TroutTrout
Zero-Trust Overlay

Zero-Trust for On-Premise and Legacy Systems

As connectivity and remote access reach deeper into OT, deploy a software-defined security layer on top of your existing network. No cloud dependency, no rewiring, no downtime.

Trusted by leading companies

John CockerillOrange CyberdefenseElna MagneticsThales
Access Gate
by Trout Software

You are about to access ACME CUI Server:

  • Proceed according to our internal security policy.
  • You can contact IT at it@acme.com
I agree
What is actually happening

Flat networks run on implicit trust.

Inside most plants and sites the network is flat: once a user, contractor, or device is on it, it can reach almost everything. Trust is implicit, granted by network location rather than identity. A single phished laptop, an over-permissioned vendor, or a compromised jump host inherits that trust and moves laterally to the systems that matter.

Traditional fixes do not fit OT. Agents cannot be installed on PLCs, HMIs, or RTUs. Cloud-routed proxies break availability and data-residency rules. VPNs extend the flat network to remote users instead of constraining them. The control layer keeps running on the assumption that everyone inside is trustworthy.

Zero Trust replaces location-based trust with verified identity on every session. The hard part in OT is enforcing it without touching the endpoints or rewiring the network, which is exactly where a network-layer overlay earns its place.

The model

Zero Trust, applied where agents cannot go.

Zero Trust, as set out in NIST 800-207, rests on a few principles: never trust by default, verify every request by identity, grant least privilege, and assume breach so one compromised account cannot reach the whole estate. The model is well understood. Implementing it on equipment that cannot run an agent is the gap.

Access Gate enforces those principles at the network layer. Every session is authenticated against your existing identity provider, authorised per asset and protocol, and continuously logged. Resources a user is not entitled to are cloaked, invisible at the network layer, so the attack surface shrinks to exactly what each identity is allowed to see.

Reference architecture: Access Gate as a Zero Trust overlay between the IT subnet and the OT zones, brokering identity-bound sessions to SCADA, PLCs, and HMIs.
Access Gate adds the identity and policy plane as an overlay. The existing switching, routing, and VLANs stay unchanged; trust moves from network location to verified identity.
How Access Gate deploys

Zero Trust without rewiring or agents.

PHASE 1

Overlay, live in hours.

Access Gate deploys as a software-defined overlay on top of the existing network. No agents on endpoints, no VLAN changes, no downtime. Identity-based access control, encryption, and per-session logging are immediate, and every resource is cloaked from identities that are not authorised for it.

PHASE 2

Enforce least privilege estate-wide.

Sessions migrate behind the gate, which becomes the enforcement point: policy per user, device, and protocol, MFA from your existing IdP, and continuous verification that re-authenticates when risk changes. New assets, plants, or sites are added as a configuration change, not a network redesign.

Compliance mapping

NIST 800-171, NIS2, and IEC 62443, evidenced continuously.

Identity-bound access maps directly onto the access-control families auditors look for: NIST 800-171 AC and IA controls, NIS2 Article 21 access management and logging, and the IEC 62443 requirements for identification, authentication, and use control. MFA is enforced at the proxy, least privilege is the default, and every decision is recorded.

Because enforcement and logging happen at the gate, audit evidence is generated continuously, with user, asset, protocol, and timestamp on every session, instead of being reconstructed from scattered device logs the week before an assessment.

Benefits at a Glance

Zero-Trust That Works for Industrial Networks

The Trout Access Gate brings zero-trust principles to environments where traditional identity solutions can't reach, legacy OT, air-gapped networks, and production floors.

Identity-First Access

Every user and device is authenticated before accessing any resource. No exceptions, no implicit trust.

Least Privilege

Users see only what they need. Everything else is cloaked and invisible at the network layer.

Continuous Verification

Sessions are monitored in real-time. Risk changes trigger re-authentication automatically.

Compliance Mapping

Direct mapping to NIST 800-171 AC controls, NIS2 access management, and IEC 62443 requirements.

Complete Audit Trail

Every access attempt, policy decision, and session logged and searchable for compliance evidence.

Overlay Architecture

Deploys on top of your existing network. No rewiring, no cloud dependency, no downtime.

The second layer of value

Access Gate secures your assets first, then exposes the simple services your teams and vendors actually want, so they run through the sanctioned path, not around it.

OT runs through you, not around you.

Datasheet

Download the Access Gate Datasheet.

Get the complete product overview with technical capabilities, deployment model, compliance alignment, and customer references.

Done

What's Inside

Product architecture, deployment model, key capabilities (proxy enforcement, micro-DMZs, identity-based access), compliance alignment, and real-world customer deployments.

4 pages

See It in Action

Request a live demo to see how the Access Gate deploys on your network without rewiring or downtime.

FAQ

Questions and Answers

0

Agents required. The Access Gate enforces zero-trust at the network layer without installing software on endpoints, PLCs, or legacy equipment.

A VPN extends your flat network to remote users, once connected, they can reach everything. The Access Gate enforces per-user, per-device, per-resource policies. Users only see what they're authorized to access. Everything else is cloaked at the network layer.

Yes. The Access Gate enforces access control at the network layer, not on the endpoint. Legacy PLCs, HMIs, and SCADA systems are protected without installing agents or modifying their configuration. The overlay sits between users and resources.

The Access Gate integrates with Active Directory, Entra ID, Okta, and any SAML or OIDC-compatible provider. Users authenticate with their existing credentials and MFA. No separate identity system to manage.

Yes. The Access Gate operates entirely on-premise with no cloud dependency. Identity verification, policy enforcement, and audit logging all happen locally. It's designed for classified, air-gapped, and regulated environments.

You can add new assets, plants, or sites without re-architecting. The overlay is software-defined, adding a new enclave or extending policies to a new location is a configuration change, not a network redesign.

Access Gate implements the NIST 800-207 pillars at the network layer: every session is verified by identity, granted least privilege per asset and protocol, and continuously evaluated, with unauthorised resources cloaked. It does this without agents on endpoints, so it covers the OT and legacy systems that agent-based Zero Trust tools cannot reach.