Work environments have evolved considerably, and in the face of increasingly complex security threats, companies must rethink their access control strategies. The concept of Universal ZTNA (Zero Trust Network Access) is emerging as a promising response to these new challenges, unifying access protection whether from local networks, the cloud, or remote environments.

in partnership with HPE Aruba Networking

A Security Model Running Out of Steam

Access control architectures used by companies have evolved little in recent years. On one hand, Network Access Control (NAC) ensures the management of connections to internal networks by controlling user identity and equipment compliance. On the other hand, Zero Trust Network Access (ZTNA) has established itself as a model better suited to remote and cloud environments, granting access based on context and identity.

These two approaches are still too often treated as independent solutions. With the widespread adoption of hybrid work, the proliferation of unmanaged devices, and the rise of SaaS applications, this segmentation is becoming a hindrance.

According to Gartner, by 2026:

  • 60% of companies will have replaced their traditional VPNs with ZTNA,
  • 80% will adopt a zero trust approach for access management.

However, these evolutions are not enough. A deeper transformation is necessary: a Universal ZTNA model, which merges the principles of NAC and ZTNA for seamless and coherent access management, both locally and remotely.

A recent Gartner report (“Quick answer – What is the Future of NAC” July 11, 2024) predicts a significant decline in the NAC market by 2028, in favor of zero trust network access (ZTNA), and particularly its advanced version, Universal ZTNA (UZTNA). This trend reflects a broader transition to Zero Trust security frameworks, better adapted to modern and dynamic environments.

Why NAC and ZTNA Must Converge

Strengths and Limitations of NAC

Historically, NAC was designed to secure access to local infrastructures, relying on rigid segmentation (VLAN) and strict compliance rules. This model works well in controlled environments but becomes unsuitable in the era of cloud and hybrid work.

Its strengths:

  • Effective security for Wi-Fi and wired networks,
  • Compliance with access control regulations,
  • Fine-grained management of equipment connected to the internal infrastructure.

Its limitations:

  • Poorly adapted to cloud and SaaS usage,
  • Administrative complexity due to static segmentation,
  • Lack of flexibility for managing unmanaged devices and IoT.

Strengths and Limitations of ZTNA

ZTNA brings a more modern response by applying dynamic and contextual authentication to secure access to applications. However, because it focuses solely on connections to cloud and remote resources, it neglects the management of internal network access.

Its strengths:

  • Securing access regardless of connection location,
  • Risk reduction by applying a least privilege model,
  • Abandonment of classic VPN access, often too permissive.

Its limitations:

  • Lack of control over local network access,
  • Sometimes complex integration with existing NAC infrastructures,
  • Limited management of unmanaged devices and industrial equipment.

Universal ZTNA: A Necessary Convergence, But Not Without Challenges

Combining NAC and ZTNA into a single model is a logical evolution, but it raises several technical challenges that must be anticipated.

Routing Performance

  • Routing local traffic to a remote control point can generate latencies and additional costs, particularly for internal communications like voice over IP.
  • Some providers offer local application solutions, but their implementation and scaling remain complex.
  • The situation is evolving rapidly and improvements are expected in the coming year. Efficient routing management remains a key issue.

Management of Unmanaged Devices

  • Unlike managed equipment, unmanaged devices cannot incorporate a security agent, which complicates their authentication and control.
  • Adaptation of the network infrastructure (routing, DNS) can provide an initial response but does not always block lateral movements.
  • A Universal ZTNA solution must integrate specific mechanisms to monitor and secure these devices without complicating the existing infrastructure.

Securing IoT and OT Environments

  • Most connected objects and industrial equipment do not support classical authentication methods, making their integration into a zero trust model more difficult.
  • There is no universal standard, and security often relies on solutions specific to each manufacturer.
  • An effective approach will need to combine dynamic segmentation and access controls adapted to these environments.

How to Successfully Transition to Universal ZTNA

This convergence should not be a simple technical overhaul. It is a profound transformation that must align with the business challenges and operational constraints of each organization.

1. Progressively Integrate NAC into a Zero Trust Approach

  • Rather than abruptly eliminating NAC, it should be integrated into a broader ZTNA architecture.
  • NAC can continue to play a key role in controlling internal equipment and managing compliance.

2. Extend ZTNA to Internal Environments

  • Test the application of ZTNA on campuses and branches, not just for remote access.
  • Favor a hybrid architecture, combining cloud management and local application points, to avoid latency and traffic optimization issues.

3. Better Manage Unmanaged Devices and IoT

  • Implement active monitoring and dynamic segmentation to limit lateral movements.
  • Encourage IoT and OT manufacturers to integrate advanced authentication mechanisms, allowing better integration into a zero trust model.

Migration Plan

Implementing zero trust is a multi-phase process requiring organizational change management and buy-in from operations and leadership. Here are some key steps:

Define the Zero Trust Strategy and Scope

  • Establish fundamental principles to guide security controls,
  • Set outcome-driven metrics (ODM) to measure risk reduction and adoption progress.

Consolidate Identity and Access Management (IAM)

  • Unify identity sources and enable identity federation (e.g., OpenID Connect, SCIM),
  • Strengthen identity governance and privileged access management (PAM).

Device Inventory and Context-Based Access

  • Centralize device inventory,
  • Define context and posture requirements for access,
  • Implement device certification,
  • Establish patch compliance policies.

Modernize Remote Access

  • Enable secure and contextual access for employees and third parties,
  • Reduce dependency on full-tunnel VPN connections.

Network Segmentation and Encryption

  • Deploy macro-segmentation for IT workloads, CPS, and data centers,
  • Implement DNS over TLS and encrypted protocols where possible.

Zero Trust Pilot Implementation

  • Select an initial application for a proof of value pilot,
  • Ensure backup access methods remain available during testing.
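The migration steps above (consolidated identity, device inventory with posture requirements, least-privilege application access, confinement of unmanaged devices) can be illustrated with a toy policy engine. This is an added example, not code from the article or from any HPE Aruba Networking product; the application names, groups, segment labels and the 24-hour posture threshold are all assumptions.

```python
from dataclasses import dataclass
MAX_POSTURE_AGE_HOURS = 24  # older posture reports count as unknown (assumed)

@dataclass
class Device:
    managed: bool           # True if an agent can report posture
    posture_ok: bool        # compliance/patch check result
    posture_age_hours: int  # hours since the last posture report

@dataclass
class Request:
    groups: set[str]        # the user's identity groups (from the unified IdP)
    mfa: bool               # strong authentication completed
    device: Device
    location: str           # "campus", "branch" or "remote"
    app: str

# Per-application least-privilege policy (constructed sample).
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "requires_managed": True},
    "printing": {"groups": {"staff"}, "requires_managed": False},
}

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, segment); req.location is deliberately never read."""
    policy = APP_POLICY.get(req.app)
    if policy is None or not req.mfa or not (req.groups & policy["groups"]):
        return ("deny", "none")
    dev = req.device
    if not dev.managed:
        # No agent, so no posture: confine instead of trusting the LAN.
        if policy["requires_managed"]:
            return ("deny", "quarantine")
        return ("allow", "restricted")
    if not dev.posture_ok or dev.posture_age_hours > MAX_POSTURE_AGE_HOURS:
        return ("deny", "remediation")
    return ("allow", "app:" + req.app)

def run_samples() -> dict[str, tuple[str, str]]:
    """Constructed requests: same user, different devices and locations."""
    laptop = Device(managed=True, posture_ok=True, posture_age_hours=2)
    stale = Device(managed=True, posture_ok=True, posture_age_hours=48)
    byod = Device(managed=False, posture_ok=False, posture_age_hours=0)
    hr = {"hr", "staff"}
    return {
        "campus-hr": decide(Request(hr, True, laptop, "campus", "hr-portal")),
        "remote-hr": decide(Request(hr, True, laptop, "remote", "hr-portal")),
        "stale-hr": decide(Request(hr, True, stale, "campus", "hr-portal")),
        "byod-hr": decide(Request(hr, True, byod, "campus", "hr-portal")),
        "byod-print": decide(Request(hr, True, byod, "campus", "printing")),
    }
```

The campus and remote requests yield the same decision because the policy consults identity, MFA and device posture rather than the network the user is on, which is the "universal" part; the unmanaged device is confined to a restricted segment rather than denied, limiting lateral movement without requiring an agent.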

The boundary between NAC and ZTNA is becoming increasingly blurred. In a world where users, equipment, and applications are distributed between local networks, the cloud, and remote environments, it’s time to adopt unified access management. Universal ZTNA is not a minor evolution. It’s a new paradigm that must be considered today to avoid ending up with obsolete and difficult-to-secure infrastructures.

HPE Aruba Networking ZTNA: A Modern Alternative to VPN

HPE Aruba Networking strengthens its cybersecurity with AI for Network Detection and Response (NDR) in Aruba Central, enabling the identification of malicious behaviors, particularly on IoT devices.

In parallel, the company extends its Zero Trust Network Access (ZTNA) approach to campus local networks for homogeneous protection on-site and in the cloud (Universal ZTNA) through these two solutions:

HPE Aruba Networking SSE: An alternative to VPNs integrating ZTNA, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Digital Experience Monitoring (DEM) to secure access to private applications, web browsing, and SaaS applications.

HPE Aruba Networking ClearPass: Identity-based access control solution with granular security policies to protect wired and wireless networks. The integration of these technologies ensures consistent and simplified protection across the entire IT infrastructure.

Aina Rampanana:

With solid experience in software-defined networks, product management, and cloud architecture, Aina has developed deep expertise in digital transformation. Formerly Principal Consultant at Orange Consulting, he specialized in SASE, SD-WAN, and network automation before joining HPE Aruba Networking following the acquisition of Axis Security. He also teaches cloud architecture and SDx/SASE design at ESGI and EFREI, combining field experience and academic teaching.
