Antikor - ZTSA (Zero Trust Service Access)

General Introduction

Antikor ZTSA is a Zero Trust Service Access (ZTSA) platform developed as a browser-based alternative to traditional VPNs. It provides low-risk connections by relaying only user interaction (screen output and keyboard/mouse input) between the browser and the target system, without granting users network access to the services themselves.

What is Zero Trust Service Access (ZTSA)?

ZTSA (Zero Trust Service Access) is an access security model based on the “Zero Trust” approach. In this model, no user or device is trusted by default, regardless of its network location. Every access request is granted only after it passes authentication and authorization checks; in short, “never trust, always verify.”

Antikor ZTSA allows users and devices to access only the applications and services they need, through a secure brokered session, rather than joining the network itself. This way, it:

  • Minimizes the attack surface created by the direct server access a VPN provides: clients never connect to the server directly.
  • Has users connect to the Antikor ZTSA portal over HTTPS instead of reaching services like RDP or SSH directly; Antikor ZTSA acts as the protocol adapter in between.
  • Because the client has no network path to the internal services, the service scanning and exploit attempts that a VPN connection would permit cannot be launched from the client.
  • Limits lateral movement and the spread of ransomware from a compromised endpoint.
  • Provides full visibility by logging every access request.
  • Unlike typical PAM products, it can operate agentlessly and brokers services beyond RDP and SSH, such as K8s, Telnet, VNC, web applications, and file transfers (FTP, SFTP/SCP, SMB/CIFS, WebDAV, S3, Google Drive).
  • It also has capabilities such as live participation in active sessions and collaborative session management.
  • Thus, Intranet applications, monitoring applications, and similar web interfaces can also be securely exposed for access.
  • Our ShareMyScreen feature, unlike solutions like Anydesk / Teamviewer, offers a secure remote control experience in your remote support processes by keeping the data on-prem (within the company) without moving the screen sharing traffic to the cloud.
  • Our product strengthens corporate security policies with advanced authentication layers (MFA, LDAP/ActiveDirectory, RADIUS-Challenge, SSO). Simultaneously, through Audit Logging and SIEM (CEF, JSON) integrations, it offers full compliance with corporate auditability standards and legal regulations.
  • The presentation of our solution as a Virtual Appliance provides a fast and flexible deployment advantage, requiring no changes to your existing network topology.
  • Its container-based internal architecture offers the ability to dynamically scale horizontally in response to increasing platform demands.

Product Architecture

It is offered to the market as a Virtual Appliance (VMware ESXi / vSphere, Microsoft Hyper-V, Proxmox, KVM-based hypervisors) and works behind any firewall. It offers remote access to internal systems with an entirely new approach: unlike traditional VPNs, it does not give users a network path to the server. Only the rendered session is relayed, so the server is never directly reachable from the client.


Regulations Regarding the Use of Antikor ZTSA

Antikor ZTSA integrally meets the requirements specified in the following regulations for:

  • “keeping connection logs” (ZTSA Access Log)
  • and more importantly, “creating user activity audit trails” (ZTSA Video and Text Session Recordings)

In the CBDDO Information and Communication Security Guide:

  • Section B.10.4 – Remote Access requires that connection logs be kept and monitored for remote access:
    “It must be ensured that connection logs are kept and monitored during remote access.”

  • Section B.3.6 – Audit Trails and Incident Management states:
    “Audit trails must be created for access to systems, user activities, and security incidents, and reviewed regularly.”

In the CBDDO Audit Guide:

  • It is stated that access controls and records must be audited based on the asset group within the scope of the audit. Access methods such as SSH/RDP are specifically evaluated within the “servers” and “user systems” asset group.

  • Furthermore, in the ANNEX-F: Measure Effectiveness Status section, whether audit trails are kept is itself listed as an audit subject.


Supported Services

  • Zero-configuration, agentless web proxy (HTTP / HTTPS)
  • RDP (Remote Desktop Protocol)
    • Secure File Sharing
    • Audio, Clipboard, and Printer Sharing
    • Ability to define an Initial Program
  • SSH - Secure Shell
    • Password & Public Key Authentication
  • Screen Sharing with Remote Control Capability
  • VNC (Virtual Network Computing)
  • Kubernetes (K8s) Console
  • Telnet
  • Remote Web Browsing (Browse the Internet remotely and securely)
  • Safebrowsing / Web Sandbox (Open the browser in an isolated environment, examine without risk)
  • Screen Sharing (Remote Control Access via Link)
  • Proxy Access via Agent (Windows, macOS, Linux supported)
  • File Access via File Browser
    • FTP - File Transfer Protocol
    • SFTP - SSH File Transfer Protocol
    • SMB/CIFS - Server Message Block (Common Internet File System)
    • WebDAV - Web Distributed Authoring and Versioning
    • SCP - Secure Copy Protocol
    • Google Drive integration
    • AWS S3-compatible storage (e.g. MinIO)
  • Wake on LAN support
  • Active Session Joining: Screen Monitoring / Management (Multiple users)

Access Control Features

  • Service, Group, User, and Role-based Access Control
  • Access permission expiry date control
  • Granting access permission on specific days
  • Granting access permission during specific hours
  • Connection Security with Additional Approval (Sponsored)
    • An OTP is sent to a designated approver (sponsor); the connection is established only after the approver confirms it
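The rules above combine into a single decision: access is denied unless a grant exists for the requested service, the grant matches the user (directly or through a group or role), it has not expired, and the current time falls on a permitted day and within a permitted hour window. The following is an added example of such a default-deny evaluator. It is illustrative code, not Antikor ZTSA's implementation; the policy fields, service names, users and the fixed UTC+3 zone are assumptions made for the demonstration. It also covers two edge cases the bullets leave implicit: hour windows that wrap past midnight, and requests arriving with a different UTC offset from the zone the grant was written in.

```python
"""Added example (not Antikor ZTSA's code): a default-deny evaluator for
expiry-, day- and hour-based access grants. Policy fields, services and
users below are assumptions for the demonstration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Iterable, Optional, Tuple

# Turkey has used UTC+3 all year since 2016, so a fixed offset is accurate
# here and avoids depending on the system tz database.
TRT = timezone(timedelta(hours=3), "TRT")


@dataclass(frozen=True)
class Window:
    """Daily window [start, end). If end <= start the window wraps past
    midnight, e.g. Window(time(22), time(6)) covers 22:00-06:00."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # overnight window


@dataclass(frozen=True)
class Policy:
    service: str
    subjects: frozenset  # "user:<name>", "group:<name>" or "role:<name>"
    tz: timezone = timezone.utc  # zone in which days/windows are evaluated
    expires_at: Optional[datetime] = None  # timezone-aware; exclusive bound
    days: frozenset = frozenset(range(7))  # 0=Mon ... 6=Sun
    windows: Tuple[Window, ...] = ()  # empty means any hour of the day


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

    def identifiers(self) -> frozenset:
        return frozenset({f"user:{self.user}"}
                         | {f"group:{g}" for g in self.groups}
                         | {f"role:{r}" for r in self.roles})


def evaluate(policies: Iterable[Policy], who: Principal, service: str,
             now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny unless some policy grants the service
    to one of the principal's identifiers AND every time constraint holds."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware; naive times hide offset bugs")
    reasons = []
    for p in policies:
        matched = p.subjects & who.identifiers()
        if p.service != service or not matched:
            continue
        if p.expires_at is not None and now >= p.expires_at:
            reasons.append("grant expired")
            continue
        local = now.astimezone(p.tz)  # always compare in the policy's own zone
        if local.weekday() not in p.days:
            reasons.append(f"day {local.strftime('%a')} not permitted")
            continue
        if p.windows and not any(w.contains(local.time()) for w in p.windows):
            reasons.append(f"time {local.strftime('%H:%M')} outside window")
            continue
        return True, f"granted via {sorted(matched)[0]}"
    return False, "; ".join(reasons) or "no matching grant (default deny)"


# Constructed sample grants and principals (assumptions, not real config).
POLICIES = (
    Policy("prod-db-ssh", frozenset({"role:dba"}), tz=TRT,
           expires_at=datetime(2025, 7, 1, tzinfo=TRT),
           days=frozenset(range(5)),                 # Mon-Fri only
           windows=(Window(time(8), time(18)),)),    # 08:00-18:00 local
    Policy("backup-rdp", frozenset({"group:ops"}), tz=TRT,
           windows=(Window(time(22), time(6)),)),    # night shift, any day
)
ALICE = Principal("alice", roles=frozenset({"dba"}))
BOB = Principal("bob", groups=frozenset({"ops"}))


def decide(who: Principal, service: str, iso_now: str) -> bool:
    """Evaluate against POLICIES at an ISO-8601 timestamp that carries an offset."""
    return evaluate(POLICIES, who, service, datetime.fromisoformat(iso_now))[0]


if __name__ == "__main__":
    for ts in ("2025-06-02T10:30:00+03:00", "2025-06-02T16:00:00+00:00"):
        print(ts, evaluate(POLICIES, ALICE, "prod-db-ssh", datetime.fromisoformat(ts)))
```

Two design choices worth keeping in a real deployment: the evaluator refuses naive timestamps, because a request stamped in UTC but compared against a local-time window silently opens or closes the window by the offset; and both the window end and the expiry are exclusive bounds, so a grant that "expires on 1 July" is dead at 00:00 that day rather than one second later.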

Security Features

  • Encrypted Credentials Storage
  • File Transfer Security
    • ACL-based, Antivirus Scanning Support
    • Optional Sandbox API Integration
  • Client - RDP drive share isolation
  • Session Recording
    • Screen video recording for RDP and VNC
    • Text screen recording for SSH, Telnet, K8s
  • Session Start and End Logs

Integration Features

  • SIEM / Syslog Integration
    • CEF, JSON Formats
  • Audit Log Integration
  • External Sandbox Integration
  • External Antivirus Integration
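The two SIEM formats listed above differ mainly in what must be escaped before a line is emitted: in CEF the header fields may not contain an unescaped `|`, extension values may not contain an unescaped `=`, and line breaks must be encoded as `\n`/`\r`, whereas JSON is handled entirely by a standard serializer. The following is an added example that builds session start and end events in both formats and parses the CEF line back to verify the round-trip; it is not Antikor ZTSA's code, and the signature IDs, extension keys and sample events are constructed for the demonstration.

```python
"""Added example (not Antikor ZTSA's code): session start/end events as CEF
and JSON for SIEM/syslog forwarding, with CEF escaping and a parser to
check round-trips. Signature IDs, field names and events are assumptions."""
import json
import re
from typing import Any, Dict

# CEF header fields, in order, after the "CEF:<version>" prefix.
HEADER_KEYS = ("vendor", "product", "version", "signature_id", "name", "severity")


def _esc_header(v: Any) -> str:
    # Header fields: escape backslash and the pipe delimiter.
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: Any) -> str:
    # Extension values: escape backslash, '=', and line breaks.
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: Dict[str, Any]) -> str:
    header = "|".join(_esc_header(event[k]) for k in HEADER_KEYS)
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in event["extension"].items())
    return f"CEF:0|{header}|{ext}"


def to_json(event: Dict[str, Any]) -> str:
    # json.dumps handles quoting; compact separators keep one event per line.
    return json.dumps(event, separators=(",", ":"), sort_keys=True)


def _unescape(s: str, table: Dict[str, str]) -> str:
    # Undo backslash escapes; unknown escapes yield the escaped character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(table.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# A key starts the string or follows a space and is directly followed by '='.
# An escaped '=' inside a value is preceded by '\', so it never matches.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")


def parse_cef(line: str) -> Dict[str, Any]:
    # Walk the header honouring escapes; after the seventh '|' the rest is extension.
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    event: Dict[str, Any] = dict(zip(HEADER_KEYS, fields[1:]))
    ext_raw, ext = line[i:], {}
    keys = list(_KEY_RE.finditer(ext_raw))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext_raw)
        ext[m.group(1)] = _unescape(ext_raw[m.end():end], {"n": "\n", "r": "\r"})
    event["extension"] = ext
    return event


# Constructed sample events. The msg value deliberately contains '\' and '='.
SESSION_START = {
    "vendor": "Antikor", "product": "ZTSA", "version": "1.0",
    "signature_id": "SESSION_START", "name": "RDP session start", "severity": "3",
    "extension": {
        "rt": "2025-06-02T07:30:00Z", "suser": "alice", "src": "203.0.113.7",
        "dhost": "fin-app01", "dpt": "3389", "app": "RDP",
        "msg": "Initial program: C:\\Apps\\ledger.exe --mode=audit",
    },
}
SESSION_END = {
    "vendor": "Antikor", "product": "ZTSA", "version": "1.0",
    "signature_id": "SESSION_END", "name": "RDP session end", "severity": "3",
    "extension": {
        "rt": "2025-06-02T08:00:00Z", "suser": "alice", "src": "203.0.113.7",
        "dhost": "fin-app01", "dpt": "3389", "app": "RDP",
        "cn1": "1800", "cn1Label": "sessionDurationSec", "outcome": "closed by user",
    },
}

if __name__ == "__main__":
    for ev in (SESSION_START, SESSION_END):
        print(to_cef(ev))
        print(to_json(ev))
```

The parser exists only to prove that escaping is reversible; a collector that splits extensions on a bare `=` or `|` will mis-parse the `msg` value above, which is exactly the kind of field (initial program path, command line) a session log carries.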

Authentication Methods

  • Local User
  • Single Sign On
    • SAML2.0
    • OAuth2.0
    • OpenID Connect
  • RADIUS - MFA and Challenge Supported
  • LDAP / Active Directory
  • MFA - Multi-Factor Authentication (OTP, TOTP)

Management Interface Features

  • HTML5 Responsive Web Interface
  • Event Notification Infrastructure
    • SMS, Email, Browser Notification, Webhook
  • Access Logging
  • Personalized Favorite Services
  • Override Support for Authorization-Dependent Configuration
  • Light / Dark Mode Support
  • Grid / List View Support
  • Service Grouping Support
  • Access Request Management Module
  • Quick Search Module
  • Reporting Module
  • Authorization Management

Scalability

Antikor ZTSA is designed to be compatible with modern container orchestration architectures such as Kubernetes and Docker Swarm. This allows the system to scale out horizontally and automatically, even under heavy user load.

Depending on the resources provided by the infrastructure, the system can seamlessly manage and connect thousands of people to services simultaneously. Since it can work integrated with existing virtualization, Kubernetes, or Docker Swarm infrastructures, organizations do not need to make an additional hardware investment.

For High Availability, both authentication services and the services it offers to users are managed with load balancing and failover mechanisms. This structure guarantees service continuity.

Key Advantages

  • High Security & Zero Trust Architecture: Users are not given direct access to systems. Only screen output and input interactions are carried. This minimizes the attack surface.
  • Browser-Based Access & Installation-Free Use: No software or agent installation is required on the user side. Instant access to RDP, SSH, VNC, Telnet, and more is provided with just a web browser.
  • Secure Alternative to VPNs: Antikor ZTSA is a more secure and easy-to-manage alternative compared to VPNs. Alternatively, it can connect via its own Agent if desired.
  • Advanced Authentication & SSO Support: Provides integration with existing corporate user accounts: secure, single-click login with SAML 2.0, OAuth 2.0, OpenID Connect.
  • Resource-Based Authorization: Each user can only see and access the systems they are authorized for. Access control is easily managed from a central panel.
  • Logging and Audit Mechanism: All sessions can be monitored and audited. Entry-exit, access logs, and system behaviors can be analyzed retrospectively.
  • Fast Setup, Easy Management: You can deploy the system in minutes and manage all access centrally. This offers great operational ease for IT teams.
  • Flexible Integration: Easily integrates with different data centers, identity providers, and security solutions. There is no need to change your existing infrastructure.
  • Ideal for Remote Work: Offers secure, limited, and traceable access to your personnel working outside the company. Secures location-independent work.

Example Use Case

Secure, Installation-Free, and Auditable Access from Off-Campus

Scenario: In a university or an affiliated hospital, applications such as Web of Science, Scopus, YÖK Thesis, and EBYS are only accessible from within the campus. However, the need for them extends beyond the campus.

For Academics — Installation-Free and Secure Access

  • Secure remote access to academic resources (TRDizin, Scopus, etc.)
  • Single-click login with corporate SSO
  • No extra password or installation required
  • Reduces IT support, improves user experience

RDP Access Granted to External Companies

  • External support access is provided without a VPN
  • Access is granted only to the relevant system
  • Browser-based, secure, and traceable

SSH and Web Accesses to Network Devices (Switch, AP, Firewall)

  • Access definition only for authorized devices
  • Browser-based access to SSH and Web interfaces
  • Logged, secure, and restricted connection
  • No direct connection to the device; its management interfaces are never exposed to the client