Technical Overview

This overview walks through the major components of Xiid’s technology, how they interact with one another, and where they are generally located. Xiid’s products consist of a variety of components that are spread throughout different areas within and outside the private network perimeter. It is helpful to understand what these components are and where they reside.

Bird's-eye Overview

At a very high level, Xiid’s technology can be split into four major components:

  • Xiid Collectors

  • Xiid SealedChannels™ and SealedTunnels™

  • Xiid Agents

  • XOTC Authenticators

These four components work together under the global paradigm of AbsoluteZero Trust™ (AZT™).

As the name AZT implies, each component operates in its own “silo,” and communication between these components is based on the premise of no trust between them. This means that regardless of where any component resides (inside or outside the private network), communication is heavily encrypted, heavily vetted, and completely rejected if at all suspicious.

To explain how Xiid’s technology works from a bird's-eye view, let’s use the analogy of a city with multiple canals meandering in and out of the city limits.

You are a person currently outside the city (with the city representing a private network), wishing to access a resource within the city.

Installing Xiid’s software is like building a giant, thick stone wall around the city and sealing every gate. The only remaining ways in and out of the city are the canals, but Xiid has modified the canals, too.

To protect the city from outside threats via the canals, inbound traffic into the city is eliminated (all inbound ports are closed). No one is allowed to directly travel the canal to the city boundary and request to enter.

To secure the canals into the city, newly-installed metal gates in the canals (the Xiid SealedChannel and Xiid SealedTunnel products) make it impossible for barges or packages to directly enter the city. These gates also have specifically-shaped gaps in them, so packages with arbitrary sizes and contents (malware, etc.) physically cannot cross into the city.

Guards are stationed outside the canals’ gates, and they unload and inspect the contents of the barges. These external guards are called Xiid Collectors.

In addition, the identity of every barge and package must be known and approved by the city before they will even be considered by the Xiid Collector guards. This approval process is our credential-less XOTC Authenticator. Furthermore, the identity includes the location (IP address) of the requester, so the city knows where to ultimately send the honored request.

If the Xiid Collectors find anything that looks extraneous, suspicious, or otherwise out of place, that object is destroyed by tossing it into the water below.

In this case, a package containing your resource request is sent by you on a barge to the Xiid Collectors. After it’s been inspected and approved, only the bare minimum contents of your package needed to fulfill your request are repackaged into a new shape that will fit through the specifically-shaped gaps in the metal gates at the city boundary.

Once the (many-times encrypted) repackaging of your request reaches the city border, a group of Xiid Agents on the inside of the canal gates then use the small openings in the metal gate to grab supplies from the Xiid Collectors (guards), with only the specifically-shaped packages able to pass through.

If, despite all of these processes and restrictions, a supply package still looks suspicious to a Xiid Agent, the Agent will reject the package and it will be dumped safely outside the city walls.

Finally, once your package makes it into the city and is approved and honored, a carrier pigeon (carrying a many-times encrypted response) flies outbound from the city and directly to you with your requested resource.

With this strategy, traffic is securely locked down and limited, so that only safe, secure supplies ever enter the city, and malicious actors and items are barred from entry. At no time is any direct inbound communication to the city permitted or possible, because all ports are locked down.

Below is a high-level diagram describing this process from a more technical, and less metaphorical, perspective.

High Level Architectural Diagram of Xiid Technology

Xiid AbsoluteZero Trust™ Model

The Xiid AbsoluteZero Trust (AZT™) Model is a new cybersecurity strategy aimed at bolstering network perimeter security. At the core of the AZT paradigm is the premise that no technical component establishes any trust relationship which grants any level of access to the component’s owned resources. To fit the mold of the AZT Model, Xiid utilizes the SealedChannel™ in tandem with the Smart Hybrid Protocols (SHyPs), or the SealedTunnel™, to handle all communication and authentication between network-segmented resources. The SealedChannel, SealedTunnel, and SHyPs technologies are 100% proprietary and use no external, third-party libraries.

The AZT architecture is designed to be non-invasive and seamlessly overlay with existing domain structures. You don’t need to change anything about your current network and domain architecture to start using Xiid. In fact, after installing Xiid, we provide the flexibility to further enhance your network security without causing issues for Xiid’s software!

Xiid Collectors (Request Collectors)

The Xiid Request and SealedTunnel Collectors are the front lines of Xiid’s technology. Collectors are one of two components (the XOTC Authenticator being the other) that reside outside the network perimeter. Request Collectors have only one purpose: to collect requests that come in from various identity providers, convert them to SHyPs, and put them into a queue. The Request Collectors are managed by Xiid, with built-in redundancy across regions and cloud providers, top-of-the-line security, and protections at every level, from the network layer down, to reduce the attack surface. SealedTunnel Collectors perform the same job for SealedTunnels without using SHyPs.

Xiid Collectors have no inbound network access to private domains, and all the authentication data that they receive is completely anonymized for security and privacy, ensuring that even if a Collector were to be compromised, the attacker would still be unable to access private resources.

XOTC Authenticator

The Xiid One-Time-Code Authenticator, commonly referred to as XOTC (pronounced “exotic”) Authenticator, is an application which allows users to create and bind security profiles for various credentials to a credential-less one-time-code. As of now, the XOTC Authenticator is available for Android and Apple smartphones through their respective application stores. (See Portals and Applications for more information.)

The XOTC Authenticator allows users to access their favorite external applications, files, services, and data without worrying about credential theft. The best way to secure credentials and authentication is to remove credentials from the equation altogether. The XOTC Authenticator offers the strongest security available to ensure that proper access is granted to individuals’ resources and not to malicious actors.

No usernames, no passwords, (far fewer) problems!

Xiid SealedChannel, SHyPs, and SealedTunnel

With Xiid you can (and should) close down all of the inbound ports on your network. Inbound ports aren’t needed with Xiid’s software, and they vastly increase the attack surface of your domain for malicious actors. However, outside communication with your network resources is critical to business operations. The Xiid SealedChannel solves this problem by creating a highly encrypted and secured communication channel that does not rely on inbound communication but instead utilizes the internal network’s outbound ports with efficient, consistent polling. The messages polled from within the network are stored in the Xiid Request Collector and are wrapped in multiple layers of strong encryption, ending with Xiid’s own patented technology called Smart Hybrid Protocols.

SHyPs are Xiid’s collection of communication protocols, which rely on an AbsoluteZero Trust paradigm in which only a portion of the actual protocol is known by either side (hence the word “hybrid”). The Request Collector side understands only a portion of how to encrypt the incoming requests before putting them into a queue. The Xiid Agents (see below) understand the other half of the encryption protocol and use passive transport mechanisms to fetch only the data they need. If any request wrapped in a SHyP in the queue looks at all suspicious, the request is immediately discarded.

Layering these two technologies together creates a tightly locked-down communication channel through which your internal network can safely communicate with the outside world.

The SealedTunnel operates similarly to the SealedChannel but without using SHyPs, and is used for process-to-process tunneling between remote resources. The SealedTunnel, like all Xiid software, also allows all inbound ports to be closed, and functions by efficiently polling a SealedTunnel Collector.

Xiid Agents - General

Xiid Agents handle communication via the SealedChannel or SealedTunnel. There are different types of Xiid Agents, which poll for different requests from the Xiid Collectors. For example, Xiid LDAP Agents poll for authentication requests, whereas RDP Agents poll for RDP session requests. Each type of Xiid Agent knows exactly what information to grab from the Request Collectors using Xiid’s Smart Hybrid Protocols (SHyPs). The Agents then act as the liaison to the underlying resource and handle the request “personally”. For example, an LDAP Agent would grab an authentication request for a user and query Active Directory itself with the credential information to determine authentication status and access. In short, Agents are the outbound-polling interop handlers for various requests to your internal network.
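The SealedChannel and Agent sections above describe one pattern: the Collector only holds a queue, each Agent type reaches out (outbound only) for its own request type, and anything whose shape does not match what that Agent needs is discarded. The model below is an added illustration of that pattern, not Xiid's code; it does not implement SHyPs, and the request kinds and field names are hypothetical.

```python
"""Illustrative model of the outbound-only Collector/Agent pattern.
Constructed for this page; not Xiid's code and not a SHyPs implementation."""
from collections import deque
from dataclasses import dataclass
from typing import Optional, Tuple

# The "specifically-shaped gap": each Agent type accepts exactly one
# minimal field set and nothing else. Field names are hypothetical.
ALLOWED_SHAPES = {
    "ldap_auth": {"user", "otc"},
    "rdp_session": {"user", "target"},
}


@dataclass
class Request:
    kind: str
    fields: dict


class Collector:
    """Holds queued requests. Agents contact it; it never contacts Agents."""

    def __init__(self) -> None:
        self._queue: deque = deque()

    def submit(self, req: Request) -> None:
        self._queue.append(req)

    def poll(self, kind: str) -> Optional[Request]:
        """Hand out the next request of the given kind only (Agents fetch
        just the data they need), or None if nothing is waiting."""
        for i, req in enumerate(self._queue):
            if req.kind == kind:
                del self._queue[i]
                return req
        return None


def agent_fetch(collector: Collector, kind: str) -> Tuple[str, Optional[Request]]:
    """One outbound poll by an Agent of type `kind`.
    Returns ("empty"|"accepted"|"rejected", request)."""
    req = collector.poll(kind)
    if req is None:
        return ("empty", None)
    # Any extra or missing field means the package does not fit the gap:
    # it is dropped rather than passed on to the internal resource.
    if set(req.fields) != ALLOWED_SHAPES[kind]:
        return ("rejected", req)
    return ("accepted", req)
```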

Below are the current Xiid Agents available for use:

LDAP Agent

LDAP Agents are deployed on your directory (or Active Directory) server or on any network-adjacent server. The LDAP Agent handles all authentication requests to your directory service, allowing you to close down all of your inbound authentication firewall ports. You can deploy multiple LDAP Agents within a single domain with Trust Relationships, and the Agents will work in tandem to handle authentication requests. An LDAP Agent can also connect to multiple directories and set up application restrictions based on your Active Directory Security Groups, for example. The LDAP Agent is the core of the Xiid.IM Product Solution.

RDP Agent

Xiid RDP Agents are deployed onto machines that you wish to connect to remotely, either through a direct Remote Desktop Protocol connection or to an application on the machine that you would like to have access to anywhere. You can provision RDP Agents in the Xiid Global Management Portal, and then bind the RDP Agents to your account, where they can be accessed by the LDAP Agent to configure RDP (or VDI) applications and RDP connections on the Xiid SSO Portal.

SealedTunnel (ST) Agent

Xiid’s ST Agent may be deployed onto any machine you wish to connect to remotely, similarly to the RDP Agent, and is used for process-to-process, encrypted tunneling that is sent to and from 127.0.0.1; it is dramatically more secure than (and bears little relation to) traditional RDP or VPNs. Only outbound port 443 is required for it to function.