CrossLink ZTNA

Some ZTNA products can only handle web-based traffic. Others can only handle DNS-based resources. To handle the complexities of the modern enterprise with these products requires deploying multiple point solutions—VPN for legacy applications, one ZTNA for DNS-based resources, another ZTNA for web and SaaS, and so on. CrossLink is different. CrossLink provides ZTNA to all applications and protocols across the entire network stack from a single unified solution. Legacy IP-based applications, DNS-based resources, web-based applications and SaaS, and even application-level resources like file shares and printers can be managed by a single CrossLink deployment. This makes CrossLink unique among ZTNA products in the market today.

The access requirements of employees are different than those of third-party contractors. An unmanaged third-party user typically requires an agentless solution, while an employee benefits from an agent-based approach. Most ZTNA products only support one option. CrossLink is different. CrossLink has agents for all major mobile and non-mobile platforms, as well as an agentless browser-based option. Additionally, CrossLink provides a lightweight dynamic agent that is loaded on demand through a browser and offers an agent-like experience without requiring any agent installation, especially valuable for third-party and "work from home" users. Regardless of agentless, dynamic agent, or agent, CrossLink consistently applies access policies.

A mobile device has different risk characteristics than a non-mobile device, while an IoT device will have different authentication requirements than a user-driven device. ZTNA products that fail to distinguish these differences open the enterprise to risk. CrossLink is different. CrossLink is able to enforce consistent access policies across all devices, and dynamically adapt these policies according to the risk of the device. For instance, a user connecting via a mobile device may have a more restrictive access policy than one connecting via a managed enterprise laptop. Additionally, CrossLink is able to ensure that device health policies are met—not just during the initial connection phase, but during the entire access lifecycle. If the device ever falls out of compliance, remediation options are presented to the user, or access is simply terminated.

Users should not need to concern themselves with the intricacies of access policies, device configuration, or authentication requirements in order to access their applications securely. And yet, many ZTNA offerings fall short by requiring users to be aware of what resources they're accessing, what device they're on, or what network they're connected to—leading to frustration on the part of users and increased risk for the enterprise. CrossLink is different. Crosslink is built from the ground up to provide a seamless access experience, where secure connectivity to resources is managed automatically and behind-the-scenes—ensuring that users can simply go about their business and be productive while at the same time enforcing the access policies that keep enterprise resources secure.

With the CrossLink Inside-Out Connector (IOC), enabling access to a resource or application is as simple as installing a piece of software on any server, VM, or container. The CrossLink IOC connects back to the CrossLink cloud service to provide a secure channel to provide access to resources. Unlike other ZTNA vendors, the CrossLink IOC can enable connectivity to the entire gamut of resources—from a single URL or service to an entire network segment. Zero-trust access policies are applied regardless of connectivity according to the established access control profiles.

Though Inside-Out Connectivity is the preferred connectivity model for simplicity, CrossLink also fully supports an Outside-In Connectivity model. Outside-In Connectivity typically involves the use of site-to-site connectivity between the CrossLink cloud service and the enterprise networks. Outside-In Connectivity is useful for large enterprises that need a direct and streamlined connectivity pipeline between the CrossLink cloud servers and internal resources.

Hybrid Connectivity involves a mix of both Inside-Out Connectivity and Outside-In Connectivity. Through the same centrally-managed CrossLink cloud service, both modes are supported concurrently under the same deployment. Hybrid Connectivity is especially useful for enterprises undergoing their own cloud transformation: as internal services and resources are migrated to the cloud, access to these resources can now be quickly enabled via Inside-Out Connectivity. Additionally, CrossLink servers, which typically run in a cloud environment, can also be deployed on-premises as part of a single deployment.

By definition, zero-trust network access (ZTNA) means that access is implicitly denied unless it is explicitly granted. This is in contrast to a VPN, for instance, where broad access is granted (usually to an entire network) and users can move laterally to access resources and services that they should not be able to access. With CrossLink, users only have access to those resources that were explicitly granted. Unlike other ZTNA vendors, CrossLink is able to enforce zero-trust through the entire network stack—from the IP level to the application level. This means that all applications and protocols—from legacy IP-based protocols to modern web applications—are protected by a single, unified zero-trust fabric.

The old model of access control implicitly granted broad lateral access to a device identified by an internal IP address (as granted by a VPN). With CrossLink, all access control decisions are made on a strongly-authenticated identity, not an IP. Users must first authenticate themselves (either through an Identity Provider or through a strong authentication mechanism directly through CrossLink) before an access control policy is applied directly against the verified identity. Significantly, CrossLink factors in users' device characteristics as part of their identity when constructing access control profiles. This means that a user connecting via a mobile device might automatically see a more restrictive access policy than the same user connecting via a laptop.

With the rise of BYOD for third-party access and user-owned device for "work from home" (WfH), there has never been a greater need to ensure trust in a device than today. CrossLink allows device health policies to be tied directly to the access control profile. Significantly, CrossLink ensures that the device meets this health policy not just during the initial connection, but also during the entire access lifecycle. This means that if a device falls out of compliance at any point, the access control profile will be modified accordingly (for instance, suggesting remediation options for the user, asking for step-up authentication, or simply terminating connectivity). CrossLink offers a rich set of health policies that can be applied, including extensive scripting support to handle even the most complex of policies.

CrossLink maintains a full audit trail of all access activity generated by an identity. With this audit trail, the entire access history of a user can be reconstructed, down to the single URL or file that was accessed by the user. CrossLink offers tools directly integrated within its management console to visualize this information and generate reports. Alerts can be set to trigger on suspicious activity.

CrossLink is offered as a cloud-subscription service available on AWS and Azure, ensuring a globally-distributed point-of-presence (PoP) fabric that embraces the global nature of remote access. Additionally CrossLink instances can be deployed within enterprise-managed cloud environments (i.e., by deploying a CrossLink VM within the enterprise cloud), and also directly on-premises (i.e., within an enterprise data center or network point-of-presence). Any mix of these delivery modes is supported concurrently under a single CrossLink deployment, and any mix can be centrally managed under a unified management environment.

One of the biggest challenges in moving away from an uncontrolled platform like VPN to the zero-trust model is creating access policy profiles. Enterprises that have given broad access to their employees often do not know what these users are accessing and would find the process of manually creating access profiles prohibitive. The CrossLink Policy Discovery Engine greatly simplifies the transition from open access to the zero-trust model. The Policy Discovery Engine uses machine learning to automatically construct access control profiles based on user access events, which can then be tweaked manually as needed. In most situations, the Policy Discovery Engine is able to capture 98% of all policy access rules automatically over a period of a few weeks. This greatly simplifies the transition process from open access profiles, reducing the time and cost to do so.

A fundamental tenet of ZTNA is providing zero-trust access to a strongly-authenticated identity. For those enterprises that are already using an identity provider for identity information, CrossLink can integrate directly with this IdP for authentication and identity management. Access control profiles in CrossLink can directly target groups or individuals within the IdP. For those enterprises that are not using an identity provider, CrossLink can directly integrate with a directory for user information and various authentication providers for user authentication, or authentication and identity management services can be done directly within CrossLink itself. Support for all types of authentication are supported, including PKI certificates, multi-factor services like Azure MFA, smart cards, tokens, and others.