Zero Trust Internet Access (ZTIA)
Identity-aware, posture-enforced internet access
Evolving Zero Trust Internet Access (ZTIA) brings true Zero Trust enforcement to outbound traffic. Instead of assuming devices and users can access the internet and then filtering what they do, ZTIA makes internet access itself conditional – based on policy, posture, identity, and context.
This isn’t SDWAN with security bolted on, as with so many other providers. It’s the convergence of routing, enforcement, segmentation, access control and encryption.

Before any traffic flows out, we validate who the user is, what device they’re using, and whether it meets policy. If it doesn’t, there’s no access. Not just no access to certain sites – no access at all. A true Zero Trust approach to internet access.
This goes well beyond traditional Secure Web Gateways (SWGs) and Secure Internet Access, which typically rely on static tunnels or browser PAC files and operate without those all-important trust checks.
ZTIA is not a filtering service – it’s a Zero Trust control plane for outbound access.
What makes it different
Most vendors position Secure Internet Access as a cloud filtering layer. Traffic is routed to their inspection point, and policies are applied there.
Some, like Microsoft, require the deployment of multiple agents, rely entirely on their ecosystem, and stitch together products like Defender for Endpoint, Tunnel, Entra Conditional Access, and Edge browser controls.
We take a different approach
Open source platform
Single client
Integrates with any IdP – not just Entra
Enforces Zero Trust with identity and posture checks


The ZTIA enforcement model
Authenticate the user and device using our Secure Access Client or gateway
Evaluate posture – OS version, AV, MDM status, certificates, etc.
Check policy – is this device and user allowed to access the internet?
If allowed, establish an encrypted path through the Secure Access Fabric
Apply inline filtering and threat controls via the integrated Secure Web Gateway
Log, observe, and enforce every flow in real time
If identity fails, posture fails, or policy denies it – the internet is unreachable. Not just filtered – blocked at source.
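The first three steps of the model above, written as a fail-closed decision function. This is an added example, not the vendor's code: the policy values, posture field names and the `AccessRequest` and `decide` names are assumptions made for illustration. It shows the case the last sentence implies: a missing or malformed posture signal is a deny, never a default allow.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy values for illustration; not taken from any product.
MIN_OS_VERSION = (14, 0)
INTERNET_GROUPS = frozenset({"staff", "contractors"})
REQUIRED_TRUE = ("av_running", "mdm_enrolled", "cert_valid")


@dataclass
class AccessRequest:
    user: Optional[str]                      # None means authentication failed
    groups: frozenset = frozenset()
    posture: dict = field(default_factory=dict)


def posture_failures(posture: dict) -> list:
    """Return the posture checks that failed; an absent signal is a failure."""
    failed = []
    os_version = posture.get("os_version")
    if not isinstance(os_version, tuple) or os_version < MIN_OS_VERSION:
        failed.append("os_version")
    # `is not True` rejects missing keys, None, and truthy strings like "yes".
    failed += [k for k in REQUIRED_TRUE if posture.get(k) is not True]
    return failed


def decide(req: AccessRequest) -> tuple:
    """Identity, then posture, then policy. Only an explicit pass allows."""
    try:
        if not req.user:
            return ("deny", "identity")
        failed = posture_failures(req.posture)
        if failed:
            return ("deny", "posture:" + ",".join(failed))
        if not (req.groups & INTERNET_GROUPS):
            return ("deny", "policy")
        return ("allow", "ok")
    except Exception:
        # A malformed report or evaluator bug must never fall through to allow.
        return ("deny", "evaluation_error")
```

The reason string returned with each deny is what would be written to the flow log, so a blocked device can be traced to the specific check it failed.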
Key Capabilities
Delivered through the Secure Access Fabric
ZTIA is not a standalone filtering product. It’s a capability of the evolving ZERO platform, delivered through the same unified Secure Access Fabric as:
Evolving ZTNA
Replaces traditional VPNs with identity- and policy-based access control for applications – delivered via the platform.
Evolving Secure SDWAN
Evolving ZT Segmentation
Evolving Secure Web Gateway
This means consistent enforcement, a single client or EVX deployment, and one set of policies. Whether traffic is destined for internal apps or the open internet, the same Zero Trust model applies.
Why it matters
Traditional SWG models make assumptions. They assume the device is trusted. They assume the network path is safe. They assume the filtering point can stop bad outcomes.
ZTIA assumes nothing.
Every flow is permissioned. Every route is policy-bound. Every session is encrypted and logged. And everything starts with identity and posture.
