloggers
- database breaches

Once the attacker has valid credentials, they can log in to services as if they were the user, unless other protections block them.

Stolen tokens (red dashed arrows)

Even if credentials are not stolen, an attacker can compromise session tokens. Session tokens are what keep a user logged in after MFA succeeds. Threats here include:

- token theft by malware on a workstation
- browser session hijacking
- memory scraping
- adversary-in-the-middle (AitM) attacks, where an attacker intercepts tokens during login

With the token, the attacker can bypass passwords and even MFA.

Workstation as a proxy (purple dashed arrows)

Instead of stealing tokens outright, the attacker may:

- use the victim's workstation to proxy their authentication traffic
- use remote access trojans (RATs) or other remote control tools
- execute browser actions locally to avoid detection

This technique allows attackers to blend in as a "normal user" because:

- requests originate from the real device
- IP address and geolocation look legitimate
- device posture appears normal

This defeats many behavioral and zero trust systems.

Keystrike Cloud Protector

Device-Bound Usage

Overview

Device-bound usage ensures that every authentication attempt is cryptographically linked to a specific, trusted workstation. Even if an attacker obtains valid user credentials, cookies, or session tokens, they cannot use them from another device.

How it works

Keystrike Cloud Protector is installed on authorized user workstations and securely bound to the device's TPM (Windows) or Secure Enclave (macOS). This binding creates a hardware-backed identity for the workstation that cannot be cloned or exported.

The organization's identity provider (IdP) is then configured with conditional access rules that enforce the following:

- All authentication requests must originate through Keystrike Cloud Protector.
- Unauthorized devices or remote attackers cannot authenticate to the IdP directly.
- During authentication, Cloud Protector produces a device-bound proof that is validated by the IdP before the login is allowed.

As a result:

- The authentication token becomes cryptographically bound to both the user account and the originating device.
- Tokens, cookies, or credentials stolen from the browser or from disk cannot be reused from any other machine, even if an attacker has full possession of them.
- Once authenticated, the user's application session proceeds normally, with no rerouting, proxying, or network performance impact.

Protection level

- Prevents stolen credential usage
- Prevents cross-device token reuse
- Prevents session replay from attacker-controlled systems

Full Session Protection

Overview

For sensitive, privileged, or high-value SaaS applications, Keystrike offers continuous session enforcement, verifying recent physical user input for every important request.

How it works

Unlike standard SSO, access to the application is not granted once and then left unchecked. After authentication, requests to the web application must be accompanied by evidence of recent, valid user activity (such as keystrokes or mouse input). If no legitimate user input is detected in the application performing the request, the request is blocked. This ensures that only a live, authorized user on a known device can maintain access.

Protection level

- Prevents session hijacking
- Prevents idle device abuse (e.g., an attacker using a workstation while the user is away)
- Prevents remote attacker "workstation as a proxy" attacks
- Prevents unauthorized session continuation after the user stops interacting
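The two mechanisms above (a token bound to a hardware-resident device key, and a per-request check for recent physical input) can be modelled in a few dozen lines. The Go program below is an added illustration and is not Keystrike's code or protocol: an ECDSA P-256 key stands in for the TPM/Secure Enclave key, the verifier's enrolled-key table stands in for the IdP's device registry, the token is a bare subject/thumbprint pair (the IdP's own signature over it is out of scope), the key thumbprint is modelled on the key-binding idea in DPoP (RFC 9449), and the InputAge field is an assumed stand-in for whatever presence signal the agent actually reports. The Scenario function replays the attack paths from the text: a legitimate request, a replayed proof, a token stolen and used from another machine, a token whose device claim the attacker rewrote, and a RAT driving the real workstation while the user is idle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deviceKey stands in for a TPM / Secure Enclave resident key: only signing is offered, the private half is never exported.
type deviceKey struct{ priv *ecdsa.PrivateKey }

func newDeviceKey() *deviceKey { return &deviceKey{must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} }

// thumbprint identifies a device public key; the IdP embeds it in the token.
func thumbprint(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...))
	return hex.EncodeToString(sum[:])
}

// Token is the IdP-issued session token; Device binds it to one enrolled workstation key (IdP signature omitted here).
type Token struct{ Subject, Device string }

// Proof accompanies each request: the device key's signature over the token, a fresh nonce and the seconds since the last physical input.
type Proof struct {
	Nonce    string
	InputAge int64
	Sig      []byte
}

func proofDigest(t Token, nonce string, inputAge int64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d", t.Subject, t.Device, nonce, inputAge)))
	return sum[:]
}

func (d *deviceKey) Prove(t Token, inputAge int64) Proof {
	nb := make([]byte, 16)
	must(rand.Read(nb))
	nonce := hex.EncodeToString(nb)
	sig := must(ecdsa.SignASN1(rand.Reader, d.priv, proofDigest(t, nonce, inputAge)))
	return Proof{Nonce: nonce, InputAge: inputAge, Sig: sig}
}

var (
	ErrUnknownDevice = errors.New("token names a device that is not enrolled")
	ErrReplay        = errors.New("proof nonce already used")
	ErrBadSignature  = errors.New("proof not signed by the bound device key")
	ErrNoPresence    = errors.New("no recent physical user input behind this request")
)

// Verifier is the relying side: the IdP at login, the protected app afterwards.
type Verifier struct {
	Devices     map[string]*ecdsa.PublicKey // thumbprint -> enrolled key
	MaxInputAge int64                       // presence window, seconds
	seen        map[string]bool             // nonces already accepted
}

func (v *Verifier) Check(t Token, p Proof) error {
	pub, ok := v.Devices[t.Device]
	switch {
	case !ok:
		return ErrUnknownDevice
	case v.seen[p.Nonce]:
		return ErrReplay
	case !ecdsa.VerifyASN1(pub, proofDigest(t, p.Nonce, p.InputAge), p.Sig):
		return ErrBadSignature
	}
	v.seen[p.Nonce] = true // accepted once; the same proof can never be reused
	if p.InputAge > v.MaxInputAge {
		return ErrNoPresence
	}
	return nil
}

// Scenario runs the attack paths from the text against one verifier and returns each verdict; all inputs are constructed here.
func Scenario() map[string]error {
	victim, attacker := newDeviceKey(), newDeviceKey()
	tok := Token{Subject: "alice@example.com", Device: thumbprint(&victim.priv.PublicKey)}
	v := &Verifier{Devices: map[string]*ecdsa.PublicKey{tok.Device: &victim.priv.PublicKey}, MaxInputAge: 30, seen: map[string]bool{}}
	out := map[string]error{}
	p := victim.Prove(tok, 2) // live user on the enrolled workstation, typed 2 s ago
	out["legitimate"] = v.Check(tok, p)
	out["replay"] = v.Check(tok, p) // the same proof captured on the wire and resent
	out["stolen_token_other_device"] = v.Check(tok, attacker.Prove(tok, 1))
	forged := Token{Subject: tok.Subject, Device: thumbprint(&attacker.priv.PublicKey)}
	out["forged_device_claim"] = v.Check(forged, attacker.Prove(forged, 1))
	out["workstation_proxy_idle"] = v.Check(tok, victim.Prove(tok, 1200)) // RAT on the real device, user idle 20 min
	return out
}

func main() { fmt.Println(Scenario()) }
```

The ordering inside Check matters: the device lookup and signature check settle who is asking before the presence window is consulted, and the nonce is recorded only after the signature verifies so that an attacker cannot burn nonces with forged proofs. The last case is the one that defeats IP, geolocation and posture checks in the text: the proof is genuine because the real key signed it, and only the presence evidence separates the remote operator from the user.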