Concerto
The matrix below outlines which Concerto use cases are supported in each Security Edition of beem.
- All listed features are officially supported and included in the respective contracts.
- Features not listed are not part of the product offering.
- This matrix includes all supported features; there are no additional or undocumented ones.
- This matrix serves as a reference to understand what’s available in each Security Edition.
Concerto Features Matrix
In this section, we describe the options available to you in Concerto to configure your solution according to your individual requirements and preferences.
INFO
With the Essential solution, access to Concerto is not available to you.
The Essential solution is managed directly by Swisscom.
Secure surfing in the beemNet
Secure surfing in the beemNet | Basic | Plus | Premium |
---|---|---|---|
Apply User & Device Confidence Scores to Internet Protection Policies You can apply user and entity confidence scores to internet protection policies and private application protection policies. | ✗ | ✓ | ✓ |
URL and IP Reputation Lookup URL Lookup extends the capacity by performing real-time requests to cloud servers to get the URL category and IP reputation of URLs that are not present in local URL database. | ✓ | ✓ | ✓ |
Configure Custom DNS-Filtering Profiles Domain Name System (DNS) filtering allows you to control access to websites, webpages, and IP addresses, to provide protection from malicious websites, such as known malware and phishing sites. | ✗ | ✓ | ✓ |
Configure Custom URL-Filtering Profiles In a DNS-filtering profile you can configure the following components to use to filter DNS requests: Deny lists, Allow lists, Query-based actions & Reputation-based actions | ✗ | ✓ | ✓ |
Configure SASE Internet Protection Rules Internet protection rules are firewall rules that are applied to internet-bound traffic on a per-tenant basis. They provide network protection by establishing match criteria and enforcement actions. | ✓ | ✓ | ✓ |
Configure Captive Portals To control which URLs users can view when they are accessing internet webpages, you can configure a captive portal. For the URLs whose access you want to control, you redirect users to a captive portal webpage on which you can display standard or customized messages that provide information about the webpage. For these webpages, you can control access or you can block access completely. | ✗ | ✓ | ✓ |
Configure Custom File-Filtering Profile You can configure file filtering to block the transfer of potentially dangerous files and types of files (that is, files associated with specific applications), files of specific sizes, files associated with specific protocols, and files traveling in a particular direction. You can configure SHA-based hash lists of files to mark potentially dangerous files for denying (sometimes called blacklisting) and to mark safe files for allowing (sometimes called whitelisting). You can configure file filtering to perform reputation-based file hash lookups on a cloud server. | ✗ | ✓ | ✓ |
Configure Custom IP-Filtering Profiles Traffic passing through the network may have IP addresses that are associated with a bad reputation and that may pose a security risk to your network. To block these IP addresses based on IP address reputation and IP address metadata such as geolocation, you can configure IP address–filtering profiles and then associate them with a security policy. You associate IP-filtering profiles with devices that are connected to a Secure Web Gateway (SWG) and that need to send traffic to the internet. | ✗ | ✓ | ✓ |
Configure Application Layer Gateway (ALG) Application Layer Gateway (ALG) is a security component that enhances firewall and CGNAT operations. ALG allows you to use customized NAT traversal filters to support address and port translation for application layer control and data protocols such as FTP and SIP. For these protocols to work through CGNAT or a firewall, either the application has to identify an address–port number combination that allows incoming packets or NAT has to monitor control traffic and dynamically open up port mappings by creating firewall pinholes. | ✗ | ✓ | ✓ |
Secure access to business applications and protection of company data
Secure access to business applications and protection of company data | Basic | Plus | Premium |
---|---|---|---|
Configure SASE Private Application Protection Rules SASE private application protection rules are firewall rules that you configure to define protection for custom applications. You configure these protection rules on a per-tenant basis. Private application protection is similar to internet protection, except that private application protection applies only to custom applications. You cannot configure private application protection for predefined applications or for application groups. | ✓ | ✓ | ✓ |
