Zero Trust Architecture
What is Zero Trust?
Zero Trust is a security model built on one foundational idea: no user, device, or network should be inherently trusted, regardless of whether they are inside or outside the traditional network perimeter. In the conventional approach to network security - often described as the "castle and moat" model - organizations would establish a strong perimeter (the moat) around their internal network, and anything inside that perimeter was considered trusted. This model assumed that threats originated from the outside, and that any entity past the firewall could be trusted to access internal resources freely.

The problem with this model is that it fails catastrophically when the perimeter is breached. A single compromised credential, a phishing attack, a vulnerable device on the network, or an insider threat can give an attacker access to everything inside the perimeter.

Zero Trust rejects this assumption entirely. Instead, it operates on three core principles:

Verify explicitly: authenticate and authorize every request based on all available data points, including user identity, location, device health, and the specific resource being requested.

Use least privilege: grant the minimum level of access required for the task at hand, and nothing more.

Assume breach: design systems as if an attacker is already inside the network, and minimize the blast radius of any single compromise through segmentation and monitoring.
Zero Trust in Industrial Automation
The industrial automation sector is undergoing a fundamental transformation in how networks and devices are managed, driven by the convergence of Information Technology (IT) and Operational Technology (OT). Historically, industrial control systems - PLCs, HMIs, SCADA systems, and the networks connecting them - were physically isolated from corporate IT networks and the internet at large. This air gap provided a natural form of security. However, modern industrial environments increasingly require remote access for operators working from home or in the field, cloud-based analytics platforms that ingest telemetry from edge devices, vendor access for remote diagnostics and maintenance, and integration between OT systems and enterprise IT systems such as ERP and MES platforms. This IT/OT convergence means that industrial devices and the services running on them are increasingly network-reachable, creating new attack surfaces. Traditional VPN-based remote access partially addresses this, but VPNs have a significant limitation in the context of Zero Trust: they typically grant broad network-level access. Once a user connects to a VPN, they can often reach many or all devices and services on the network, far exceeding what they actually need. Zero Trust, by contrast, grants access on a per-service, per-user basis, with continuous verification. The National Institute of Standards and Technology (NIST) formalized this approach in Special Publication 800-207, "Zero Trust Architecture," which describes the principles and deployment models for implementing Zero Trust in enterprise environments.
How Horizon Implements Zero Trust
Horizon embeds Zero Trust principles into every layer of its design. At the most fundamental level, every circuit created in Horizon has its own independent, isolated access policy - there is no concept of "blanket access" where granting access to one circuit grants access to others. Each circuit is a standalone trust boundary.

Identity verification is enforced through three distinct policy tiers: a circuit can require no authentication (public), authentication as a project member, or authentication as a specifically named user on an explicit allowlist. Beyond identity, Horizon also performs network-level verification through IP blacklisting and whitelisting (deny and allow lists) expressed in CIDR notation, and through geographic restrictions that can block traffic from entire countries. Threat detection is handled by the automated bot and vulnerability scanner blocking system.

Continuous monitoring is built in: every request, whether allowed or blocked, is logged with its source IP, geolocated country, request path, response status code, the action taken, and the authenticated user's identity where applicable. These logs are available in real time through the monitoring dashboard, and 24-hour aggregate statistics are computed automatically.

Finally, Horizon supports time-bound access through its connection expiration feature: a circuit can be configured to expire automatically (self-destruct) after a specified date and time, which is ideal for granting temporary vendor access or running time-limited demo environments.
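To make the per-circuit decision flow concrete, the following is an added illustration written for this page; it is not Horizon's code, and the class names, field names, status codes and check ordering are assumptions. It evaluates one request against one circuit's standalone policy (expiration, IP deny/allow lists in CIDR form, country block, a crude scanner check, then the three identity tiers), emits the kind of log record the text lists, and aggregates a trailing 24-hour window. The circuits, clock and addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed marker list for the "bot and scanner blocking" step. A real
# product would use behavioural signals, not only User-Agent substrings.
SCANNER_UA_MARKERS = ("sqlmap", "nikto", "masscan", "nmap", "zgrab")


@dataclass(frozen=True)
class Circuit:
    """One exposed service with its own standalone policy (assumed shape)."""
    name: str
    policy: str                                  # "public" | "project" | "allowlist"
    allowlist: frozenset = frozenset()           # usernames, only for "allowlist"
    ip_deny: tuple = ()                          # CIDR strings (blacklist)
    ip_allow: tuple = ()                         # CIDR strings (whitelist); () = any
    blocked_countries: frozenset = frozenset()   # country codes
    expires_at: Optional[datetime] = None        # None = never expires


@dataclass(frozen=True)
class Request:
    """What the edge knows about one inbound request (assumed shape)."""
    circuit: str
    src_ip: str
    country: str
    path: str
    user_agent: str = ""
    user: Optional[str] = None                   # authenticated identity, if any
    is_project_member: bool = False


def _ip_in(ip: str, cidrs) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def evaluate(c: Circuit, r: Request, now: datetime):
    """Return (status, action, reason). Each request is judged from scratch
    against this circuit only; nothing carries over from other circuits."""
    if r.circuit != c.name:
        return 404, "blocked", "no such circuit"
    if c.expires_at is not None and now >= c.expires_at:
        return 404, "blocked", "circuit expired"       # assumed: expired == gone
    if _ip_in(r.src_ip, c.ip_deny):
        return 403, "blocked", "source ip denylisted"
    if c.ip_allow and not _ip_in(r.src_ip, c.ip_allow):
        return 403, "blocked", "source ip not allowlisted"
    if r.country in c.blocked_countries:
        return 403, "blocked", f"country {r.country} blocked"
    if any(m in r.user_agent.lower() for m in SCANNER_UA_MARKERS):
        return 403, "blocked", "scanner signature"
    if c.policy == "project":
        if r.user is None:
            return 401, "blocked", "authentication required"
        if not r.is_project_member:
            return 403, "blocked", "not a project member"
    elif c.policy == "allowlist":
        if r.user is None:
            return 401, "blocked", "authentication required"
        if r.user not in c.allowlist:
            return 403, "blocked", "user not on allowlist"
    elif c.policy != "public":
        raise ValueError(f"unknown policy {c.policy!r}")
    return 200, "allowed", "ok"


def log_record(c: Circuit, r: Request, now: datetime) -> dict:
    """Evaluate and build the per-request log entry described in the text."""
    status, action, reason = evaluate(c, r, now)
    return {"ts": now.isoformat(), "circuit": c.name, "src_ip": r.src_ip,
            "country": r.country, "path": r.path, "status": status,
            "action": action, "reason": reason, "user": r.user}


def stats_24h(records, now: datetime) -> dict:
    """Aggregate allowed/blocked counts over the trailing 24 hours."""
    cutoff = now - timedelta(hours=24)
    recent = [x for x in records if datetime.fromisoformat(x["ts"]) >= cutoff]
    return {"allowed": sum(x["action"] == "allowed" for x in recent),
            "blocked": sum(x["action"] == "blocked" for x in recent)}


# Constructed fixtures: a fixed clock and three circuits with independent policies.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
HMI = Circuit("hmi", "allowlist", allowlist=frozenset({"alice"}),
              ip_deny=("198.51.100.0/24",), blocked_countries=frozenset({"ZZ"}))
SCADA = Circuit("scada", "allowlist", allowlist=frozenset({"carol"}))
VENDOR = Circuit("vendor-diag", "project", expires_at=NOW - timedelta(minutes=1))

if __name__ == "__main__":
    for r in (Request("hmi", "203.0.113.7", "AA", "/", user="alice"),
              Request("scada", "203.0.113.7", "AA", "/", user="alice"),
              Request("vendor-diag", "203.0.113.7", "AA", "/", user="alice",
                      is_project_member=True)):
        print(log_record({"hmi": HMI, "scada": SCADA}.get(r.circuit, VENDOR), r, NOW))
```

The point the fixtures make is the isolation property: `alice` is explicitly trusted on `hmi`, yet the same identity is refused on `scada` because that circuit has its own allowlist, and the expired `vendor-diag` circuit answers as if it no longer existed regardless of who is asking.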
Horizon vs CloudLink
Horizon and CloudLink serve complementary but fundamentally different purposes. CloudLink is Mutexer's private VPN service, built on WireGuard, that creates a secure, encrypted network between devices, virtual machines, and peers within a project. CloudLink operates on the 10.8.0.0/24 private network and is designed for device-to-device communication - for example, allowing a PLC on one site to communicate with a monitoring server on another site, or enabling an engineer's laptop to SSH into a remote device. Traffic on CloudLink never touches the public internet in an unencrypted form; it is always encapsulated in WireGuard tunnels. Horizon, by contrast, is designed for public-facing access to specific services with policy enforcement. It exposes individual services (not entire devices or networks) through publicly accessible HTTPS domains, with multiple layers of access control and security. CloudLink is appropriate when private, encrypted connectivity between devices and users within a project is required. Horizon is appropriate when controlled access to specific web-based services from the broader internet is needed. Both services can - and often do - coexist on the same project and the same devices, serving different access patterns simultaneously.
TIP
CloudLink functions as a private internal network connecting devices and engineers behind closed doors. Horizon functions as a controlled, monitored, policy-enforced front door that selectively allows the outside world to access specific services.
