Zero trust access gateway architecture

Kemp ZTAG is an innovative approach to providing lightweight, low friction, multilayered secure access to critical applications.

Start evaluation

Secure access to your applications and services

Kemp's Zero Trust Access Gateway is designed to simplify the application of a zero trust model for secure access to published workloads and services using your existing load balancer deployment the architecture leverages Kemp’s Loadmaster ADC, IAM integration and intelligent based contextual traffic steering to protect proxied applications. The API-based policy builder allows for the definition and application of Zero Trust Access Gateway policies to be automatically deployed to LoadMaster load balancer instances.

Remote application access

  • iDP Integration
    Integrate with cloud identity providers to validate client identity and credentials prior to granting access to protected applications and services.
  • Location-based policy logic
    Leverage the location of client requests, combined with other communication characteristics to make decisions about service access and request routing.
  • Selective authentication
    Control authentication requirements levels for client sessions based on their pre-defined security zones.

Access Segmentation

  • Multi-network segment service publishing
    Publish shared resources and services across multiple access zones or VLANs with dedicated rules and logic based on trust level. Logical isolation of individual application services means that deployments based on microservices architectures can also be supported.
  • PCI DSS compliance
    Traffic to access sensitive information can be limited to select isolated client source zones with forced encryption and additional multi-factor authentication requirements. These capabilities combined with web application firewall services and encryption of data in transit, contribute to PCI DSS satisfaction.

Consolidate and reduce costs

  • Solution consolidation
    Increased remote work environments can double expenses associated with secure application publishing and access solutions – consolidating services onto a unified solution simplifies management and reduces operational costs.
  • Maximize return on investment
    When Kemp load balancers are leveraged as Zero Trust Access Gateways (ZTAG), return on investment for existing infrastructure is maximized.

Limit lateral movement to mitigate internal threats

  • Security group access validation
    Take advantage of integration with common directory services and identity providers to include security group membership as a logic input for determining required application access entitlement.
  • Active traffic steering policies
    Leverage a user’s security group membership to determine the services within an application that they should be allowed connectivity to along with the communication types they can execute. Actively redirect non-validated connections and apply more stringent authentication before they reach high trust services to mitigate brute force access attempt.

Protect microservices and container applications

  • East-West traffic management
    Apply a zero-trust model to intra service communications to benefit from a defense in depth model for microservices architectures and to reduce damage potential in the event of environment compromise.
  • Service level access control
    Implement fine grained access control to the individual services within an application as opposed to an all-or nothing model that traditional security access models often require.
  • Kubernetes integration
    Taking advantage of Kemp’s Kubernetes endpoint publishing and ingress controller capabilities enables access policies applied to traditional workloads to be extended to containerized ones.

Object storage access control

  • Method based access policies
    Granularly control application and user access to S3 buckets down to storage operations based on client security zone and identity (e.g. enable clients in security zone A to only execute reads and while those in security zone B are trusted to also execute writes but not deletes).
  • Contextual S3 traffic flow awareness
    Use traffic header information common to S3 traffic flows such as authentication headers to make decisions about object storage bucket access and traffic steering decisions.
Learn more about zero trust access for object storage

Key Features

  • Identity Provider (iDP) integration
  • Multi-factor authentication & SSO
  • Complex access control and traffic steering for proxied applications
  • Granular policy tuning based on traffic flow characteristics
  • Automated configuration & deployment via REST-based policy builder
  • Application reverse proxying
  • Infrastructure as code (IAC) configuration model
  • Identity-based application access isolation
  • Secure multi-network service publishing


Sizing calculator background image

Zero Trust Access Gateway Overview

Watch now
Free virtual trial

Zero Trust Access Gateway Tech Deep Dive

Watch now

Zero Trust Access Gateway Reference Architecture

Learn more

Zero Trust Access Library

Why not check out these resources to help you get started with a zero trust model for your environment.

Solution brief
Blog series
Zero Trust for object storage
Quick start guide
ZTAG policy builder

Start your Zero Trust
access gateway


Loading animation