PulseSecure-PPS learner - Pulse Policy Secure (PPS) Deployment Implementation and Configuration Updated: 2024

Pulse Secure plans to roll out on-demand provisioning and pay-per-use pricing to reduce the up-front investment required from MSSPs.

The San Jose, Calif.-based cybersecurity vendor said revised MSSP packaging including user-based licensing will be available to Pulse Secure's channel partners through distribution at the end of November. It will retail at $6 per concurrent user, per month for the first 500 users, Pulse Secure said, with higher discounts available for larger user counts.

The offering will make it easier for cloud service providers and even traditional resellers going through two-tier distribution today to become managed security service providers, Pulse Secure CEO Sudhakar Ramakrishna told CRN. Instead of tying up money in up-front equipment purchases, Ramakrishna said the savings can be used for customer acquisition and new services so their business can expand faster.

[Related: CRN Exclusive: Pulse Secure Lands New CMO To Drive Partner Growth Around Services, Consulting]

The new packaging cuts capital expenditures by enabling MSSPs to spin up or spin down virtual Secure Access instances and licenses at a cost based on the number of concurrent monthly users. By allowing the managed service to scale on demand, partners and customers can buy Secure Access in the same way and avoid oversubscribing or buying overcapacity, said Pulse Secure CMO Scott Gordon.

On-demand provisioning and tiered, user-based pricing give service providers the flexibility needed for customer on-boarding, growth spurts and business downturns, according to Pulse Secure. Specifically, Gordon said it will result in less stress for MSSPs, who will no longer have to predict their customer's growth trajectory well in advance or do last-minute purchasing to meet capacity requirements.

RKON Technologies has up until now bought and built Pulse Secure's technology into its compliant-ready cloud, forcing the Chicago-based MSP to make a major capital outlay and then get paid back as it sells at volume, said co-founder and CEO Jeff Mullarkey. Usage-based pricing, though, aligns better with how RKON bills clients, Mullarkey said, making it easier for the company to work with Pulse Secure.

"It preserves capital," Mullarkey told CRN.

RKON has to continually make investments since it's in a leading-edge market, he said, but only has so much cash available at any given moment. But now, Mullarkey said RKON will no longer have to make a big up-front investment to take on Pulse Secure's product.

The transaction is also simplified from a billing perspective, Mullarkey said, since RKON is charging customers and paying Pulse Secure at the same point in the process. This should reduce administrative costs for RKON, according to Mullarkey, and allow the company to be more competitive and aggressive from a pricing standpoint.

"They're no longer our little secret," he said. "They're really a competitive advantage for quality players that understand and know how to solve security challenges."

Secure Access will be offered to solution providers in three tiers: Essentials, Advanced and Enterprise. Essentials provides network and cloud access with management, Ramakrishna said, with Advanced adding mobile access, and Enterprise infusing in enforcement capabilities.

MSSPs today are typically interested in the Enterprise and Advanced levels since they need not only connectivity and security, according to Ramakrishna, but also visibility and compliance available at the higher tiers.

MSSPs will have access to free ramping over a three-month period, Gordon said, and will then be asked to make a monthly decision around how many licenses they want. All told, Ramakrishna said the new packaging will shift MSSPs from fixed up-front investments to investments that are variable with customer demand, with partners only buying more licenses as they procure more customers.

The Pulse Secure Access Suite for MSSPs will include an integrated virtual private network, enterprise mobile management, network access control and a virtual application delivery controller within a unified management framework for data center and hybrid IT implementation, according to the company.

The integrated product sets will make it easier for MSSPs to add services quickly rather than having to build them in silos, according to Ramakrishna.

The offering also includes a multitenant, centralized management system and licensing server that gives MSSPs operational oversight while also providing clients with dashboard visibility. The Pulse Secure Access Suite includes virtual appliance form factors for VMware, KVM and Hyper-V, and supports deployment in hosted cloud environments such as Microsoft Azure and Amazon Web Services.

Between 90 percent and 95 percent of Pulse Secure's overall business flows through channel partners today, Ramakrishna said, with nearly 25 percent of sales being transacted by MSSPs or cloud service providers (CSPs). Pulse Secure has between 100 and 200 MSSP and CSP partners today, Ramakrishna said, and hopes to add an additional 100 to 200 MSSP or CSP solution providers worldwide within the next year.

Ramakrishna said Pulse Secure is most focused on customer engagement and success scores, the number of customers being served through the channel, and new partner recruitment from either traditional partners becoming MSSPs or CSPs or longstanding MSSPs or CSPs joining the program. All told, Ramakrishna said Pulse Secure wants to grow the MSSP and CSP slice of the overall channel pie.

