Category Archive - Ziti & OpenZiti - NetFoundry https://netfoundry.io/category/ziti-openziti/

Securing Ziti Identities in Alignment with Your Organization’s Security Policies https://netfoundry.io/netfoundry-sdk-apis/securing-ziti-identities-with-your-organizations-policies/ Mon, 22 Dec 2025 13:32:30 +0000

In an era where digital operations define business success, companies need more than just connectivity—they need secure, controlled, and trusted connectivity. This is the vision NetFoundry delivers through its innovative Ziti platform, a zero-trust, identity-centric networking solution used by organizations around the world to secure applications, workloads, and devices without the complexity of traditional security tools.

As businesses scale, so do their digital identities. Every user, device, application, API, or workload becomes part of your trust ecosystem. But maintaining compliance across all these identities can be overwhelming—and a single non-compliant identity can put your business at risk.

This can be addressed by leveraging the NetFoundry APIs in combination with custom code and cloud-native tools to manage identities and automatically trigger actions based on their compliance status.

Okay — let’s see how it works in the real world


Overview

The goal is to detect non-compliant Ziti identities and act on them automatically rather than at the next scheduled review. Identity records are written to a central store (Cosmos DB in the pipeline below; an AWS database could fill the same role), and every change to that store triggers an Azure Function that applies the compliance action, so enforcement and monitoring keep pace with what the endpoints report.

Architecture Overview

  1. When the Wazuh server (XDR) judges an endpoint non-compliant, it instructs the Wazuh agent on that endpoint to run a script (Wazuh's active-response mechanism).
  2. The script reads the identity information held by WDE on that endpoint and writes it to Cosmos DB, so every identity tied to the non-compliant endpoint is recorded centrally.
  3. A write to Cosmos DB, delivered through its change feed, triggers an Azure Function app.
  4. The Function's code runs in a Docker container. On each trigger it reads the latest identity records from Cosmos DB and sends a POST request to the MOP API asking for those identities to be disabled.
  5. MOP disables the identities on the controller for the duration specified in the request.
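
As an added illustration of steps 3 to 5 (example code written for this page, not NetFoundry's own Function or API client), the following Python models the decision logic an Azure Function would apply to a batch of change-feed documents before calling MOP: drop compliant records, skip malformed ones, collapse duplicates, never disable a protected break-glass identity, and report any non-2xx response as a failure. The document fields, the `/identities/<id>/disable` path and JSON body, the `PROTECTED` list and the sample feed are all assumptions constructed for the example; the HTTP call is injected as a function so the block runs offline.

```python
"""Change-feed to disable-request pipeline (added example, not code from the post).

Models steps 3-5 of the architecture above. The shape of the Cosmos DB documents,
the management-API path and payload, and the header names are ASSUMPTIONS made
for illustration; the real NetFoundry API is documented separately.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample of documents as the Wazuh-agent step (step 2) might write them.
SAMPLE_FEED = [
    {"id": "doc-1", "identityId": "id-aaa", "host": "lap-01", "compliant": False,
     "reason": "endpoint-protection-disabled", "observedAt": "2025-12-22T13:00:00Z"},
    {"id": "doc-2", "identityId": "id-bbb", "host": "lap-02", "compliant": True,
     "reason": "", "observedAt": "2025-12-22T13:01:00Z"},
    {"id": "doc-3", "identityId": "id-aaa", "host": "lap-01", "compliant": False,
     "reason": "endpoint-protection-disabled", "observedAt": "2025-12-22T13:02:00Z"},
    {"id": "doc-4", "identityId": "", "host": "lap-03", "compliant": False,
     "reason": "patch-missing", "observedAt": "2025-12-22T13:03:00Z"},
    {"id": "doc-5", "identityId": "id-breakglass", "host": "ops-01", "compliant": False,
     "reason": "patch-missing", "observedAt": "2025-12-22T13:04:00Z"},
]

# Identities the automation must never disable (assumed break-glass/admin list).
PROTECTED: Set[str] = {"id-breakglass"}


@dataclass(frozen=True)
class DisableRequest:
    identity_id: str
    reason: str
    until: str  # ISO-8601 UTC expiry of the disable


def plan_disables(docs: List[dict], now: datetime, quarantine: timedelta,
                  protected: Set[str] = PROTECTED) -> Dict[str, DisableRequest]:
    """Turn a batch of change-feed documents into one DisableRequest per identity.

    - compliant documents are ignored
    - malformed documents (no identityId) are skipped, not guessed at
    - duplicates collapse to one request (the feed can deliver the same
      identity several times per batch)
    - protected identities are never queued
    """
    until = (now + quarantine).replace(microsecond=0).isoformat().replace("+00:00", "Z")
    plan: Dict[str, DisableRequest] = {}
    for doc in docs:
        ident = doc.get("identityId") or ""
        if doc.get("compliant", True) or not ident or ident in protected:
            continue
        plan[ident] = DisableRequest(ident, doc.get("reason") or "unspecified", until)
    return plan


PostFn = Callable[[str, dict, dict], int]  # (url, json_body, headers) -> HTTP status


def apply_plan(plan: Dict[str, DisableRequest], post: PostFn, base_url: str,
               token: str) -> Dict[str, bool]:
    """POST one disable per identity and report success per identity.

    Anything other than 2xx is reported as a failure rather than swallowed, so
    the caller can retry or alert; a failed disable must never count as done.
    The path and body are assumed for illustration.
    """
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    outcome: Dict[str, bool] = {}
    for ident, req in sorted(plan.items()):
        url = f"{base_url.rstrip('/')}/identities/{ident}/disable"   # assumed path
        body = {"reason": req.reason, "until": req.until}           # assumed payload
        status = post(url, body, headers)
        outcome[ident] = 200 <= status < 300
    return outcome


def fake_post_factory(failing: Iterable[str] = ()):
    """Offline stand-in for the HTTP client; records calls and fails chosen ids."""
    failing = set(failing)
    calls: List[dict] = []

    def post(url: str, body: dict, headers: dict) -> int:
        calls.append({"url": url, "body": body})
        return 503 if any(f in url for f in failing) else 200
    post.calls = calls  # type: ignore[attr-defined]
    return post


def run(docs=SAMPLE_FEED, failing: Iterable[str] = ()):
    """Run the pipeline over a batch; returns (plan, per-identity outcome, calls made)."""
    now = datetime(2025, 12, 22, 13, 5, tzinfo=timezone.utc)
    plan = plan_disables(docs, now, timedelta(hours=24))
    post = fake_post_factory(failing)
    outcome = apply_plan(plan, post, "https://mop.example.invalid/api", "REDACTED")
    return plan, outcome, post.calls


if __name__ == "__main__":
    plan, outcome, calls = run()
    for ident, ok in outcome.items():
        print(ident, plan[ident].reason, plan[ident].until, "disabled" if ok else "FAILED")
```

Two points this structure makes easy to get right in production: the bearer token the Function presents to MOP should be scoped to disabling identities rather than being a full-admin credential, and a failed call (network error or 5xx) must surface as a failure to be retried or alerted on, never as a silent success, otherwise the endpoint stays connected while the dashboard says it was cut off.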

The result: stronger security, smoother operations, and greater confidence in every connection your business depends on. The pipeline provides a layer of protection that works silently in the background, keeping operations secure without adding complexity for your teams.

1. Always-On Oversight

Instead of periodic audits or manual reviews, Ziti Compliance Check acts on every identity as soon as Wazuh flags its endpoint, not at the next scheduled review. Risk stays minimized with no dependency on human effort or timing.

2. Immediate Risk Reduction

When a non-compliant identity is detected, the system responds immediately, before the condition can be exploited. Identities are disabled automatically, for the duration configured in the disable request, so a non-compliant endpoint cannot keep using them while it is out of policy.

3. Centralized Visibility

Business leaders and IT teams gain a unified, real-time view of compliance across the organization. This improves decision-making, simplifies reporting, and creates transparency across business units.

4. Designed for Modern Cloud Environments

The pipeline above is built on Azure (Cosmos DB and Functions), but the same pattern applies on AWS or hybrid cloud setups using the equivalent database and function services, so Ziti Compliance Check fits your digital transformation strategy without disruption.


Why Identity Compliance Is a Business Imperative

Cyber threats have evolved, and so have the expectations of regulators, customers, and partners. A single non-compliant identity can expose an organization to:

  • Costly data breaches
  • Interruptions in service delivery
  • Brand and reputational damage
  • Legal or regulatory penalties

For business leaders, this means compliance isn’t just an IT responsibility—it’s a strategic requirement.

You can leverage the flexibility provided by NetFoundry to bridge this gap by ensuring that every identity interacting with your business systems is trusted, up to date, and fully aligned with your security policies.


The Business Value: What Leaders Gain

Beyond improved security, this approach delivers measurable value across operations and governance.

Reduced Operational Risk

Automated compliance removes blind spots, minimizes identity-related vulnerabilities, and keeps unauthorized access at bay.

Lower Resource Burden

Your teams no longer need to manually track, validate, or deactivate non-compliant identities. Time saved can be redirected toward innovation and high-impact initiatives.

Stronger Regulatory Alignment

By ensuring consistent compliance, organizations stay audit-ready and can prove adherence to security frameworks with confidence.

Enhanced Customer & Partner Trust

Demonstrating robust, automated identity compliance reinforces your commitment to security—strengthening stakeholder relationships and brand credibility.

The post Securing Ziti Identities in Alignment with Your Organization’s Security Policies appeared first on NetFoundry.

Comparing NetFoundry and OpenZiti https://netfoundry.io/ziti-openziti/comparing-netfoundry-and-openziti/ Thu, 14 Aug 2025 13:58:31 +0000

Because both NetFoundry products and OpenZiti software have skyrocketed in popularity (NetFoundry now delivers billions of sessions per month), we are often asked for a short summary comparison. So, a blog post. 

Although NetFoundry has options ranging from air-gapped to multicloud native NaaS versions, this post focuses on the NaaS, since it is the most asked about. Likewise, NetFoundry products include white-label, resell and OEM options, but we’ll also keep those separate.

TL;DR — NetFoundry invented, developed, open sourced and continues to lead and maintain OpenZiti software. NetFoundry sells the world’s leading zero trust native networking products, which include:

  • OpenZiti software
  • NetFoundry patented software
  • NetFoundry-managed networks (supporting billions of sessions per month)
  • Enterprise support (24×7) and SLAs (up to 99.95%)
  • Air-gapped and on-prem solutions (including FIPS-compliant) 
  • Enterprise and OEM functionality (including white-label options)
  • Certifications and compliance
  • Third-party integrations

OpenZiti is software – it is not a product, but it is great for home use, non-production use cases and learning about some of NetFoundry’s capabilities.  NetFoundry provides products.

NetFoundry NaaS products

NetFoundry zero trust native overlays can be deployed as fully managed NaaS, hybrid, on-premises or air-gapped.  NetFoundry products are used by two of the largest five companies in the world, governments and critical infrastructure on three continents.  

NetFoundry also provides OEM and white label products for providers to embed zero trust into their products.  However, this post is about NetFoundry NaaS and focuses mainly on unique NetFoundry product capabilities (but all the other OpenZiti software capabilities are included in NetFoundry products).

Why NetFoundry NaaS (in plain terms)

Outcomes & assurances

  • Proven at billions of sessions/month with private, customer-dedicated overlays (not shared between customers).
  • 24×7 support and SLA up to 99.95%.
  • Global reach with operations across 100+ PoPs for consistent performance.
  • Deploy anywhere: extend overlays via agentless and endpoint options; host endpoints and site gateways with one-click deploy/suspend on AWS, Azure, GCP, OCI.

Privacy, sovereignty & compliance

  • End-to-end encryption with key sovereignty at your endpoints—NetFoundry cannot access customer data.
  • Dedicated instances by default; customers may make them multi-tenant, but overlays are never shared across customers.
  • SOC 2 Type II. Guidance and options for NIST 800-171, FFIEC/COBIT, FIPS, CJIS, HIPAA, PCI DSS, FedRAMP/GovCloud, NIS2, IEC 62443, NERC CIP, EU CRA, DORA.
  • Crypto choices: high-performance libsodium (default) with the ability to toggle FIPS-compliant and post-quantum encryption modes.

Operate from day one

  • Powerful console & abstractions: service-centric policies and automation reduce toil—no DIY dashboards or glue code. Built in RBAC and full APIs so you keep control.
  • Instant org & tenant bootstrap: we auto-create your Organization, Network Group, and first Network at signup—no YAML, scripts, or CLI loops—so teams can onboard the same day.
  • Multi-tenant (your way): every customer gets a private, dedicated instance; within it you can structure your own tenants for lines of business, customers, or environments.
  • White-label & vanity domains: theme the console, BYO DNS/TLS, present a branded experience.
  • Billing & usage metering: built-in dashboards for chargeback/showback—see consumption by app, team, or tenant.
  • Rich telemetry & audit logs: including which people/devices consumed which services and applications (with usage insights).

For Dev & DevOps: What “Managed” Actually Gets You 

Reliability, performance & scale (how it’s delivered)

  • HA by design across control and data planes, with ingress/egress load balancing and auto-scaling.
  • NetFoundry-operated control/data planes across 100+ PoPs; endpoints/routers dynamically optimize paths to use the best connections.
  • Hardened, tested, certified OpenZiti endpoints for any OS, supplemented with eBPF and endpoint wrappers.

Management, identity, authn/authz

  • All-batteries-included: identity, authentication, authorization; turnkey IdP (Auth0, OIDC) and CA integrations with centralized control.
  • Automated provisioning via SCIM; universal identities for humans and NHIs; integrations with Keycloak, CyberArk, and support for SPIFFE.
  • API-first + RBAC: fine-grained token scopes, service accounts, user/role admin, audit trails.
  • Multi-tenant, your way: private instance for your org; model tenants inside it (by LOB/customer/env) with hierarchical RBAC and policy boundaries.

Platform services you don’t have to build

  • Dedicated, managed PKI: automated per-network hierarchies with optional external CA chaining.
  • Lifecycle ops as buttons: start/stop, suspend/resume, rolling upgrades, backups with safe defaults and rollbacks; updates & upgrades are automated with customer-controlled windows.
  • Instant org & tenant bootstrap: on signup we create your Organization → Network Group → first Network—no YAML/scripts/CLI loops.

Reach & access workflows

  • Choose agentless (zero trust proxy / reverse proxy) or endpoint-based connectivity.
  • Host endpoints and site gateways (edge routers) with one-click lifecycle in AWS/Azure/GCP/OCI.
  • Access models: JIT, one-time, time-bound, persistent, integrated with leading ticket/workflow systems.

Observability, compliance modes & APIs

  • Dashboards, traces, alerts, audit logs, and usage out of the box.
  • Crypto modes on demand: toggle FIPS-compliant and post-quantum options as needed.
  • API-first + RBAC for CI/CD and ops automation.

Start in Minutes

Whether you’re connecting SaaS to private data, securing AI/agent traffic, or segmenting OT networks, NetFoundry gets you there faster and more securely.

Start a free trial or book a live demo and ship your next secure service without the network complexity.

Notes

  • This post focuses on global, NetFoundry-hosted and managed NaaS products, but NetFoundry also provides hybrid, on-premises and air-gapped products. 
  • This includes providing a management solution which is based on NetFoundry’s global NaaS management suite (which manages billions of sessions per month) and customized for on-premises use cases.  
  • Likewise, NetFoundry enables partners to integrate NetFoundry software into products in partner, OEM and white-label models, creating secure by design products (built-in zero trust connectivity and networking).

About NetFoundry

Thousands of businesses, including 2 of the largest 5 in the world, use NetFoundry to securely connect any workflow, via NetFoundry NaaS, on-premises and partner models, replacing anything from VPNs to SD-WANs. NetFoundry’s overlays are the first to be driven by built-in, cryptographically authenticated identities for humans and non-humans (NHI for devices, AIs, OT). Providers use NetFoundry to embed zero trust in their products in an OEM model. NetFoundry is the inventor and maintainer of the world’s most used open source zero trust platform, OpenZiti. Start a free trial, book a live demo or learn more

The post Comparing NetFoundry and OpenZiti appeared first on NetFoundry.

Demystifying the Magic of Zero Trust Networking with my Daughter https://netfoundry.io/ziti-openziti/demystifying-the-magic-of-zero-trust-networking-with-my-daughter/ Wed, 03 Jul 2024 00:17:05 +0000

Magic and Pasta (Zero Trust Networking)

I had always had trouble explaining to my eldest daughter what I did for my job and how our technology would change the world. She did not understand NetFoundry and our open-source platform OpenZiti, but she loves Ziggy (our pasta mascot).  I did have to explain that Ziti is our product code name based on the letters Z T and connected to Zero Trust of course. Then we began reading Harry Potter together, and I was reminded of Arthur C. Clarke’s Three Laws and, most memorably, the third law: “Any sufficiently advanced technology is indistinguishable from magic.” And it hit me; I could use magic and Harry Potter as a way to have my daughter understand what NetFoundry and open source OpenZiti did and, therefore, what my job was.

Castles and Cities (Zero Trust Identities and Access)

Let’s start with some background. “Castle-and-moat” is a network security model in which no one outside the network can access data on the inside, but everyone inside the network can. Imagine an organization’s network as a castle and the network perimeter as a moat. Over the last few years, this model has become outdated. Businesses have evolved into ‘corporate cities’ with open trade routes (APIs), apps, and users distributed everywhere, with various security systems using the public internet as an information superhighway. While cities are drivers of innovation, they have a fundamental flaw: you cannot secure networks, only isolate them. Anyone can get between our cities in microseconds, kind of like the Floo Network. As a result, they are riddled with crime, a trillion-dollar drag on the global economy. Scan-and-exploit, in which attackers mass-scan the internet for reachable services and then exploit whatever answers, has become the No. 1 attack vector for cyber-criminals. In recent years, Zero Trust has found significant industry adoption based on the principles laid out by NIST.

  1. Enhanced identity governance.
  2. Policy-based access controls.
  3. All connectivity is micro-segmented.
  4. Implementing software-defined perimeters and supporting hardware root of trust.


But not all zero trust is made equal. Together, my daughter and I settled on categorizing non-magical, partially magical, and magical zero trust to help explain the differences. Now she understands what I do and how our technology works.

Non-magical Zero Trust Networking

At the most basic level, we have security vendors (commonly firewalls or VPN providers) who have applied a ‘zero trust’ label to their products and have non-magically become zero trust vendors. These products act as a proxy point for user and device verification, achieving principle 2 and possibly, but not always, principle 3 as defined by NIST. They still have public IPs, inbound ports, and link listeners, so they remain exposed to external network-level attacks. My daughter understands this as adding guards and ID verification to buildings (network), floors (host), and maybe rooms (apps) within our cities. It’s better than a VPN, but there are still many attack vectors, as the silly Muggles don’t believe in magic.

Partially-magical Zero Trust Networking

Non-magical zero trust has a problem; my daughter describes it best: “Imagine if any Muggle could walk into King’s Cross platform 9 3/4 by accident!!” A few vendors introduced principle four and built a software-defined perimeter (SDP) into their products. This massively reduces the externally reachable attack surface (and hides witches and wizards from Muggles). SDP can use various techniques, including single packet authorization (SPA, the successor to port knocking) or authentication-and-authorization-before-connectivity using strong identity and least-privileged access. This is a significant improvement for the security of our cities; apps can be “invisible, like Diagon Alley or 12 Grimmauld Place”. Now malicious actors (and silly Muggles) cannot find or attack your applications or cities. We didn’t stop there though…

Magical Zero Trust Networking

While reading Harry Potter, my daughter became bewitched with the idea of Portkeys, ‘magical objects which can instantly bring anyone touching it to a specific location’. She kept touching random objects around the house, expecting to turn up at the toy shop. But that does not sound much like a network traditionally bolted between our apps and users. However, this is *exactly* what happens when you embed an open-source OpenZiti SDK into your application! Now, regardless of where your endpoint is, it’s magically transported to the destination through the OpenZiti fabric. My daughter tells me it’s like putting a powerful spell of concealment and a Portkey directly into your app.

This software-powered OpenZiti network is configured using identities, services, and policies. It ensures there is no other way to reach your app, because we place zero trust in the wide-area network, the local network and even the host’s own network stack. Embedding zero trust into your apps makes them immune to attacks that arrive over the network, including from other software on the same device [1]. Even if malicious actors or ransomware tried to attack the application from the device, they cannot; Muggles cannot enter. They do not have the Portkey (or ‘port key’; wink, wink); it’s inside the app. Your APIs are dark, and your users have no idea. This magical, invisible network is concealed inside the application; it’s completely transparent. The application becomes multi-cloud native with absolutely no lock-in to cloud or telco ‘secure connectivity’ products. The app only needs commodity internet with a few outbound ports.

What is most magical about OpenZiti and NetFoundry is that we built it as a platform that supports any use case, from hybrid/multi-cloud to edge and IoT, across user access (including DevOps or user remote access), and app-embedded. Now, every business connectivity requirement can be magical.

As my daughter keeps telling her friends, “My dad does magic with technology,” and now she (sort of) knows what I do for my job.

[1] Phishing is a technique malicious actors use to trick users into installing malware on their devices. That malware may then look for servers or applications on the device with listening ports and exploit them. This is not a side channel in the cryptographic sense but a lateral attack on a locally reachable listening port; an application whose only network presence is an outbound OpenZiti connection has no such port, so there is nothing for the malware to target.

The post Demystifying the Magic of Zero Trust Networking with my Daughter appeared first on NetFoundry.
