Like most security terms, Zero Trust is a brilliant concept that, unfortunately, too often ends up as a hollow slogan smothered in “marketing-bullshit-caramel-sauce.” Just as when someone drops the term AI, it becomes crucial to peek under the hood and see what, and especially how, they actually mean it. I recently got asked what we “open source guys” actually use for Zero Trust Network Access (ZTNA). Well, for a few years now, our go-to has been OpenZiti.
OpenZiti is a full-blown open-source technology that covers every aspect of ZTNA: strong identity-based authentication (every endpoint, human or machine, enrolls with its own cryptographic identity), micro-segmentation down to the individual service (least-privilege access, granted per identity rather than per network segment), and making your environment go almost completely “dark” (no inbound ports exposed to the Internet).
The kicker? It’s built for a modern software world. Because it’s fully open source and comes with SDKs for the common languages plus ready-made tunnelers and routers, you can run it inside your Docker containers, as a sidecar, or in front of a proxy. Everything is manageable via Infrastructure-as-Code; we use Ansible ourselves, but because the controller exposes a REST API, virtually any tool will work.
Ziti was developed years ago by NetFoundry, an internal startup of Tata Communications, to solve a real internal problem. This leads us to another major plus: you can run the whole stack (controller, routers, tunnelers) on your own infrastructure, on-prem or in the cloud, keeping full control without vendor lock-in or digital-sovereignty headaches.
Of course, like any powerful tech, there’s a learning curve. But if you don’t want to invest the time, if things get too complex because your requirements span several countries and providers, or if you simply need rock-solid enterprise support, you can transition to the commercial NetFoundry product, which is built on the same open-source core. Best of both worlds.
What can you actually do with it?
Make remote work simple (and safe) again: The first application most companies care about is replacing traditional, often insecure VPNs with ZTNA. Completely “dark” (no externally visible ports, so there is nothing to scan or brute-force), strongly authenticated with MFA, and the user only sees the services they are explicitly authorized to dial rather than a whole subnet, all managed from a single dashboard with robust logging of who connected to what.
A secure WAN over the Internet: Whether you’re an SME or an enterprise, you can use it as a secure overlay network that transparently leverages multiple Internet connections for bandwidth and redundancy. It links your sites, cloud infrastructure, and apps across different providers with the guarantees you need today: identity-based access, end-to-end encryption, and path selection across the available links.
Extra security in your own software through embedded networking: For those who want to go further, you can use the SDK to embed OpenZiti directly into your own software. The application then holds its own Ziti identity, dials and binds services over the overlay, and never opens a listening port of its own, which brings all these security features deep into your app or software infrastructure.
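To make the “user only sees what they are allowed to see” point concrete, here is an added example (not OpenZiti’s own code, and not part of the original post) that re-implements the matching semantics of OpenZiti service policies in plain Python: `#attribute` selectors match every identity or service carrying that role attribute, `@name` matches exactly one named object, `#all` matches everything, a policy’s semantic is AnyOf or AllOf, and a Dial policy says who may connect while a Bind policy says who may host. The identities, services and policy names (alice, carol, erp, payroll, hosters-bind and so on) are constructed sample data, not anything from a real deployment.

```python
"""Toy evaluator for OpenZiti-style service policies (added example).

Re-implements the selector matching that the OpenZiti controller applies
when it decides which services an identity may Dial (connect to) or Bind
(host). This is a model for exploring the least-privilege policy design,
not a call into the real SDK or controller; all data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Service:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    kind: str                 # "Dial" or "Bind"
    identity_roles: tuple     # selectors such as "#consultants" or "@alice"
    service_roles: tuple      # selectors such as "#erp-apps" or "@erp"
    semantic: str = "AnyOf"   # or "AllOf"


def selector_matches(selector: str, name: str, roles: frozenset) -> bool:
    """One selector against one named object carrying role attributes."""
    if selector == "#all":
        return True
    if selector.startswith("@"):
        return selector[1:] == name
    if selector.startswith("#"):
        return selector[1:] in roles
    raise ValueError(f"malformed selector {selector!r}")


def selects(selectors, name, roles, semantic) -> bool:
    """Apply AnyOf/AllOf across a selector list; an empty list matches nothing."""
    hits = [selector_matches(s, name, roles) for s in selectors]
    if not hits:
        return False
    return all(hits) if semantic == "AllOf" else any(hits)


def matching_policies(policies, kind, identity, service):
    """Names of policies of the given kind that join this identity to this service."""
    return [
        p.name for p in policies
        if p.kind == kind
        and selects(p.identity_roles, identity.name, identity.roles, p.semantic)
        and selects(p.service_roles, service.name, service.roles, p.semantic)
    ]


def reachable_services(policies, identity, services):
    """Services this identity may dial: the only ones it will ever see."""
    return sorted(s.name for s in services
                  if matching_policies(policies, "Dial", identity, s))


def unhosted_services(policies, identities, services):
    """Services no identity may bind: nothing can answer a dial to them."""
    return sorted(
        s.name for s in services
        if not any(matching_policies(policies, "Bind", i, s) for i in identities)
    )


def find(objs, name):
    """Look up an Identity or Service by name."""
    return next(o for o in objs if o.name == name)


# --- constructed sample data (hypothetical names) -------------------------
IDENTITIES = [
    Identity("alice", frozenset({"consultants"})),
    Identity("carol", frozenset({"consultants", "eu-staff"})),
    Identity("bob", frozenset({"developers"})),
    Identity("erp-host", frozenset({"hosters"})),   # tunneler in front of the apps
]
SERVICES = [
    Service("erp", frozenset({"erp-apps"})),
    Service("ci", frozenset({"dev-tools"})),
    Service("payroll", frozenset({"erp-apps", "eu-only"})),
    Service("legacy-db", frozenset()),               # no Bind policy: nobody hosts it
]
POLICIES = [
    ServicePolicy("consultants-dial-erp", "Dial", ("#consultants",), ("@erp",)),
    ServicePolicy("devs-dial", "Dial", ("#developers",), ("#dev-tools", "#erp-apps")),
    # AllOf: the identity must carry BOTH attributes to reach the eu-only service
    ServicePolicy("eu-consultants-payroll", "Dial", ("#consultants", "#eu-staff"),
                  ("#eu-only",), semantic="AllOf"),
    ServicePolicy("hosters-bind", "Bind", ("#hosters",), ("#erp-apps", "#dev-tools")),
]


if __name__ == "__main__":
    for ident in IDENTITIES:
        print(f"{ident.name:10s} may dial: {reachable_services(POLICIES, ident, SERVICES)}")
    print("hosted by nobody:", unhosted_services(POLICIES, IDENTITIES, SERVICES))
```

In a real deployment these objects are created with the `ziti` CLI (for instance `ziti edge create service-policy`) or through the controller API, which is what the Ansible automation mentioned above drives. Two caveats the model leaves out: the controller additionally requires edge-router policies before an identity can reach any router at all, and MFA is enforced through posture checks rather than role attributes, so do not model MFA as a `#role` in production.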
Real-world Case: CERM
We recently used this as the foundation for an international overlay network for one of our oldest and most technically challenging clients: CERM. It works there on many levels, from Zero Trust remote work for consultants to a “dark” internal network connecting their infrastructure and cloud components across four continents. It’s all fully automated with Ansible to keep it manageable. It’s a story where all the pieces finally click into an integrated infrastructure and software solution that adds massive value to their core business.
How to get started?
My advice if you want to dive in: start with a “taster” in the form of a Proof-of-Concept covering one concrete use case, such as replacing the VPN for a single group of users.
What that looks like depends on your needs, but we’re happy to set it up for you and give your technical team hands-on training. That immediately flattens the steep learning curve for you.
Drop us an email if you’re interested in cutting through the noise.