Configure Azure Connectors An Azure connector connects a system or service, such as Microsoft Information Protection (MIP), to Azure. After you create an Azure connector, you can create MIP labels and use them in DLP policies for actions such as set, remove, and match. Note that MIP is supported only on PDF, .docx, .xlsx, and .pptx files. | ✗ | ✓ | ✓ |
Configure SASE TLS Decryption Transport Layer Security (TLS) is an industry-standard protocol that is used to provide a secure communications channel between clients (end devices) and servers (destination sites) over the internet. | ✗ | ✓ | ✓ |
Configure SASE Site-to-Site Tunnels You can use site-to-site tunnels to encapsulate packets that are transmitted by a transport protocol. You can configure secure IPsec tunnels and generic routing encapsulation (GRE) tunnels from beemNet SASE gateways to data centers and to on-premises routers in an enterprise network. Site-to-site IPsec tunnels provide users with secure access to applications and workloads that are hosted in the cloud. The gateway device can be either a physical device or a cloud-based SD-WAN device. The remote (peer) device can be a cloud-managed service or a third-party device that supports IPsec tunnels. | ✓ | ✓ | ✓ |
Configure Application Reverse Proxy Application reverse proxy protects against data loss and malware when unmanaged devices access your enterprise cloud and resources. This enables enterprises to provide secure software as a service (SaaS) and private application access to clientless users and devices. | ✓ | ✓ | ✓ |
Configure Remote Browser Isolation Remote browser isolation (RBI) is a cloud-based solution that provides zero-trust access to browser-based applications. | ✗ | ✓ | ✓ |
Configure Network Obfuscation You can configure network obfuscation to hide the internal network topology and remote beem clients from each other. With network obfuscation, you can obscure the physical resource hosting the application (that is, the server IP address) from end users, thus helping to secure devices against attack vectors, such as port scanning and lateral movement. | ✗ | ✓ | ✓ |
Configure SASE Certificates A certificate authority (CA) is a trusted third-party organization that issues electronic documents, called digital certificates. A CA certificate verifies a digital entity’s identity on the internet. CA certificates are an essential part of secure communication. You can onboard and manage the certificates needed by your tenant. You use these certificates when you configure profiles and rules. | ✗ | ✓ | ✓ |
Publish SASE Gateways The publish action publishes (commits) a configuration to the gateways. When a user makes configuration changes on the portal, the changes are stored locally. The publish action triggers the pushing of the configurations to the gateways. | ✓ | ✓ | ✓ |
Protection of company data
Protection of company data | Basic | Plus | Premium |
---|---|---|---|
Configure Cloud Applications to Use with API-Based Data Protection API-based data protection (API-DP) secures SaaS and IaaS applications using APIs provided by cloud services. | ✗ | ✗ | ✓ |
Configure CASB Profiles Cloud Access Security Broker (CASB) is on-premises or cloud-based policy enforcement that secures the data flowing between users and cloud applications in order to comply with corporate and regulatory requirements. CASB applies enterprise security policies when users access cloud-based resources. | ✓ | ✓ | ✓ |
Configure SaaS Tenant Control Profiles You use SaaS tenant control profiles to block users from directly accessing select services, such as web-based Office365, without going through a beemNet gateway. When you configure a SaaS tenant control profile, the tenant control profile inserts fields and values in the HTTP header when traffic goes through the gateway. | ✓ | ✓ | ✓ |
Configure Offline Data Loss Prevention Offline data loss prevention (DLP) is a set of tools and processes for detecting and preventing data breaches, cyber exfiltration, and unwanted destruction of sensitive data. You use DLP to protect and secure an organization's data and to comply with regulations. | ✗ | ✗ | ✓ |
Configure API-Based Data Protection Policies for IaaS API-based data protection (API-DP) protects and secures organization data that resides in infrastructure as a service (IaaS) applications. | ✗ | ✗ | ✓ |
Configure API-Based Data Protection Policy for SaaS API-based data protection protects and secures organization data that resides in software as a service (SaaS) applications. | ✗ | ✗ | ✓ |