Pulse Secure is expanding its secure access portfolio to services and applications, as the company announced on Thursday it plans to acquire Brocade's virtual Application Delivery Controller (vADC) business.

The terms of the deal were not disclosed. The planned acquisition includes all assets associated with the business, including research and development, customer support, and maintenance contracts.

In a blog post about the announcement, CEO Sudhakar Ramakrishna said the acquisition would allow Pulse Secure to continue building on its Secure Access Suite. In particular, it boosts Pulse Secure's access capabilities around hybrid cloud, helping control access to applications on premise, in the cloud, and in cloud service marketplaces, he said.

[Related: Partners Struggling To Close Brocade-Ruckus Sales Amid Restructuring; Channel Chief Pledges To Resolve 'Confusion']

"At Pulse Secure, we have a core belief that security should be about access and not (just) control. This belief system, combined with innovations that make it real, facilitates the economic delivery of Secure Access to our customers," Ramakrishna said in the blog post.

"There’s always a concern with how well a product will continue to be developed through numerous acquisitions like this as it often causes some of the key talent to leave, but I really like Pulse Secure's management team," said Dominic Grillo, executive vice president at Branchburg, N.J.-based Atrion Communication Resources. "We had definitely liked the vADC solution when it was part of Riverbed, so hopefully Pulse Secure can make something of the technology."

Brocade had acquired the vADC technology as part of its 2015 acquisition of Riverbed Technology's SteepApp product line. As a long-time Pulse Secure partner, supporting the technology through multiple acquisitions, Grillo said the acquisition will likely help Pulse Secure drive revenue from more areas of its portfolio, as well as compete better in the marketplace against companies like Citrix.

"Pulse Secure has a definite need to derive more revenue from products other than their Connect Secure SSL VPN so I think this is a good thing. It will likely help them compete better against Citrix’s NetScaler solution which competes directly with Pulse Secure," Grillo said.

The acquisition is also the latest example of Brocade evolving its business model, including the May 2016 acquisition of Ruckus Wireless for $1.2 billion. However, partners were quickly left confused as Broadcom announced in November that it was acquiring Brocade for $5.9 billion, a deal expected to close later this year. Broadcom said at the time that it was looking to unload the Brocade and Ruckus networking business.

Since then, Brocade agreed to sell its network-edge portfolio, which includes the Ruckus Wireless and ICX Switch product families, for $800 million to Arris International. It also agreed to sell its data center networking business to Extreme Networks for $55 million. Both the Extreme and Arris acquisitions are set to take place this year after Broadcom closes its deal to acquire Brocade.

"Pulse Secure is a great fit for our vADC business, and a positive outcome for our employees, customers and partners," Brocade's Senior Vice President and General Manager of Software Networking Kelly Herrell said in a statement. " Our vADC family is highly complementary to Pulse Secure's current portfolio, and is expected to enhance Pulse's capability to deliver a complete end-to-end secure access solution."

Pulse Secure said it "intends to hire certain Brocade employees associated with the vADC business." CEO Ramakrishna said in his blog post that he is "thrilled to have the vADC teams join Pulse Nation" and that the company is "fortunate to have such a great group of people joining Pulse Secure."

Pulse Secure was formed in July 2014 from the spinout of Juniper's mobile security portfolio Junos Pulse to Siris Capital for $250 million. As a standalone company, Pulse Secure offers SSL VPN, unified access control and workspace virtualized containerization of applications on mobile devices. The company added Ramakrisha, a former Citrix executive, as CEO in June 2015 and around the same time launched its first independent partner program.

The acquisition is expected to close between late June and mid-July. It is expected to close prior to Brocade's anticipated acquisition by Broadcom.

This post summarizes provisions of SECURE 2.0 that retirement plans may need or want to implement for 2024. While no amendments are required for plans heading into 2024, plan operations may see some updates, especially if the plan sponsor wishes to implement some of the new optional features. We have provided an overview of many of these SECURE 2.0 provisions through our blog in the past, and this post provides a run-down of those features to remind you of these provisions.

2024 Required Plan Operation Changes

SECURE 2.0 requires plans to begin implementing the following provisions starting in 2024.

