CrossLink ZTNA

The way ZTNA should be: simple to deploy, highly secure, highly scalable, cloud-based, for all applications and devices. An enterprise-grade access solution that meets the challenges of today and beyond, without ignoring the investments of the past.


The CrossLink Difference

There are many ZTNA vendors on the market and even more promises. So why choose CrossLink?

Proven in a Fortune 5 deployment.

For over 10 years, a Fortune 5 oil and gas supermajor has chosen CrossLink as its global remote access solution. The deployment encompasses 80,000 employees and over 30,000 third-party contractors, spanning every single imaginable use case, with over 30 CrossLink servers across the world in a geographically-redundant hybrid setup of cloud and on-premises instances. CrossLink is simple enough for the smallest enterprise, yet powerful enough for the largest.

Built for the cloud, like the cloud.

CrossLink is delivered as a cloud-based subscription service running on both AWS and Azure, ensuring a globally-distributed point-of-presence fabric of CrossLink nodes. CrossLink is built like the cloud: massively parallel, massively scalable, reliable and agile, able to quickly adapt to changes in the enterprise.

Simplicity without compromise.

Security is hard. Your ZTNA solution should not make it harder. CrossLink is built on the idea of simplifying ZTNA. With CrossLink, there are no firewall rules to change, no network to reconfigure. Enabling access to resources can be done in a matter of minutes. And unlike other vendors, CrossLink does not require any compromises on the applications, devices, or users that can be supported. CrossLink: powerfully simple.

All Applications. All Users. All Devices.


Most ZTNA offerings force an implicit choice on the applications, users, or devices that are supported. Are legacy applications supported or only modern web applications? Is the experience the same for third-party contractors as it is for employees? Is there a consistent user experience across mobile and non-mobile devices? With CrossLink, there are no compromises. Built to handle all use cases—from legacy VPN replacement to modern agile applications—CrossLink provides a single platform for all applications, to all users, on all devices.

Some ZTNA products can only handle web-based traffic. Others can only handle DNS-based resources. To handle the complexities of the modern enterprise with these products requires deploying multiple point solutions—VPN for legacy applications, one ZTNA for DNS-based resources, another ZTNA for web and SaaS, and so on. CrossLink is different. CrossLink provides ZTNA to all applications and protocols across the entire network stack from a single unified solution. Legacy IP-based applications, DNS-based resources, web-based applications and SaaS, and even application-level resources like file shares and printers can be managed by a single CrossLink deployment. This makes CrossLink unique among ZTNA products in the market today.
The access requirements of employees are different from those of third-party contractors. An unmanaged third-party user typically requires an agentless solution, while an employee benefits from an agent-based approach. Most ZTNA products only support one option. CrossLink is different. CrossLink has agents for all major mobile and non-mobile platforms, as well as an agentless browser-based option. Additionally, CrossLink provides a lightweight dynamic agent that is loaded on demand through a browser and offers an agent-like experience without requiring any agent installation, which is especially valuable for third-party and "work from home" users. Whether access is agentless, through the dynamic agent, or through an installed agent, CrossLink applies access policies consistently.
A mobile device has different risk characteristics than a non-mobile device, while an IoT device will have different authentication requirements than a user-driven device. ZTNA products that fail to distinguish these differences open the enterprise to risk. CrossLink is different. CrossLink is able to enforce consistent access policies across all devices, and dynamically adapt these policies according to the risk of the device. For instance, a user connecting via a mobile device may have a more restrictive access policy than one connecting via a managed enterprise laptop. Additionally, CrossLink is able to ensure that device health policies are met—not just during the initial connection phase, but during the entire access lifecycle. If the device ever falls out of compliance, remediation options are presented to the user, or access is simply terminated.
Users should not need to concern themselves with the intricacies of access policies, device configuration, or authentication requirements in order to access their applications securely. And yet, many ZTNA offerings fall short by requiring users to be aware of what resources they're accessing, what device they're on, or what network they're connected to—leading to frustration on the part of users and increased risk for the enterprise. CrossLink is different. CrossLink is built from the ground up to provide a seamless access experience, where secure connectivity to resources is managed automatically and behind the scenes—ensuring that users can simply go about their business and be productive while at the same time enforcing the access policies that keep enterprise resources secure.

Zero-Touch Deployment


Deploying an access control solution is typically one of the most complex and costly parts of the process—a reality that most ZTNA vendors choose to gloss over. CrossLink is different. The CrossLink Inside-Out Connector provides a simplified way of enabling secure access to applications and resources. With the Inside-Out Connector, enabling secure access takes a matter of minutes. There is no network configuration to modify, no firewall rules to change. Simply deploy the Inside-Out Connector on any server, VM, or container, configure access policies, and users will be able to connect to their applications. This "zero-touch" deployment model provides a quick and simple way to start granting access to your applications.

With the CrossLink Inside-Out Connector (IOC), enabling access to a resource or application is as simple as installing a piece of software on any server, VM, or container. The CrossLink IOC connects back to the CrossLink cloud service to establish a secure channel for access to resources. Unlike other ZTNA vendors, the CrossLink IOC can enable connectivity to the entire gamut of resources—from a single URL or service to an entire network segment. Zero-trust access policies are applied regardless of connectivity according to the established access control profiles.
Though Inside-Out Connectivity is the preferred connectivity model for simplicity, CrossLink also fully supports an Outside-In Connectivity model. Outside-In Connectivity typically involves the use of site-to-site connectivity between the CrossLink cloud service and the enterprise networks. Outside-In Connectivity is useful for large enterprises that need a direct and streamlined connectivity pipeline between the CrossLink cloud servers and internal resources.
Hybrid Connectivity involves a mix of both Inside-Out Connectivity and Outside-In Connectivity. Through the same centrally-managed CrossLink cloud service, both modes are supported concurrently under the same deployment. Hybrid Connectivity is especially useful for enterprises undergoing their own cloud transformation: as internal services and resources are migrated to the cloud, access to these resources can now be quickly enabled via Inside-Out Connectivity. Additionally, CrossLink servers, which typically run in a cloud environment, can also be deployed on-premises as part of a single deployment.