Configure Email Protection in Concerto Email protection detects, prevents, and responds to cyberattacks that are delivered through outbound and inbound email. | ✗ | ✗ | ✓ |
Configure Legal Hold Profiles in Concerto Legal hold is a process for preserving all relevant information that might be submitted as evidence in a legal procedure. | ✗ | ✗ | ✓ |
Configure Data Loss Prevention in Concerto Data loss prevention (DLP) is a set of tools and processes for detecting and preventing data breaches, cyber exfiltration, and unwanted destruction of sensitive data. You use DLP to protect and secure an organization's data and to comply with regulations. | ✗ | ✗ | ✓ |
Configure Offline CASB Profiles Offline cloud access security broker (CASB) is on-premises or cloud-based policy enforcement that secures data between users and cloud applications to comply with corporate and regulatory requirements. | ✗ | ✗ | ✓ |
Configure Quarantine Profiles in Concerto Certain Data Loss Prevention (DLP) rule types—such as File Type, Exact Data Match (EDM), and Optical Character Recognition (OCR)—support the quarantine action. | ✗ | ✗ | ✓ |
Integrate with Microsoft Defender for Cloud Apps Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across cloud services. | ✗ | ✓ | ✓ |
Configure SASE User-Defined Objects Objects are configuration elements that you use to build larger configurations, such as policy rules and profiles. | ✓ | ✓ | ✓ |
Update and View Shadow IT Discovery Applications Shadow IT refers to IT devices, software, and services that operate within an organization's network without explicit management, control, or approval of the IT department. | ✗ | ✓ | ✓ |
Client devices and user accounts
Client devices and user accounts | Basic | Plus | Premium |
---|---|---|---|
Configure SASE Secure Client-Based Access Profiles Secure client-based access profiles define the application monitors, browser access, DNS resolvers, and routes that are used to bind public keys to the client. | ✗ | ✓ | ✓ |
Configure SASE Secure Clientless Access Policy Rules Clientless access is a method of providing secure access to enterprise resources without requiring users to install client software on their devices. Instead, users access resources through a web browser using web-based technologies. | ✗ | ✓ | ✓ |
Configure SASE Secure Client-Based Access Rules You use secure client-based access rules and profiles to manage client applications running on personal computers and mobile phones, such as EIP and Always On. | ✗ | ✓ | ✓ |
Configure Device Risk Profiles in Concerto The device risk profile in Concerto allows you to weigh the importance of different categories of device risk. You do this by assigning a weighting value, given as a percentage, for each category. | ✗ | ✓ | ✓ |
Configure Endpoint Information Profiles To protect the enterprise network and resources, you can create endpoint information profiles (EIPs), which ensure that the endpoint devices that access the enterprise network maintain and adhere to enterprise security standards before they access enterprise network resources. | ✗ | ✓ | ✓ |
Configure SASE Secure Client Access Routes and DNS Resolvers for Secure Client Access Secure client access profiles define routes and DNS resolvers that are used to bind public keys to the client. | ✗ | ✓ | ✓ |
Protection against complex attacks
Protection against complex attacks | Basic | Plus | Premium |
---|---|---|---|
Use the GenAI Firewall to Secure Generative AI The adoption of generative AI in the workplace has introduced security risks, as employees adopt AI tools independently without organizational approval. This unmonitored usage, known as "shadow AI", creates a significant risk of data leakage, security gaps, and regulatory violations. | ✗ | ✓ | ✓ |
Integrate with CrowdStrike and Trend Micro for Threat Exchange Integrate CrowdStrike or Trend Micro for threat exchange | ✗ | ✓ | ✓ |
Configure Vulnerability Rules Vulnerability rules determine the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. | ✗ | ✓ | ✓ |
Configure Offline Custom Malware Protection Profiles Offline malware is malicious software that is specifically designed to disrupt computers and computer systems. | ✗ | ✗ | ✓ |
Configure Custom IPS-Filtering Profiles The intrusion prevention system (IPS) mitigates security vulnerabilities by responding to inappropriate or anomalous activity. Responses can include dropping data packets and disconnecting connections that are transmitting unauthorized data. | ✗ | ✓ | ✓ |
