P2CODE: Enabling zero-trust, secure, on-the-fly cross-domain connectivity 

by Georgios P. Katsikas

In today’s interconnected digital landscape, managing secure access to geo-distributed infrastructures is a challenge. Organizations often operate across multiple self-managed private domains, each with its own security policies, infrastructure constraints, and regulatory requirements. Sharing resources and services between these domains, especially in sensitive environments such as manufacturing, critical infrastructure, and public protection and disaster relief (PPDR) applications, requires strong security mechanisms that maintain trust, ensure compliance, and prevent unauthorized access.

Traditionally, organizations rely on Virtual Private Networks (VPNs) to establish secure connections between domains. VPNs, however, come with significant limitations: they require complex configuration, introduce administrative overhead, and offer only coarse, network-level access control rather than control per service. They also run counter to the principles of Zero-Trust Security, under which no user or device is inherently trusted, even inside an organization’s own network: once a VPN tunnel is up, the peer typically sees the whole remote network rather than the one service it needs.

A notable real-world example of the risks of traditional VPNs is a breach disclosed in 2021, in which attackers exploited a vulnerability in a vendor’s VPN appliances to compromise multiple organizations, including government agencies and defense companies. The attackers retained unauthorized access to sensitive systems for several months before detection. The incident illustrates the inherent risks of VPNs: reliance on perimeter-based security, where a single compromised gateway grants broad reach into the internal network, and the difficulty of patching exposed edge appliances promptly.

For operators of large-scale distributed infrastructures, these challenges translate into operational inefficiencies, security risks, and integration difficulties. Different stakeholders have different needs:

  • Infrastructure owners need a way to securely expose and integrate resources across domains without making them publicly accessible. 
  • Service providers require seamless, secure, and dynamic service access management across multiple networks. 
  • System administrators must ensure that access policies in critical infrastructures follow strict security and regulatory frameworks without relying on outdated security models like VPN-based perimeter security. 

Failing to address these issues leads to higher security risks, lack of scalability, and fragmented access policies across networks. 

Several technologies attempt to address this problem: 

  • VPNs & Firewalls: While widely used, they create static tunnels that are complex to manage, scale poorly, and expose entire networks instead of specific services.
  • SD-WAN Solutions: These improve networking flexibility but do not offer fine-grained access control at the service level.
  • Cloud-Based Identity and Access Management: Solutions such as Azure AD and AWS IAM control user access to a provider’s resources but do not dynamically secure service-to-service access across domains.

The P2CODE Solution 

To overcome these challenges, P2CODE introduces Zero-Trust Service Access Management (ZSAM), a programmable security fabric designed to provide secure connectivity between geo-distributed domains. ZSAM is built on the principles of Zero Trust and leverages the Software-Defined Perimeter model. Instead of creating static tunnels between domains, it establishes a dynamic, encrypted overlay network in which access is granted per service, based on identity and security policy.

The innovation of P2CODE’s ZSAM lies in how service access is secured and managed across distributed infrastructures: it shifts from the traditional network-centric security model to a service-centric, identity-driven one. Unlike the solutions above, it removes implicit trust and enforces fine-grained, on-demand access control at the service level, which significantly reduces the attack surface. ZSAM dynamically establishes short-lived, encrypted connections, so that only authenticated and authorized services interact, without exposing entire networks. Most importantly, this is done on the fly through API calls, eliminating human involvement in the runtime process of establishing secure tunnels. Additionally, ZSAM decouples security enforcement from the network infrastructure, which makes it adaptable across private and public domains without requiring reconfiguration of existing networks.
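To make the service-centric, identity-driven model concrete, the following is an added, self-contained Python example (not P2CODE’s or OpenZiti’s code) that models the Dial/Bind service-policy evaluation used by OpenZiti, on which ZSAM is built: identities and services carry role attributes, a policy names both sides with selectors (`#attribute`, `@name`, `#all`), and anything not covered by a policy is unreachable. The identities, services and policies are constructed for illustration, and the request-body shape returned by `policy_to_api_payload` is an assumption about the management API, not something documented on this page.

```python
"""Service-level, identity-driven access control in the style of ZSAM's
OpenZiti foundation.  Added example, not P2CODE or OpenZiti code: it models
how Dial/Bind service policies are evaluated over role attributes, so that
nothing on the overlay is reachable unless a policy names both the caller
and the service.  All inventory below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset  # role attributes, e.g. {"orchestrator"}


@dataclass(frozen=True)
class Service:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    type: str                # "Dial": may connect to; "Bind": may host/offer
    identity_roles: tuple    # selectors: "#attribute", "@name" or "#all"
    service_roles: tuple
    semantic: str = "AnyOf"  # "AnyOf" or "AllOf" over each selector list


def selector_matches(selector, name, roles):
    """Evaluate one role selector against an entity's name and attributes."""
    if selector == "#all":
        return True
    if selector.startswith("@"):
        return selector[1:] == name
    if selector.startswith("#"):
        return selector[1:] in roles
    raise ValueError(f"unknown selector syntax: {selector!r}")


def selectors_match(selectors, semantic, name, roles):
    """Combine the selectors of one side of a policy using its semantic."""
    hits = [selector_matches(s, name, roles) for s in selectors]
    if not hits:  # an empty role list never grants anything
        return False
    return all(hits) if semantic == "AllOf" else any(hits)


def policy_applies(policy, identity, service):
    return (selectors_match(policy.identity_roles, policy.semantic,
                            identity.name, identity.roles)
            and selectors_match(policy.service_roles, policy.semantic,
                                service.name, service.roles))


def allowed(policies, ptype, identity, service):
    """Default deny: a Dial (or Bind) is permitted only if some policy of that
    type covers both the identity and the service.  There is no notion of
    'inside the network': a peer with no matching policy sees nothing."""
    return any(p.type == ptype and policy_applies(p, identity, service)
               for p in policies)


def reachable_services(policies, identity, services):
    """The service list a client can discover and dial on the overlay."""
    return sorted(s.name for s in services
                  if allowed(policies, "Dial", identity, s))


def policy_to_api_payload(policy):
    """Request body an orchestrator would send when creating the policy
    programmatically (the on-the-fly, API-driven step).  Field names follow
    the OpenZiti CLI flags; the exact management-API schema is an assumption."""
    return {"name": policy.name, "type": policy.type,
            "semantic": policy.semantic,
            "identityRoles": list(policy.identity_roles),
            "serviceRoles": list(policy.service_roles)}


# Constructed inventory spanning two domains (hypothetical names).
IDENTITIES = {
    "maestro-ops":    Identity("maestro-ops",    frozenset({"orchestrator"})),
    "plc-gw-patras":  Identity("plc-gw-patras",  frozenset({"patras", "plc-host"})),
    "visitor-laptop": Identity("visitor-laptop", frozenset({"guest"})),
}
SERVICES = {
    "plc-api-patras":     Service("plc-api-patras",     frozenset({"patras", "plc"})),
    "camera-feed-athens": Service("camera-feed-athens", frozenset({"athens", "video"})),
}
POLICIES = [
    ServicePolicy("plc-dial",   "Dial", ("#orchestrator",), ("#plc",)),
    ServicePolicy("plc-bind",   "Bind", ("#plc-host",),     ("#plc",)),
    ServicePolicy("video-dial", "Dial", ("@maestro-ops",),  ("#video",)),
]

if __name__ == "__main__":
    for ident in IDENTITIES.values():
        print(f"{ident.name:15} can dial: "
              f"{reachable_services(POLICIES, ident, SERVICES.values())}")
```

Note the asymmetry the model enforces: the orchestrator identity may dial the PLC API but may not bind (host) it, the gateway may host it but not dial it, and the guest identity sees an empty service list even though it is "on" the same overlay. That is the service-level default deny that a VPN, which exposes a whole subnet once the tunnel is up, cannot express.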

Overall, the P2CODE approach to cross-domain connectivity through ZSAM is scalable, interoperable, and lightweight compared to traditional solutions, which require complex policies, time-consuming manual configuration, and high maintenance overhead.


Impact 

The P2CODE ZSAM solution builds upon OpenZiti, an open-source zero-trust networking platform. From the deployment of ZSAM (with OpenZiti as its basis) across the four P2CODE testbeds in Athens, Italy, Patras, and on Amazon Web Services, P2CODE will gather and feed back to the OpenZiti community (i) lessons learnt regarding deployment issues and configurations and (ii) bug fixes, helping the community improve OpenZiti.

ZSAM is also integrated with P2CODE’s service orchestrator (Maestro) and resource orchestrator (ETSI OpenSlice), demonstrating a distributed orchestration platform with built-in security and trust.

Georgios P. Katsikas is Technical Manager at UBITECH | Networked Systems and Software (NSS), and P2CODE Technical Coordinator