Complementary User Entity Controls

This page summarizes the customer security responsibilities for Dispel’s SaaS and on-prem deployments.

This document speaks to comprehensive security controls at the program level. For the specific technical shared responsibilities, please visit: https://help.dispel.io/en/articles/10517167-shared-responsibilities

Introduction

As part of Dispel’s commitment to security and transparency, we publish this Complementary User Entity Controls (CUECs) document to identify the security responsibilities that rest with our customers. These controls are complementary to those implemented by Dispel and are critical to ensuring that the combined security program for your environment—spanning Dispel’s Zero Trust Engine (ZTE), remote access workflows, micro-segmentation, and threat-detection features—operates effectively.

Because Dispel serves organizations operating in highly regulated sectors—including industrial manufacturing, critical infrastructure, utilities, defense contractors, and operators of OT/ICS environments—we align our CUECs with the frameworks most commonly used by our customers:

  • IEC 62443-3-3 (System Security Requirements and Security Levels), widely used for OT and industrial control systems; and

  • NIST SP 800-53 Rev. 5 High Baseline, used across U.S. federal and defense programs and often adopted by enterprises seeking strong cybersecurity controls.

We encourage customers to view Dispel’s controls and their own controls as a shared-responsibility model. Dispel secures the cloud infrastructure, platform features, and connective workflows. Customers secure the assets, identities, networks, and processes they manage.

The specific division of responsibilities depends heavily on how Dispel is deployed, and our customers use Dispel in two distinct ways:

  1. Dispel-Hosted SaaS Deployment — Dispel operates the entire platform infrastructure.

  2. On-Premises / Customer-Cloud Deployment — The platform is deployed fully inside customer-controlled infrastructure, and the customer assumes operational hosting responsibilities.

This document will help you understand how to fulfill your part of both models.

Why Dispel Uses IEC 62443-3-3 and NIST SP 800-53 High

Our customers overwhelmingly operate in sectors subject to rigorous regulatory, operational, and safety requirements. By grounding CUECs in IEC and NIST:

  • Customers can readily map Dispel’s controls into their existing compliance obligations.

  • Audit cycles are clearer and faster, as customer-side responsibilities are expressed in a familiar framework.

  • The shared responsibility structure aligns with global expectations for critical infrastructure and high-assurance systems.

Understanding Complementary User Entity Controls

CUECs identify the security controls the customer must operate so that Dispel’s platform—whether hosted by us or by you—functions securely.

  • In SaaS deployments, Dispel handles platform hosting, infrastructure security, and system availability.

  • In On-Prem / Customer-Cloud deployments, customers assume many of those functions and must perform platform-level operations as well as site-level security.

Each section below highlights what customers must do in each deployment model.

Customer Responsibilities by Security Domain

Identity & Access Management (IAM)

Mapping: IEC 62443 SR-1.1–1.5; NIST AC-2, AC-3, AC-5, AC-6, IA-2, IA-5

Why this matters

Attackers commonly target identities. Dispel integrates with your IdP, but you control authentication upstream.

Customer Responsibilities

SaaS Deployment

  • Maintain user lifecycle processes for your IdP (provision/de-provision).

  • Enforce MFA on your enterprise IdP.

  • Maintain least-privilege role assignments.

  • Secure customer-managed credentials, API keys, and certificates.

On-Prem / Customer-Cloud Deployment

All SaaS responsibilities plus:

  • You are responsible for securing, maintaining, and hardening the identity systems you integrate with Dispel.

  • You must configure, secure, and monitor the authentication infrastructure used by the Dispel instance (e.g., SAML/SCIM endpoints hosted internally).

  • You are responsible for access control on all platform servers, VMs, and support systems.

Asset, Configuration & Change Management

Mapping: IEC 62443 SR-7.1–7.6; NIST CM-2, CM-3, CM-6, CM-8

Why this matters

Dispel secures connectivity; you control the assets connected behind it (PLCs, firewalls, HMIs, servers).

Customer Responsibilities

SaaS Deployment

  • Maintain inventory of assets behind Dispel micro-segments.

  • Maintain secure configurations of OT/ICS/IT assets connected to Dispel.

  • Validate that only authorized assets reside in Dispel segments.

  • Follow change-control processes for systems integrated with Dispel.

On-Prem / Customer-Cloud Deployment

All SaaS responsibilities plus:

  • You operate and patch the virtual machines, servers, storage, networking, and OS layers that host the Dispel platform.