Configure Custom Signatures To configure custom signatures, you upload intrusion prevention system (IPS) signature files in .zip or .rules format, and then publish them to push the files to all beem gateways on which the tenant is present. | ✗ | ✓ | ✓ |
Configure Offline Advanced Threat Protection Antivirus software is typically installed on endpoint machines. When a new malware outbreak occurs, antivirus software vendors update their definition or data file for the antivirus software so that the software detects the new malware. | ✗ | ✗ | ✓ |
Configure Endpoint Detection and Response Endpoint detection and response (EDR) is a cybersecurity technology that monitors and responds to threats coming from endpoint devices such as laptops, mobile phones, and internet-of-things (IoT) devices. EDR primarily detects advanced threats that can evade front-line defenses and successfully enter the network environment. | ✗ | ✓ | ✓ |
Configure Forensic Profiles in Concerto Data forensics is a methodology for collecting and analyzing data, such as user activity and system data, on computing devices, network devices, phones, or tablets. The results are often used in legal procedures, regulatory and company investigations, investigations of criminal activity, and other types of investigations that involve digital evidence. | ✗ | ✗ | ✓ |
Configure IPS Override An intrusion prevention system (IPS) mitigates security vulnerabilities by responding to inappropriate or anomalous activity. Responses can include dropping data packets and disconnecting connections that are transmitting unauthorized data. | ✗ | ✓ | ✓ |
Configure Advanced Threat Protection Antivirus software is typically installed on endpoint machines. When new malware outbreaks occur, antivirus software vendors update their definition or data file for the antivirus software so that the software detects new malware. | ✗ | ✗ | ✓ |
Configure Custom Malware Protection Profiles Malware is malicious software that is specifically designed to disrupt computers and computer systems. There are many types of malware, including computer viruses, worms, Trojan viruses, spyware, adware, and ransomware. | ✗ | ✓ | ✓ |
Security policies and Analytics
Security policies and Analytics | Basic | Plus | Premium |
---|---|---|---|
Application Confidence Score The confidence scoring incorporates weights for the various security controls to indicate the importance associated with each based on the organizational requirements. | ✗ | ✓ | ✓ |
View References to SASE Profile Objects You can view all references to any SASE object for real-time protection profiles from other levels of the configuration hierarchy. An object reference shows all of the locations in the hierarchy in which the object is used. | ✓ | ✓ | ✓ |
Sample beem ATP Reports When you use beem advanced threat protection (ATP) to submit files for analysis, a detailed analysis report is generated for each file. | ✗ | ✗ | ✓ |
beem App
beem App | Basic | Plus | Premium |
---|---|---|---|
Configure SASE Secure Client-Based Access Profiles Secure client-based access profiles define the application monitors, browser access, DNS resolvers, and routes that are used to bind public keys to the client. | ✗ | ✓ | ✓ |
Configure SASE Secure Clientless Access Policy Rules Clientless access is a method of providing secure access to enterprise resources without requiring users to install client software on their devices. Instead, users access resources through a web browser using web-based technologies. | ✗ | ✓ | ✓ |
Configure SASE Secure Client-Based Access Rules You configure secure client-based access rules and apply them to secure access clients. | ✗ | ✓ | ✓ |
Configure Device Risk Profiles in Concerto The device risk profile in Concerto allows you to weigh the importance of different categories of device risk. You do this by assigning a weighting value, given as a percentage, for each category. | ✗ | ✗ | ✓ |
Configure Endpoint Information Profiles To protect the enterprise network and resources, you can create endpoint information profiles (EIPs), which ensure that the endpoint devices that access the enterprise network maintain and adhere to enterprise security standards before they access enterprise network resources. | ✗ | ✓ | ✓ |
Configure SASE Secure Client Access Routes and DNS Resolvers for Secure Client Access Secure client access profiles define routes and DNS resolvers that are used to bind public keys to the client. | ✗ | ✗ | ✓ |
Certificate Pinning Certificate pinning can interfere with TLS decryption and inspection because it restricts which certificates are considered valid for a particular application or website. Since the application expects a specific certificate, it rejects any certificate that does not match the pinned one. | ✗ | ✗ | ✓ |