Adaptive Identity Security


Following the principle of "least privilege," CrossLink enforces real-time decisions about what a user can access, when, and for how long. These decisions are made on a strongly-authenticated identity, not an IP address. CrossLink access policies adapt dynamically according to changes in the health of the user device, location, network characteristics, and other factors. With adaptive identity security, CrossLink ensures that users can access only what they have been explicitly granted access to, tightening and locking down policies automatically as the usage environment changes.

By definition, zero-trust network access (ZTNA) means that access is implicitly denied unless it is explicitly granted. This is in contrast to a VPN, for instance, where broad access is granted (usually to an entire network) and users can move laterally to access resources and services that they should not be able to access. With CrossLink, users only have access to those resources that were explicitly granted. Unlike other ZTNA vendors, CrossLink is able to enforce zero-trust through the entire network stack—from the IP level to the application level. This means that all applications and protocols—from legacy IP-based protocols to modern web applications—are protected by a single, unified zero-trust fabric.
The old model of access control implicitly granted broad lateral access to a device identified by an internal IP address (as granted by a VPN). With CrossLink, all access control decisions are made on a strongly-authenticated identity, not an IP. Users must first authenticate themselves (either through an Identity Provider or through a strong authentication mechanism directly through CrossLink) before an access control policy is applied directly against the verified identity. Significantly, CrossLink factors in users' device characteristics as part of their identity when constructing access control profiles. This means that a user connecting via a mobile device might automatically see a more restrictive access policy than the same user connecting via a laptop.
With the rise of BYOD for third-party access and user-owned devices for "work from home" (WfH), there has never been a greater need to ensure trust in a device than today. CrossLink allows device health policies to be tied directly to the access control profile. Significantly, CrossLink ensures that the device meets this health policy not just during the initial connection, but also during the entire access lifecycle. This means that if a device falls out of compliance at any point, the access control profile will be modified accordingly (for instance, suggesting remediation options for the user, asking for step-up authentication, or simply terminating connectivity). CrossLink offers a rich set of health policies that can be applied, including extensive scripting support to handle even the most complex of policies.

Visibility and Control


It is not enough to produce a full audit record of all access activity; it is also necessary to have tools that allow rapid visualization of all this information, along with specific alerts triggered during suspicious activity. CrossLink not only provides a full audit trail of every user session, but it also integrates directly with SIEM tools while providing a dashboard for visualization and analysis of key events.

CrossLink maintains a full audit trail of all access activity generated by an identity. With this audit trail, the entire access history of a user can be reconstructed, down to the single URL or file that was accessed by the user. CrossLink offers tools directly integrated within its management console to visualize this information and generate reports. Alerts can be set to trigger on suspicious activity.

Simplified Management


Whether your CrossLink deployment is a single instance in the cloud or a complex, multi-node deployment mixing on-premises and cloud instances, CrossLink offers a single point of control for all gateways and unified management of access policies. As your access requirements grow or transition from on-premises to cloud, management of CrossLink remains the same, ensuring that operations remain efficient and cost-effective.

CrossLink is offered as a cloud-subscription service available on AWS and Azure, ensuring a globally-distributed point-of-presence (PoP) fabric that embraces the global nature of remote access. Additionally, CrossLink instances can be deployed within enterprise-managed cloud environments (i.e., by deploying a CrossLink VM within the enterprise cloud), and also directly on-premises (i.e., within an enterprise data center or network point-of-presence). Any mix of these delivery modes is supported concurrently under a single CrossLink deployment, and any mix can be centrally managed under a unified management environment.
One of the biggest challenges in moving away from an uncontrolled platform like VPN to the zero-trust model is creating access policy profiles. Enterprises that have given broad access to their employees often do not know what these users are accessing and would find the process of manually creating access profiles prohibitive. The CrossLink Policy Discovery Engine greatly simplifies the transition from open access to the zero-trust model. The Policy Discovery Engine uses machine learning to automatically construct access control profiles based on user access events, which can then be tweaked manually as needed. In most situations, the Policy Discovery Engine is able to capture 98% of all policy access rules automatically over a period of a few weeks. This greatly simplifies the transition process from open access profiles, reducing the time and cost to do so.

Easy Integration


Pre-packaged integration with existing infrastructure saves time and cost. CrossLink offers extensive integration options out-of-the-box, including support for a wide range of identity providers (IdP), MDM/EMM solutions, SIEM offerings, and change management tools. CrossLink can integrate directly with these and more—without requiring any changes to these services.

A fundamental tenet of ZTNA is providing zero-trust access to a strongly-authenticated identity. For those enterprises that are already using an identity provider for identity information, CrossLink can integrate directly with this IdP for authentication and identity management. Access control profiles in CrossLink can directly target groups or individuals within the IdP. For those enterprises that are not using an identity provider, CrossLink can directly integrate with a directory for user information and various authentication providers for user authentication, or authentication and identity management services can be handled directly within CrossLink itself. All types of authentication are supported, including PKI certificates, multi-factor services like Azure MFA, smart cards, tokens, and others.

Ready to Learn More?

Download the product whitepaper or request a trial to see what CrossLink can do for you.