
Utilizing Internal Business Network SaaS — Safely and Conveniently with SHIELD Gate

Purpose of this document
When SaaS is used in the internal business network of the financial sector, the regulatory basis set by the Financial Supervisory Service and the security management measures recommended by the Financial Security Institute are prerequisites. SHIELD Gate is a product that lets users manage access, actions, and logs consistently, so that SaaS can be used without added complexity while meeting those requirements. The CSP (Cloud Service Provider) safety certification (safety assessment, etc.) required to use the SHIELD Gate service is being pursued by financial institutions or SOFTCAMP on a financial-exclusive SaaS platform. (Detailed obligations such as supervisory interpretation, resolutions, and usage reports follow the latest guidance on contracts, service conditions, and supervision; this document is not legal advice.)

Product Standards
The menus, functions, and procedures described here follow the [Administrator Guide](../../Administrator Guide/Administrator Guide.md) · [User Guide](../../User Guide/User Guide.md). This document explains how the security management measures map to SHIELD Gate functionality.


Why SHIELD Gate?

| Perspective | Description |
|---|---|
| Security (Compliance) | RBI (Remote Browser Isolation) fundamentally prevents third-party apps and local plugins from interfering with business access paths, and limits accessible apps and URLs to a pre-registered, approved list (whitelist). Apps, URLs, or navigation not on the list are blocked at access time, and file and clipboard control, external extension restrictions, and usage monitoring through logs can be designed at the end-user level to meet the access controls required by supervision and guidance. |
| Work (Convenience) | After logging in, users select approved apps, or the environment is set up to allow only URLs permitted for work; this simplifies the access path and makes policies and logs easier to manage in one place. (This may vary depending on configuration and policies.) |
| Operation (Visibility) | Who accessed which SaaS and when, along with the history of URL navigation, files, clipboard, and input checks, can be logged and used for auditing, inspection, and responding to anomalies. |

CSP (cloud) security certification is a prerequisite for using the SHIELD Gate service; it will be obtained by financial institutions or SOFTCAMP on a financial-exclusive SaaS platform. The remaining controls, such as the contract, SLA, SaaS management console, and IdP/network design, are implemented by the institution on the SaaS/network side, while the terminal, browser, and access behavior can be managed consistently with SHIELD Gate.


1. Supervision·Guideline Security Management ↔ SHIELD Gate

The left column summarizes the management items found in the "Electronic Financial Supervision Regulation Implementation Rules" and the Financial Security Institute's "Internal Business Network SaaS" security guidelines, the middle column lists the measures available in SHIELD Gate, and the right column lists tasks to be carried out by the institution, the SaaS provider, and on the network.

| Security Management (Summary) | SHIELD Gate Measures (Summary) | Tasks to Collaborate on in Organizations·SaaS·Networks (Summary) |
|---|---|---|
| CSP (Provider) Safety | In order to use the SHIELD Gate service, financial institutions or SOFTCAMP are expected to obtain certification (such as safety assessment) on the financial-exclusive SaaS platform. | The latest guidelines for usage reports, documents, and supervision are subject to the institution and service contract (refer to the Financial Security Institute CSP evaluation procedure). |
| Access Terminal | Access will only be granted when the connection conditions such as allowed IP and time set by the conditional policy (work system) are met. The device authentication feature is planned for a future release, allowing only pre-registered devices to use SHIELD Gate. (Refer to Section 6 for planned features) | MDM·Vaccine·Asset Management |
| Unauthorized Internet·App/Plugin | URLs are controlled so that only pre-approved and registered addresses (whitelist) can be accessed, and all other URLs and navigation are blocked. Third-party apps and browser plugins are fundamentally blocked by the RBI (Remote Browser Isolation) structure. | SaaS Console Add-in·Sharing etc. |
| Authentication and Authorization | SHIELD ID provides account management and integration with various SaaS services by supporting IdP. | SaaS Administrator MFA·Role Settings |
| Data·Input | Instead of analyzing traffic in transit through a proxy, data is verified and controlled directly at the moment the user inputs it. File, clipboard, and print restrictions, as well as sensitive information input checks, are applied immediately at the endpoint. | DLP·Data Classification·SaaS Settings |
| Network and Encryption | HTTPS Client Path | Network Separation and N/W Design for End Customers and SaaS |
| Log·Monitoring | Access · URL Change · Clipboard · Input Log, Generative AI Usage Log (Optional) | SaaS Audit Logs·SIEM |
| Regular Management | Policy · URL Change Procedure · Log Review Role | Responsibility·Education·Incident |

For log events and codes, see [Log Management](../../Admin Guide/Logs/Log Management.md).


2. Operation Guide (SHIELD Gate)

2.0 Access Terminal

  • Access is granted only when the connection meets the conditions set in the conditional policy (business system), such as allowed IPs and times; otherwise access is denied.
  • Only pre-registered and authorized apps and URLs (whitelist) can be accessed; all other apps, URLs, and navigation are blocked. **RBI (Isolated Browser)** controls end-user access, and because the work session runs in the isolated browser rather than on the device, third-party apps and local plugins cannot intervene in it and are blocked by design.
  • Device authentication is a planned feature that, on top of the conditional policy above, will restrict SHIELD Gate to registered devices. (Feature name, UI, procedures, and schedule will be reflected in the User/Admin Guide at launch; the list of planned features is maintained in Section 6 below.)

2.1 Access·App·URL

  • Only apps and URLs pre-registered and authorized by the administrator are on the list (whitelist) that can be accessed or navigated to from SHIELD Gate; access to any app, URL, or site not on the list is blocked. (Details of the restrictions may vary by policy and menu.)
  • First, decide in the conditional policy (business system) whether to allow the app/URL input fields and what the maximum number of screens is, then list only the SaaS used for business in the app/URL list (whitelist).
  • Unless the flow of entering an arbitrary URL is strictly necessary, turning off the URL input field is usually better for both usability and control.
  • Allowing broad navigation to other sites within the same session easily leads to control leakage, so adjust the "Site Navigation" setting and the URL scope of the URL conditional policy to fit business needs.

Related:[Conditional Policy](../../관리자 가이드/업무시스템/업무시스템 제어/조건부정책.md) · [URL Registration](../../관리자 가이드/업무시스템/URL/URL입력창 목록.md) · [URL Conditional Policy](../../관리자 가이드/업무시스템/URL/URL입력창 조건부 정책.md) · [App Conditional Policy](../../관리자 가이드/업무시스템/앱/앱 조건부 정책.md)
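As an added illustration (not SHIELD Gate's own code or configuration format), the following Python model shows how the conditional policy of 2.0 and the URL whitelist, URL input field, and Site Navigation settings of 2.1 combine into a single access decision, with every decision logged for later review. The network range, working hours, hostnames, and field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class ConditionalPolicy:
    """Illustrative model of a conditional policy (business system); not SHIELD Gate code."""
    allowed_networks: list            # CIDR strings allowed to connect (assumed field)
    work_start: time                  # access window, inclusive
    work_end: time
    allowed_urls: list                # registered URLs (whitelist): scheme + host + path prefix
    url_input_enabled: bool = False   # URL input field stays off unless the flow needs it
    site_navigation: bool = False     # "Site Navigation": allow other paths on a registered host
    log: list = field(default_factory=list)

    def _record(self, event, **detail):
        self.log.append({"event": event, **detail})

    def session_allowed(self, src_ip, now_iso):
        """Connection is granted only from an allowed network inside working hours."""
        ip, now = ip_address(src_ip), datetime.fromisoformat(now_iso)
        in_net = any(ip in ip_network(n) for n in self.allowed_networks)
        in_hours = self.work_start <= now.time() <= self.work_end
        ok = in_net and in_hours
        self._record("SESSION", ip=src_ip, at=now_iso, allowed=ok)
        return ok

    def url_allowed(self, url, typed=False):
        """Whitelist match. A typed URL while the input field is off, or an unregistered
        destination, is blocked. Site Navigation never permits a move to another host."""
        reason = None
        if typed and not self.url_input_enabled:
            reason = "url input disabled"
        else:
            u = urlsplit(url)
            for entry in self.allowed_urls:
                e = urlsplit(entry)
                if (u.scheme, u.netloc) != (e.scheme, e.netloc):
                    continue
                if u.path.startswith(e.path) or self.site_navigation:
                    break
            else:
                reason = "not on whitelist"
        self._record("URL", url=url, typed=typed, allowed=reason is None, reason=reason)
        return reason is None


def demo_policy():
    """Constructed sample: office range 10.20.0.0/16, 08:00-19:00, one registered SaaS URL."""
    return ConditionalPolicy(["10.20.0.0/16"], time(8, 0), time(19, 0),
                             ["https://docs.example.com/team/"])
```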

2.2 Control of Third-Party Apps and Browser Plugins

  • The **RBI (Remote Browser Isolation)** structure is the premise. Because the work screen opens in an isolated remote browser, extensions installed on the user's PC do not apply to the work session, which fundamentally blocks any arbitrary local or device-side extension.
  • When search engine integration is used, register the search result URLs in the policy in advance so they are covered.

Related:[PAC File Configuration](../../Admin Guide/Configuration/PAC File Configuration.md)

2.3 Authentication and Authorization

  • SHIELD ID supports IdP integration to manage registered accounts in one place and to apply MFA and various authentication methods.
  • Existing accounts managed in AD or similar directories on the internal network can be integrated through provisioning, so that account creation, modification, and deletion are managed centrally.
  • By integrating various SaaS services with SSO (Single Sign-On), users can access authorized SaaS without separate re-authentication.

2.4 Data·Input

  • Unlike a proxy approach that intercepts traffic in transit, SHIELD Gate verifies and controls data directly at the moment the user enters it. This allows sensitive information to be blocked and managed immediately at the endpoint, before it is transmitted externally.
  • Download, upload, clipboard, and print are restricted to the scope needed for work in the URL/app conditional policy.
  • Apply [Input Sensitive Information Management](../../관리자 가이드/업무시스템/입력 민감정보 관리/입력 민감정보 관리.md) inspection policies in parallel with enterprise DLP and SaaS-side settings.
  • For generative AI SaaS, first disable training and feedback on the provider side, then make usage visible through [Generative AI Usage Logs](../../관리자 가이드/로그/생성형 AI 사용 로그.md) (optional).
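As an added illustration of the 2.4 approach (not SHIELD Gate's own code or detection rules), this Python snippet inspects text at the moment the user submits it and only calls the transmit function when nothing sensitive is found, so the block happens on the endpoint before anything leaves it. The card-number and e-mail patterns and the Luhn check are constructed examples standing in for the administrator's sensitive-information policy.

```python
import re

# Constructed detection patterns (assumption): a payment card number and an
# e-mail address. Real rules come from the input sensitive-information policy.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits):
    """Checksum test that separates real card numbers from random digit runs,
    which keeps ticket numbers and similar values from being flagged."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:           # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, matched_text) findings in the text the user typed."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group()))
    findings += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    return findings


def submit_guard(text, transmit, log):
    """Endpoint-side gate: inspect first, call transmit() only if clean, log the decision.
    Returns True when the text was sent, False when it was blocked at input time."""
    findings = find_sensitive(text)
    if findings:
        log.append({"action": "BLOCK", "kinds": sorted({k for k, _ in findings})})
        return False
    log.append({"action": "ALLOW"})
    transmit(text)
    return True
```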

2.5 Log

  • User logs that record who accessed which app/URL and when, along with actions such as URL navigation, clipboard use, and input checks, provide the audit evidence. Retention of audit logs on the SaaS side is implemented within the SaaS and the aggregation system.

Related:[Log Management](../../Admin Guide/Logs/Log Management.md) · [Generative AI Usage Logs](../../Admin Guide/Logs/Generative AI Usage Logs.md)

2.6 User (Reference)

  • [Accessing the Business System (User)](../../User Guide/Business System/1. Guide to Accessing the Business System.md)

3. Inspection Checklist

  • Only pre-registered (whitelisted) apps and URLs are present in the conditional policy, and the URL input field is turned off where it is unnecessary.

  • Apps, URLs, arbitrary movements, and access that are not on the whitelist are blocked by policy.

  • A policy and URL change procedure and a review cycle for administrator logs are in place.

  • The user log retention and access procedures are suitable for audit purposes.

  • Sensitive information inspection and download/clipboard controls align with the internal data classification.

  • When generative AI is used (optional), the AI usage log and the SaaS-side training settings have been checked.


4. Administrator Guide Quick Map

| What You Want to Do | Document |
|---|---|
| App/URL·Top Level Allowance | [Conditional Policy](../../Admin Guide/Business System/Business System Control/Conditional Policy.md) |
| URL Registration | [URL Input Field List](../../Admin Guide/Business System/URL/URL Input Field List.md) |
| URL Action | [URL Conditional Policy](../../Admin Guide/Business System/URL/URL Input Field Conditional Policy.md) |
| App Behavior | [App Conditional Policy](../../Admin Guide/Business System/App/App Conditional Policy.md) |
| Input sensitive information | [Input Sensitive Information Management](../../Admin Guide/Business System/Input Sensitive Information Management/Input Sensitive Information Management.md) |
| Menu·Search | [Usage Settings](../../Admin Guide/Settings/Usage Settings.md) |
| Log | [Log Management](../../관리자 가이드/로그/로그 관리.md) · [Generative AI Usage Logs](../../관리자 가이드/로그/생성형 AI 사용 로그.md) |
| Isolated Browser | [Access Guide for Business System](../../User Guide/Business System/1. Access Guide for Business System.md) |

5. Reference Materials

Financial Sector_Internal Business Network_SaaS_Network Separation_Exception Application_Security Explanation Document.pdf

Financial Sector Internal Work Network SaaS Utilization Institutionalization Related FAQ.pdf

Kim & Chang_Analysis Data.pdf


6. Planned Features for SHIELD Gate (List)

This list compiles the planned features and roadmap items for SHIELD Gate that are referenced in this regulation guide.

| Feature (Tentative Name) | Overview | Status |
|---|---|---|
| Device Authentication | In addition to conditional policies (IP, time, etc.), SHIELD Gate can only be used on pre-registered devices (unregistered devices will be blocked). | Scheduled Support |

Document Maintenance: If the number of supported features increases, add or modify rows in this table, and align the mapping table in §1 with the text and terminology in §2.0.