Using Single-Packet Authorization (SPA), Client device makes access request to and authenticates to the Controller. Controller evaluates credentials, and applies access policies based on the user, environment and infrastructure.

Controller checks context, passes Live Entitlement to Client. The Controller returns a cryptographically signed token back to the Client, which contains the authorized set of network resources.

Using SPA, Client uploads live entitlement, which the Gateway uses to discover applications matching the user’s context. When the user attempts to access a resource – for example by opening a web page on a protected server – the network driver forwards the token to the appropriate cloaked Gateway. The Gateway then applies additional policies in real time – network location, device attributes, time of day and more. It may permit or deny access, or require an additional action from the user, such as prompting for a one-time password.

A dynamic Segment of One network is built for this session. Once granted, all access to the resource travels from the Client across a secure, encrypted network tunnel, and through the Gateway to the server. Access is logged through the LogServer, ensuring there’s a permanent, auditable record of user access.

Controller continuously monitors for any context changes, adapts Segment of One accordingly.