Long-Term, Part-Time Employee Eligibility and Vesting

SECURE 1.0 and SECURE 2.0 changed the eligibility and vesting requirements for long-term, part-time employees for 401(k) and 403(b) plans. For plan years beginning on or after January 1, 2024, 401(k) plans must allow employees who are credited with at least 500 hours of service in each of three consecutive 12-month periods and have attained age 21 to make elective deferrals to the plan, with service before January 1, 2021, disregarded for purposes of determining eligibility. For plan years beginning on or after January 1, 2025, only two consecutive 12-month periods with 500 hours of service worked will be required, with service before January 1, 2023, disregarded. Effective for plan years beginning after December 31, 2024, 403(b) plans will also be subject to these long-term, part-time employee rules. For details, see our blog post here.

Catch-up Contributions as Roth Contributions

Participants 50 or older may make catch-up contributions to their retirement plans on a pre-tax or Roth basis (if the plan permits Roth contributions). A retirement plan may permit a participant who would be 50 or older by the end of a taxable year to make additional catch-up contributions for that year without regard to otherwise applicable limits.

SECURE 2.0 provides that catch-up contributions for employees whose wages exceed $145,000 may be made only as Roth contributions. Most plans permit catch-up contributions, but many do not provide for Roth contributions.

The IRS announced a two-year administrative transition period for employers to comply with this Roth mandate for highly paid employees, extending the compliance deadline to December 31, 2025. For more information on this relief, see our blog post here.

Required Minimum Distribution Changes

Roth Required Minimum Distributions

Retirement plans must include required minimum distribution rules in the plan documents to maintain tax-qualified status. For taxable years beginning after December 31, 2023, the required minimum distribution rules will not apply to Roth accounts in 401(k) and other defined contribution plans. The required minimum distribution rules will continue to apply to pre-tax accounts.

Surviving Spouse Election to be Treated as Employee

For years beginning after December 31, 2023, a surviving spouse may elect to be treated as if they were the deceased employee for purposes of the required minimum distribution rules.

Optional SECURE 2.0 Provisions that Can be Implemented in 2024

SECURE 2.0 contains optional provisions that may benefit participants and be a valuable tool to ensure greater employee participation in retirement programs. The following elective provisions may be implemented starting in 2024.[1]

Matching Contributions for Student Loan Payments

For plan years starting after December 31, 2023, defined contribution plans may treat an employee’s qualifying student loan repayments as elective deferrals or after-tax contributions for purposes of the plan’s matching contribution. The provision allows employees to receive the employer match, even if the employee does not contribute to the plan. Qualified student loan payments must be for the repayment of a qualified education loan for higher education of the employee, the employee’s spouse, or an individual who was the employee’s dependent at the time the debt arose. Student loan payments may be treated as qualified student loan payments to the extent that those payments combined with the employee’s elective deferrals during a plan year do not exceed the annual limit on elective deferrals.

Currently, there is no generally applicable guidance on how to set up this provision in a plan document.

Emergency Savings Accounts Linked to Individual Account Plans

Effective for plan years after December 31, 2023, a sponsor of an individual account plan may include a pension-linked emergency savings account for non-highly compensated employees with a cap of up to $2,500 (as adjusted) to be funded with employee contributions. Employers may also provide an auto-enrollment feature at a rate of up to 3% of pay into these accounts. For more details, see our blog post here.

Penalty-Free Withdrawals

We recently published a blog on “New Options for Retirement Plan Distributions under SECURE 2.0,” which discusses the new penalty-free distribution options a plan can make available.

Withdrawals for Certain Emergency Expenses

For plan years beginning after December 31, 2023, defined contribution plans may allow participants to take up to $1,000 of their vested account balance in a calendar year as an emergency personal expense distribution without a penalty for early withdrawals. An emergency personal expense distribution is meant to meet unforeseeable or immediate financial needs relating to necessary personal or family expenses.

If the participant wants to repay the distribution, it must be repaid within three years, beginning the day after the distribution was received. Additionally, an individual cannot take a subsequent emergency personal expense distribution until it is repaid or the aggregate amount of the participant’s elective deferrals and employee contributions made to the plan after the previous distribution is at least equal to the amount of the previous distribution that has not been repaid. The plan administrator may rely on an employee’s certification that their expense satisfies the applicable conditions.

Domestic Abuse Penalty-Free Withdrawal

For plan years beginning after December 31, 2023, a defined contribution plan may also allow withdrawals for domestic abuse victims up to the lesser of $10,000 or 50% of their vested account balance during a one-year period. If the participant wants to repay the amount withdrawn, repayment must be made within three years, beginning the day after the distribution was received. The plan may rely on the participant’s self-certification that they qualify for the withdrawal.

