Zero Trust Network Access (ZTNA) is a security framework based on the principle of "never trust, always verify." Unlike traditional perimeter-based security (VPNs), ZTNA assumes threats exist both inside and outside the network. It requires strict identity and posture verification for every user and device before granting access to specific resources.
The Four Pillars of Cipherscale Zero Trust
Cipherscale simplifies ZTNA implementation by embedding security controls directly into its AI-native architecture. Below is how Cipherscale fulfills the core principles of Zero Trust:
1. Identity Verification
Every Cipherscale session begins with a mandatory identity check.
- External IdP Integration: Authentication is delegated to trusted providers such as Google, Microsoft (OIDC), or SAML-based Identity Providers.
- Customer Control: Because authentication is delegated, your existing Multi-Factor Authentication (MFA), password complexity, and conditional access policies are automatically enforced.
- No Local Accounts: By eliminating local user databases, Cipherscale prevents credential silos and reduces the risk of account misuse.
2. Least Privilege Access
Cipherscale moves away from broad "network-level" access and focuses instead on granular "application-level" access.
- Granular Resources: Admins define resources by specific domain names or IP addresses, thereby discouraging overprivileged network access.
- Protocol Filtering: You can restrict access to specific application protocols (e.g., allow HTTPS but block SSH).
- User-Level Precision: Access can be tuned for specific groups, individual users, or even a user's specific device, ensuring everyone has exactly what they need—and nothing more.
3. Dynamic Micro-Segmentation
Cipherscale creates "Identity-Based Microsegments" that prevent attackers from moving laterally.
- On-Demand Routing: Routes are limited to the authorized applications and are added to the user's device only after all policy checks are cleared.
- Gateway Firewall Provisioning: Simultaneously, the Cipherscale Gateway is provisioned with temporary firewall rules that allow traffic only from that specific authorized device to the authorized application.
- Cipherscale Spaces: For deep organizational isolation, you can create multiple "Spaces" (e.g., separating IoT traffic from Financial operations) under a single management umbrella.
4. Continuous Posture Monitoring
Trust is not a one-time event; it is continuously re-evaluated. Cipherscale links access policies to Admission Rules that check for:
- Device Health (Posture): Requirements such as Disk Encryption, Antivirus status, and the presence of specific digital certificates or security processes.
- Contextual Signals: Location-based access (Geofencing), time-of-day restrictions, and OS version requirements (Android, iOS, macOS, Windows).
- Adaptive Security: A user might be allowed to access a public SaaS app with basic security, but denied access to a sensitive private database if their disk encryption is disabled.
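As an added illustration that is not Cipherscale's own code, policy schema or API, the following Python models how the checks from pillars 2 to 4 combine into one default-deny decision, and how an allow yields the per-device route and temporary gateway rule described under micro-segmentation. The Device and Resource fields, protocol names, hosts and sample values are constructed for this example.

```python
from dataclasses import dataclass

# Constructed, illustrative model of the checks described above; not Cipherscale's
# schema, API or enforcement code. Every check must pass (default deny).

@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    groups: frozenset
    disk_encrypted: bool
    av_running: bool
    country: str

@dataclass(frozen=True)
class Resource:
    name: str
    host: str                       # defined by a specific domain name or IP
    allowed_protocols: frozenset    # protocol filtering, e.g. {"https"}
    allowed_groups: frozenset       # group/user-level precision
    require_disk_encryption: bool = False       # admission rule for sensitive data
    allowed_countries: frozenset = frozenset()  # geofence; empty means any

def evaluate(device, resource, protocol):
    """Identity, least-privilege and posture checks; returns (allowed, reason)."""
    if not device.groups & resource.allowed_groups:
        return False, "identity: user is not in an authorized group"
    if protocol not in resource.allowed_protocols:
        return False, f"least privilege: {protocol} is not permitted for {resource.name}"
    if not device.av_running:
        return False, "posture: antivirus is not running"
    if resource.require_disk_encryption and not device.disk_encrypted:
        return False, "posture: disk encryption is disabled"
    if resource.allowed_countries and device.country not in resource.allowed_countries:
        return False, f"geofence: access from {device.country} is not allowed"
    return True, "allowed"

def provision(device, resource, protocol):
    """On allow, emit the per-device route and temporary gateway rule (as dicts)."""
    allowed, reason = evaluate(device, resource, protocol)
    if not allowed:
        # Nothing is provisioned, so no network path to the resource exists.
        return {"decision": "deny", "reason": reason, "route": None, "firewall_rule": None}
    return {
        "decision": "allow",
        "reason": reason,
        "route": {"device": device.device_id, "host": resource.host},
        "firewall_rule": {"src": device.device_id, "dst": resource.host,
                          "proto": protocol, "temporary": True},
    }
```

Re-running evaluate whenever a posture signal changes (for example, disk encryption being switched off) models the continuous re-evaluation of trust: the same user and resource that were allowed a moment ago are denied, and the temporary rule is not re-issued.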