SmartLink + ZTNA: The Double Security Barrier
Context
Claire is the CISO at BioLab, a laboratory with 90 people spread across three sites and remote work. The company hosts critical internal applications — LIMS (laboratory management), ERP, regulatory document database — on its own servers. Claire wants to secure access to these applications without exposing the internal network to the Internet and without imposing a traditional VPN on her teams.
The problem without SmartLink + ZTNA
With a traditional VPN:
- Once connected to the VPN, the user has access to the entire internal network ("castle and moat" model)
- If a device is compromised, the attacker has access to the whole network
- The VPN is cumbersome to maintain, slow, and degrades the user experience
- No granularity: impossible to give access to a single application
- VPN credentials are an additional attack vector to manage
With ZTNA alone (Tailscale/Headscale):
- The network is segmented, but application authentication remains conventional (login/password)
- Passwords for internal applications remain a weak link
- No visibility into who accesses what at the application level
- No centralized management of application access
The solution: SmartLink + Tailscale/Headscale
By combining SmartLink with a Zero Trust network (Tailscale or its open source alternative Headscale), you get two complementary layers of security:
Layer 1 — SmartLink: controls who can access and under what conditions (identity, device, location)
Layer 2 — ZTNA: controls which machines the user can connect to on the network (micro-segmentation)
With SmartLink + ZTNA
Step 1 — Deploy the Zero Trust network
Claire installs Headscale (self-hosted to retain data sovereignty) or activates Tailscale (Business plan). Each server hosting an internal application joins the Zero Trust network.
Step 2 — Connect SmartLink as the identity provider
Claire configures SmartLink as an OpenID Connect (OIDC) provider for Tailscale/Headscale. Now, to join the Zero Trust network, an employee must authenticate via SmartLink and their VaultysID.
Step 3 — Define ACLs by group
Claire defines network access rules based on SmartLink groups:
- The "Laboratory" group accesses only the LIMS and the document database
- The "Finance" group accesses only the ERP
- The "Management" group accesses all applications
- No one accesses a server unless explicitly authorized
Step 4 — Add SmartLink policies
Claire strengthens security with SmartLink Device Access Policies:
- Access to the LIMS requires a biometric VaultysID and a device on the company network or the ZTNA
- Access to the ERP requires an up-to-date browser and a supported operating system
Step 5 — The daily user experience
Paul, a remote researcher, opens his browser:
- He authenticates on SmartLink with his VaultysID (QR scan + fingerprint)
- The Tailscale/Headscale client automatically authenticates via SmartLink SSO
- Paul clicks on LIMS in his SmartLink dashboard
- SmartLink connects him automatically to the application via the encrypted tunnel
Everything is seamless. Paul did not enter any password or manually launch any VPN.
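As an added illustration (not taken from SmartLink's, Tailscale's or Headscale's own documentation), the group rules of Step 3 written as an ACL policy in the HuJSON format that both Tailscale and Headscale read; the user logins, tag names and port 443 are assumptions, and mapping SmartLink groups onto these ACL groups is assumed to be done by listing the OIDC logins.

```hujson
// Constructed example: Tailscale/Headscale ACL policy for the BioLab scenario.
// Servers must carry the matching tag when they join the network (Step 1).
{
  // ACL groups mirroring the SmartLink groups of Step 3.
  // Logins are constructed; they are the identities SmartLink asserts over OIDC.
  "groups": {
    "group:laboratory": ["paul@biolab.example", "researcher2@biolab.example"],
    "group:finance":    ["accountant@biolab.example"],
    "group:management": ["director@biolab.example"],
  },

  // Only Claire may attach server tags, so a user cannot relabel a node
  // to pull it into a group they are allowed to reach.
  "tagOwners": {
    "tag:lims":  ["claire@biolab.example"],
    "tag:docdb": ["claire@biolab.example"],
    "tag:erp":   ["claire@biolab.example"],
  },

  // Default deny: any src/dst pair not listed here is refused, which is what
  // implements "no one accesses a server unless explicitly authorized".
  // Destinations are restricted to the application port (443 assumed).
  "acls": [
    {"action": "accept", "src": ["group:laboratory"], "dst": ["tag:lims:443", "tag:docdb:443"]},
    {"action": "accept", "src": ["group:finance"],    "dst": ["tag:erp:443"]},
    {"action": "accept", "src": ["group:management"], "dst": ["tag:lims:443", "tag:docdb:443", "tag:erp:443"]},
  ],

  // Policy tests: the policy is rejected on save if any expectation fails,
  // so a typo cannot silently widen Finance's reach to the LIMS.
  "tests": [
    {"src": "accountant@biolab.example", "accept": ["tag:erp:443"],  "deny": ["tag:lims:443", "tag:docdb:443"]},
    {"src": "paul@biolab.example",       "accept": ["tag:lims:443"], "deny": ["tag:erp:443"]},
  ],
}
```

Revoking a user in SmartLink removes their OIDC identity, so they drop out of every group above at the network layer as well as losing SSO to the applications (the "network AND application revocation" the page describes).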
Zero Trust architecture in detail
What does it protect?
| Threat | Traditional VPN | ZTNA alone | SmartLink + ZTNA |
|---|---|---|---|
| Credential theft | ❌ Full network access | ⚠️ Limited network access, but applications exposed | ✅ Cryptographic identity (VaultysID) + segmented network |
| Compromised device | ❌ Whole network exposed | ⚠️ Segment of network exposed | ✅ Device policy blocks non-compliant devices |
| Lateral movement | ❌ Free on the whole network | ✅ Micro-segmentation | ✅ Micro-segmentation + application control |
| Application password theft | ❌ Access to the application | ❌ Access to the application | ✅ No known password (vault) |
| Access after departure | ⚠️ Slow revocation | ⚠️ Network revocation only | ✅ Network AND application revocation in 1 click |
| Compliance audit | ❌ Scattered logs | ⚠️ Network logs only | ✅ Network + application traceability |
The Zero Trust principle applied
"Never trust, always verify"
- Verify identity → VaultysID (passwordless cryptographic authentication)
- Verify device → SmartLink Device Access Policy (OS, browser, IP)
- Least privilege access → Tailscale/Headscale ACLs (only necessary servers)
- Controlled application access → SmartLink SSO (only authorized applications)
- End-to-end encryption → Tailscale/Headscale WireGuard tunnel
- Continuous monitoring → SmartLink logs + combined ZTNA logs
Tailscale or Headscale?
| Criteria | Tailscale | Headscale |
|---|---|---|
| Hosting | Cloud (Tailscale Inc.) | Self-hosted |
| Data sovereignty | Data with Tailscale | 100% under your control |
| Ease of implementation | Very simple | Requires admin skills |
| Cost | Paid (Business plan required for SSO) | Free and open source |
| Support | Commercial support | Community |
| SmartLink integration | SSO OIDC + WebFinger | SSO OIDC |
Both options are fully compatible with SmartLink via OpenID Connect.
What changes
| Without this combination | With SmartLink + ZTNA |
|---|---|
| VPN = full network access | Micro-segmentation by user and by application |
| VPN credentials + application passwords | Single VaultysID authentication |
| Internal applications exposed to the Internet | Applications invisible from the Internet |
| Slow and incomplete revocation | Instant network + application revocation |
| Scattered and incomplete logs | Complete end-to-end traceability |
| Perimeter security ("castle and moat") | Zero Trust security (continuous verification) |
Features used
- 🔗 SSO OpenID Connect — SmartLink as identity provider
- 🌐 Tailscale Integration — Tailscale SSO configuration guide
- 🌐 Headscale Integration — Headscale SSO configuration guide
- 🛡️ Access Policies (DAP) — Device and access condition control
- 📁 Folder Management — Organize access by group
- 🔐 VaultysID — Passwordless cryptographic identity