403(b) Hardship Withdrawal

For plan years beginning after December 31, 2023, 403(b) plans may allow distributions of qualified nonelective contributions, qualified matching contributions, and earnings on those contributions and elective deferrals in the event of a hardship. The plan may rely on the participant’s self-certification that they qualify for the withdrawal.

Mandatory Cash-Out Limit Increase

Currently, retirement plans can automatically cash out the benefit of a vested participant who leaves service if the benefit is between $1,000 and $5,000 and roll that amount into an IRA. The limit is increasing to $7,000 for distributions made after December 31, 2023. This change may be beneficial to plans that have smaller accounts.

When Should Plan Amendments be Made for these SECURE 2.0 Changes?

IRS Notice 2024-2, published on December 20, 2023, has extended the already generous time periods for SECURE 2.0 amendments. Any elective or required change made operationally to a plan based on a SECURE 2.0 provision must be included in a plan amendment by:

1. December 31, 2026, for non-collectively bargained qualified plans and section 403(b) plans not maintained by a public school.
2. December 31, 2028, for collectively bargained qualified plans and collectively-bargained 403(b) plans.

Regardless of this extended amendment deadline, it may be advisable for plans that implement these provisions to make plan amendments close to the time the provision is implemented so that the details will not have to be reconstructed at a later date.

The IRS just couldn’t wait for Christmas to gift everyone Miscellaneous Changes Under the Secure 2.0 Act of 2022!  Notice 2024-2 is meant to provide guidance on discreet issues to assist with SECURE 2.0 implementation. The Notice provides guidance in the form of Q&As with respect to the following sections of SECURE 2.0:

• Section 101 -- expanding automatic enrollment
• Section 102 -- modification of credit for small employer pension plan startup costs
• Section 112 -- military spouse retirement plan eligibility credit for small employers
• Section 113 -- small immediate financial incentives for contributing to a plan
• Section 117 -- contribution limit for SIMPLE plans
• Section 326 -- exception to the additional tax on early distributions from qualified plans for individuals with a terminal illness
• Section 332 -- employers allowed to replace SIMPLE retirement accounts with safe harbor 401(k) plans during a year
• Section 348 -- cash balance plan accruals and interest crediting rate
• Section 350 -- safe harbor for correction of employee elective deferral failures
• Section 501 -- provisions relating to plan amendments (** The Notice generally extends the deadline to amend a qualified plan for SECURE Act, SECURE 2.0, the Miners Act and Sections 2022 or 2023 of the CARES Act to December 31, 2026. The extended deadline does not impact the requirement for plan operations to reflect applicable law prior to plan amendment. **)
• Section 601 -- SIMPLE and SEP Roth IRA contribution designations, and
• Section 604 -- optional treatment of employer contributions or nonelective contributions as Roth contributions.

The IRS is inviting comments to Section 113 and Section 348 to be submitted by February 20, 2024. In the meantime, KMK will be providing additional analysis to guide plan sponsors through these important developments. Stay tuned, and happy holidays.

The fun part of security audits is that everybody knows that they’re a good thing, and also that they’re rarely performed prior to another range of products being shoved into the market. This would definitely seem to be the case with fingerprint sensors as found on a range of laptops that are advertised as being compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently blow gaping holes in the security of the three laptops they examined.

In the article by [Jesse D’Aguanno] and [Timo Teräs] the basic system and steps they took to defeat it are described. The primary components are the fingerprint sensor and Microsoft’s Secure Device Connection Protocol (SDCP), with the latter tasked with securing the (USB) connection between the sensor and the host. Theoretically the sensitive fingerprint-related data stays on the sensor with all matching performed there (Match on Chip, MoC) as required by the Windows Hello standard, and SDCP keeping prying eyes at bay.

Interestingly, the three laptops examined (Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X) all featured different sensor brands (Goodix, Synaptics and ELAN), with different security implementations. The first used an MoC with SDCP, but security was much weaker under Linux, which allowed for a fake user to be enrolled. The Synaptics implementation used a secure TLS connection that used part of the information on the laptop’s model sticker as the key, and the ELAN version didn’t even bother with security but responded merrily to basic USB queries.

To say that this is a humiliating result for these companies is an understatement, and demonstrates that nobody in his right mind should use fingerprint- or similar scanners like this for access to personal or business information.

WinSCP is a free, open-source file-transfer application that uses File Transfer Protocol, Secure Shell File Transfer Protocol and Secure Copy Protocol for plain or secure file transfer. The application is designed to work with Windows and supports common Windows desktop features, such as dragging and dropping files, jump list locations and context menu entries.