Use Cases
Four ways Cloud Area Networking replaces the network you've been forced to live with.
One policy plane. One identity model. From a branch in Bavaria to a hyperscaler region — the same everywhere.
Use Case 01 — Locations
Branch offices, without the baggage.
Your home office runs on a basic router and an endpoint you trust with your most sensitive work. So why does every new branch still demand a firewall, an SD-WAN box, a NAC stack, and a VPN concentrator before a single employee can log in?
Locations have been hardened from the outside in for two decades. Every site means new hardware, new VLANs, new tunnels back to HQ, new contracts, new attack surface. The moment one employee opens a laptop at a café, the whole construct is bypassed anyway. You're paying enterprise-firewall prices to defend a building — not the data.
Security belongs at the endpoint, not the entrance. With Cloud Area Networking, every device carries a cryptographic identity. NAC, segmentation, posture enforcement, and policy travel with the user — at home, at the office, on the road, at a customer site. The location itself becomes deliberately boring: a router, internet, and a CanMe Gate. Nothing public. Nothing exposed. Nothing to attack.
A 12-person branch in Munich with two printers, one NAS, a small on-prem server, and one legacy MES terminal still running SMB-v1. A Hardware Gate sits behind a basic business router. The NAS is published as a Dark service, accessible only to the teams that own it. The printers are reachable within the site. The MES terminal is reachable only by named engineers, only when their identity says so. Everything else on the LAN is invisible to everything else. No public IP. No firewall rules. No site-to-site VPN. The site goes live the same afternoon the Gate is plugged in.
What you get
Branch CapEx collapses
A Gate replaces the firewall, NAC, and VPN concentrator in one device.
Roll-out in minutes, not weeks
Plug in, claim in Core, define services, done.
Zero public attack surface
What can't be seen can't be attacked.
Modern, legacy and OT — one site
Isolated by identity, not VLAN.
Use Case 02 — Multi-Cloud & Datacenter
Multi-cloud, without the hub-and-spoke tax.
The cloud was supposed to be elastic. Then we wrapped it in NAT, IPSec tunnels, and a hub-and-spoke topology designed for a world that no longer exists.
Every hyperscaler relationship adds a contract, a tunnel, a routing table. Dev, Test, and Prod can't share an address space without breaking something. M&A integrations stall on overlapping CIDRs. SaaS access is forced through an MPLS line because that's where the firewall lives. The agile cloud story dies the moment the network team gets a ticket.
Cloud Area Networking removes the network from the decision. Users and machines reach services because policy says so — not because two subnets happen to be routable. IP overlap stops mattering, because there are no IP routes between zones in the first place. Extend the CAN to any hyperscaler, any hoster, any partner datacenter, any on-prem system — even a developer's home lab — with the same security posture and the same policy plane.
Three Azure subscriptions all running 10.0.0.0/16 for Dev, Test, and Prod. One production OT machine in Ingolstadt. A short-lived load-test workload spun up at Hetzner. A developer at home pushes a container from the Hetzner workload to the Ingolstadt machine for a one-day validation run. Traditional path: re-IP, change requests, firewall exceptions, MPLS upgrade — three weeks. CanMe path: the developer's identity grants service-level access for the test window. When the window closes, access is gone. The network never knew the workload existed.
What you get
No hub-and-spoke tax
Traffic goes where it needs to go — not through a central choke point.
Overlapping IPs are a non-issue
Routing is identity-driven, not range-driven.
New environments in hours
Any cloud, any hoster, any partner — same policy.
Sandbox without exposure
Let teams experiment anywhere, without opening a single port.
Use Case 03 — Identity & Access
PIM is done. PAM is what's next.
You spent two years getting Entra ID right. Then you walked into a server room and realized access to the things that actually matter still depends on a firewall rule someone wrote in 2017.
Privileged Identity Management got users into applications cleanly. Privileged Access Management — the network and infrastructure layer — is still jump hosts, VPN accounts, manual firewall tickets, and tribal knowledge. Onboarding is fast. Off-boarding is a prayer. An external auditor, a maintenance crew, a machine vendor's technician — every one of them is a credential waiting to be forgotten.
Access becomes a property of identity, and identity lives in your IDP. Add a user to a group in Entra ID, and the network access they need appears — scoped to exactly the services that group is entitled to. Remove them, and access is gone everywhere, in real time. No firewall change. No ticket. No exception.
An external auditor needs read access to a financial reporting database for five business days. A new manufacturing engineer needs SCADA access from day one. A machine vendor's technician needs an urgent remote session to a CNC controller — right now, at 22:00, on a Sunday. All three are handled by group membership in your existing IDP. The auditor's group has a five-day expiry. The engineer inherits role-based access from their team. The vendor technician is added to a time-bound group, gets in within seconds, and is removed automatically when the ticket closes. Zero firewall changes. Full audit trail per identity, per service, per session.
What you get
Deterministic off-boarding
One source of truth. No orphaned accounts.
Access reviews stop being a fire drill
Entra ID is the report.
Real-time response
Emergency vendor access measured in seconds, not hours.
One model across IT, OT, cloud, SaaS
PAM that finally matches PIM.
Use Case 04 — OT, Legacy & Compliance
Bring production into zero trust — without touching a single machine.
NIS-2 doesn't care that your highest-revenue machine still speaks SMB-v1. Your auditor doesn't either.
Industrial and legacy systems can't be patched, replaced, or wrapped in an endpoint agent. The air-gap that used to protect them is fiction the moment a vendor plugs in for remote maintenance. Regulation — NIS-2, KRITIS, IEC 62443 — demands segmentation and access control. Operations demands uptime. The two are usually in a knife fight, and the network team loses either way.
The Hardware Gate sits in front of the machine, the line, or the cell. The machine doesn't change. The PLC doesn't change. The protocol doesn't change. What changes is who can reach it — and that decision is made by identity, in real time, from Core. Vendors get scoped, time-bound, fully logged access to exactly the systems they support. Internal engineers get role-based access. Everything else sees nothing. The same policy plane that protects your IT estate now protects your OT estate. One controller. One audit trail. One story for the regulator.
A factory floor with 40 production machines across three protocols (SMB-v1, Modbus, OPC UA), one MES, one legacy ERP terminal, and twelve machine vendors who each need occasional remote access. Hardware Gates sit per line, fronting the machines. Each vendor is mapped to an identity group that grants service-level access to their machines only — never to the line next door, never to the MES, never to anything else on the floor. Internal maintenance engineers have broader role-based access. The plant has zero public IPs and zero open inbound ports. When the auditor asks who touched machine 14 last Tuesday at 03:47, the answer is one query away.
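The scenarios in Use Case 03 (the auditor, the engineer, the vendor technician) and Use Case 04 (per-line Gates, "who touched machine 14") share one mechanism: access is a property of group membership in the IDP, some memberships expire on their own, every decision is taken per identity and per service, and every decision is logged. The following is an added illustration of that mechanism as a small in-memory model; it is not CanMe code and does not use the product's API. The directory, the `Gate` class, and every user, group, service name and timestamp in it are constructed for the example.

```python
"""
Identity-driven, time-bound, service-level access with an audit trail.
Added illustration only: an in-memory model, not CanMe code or its API.
All names (users, groups, services, timestamps) are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Membership:
    group: str
    expires: Optional[datetime] = None   # None: standing membership


class Directory:
    """Stand-in for the IDP: the single source of truth for group membership."""

    def __init__(self) -> None:
        self._members: dict[str, list[Membership]] = {}

    def add(self, user: str, group: str, expires: Optional[datetime] = None) -> None:
        self._members.setdefault(user, []).append(Membership(group, expires))

    def remove(self, user: str, group: str) -> None:
        # Off-boarding: drop the membership; the very next access check sees it.
        self._members[user] = [m for m in self._members.get(user, []) if m.group != group]

    def groups_for(self, user: str, now: datetime) -> set[str]:
        # Expired memberships simply stop counting; nobody has to clean them up.
        return {m.group for m in self._members.get(user, [])
                if m.expires is None or now < m.expires}


@dataclass(frozen=True)
class AuditRecord:
    at: datetime
    identity: str
    service: str
    session: int
    allowed: bool
    reason: str


class Gate:
    """Policy enforcement point in front of services. Grants are per group,
    per service; there is no subnet notion, so 'reachable' means 'entitled'."""

    def __init__(self, directory: Directory, grants: dict[str, set[str]]) -> None:
        self.directory = directory
        self.grants = grants             # group -> services that group may reach
        self.audit: list[AuditRecord] = []
        self._next_session = 1

    def authorize(self, identity: str, service: str, now: datetime) -> bool:
        entitled = sorted(g for g in self.directory.groups_for(identity, now)
                          if service in self.grants.get(g, set()))
        allowed = bool(entitled)
        reason = f"via {entitled}" if allowed else "no entitled group"
        self.audit.append(AuditRecord(now, identity, service, self._next_session, allowed, reason))
        self._next_session += 1
        return allowed

    def who_touched(self, service: str, start: datetime, end: datetime) -> list[str]:
        # The auditor's question: who had an allowed session on this service in the window?
        return sorted({r.identity for r in self.audit
                       if r.service == service and r.allowed and start <= r.at <= end})


def run_scenario() -> dict[str, object]:
    """Replays the vendor, engineer and auditor cases on constructed data."""
    idp = Directory()
    gate = Gate(idp, grants={
        "ot-line-2-vendor": {"cnc-14"},                    # one vendor, one machine only
        "ot-engineers":     {"cnc-14", "cnc-15", "mes"},   # role-based, broader
        "finance-audit-ro": {"fin-reporting-db"},
    })
    sunday_2200 = datetime(2024, 6, 2, 22, 0, tzinfo=UTC)   # constructed timestamp
    monday_0800 = datetime(2024, 6, 3, 8, 0, tzinfo=UTC)

    # Vendor technician: time-bound group, four-hour window, added when the call comes in.
    idp.add("vendor.tech@machinevendor.example", "ot-line-2-vendor",
            expires=sunday_2200 + timedelta(hours=4))
    idp.add("engineer@plant.example", "ot-engineers")                 # standing, role-based
    idp.add("auditor@firm.example", "finance-audit-ro",
            expires=monday_0800 + timedelta(days=5))                  # five-day expiry

    out: dict[str, object] = {}
    v = "vendor.tech@machinevendor.example"
    out["vendor_in_window"]    = gate.authorize(v, "cnc-14", sunday_2200 + timedelta(minutes=1))
    out["vendor_next_machine"] = gate.authorize(v, "cnc-15", sunday_2200 + timedelta(minutes=2))
    out["vendor_mes"]          = gate.authorize(v, "mes", sunday_2200 + timedelta(minutes=3))
    out["vendor_after_window"] = gate.authorize(v, "cnc-14", sunday_2200 + timedelta(hours=5))
    out["engineer_cnc14"]      = gate.authorize("engineer@plant.example", "cnc-14", monday_0800)
    out["auditor_day3"]        = gate.authorize("auditor@firm.example", "fin-reporting-db",
                                                monday_0800 + timedelta(days=2))
    out["auditor_day6"]        = gate.authorize("auditor@firm.example", "fin-reporting-db",
                                                monday_0800 + timedelta(days=6))
    # Off-boarding: remove the group and the next check is denied immediately.
    idp.remove("engineer@plant.example", "ot-engineers")
    out["engineer_offboarded"] = gate.authorize("engineer@plant.example", "cnc-14",
                                                monday_0800 + timedelta(hours=1))
    # "Who touched machine 14 on Sunday night?" is one query over the audit trail.
    out["who_touched_cnc14"]   = gate.who_touched("cnc-14", sunday_2200, sunday_2200 + timedelta(hours=6))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:22} {value}")
```

The point of the model is that no state lives in the Gate beyond the audit log: every decision re-reads the directory at the moment of the request, which is why expiry and removal take effect on the next check without a firewall change or a ticket, and why the audit query can answer per identity, per service and per session.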
What you get
NIS-2 & KRITIS, no machine swaps
Segmentation and access control without touching production.
Vendor remote support, managed
Stops being your largest unmanaged risk.
Brownfield, greenfield, cloud, OT
One policy model across the estate.
Compliant by construction
Operationally simple, audit-ready by default.
One network. One policy. One identity model.
From the home office to the factory floor, from a hyperscaler region to a branch in Bavaria — Cloud Area Networking is the same everywhere, because security should be a property of identity, not a property of location.
Ready to advance without firewalls?
Book a 30-minute demo. See how CanMe transforms your network security posture — without a rip-and-replace.
Book a demo, or write to us at hello@canme.cloud