Never trust. Always verify.
Identity, everywhere.
Every connection into an Ultiblob workload terminates at an identity policy decision; nothing is inferred from network position. The architecture below is what HIPAA, PCI DSS, and SOC 2 auditors actually want to see, and it is the default on every tier.
Six layers, one policy decision point.
Identity is the perimeter. Every layer checks the same policy, signed by the same identity provider, audited at the workload boundary.
- 01 Identity
Entra ID for human identity, workload identities for services. SSO mandatory; no shared credentials, ever. Conditional access by device posture, geography, and risk score.
- 02 Access broker
Browser-mediated SSH and VM access through our bastion service — short-lived certificates, no standing keys. Every session signed against a specific user × VM × window.
- 03 Network
Per-tenant private network with microsegmentation per workload. No flat networks, no implicit east-west trust. Traffic between services authenticates by identity, not IP.
- 04 Workload
Single-tenant compute with measured boot, encrypted disks (AES-256), and customer-held keys available on regulated tiers (BYOK/HSM-backed).
- 05 Data
Encryption at rest + in transit (TLS 1.3). Per-tenant key separation. PHI, PCI, and regulated workloads have BYOK as the default, not the upsell.
- 06 Observability
Every privileged action is logged at the workload boundary — not relying on perimeter logs. Compliance evidence is on-tap, not a project.
Each layer enforces the same identity-based policy decision. A compromise at one layer does not grant access at the next.
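The six layers above all call one policy function, and that function never reads the source address. The following is an added illustration, not Ultiblob's code: a small policy decision point whose inputs are identity, device posture, geography and risk score, re-evaluated at every hop from a fresh snapshot of those signals so that a risk score that rises mid-session is denied at a later layer. The country list, risk ceiling, layer names and `Request` fields are assumptions chosen for the example.

```python
"""Illustrative zero-trust policy decision point (added example, not Ultiblob code).

Every layer calls the same decide() with a fresh snapshot of the request's
signals. source_ip is carried for audit only and is deliberately never
consulted. Thresholds, layer names and field names are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ALLOWED_COUNTRIES = {"US", "CA"}   # assumed conditional-access geography rule
MAX_RISK = 30                      # assumed ceiling on the IdP risk score (0..100)
LAYERS = ("identity", "access-broker", "network", "workload", "data")


@dataclass(frozen=True)
class Request:
    subject: str            # human or workload identity asserted by the IdP ("" = none)
    device_compliant: bool  # device posture claim from MDM
    country: str            # ISO country of the source, as reported by the IdP
    risk_score: int         # IdP risk score, 0 (clean) .. 100
    source_ip: str          # recorded for audit; contributes nothing to the decision


@dataclass
class Decision:
    allow: bool
    reason: str
    trace: list = field(default_factory=list)  # (layer, allowed, reason) per hop


def decide(req: Request) -> tuple[bool, str]:
    """The single policy function shared by all layers. Note: no IP check."""
    if not req.subject:
        return False, "no authenticated identity"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"geography {req.country} not permitted"
    if req.risk_score > MAX_RISK:
        return False, f"risk score {req.risk_score} exceeds {MAX_RISK}"
    return True, "conditional-access checks passed"


def traverse(snapshots: list[Request]) -> Decision:
    """Walk the layers, re-verifying from a fresh signal snapshot at each one.

    snapshots[i] is what the IdP reports at the moment layer i evaluates the
    request, which is how a mid-session change in risk gets caught.
    """
    if len(snapshots) != len(LAYERS):
        raise ValueError("one signal snapshot per layer is required")
    trace = []
    for layer, snap in zip(LAYERS, snapshots):
        ok, reason = decide(snap)
        trace.append((layer, ok, reason))
        if not ok:
            return Decision(False, f"denied at {layer}: {reason}", trace)
    return Decision(True, "allowed through all layers", trace)


if __name__ == "__main__":
    # Constructed sample: an on-net request with no identity is denied at layer 01
    # even though its address is "inside"; a clean request passes all five layers.
    anon_inside = Request("", True, "US", 0, "10.0.0.9")
    print(traverse([anon_inside] * len(LAYERS)).reason)
    alice = Request("alice@corp.example", True, "US", 5, "203.0.113.7")
    print(traverse([alice] * len(LAYERS)).reason)
```

The point to notice is that `traverse` is the only place the layers differ; the policy itself is identical at each hop, and a compromised hop cannot relax it for the next one.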
What “zero-trust” actually means here.
Aligned to NIST SP 800-207. Implemented as defaults — not add-ons, not consulting projects.
Verify explicitly, every request
Identity is checked at every hop — never inferred from network location. The workload doesn't trust its neighbor just because they share a VLAN.
Assume breach, contain blast radius
Every workload runs as if the perimeter is already compromised. Microsegmentation per tenant and per service confines a single breach to a single segment.
Least privilege, by default
Standing access doesn't exist. Privileges are issued just-in-time, scoped to a single action, signed, time-bound, and recorded.
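The preceding sentence, and the access-broker layer's "user × VM × window" sessions, describe a grant that is scoped, signed, time-bound and recorded. The block below is an added example of that shape and is not Ultiblob's code: a broker mints a grant bound to one subject, one target and one action inside a short window, and the target verifies the signature, the binding and the window on every use, writing an audit record either way. HMAC-SHA256 with a broker-held key stands in for the asymmetric signing (an SSH certificate authority, for instance) a real broker would use; the field names and TTL are assumptions.

```python
"""Illustrative just-in-time access grant (added example, not Ultiblob code).

issue() mints a grant for exactly one subject x target x action x window and
signs it. verify() is what the target runs on every use: signature first
(constant-time compare), then binding, then window, and every outcome is
appended to AUDIT_LOG. HMAC with a shared key is a stand-in for asymmetric
signing such as an SSH CA; names and the default TTL are assumptions.
"""
import hashlib
import hmac
import json
import secrets

BROKER_KEY = secrets.token_bytes(32)  # fresh per run; an HSM-held key in practice
AUDIT_LOG: list[dict] = []            # append-only record of every verification


def _canonical(grant: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()


def _sign(grant: dict) -> str:
    return hmac.new(BROKER_KEY, _canonical(grant), hashlib.sha256).hexdigest()


def issue(subject: str, target: str, action: str, now: int, ttl_seconds: int = 300) -> dict:
    """Mint a signed grant valid from `now` for `ttl_seconds` (default 5 minutes)."""
    grant = {
        "sub": subject,      # who may use it
        "target": target,    # the one VM / service it applies to
        "action": action,    # the one action it covers (e.g. "ssh")
        "nbf": now,          # not before
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique id so audit entries can be correlated
    }
    return {"grant": grant, "sig": _sign(grant)}


def verify(token: dict, presenter: str, target: str, action: str, now: int) -> tuple[bool, str]:
    """Run by the target on every use. Returns (allowed, reason) and records it."""
    grant = token.get("grant", {})
    if not hmac.compare_digest(_sign(grant), token.get("sig", "")):
        result = (False, "signature invalid")        # covers any tampered field
    elif grant.get("sub") != presenter:
        result = (False, "presenter is not the granted subject")
    elif grant.get("target") != target:
        result = (False, "grant is bound to a different target")
    elif grant.get("action") != action:
        result = (False, "grant does not cover this action")
    elif not (grant["nbf"] <= now < grant["exp"]):
        result = (False, "outside the grant window")
    else:
        result = (True, "ok")
    AUDIT_LOG.append({
        "ts": now, "presenter": presenter, "target": target, "action": action,
        "jti": grant.get("jti"), "allowed": result[0], "reason": result[1],
    })
    return result


if __name__ == "__main__":
    # Constructed walk-through: one grant, used inside and then outside its window.
    tok = issue("alice@corp.example", "vm-17", "ssh", now=1_000)
    print(verify(tok, "alice@corp.example", "vm-17", "ssh", now=1_100))   # allowed
    print(verify(tok, "alice@corp.example", "vm-17", "ssh", now=1_400))   # expired
    print(verify(tok, "alice@corp.example", "vm-17", "sudo", now=1_100))  # wrong action
    for entry in AUDIT_LOG:
        print(entry)
```

Two details matter in practice: the signature check runs before any field is trusted, so a token whose `action` was edited from `ssh` to `sudo` fails as "signature invalid" rather than leaking which field was changed; and the deny path writes the same audit record as the allow path, so the log is evidence of attempts, not just of successes.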
Continuous verification
Identity is re-verified throughout the session, not just at login. Anomalous behavior revokes the session without a human in the loop.
Identity-everywhere, not perimeter-first
Network position grants nothing. Every connection — from a developer laptop, from a VM, from a managed service — terminates at an identity policy decision point.
Audit at the workload, not just the edge
Logging captures the action and the actor at every layer. Compliance evidence is a query, not a quarterly fire drill.
What changes when identity becomes the perimeter.
Side-by-side: the assumptions you grew up with, vs. the assumptions Ultiblob ships with.
| Legacy perimeter | Ultiblob zero-trust |
|---|---|
| Login once to the corporate VPN; you're trusted on the network | Login is one signal. Device posture, geography, and behavior keep verifying through the session. |
| Engineers SSH to bastions, then jump to VMs with shared keys | Browser-mediated SSH via short-lived certs issued by identity, audited at the connection, no keys on disk. |
| Internal services trust each other by IP | Every service-to-service hop authenticates by identity. Microsegmentation contains the blast radius. |
| Compliance evidence is a quarterly screenshot exercise | Audit logs flow continuously from every workload. Evidence is a query. |
| The vendor holds the keys, so the vendor can read your data | Customer-held keys (BYOK/HSM-backed) on regulated tiers; the vendor cannot read data at rest. |
What zero-trust looks like for your industry.
Healthcare
PHI never crosses an implicit trust boundary. Every read is identity-scoped, time-bound, and audited at the EHR query layer — not at the VPN edge.
Finance & tax
Every privileged action against tax-prep software is signed against an Entra identity with conditional access. Auditor evidence is a query, not a quarter.
AI startups
Workload identities sign every inference call. Model weights and embeddings sit in customer-key-encrypted storage; the platform cannot decrypt them.
Zero-trust, asked + answered.
- Three things. (1) No implicit trust by network location: being inside the perimeter grants nothing. (2) Identity is verified at every hop, not just at login. (3) Privileges are issued just-in-time, scoped to the action, and audited at the workload. Together these close off the classes of breach that a perimeter-trust model leaves wide open.
Move your perimeter from the network to the identity.
Free 30-minute zero-trust posture review with a senior engineer. We map your current architecture, identify the highest-risk gaps, and return a phased migration plan.