  • You maintain configuration baselines and change control for Dispel platform nodes, load balancers, databases, and endpoint services.

  • You must ensure secure installation, configuration, and dependency management for all platform components.

Logging, Monitoring & Incident Response

Mapping: IEC 62443 SR-6.1–6.3; NIST AU-6, AU-11, IR-4, IR-6, IR-8

Why this matters

Dispel logs platform activity. Customers log their internal environment.

Customer Responsibilities

SaaS Deployment

  • Monitor logs for systems not hosted by Dispel (local OT/IT networks).

  • Maintain and execute your internal IR plan.

  • Maintain a SIEM/SOC if you so choose.

  • Designate security contacts for coordination with Dispel.

  • Perform local containment (e.g., isolating plant networks).

On-Prem / Customer-Cloud Deployment

All SaaS responsibilities plus:

  • You must collect, store, protect, and monitor logs generated by the Dispel platform infrastructure itself.

  • You are responsible for maintaining uptime for monitoring systems (SIEM, log collectors).

  • You must integrate platform logs into your IR workflow and perform forensic preservation as needed.

  • You own the patching and security lifecycle of monitoring agents on platform nodes.

Physical & Environmental Security

Mapping: IEC 62443 SR-2.1–2.4; NIST PE-3, PE-4, PE-13, PE-18

Why this matters

Physical access defeats digital controls.

Customer Responsibilities

SaaS Deployment

  • Secure all local OT/ICS assets and workstations.

  • Protect engineering laptops used to access Dispel.

  • Maintain environmental protections on local systems.

On-Prem / Customer-Cloud Deployment

All SaaS responsibilities plus:

  • You must secure the physical servers, racks, data centers, and cloud resources hosting the Dispel platform.

  • You must ensure environmental controls (power, cooling, humidity) for all platform nodes.

  • You must physically restrict access to administrative consoles and hardware used by the platform.

Network Security & Communications Integrity

Mapping: IEC 62443 SR-5.1, SR-5.2, SR-7.6; NIST SC-3, SC-5, SC-7, SC-13

Why this matters

Dispel provides secure transport and micro-segmentation. Customers control surrounding networks.

Customer Responsibilities

SaaS Deployment

  • Maintain segmentation and firewall rules at your network boundary.

  • Patch and secure your local networking equipment (firewalls, routers, proxies).

  • Harden ICS protocols behind your network.

  • Validate contractor access before issuing credentials.

On-Prem / Customer-Cloud Deployment

All SaaS responsibilities plus:

  • You secure and operate the network that hosts the Dispel platform, including VLANs, subnets, cloud VPCs, and routing controls.

  • You must configure secure ingress/egress rules for platform components.

  • You are responsible for securing local load balancers, API gateways, VPN bridges, and HA pairs used by the platform.

  • You must protect and isolate platform management interfaces.

Data Governance & Recovery

Mapping: IEC 62443 SR-3.2, SR-4.1, SR-7.4; NIST CP-9, MP-2, SC-12, SC-13

Why this matters

Customers own their data and must maintain governance over how it is stored, transmitted, and backed up.

Customer Responsibilities

SaaS Deployment

  • Maintain backups of any data stored outside Dispel’s cloud.

  • Classify and handle data according to your internal policies.

  • Manage customer-owned materials used in integrations.

On-Prem / Customer-Cloud Deployment

All SaaS responsibilities plus:

  • You must back up and restore the Dispel platform infrastructure (databases, configs, platform nodes, etc.).

  • You must ensure secure storage, rotation, and protection of any encryption keys used by the platform.

  • You are responsible for backup media protection and disaster recovery processes for the entire deployment.

Endpoint Security

Mapping: IEC 62443 SR-3.4, SR-3.5, SR-4.1; NIST SI-2, SI-3, SI-7, SC-3

Why this matters

Compromised endpoints undermine remote access security regardless of platform protections.

Customer Responsibilities

SaaS Deployment

  • Harden and monitor endpoints accessing Dispel (antivirus/EDR, secure configuration, patching).

  • Secure the target jump hosts or HMIs that are reached through Dispel.

On-Prem / Customer-Cloud Deployment

All SaaS responsibilities plus:

  • You must secure the endpoints hosting Dispel platform services:

    • Admin consoles

    • Deployment servers

    • Orchestration servers

    • Any underlying OSes

  • You must maintain patching, vulnerability scanning, and malware protection for all platform nodes.
