Networking
1860524 Members
3391 Online
110411 Solutions
New Article
NetworkExperts

Zero trust vision to implementation: The case for inline segmentation

Zero trust inline segmentation stops lateral movement by enforcing identity-based policy at the access switch—without overlays, fabrics, or proprietary NAC—making microsegmentation practical now.

Ransomware doesn’t stop at the edge. Once attackers get in, they move laterally—system to system, quietly escalating access before anyone catches on. Microsegmentation is the right answer: divide the network into identity-governed zones at the device level, enforce least-privilege access, and lateral movement becomes dramatically harder.

Figure 1. Employee connecting to a secure network in a coffee shop.jpg

Figure 1. Employee connecting to a secure network in a coffee shop

The problem has never been the vision. It’s been the implementation tax. Every existing approach to microsegmentation comes with a prerequisite that most enterprises can’t meet—a proprietary network access control ( NAC) engine, an EVPN fabric build out, or an overlay tunnel that hairpins traffic through a central gateway. Today we’re changing that. Zero trust inline segmentation (ZTIS) enforces policy at the access switch, inline, with no overlay, no tunneling, no EVPN dependency, and no proprietary NAC solution required.

Read the IDC paper on The Imperative of Zero Trust and Network Access

Three approaches, three barriers

Figure 2. Security services need to be up and running 24-7.jpg

Figure 2. Security services need to be up and running 24/7

To understand why that matters, it helps to see where previous approaches broke down.

The proprietary tag-based model requires a dedicated external policy engine to govern tag assignment and manage the policy matrix—substantial licensing costs, operational complexity, and a dependency on specialized skills that are consistently in short supply. Tag propagation is hardware specific, so where compliant devices are absent, additional tunneling fills the gaps. The model assumes a homogeneous, single-vendor infrastructure. Most enterprises don’t have that and can’t afford to build it.

The standards-based fabric approach—EVPN/VXLAN with an IP-Clos spine-leaf design—is the right architecture for large campus and data center deployments. But building that fabric is a multiphase infrastructure project, and enforcement waits until the fabric does. For branch environments or distributed enterprises that haven’t made that architectural commitment, waiting isn’t a strategy.

The overlay approach abstracts segmentation entirely, tunneling client traffic to a central enforcement gateway regardless of where it originates. In contained environments this can work. In a distributed enterprise it creates a central chokepoint and a dependency on owning the full overlay stack. Traffic from a branch hairpins to the gateway and back. The latency and operational costs compound exactly as the network grows more distributed—which is the direction most enterprise networks have been moving.

What ZTIS changes

Figure 3. Operations teams conduct a strategy discussion.jpg

Figure 3. Operations teams conduct a strategy discussion

ZTIS removes all three prerequisites. Enforcement happens inline at the access switch—closest to the source of traffic—with no external policy engine, no fabric build out, and no central gateway in the path.

The mechanism is group-based policy (GBP) tags, a standards-based way to carry identity context forward from the point of authentication. GBP enforcement requires platform support, and the HPE Networking EX Switch Series provides it natively. That’s what makes inline enforcement possible without additional infrastructure. Policies are defined centrally in HPE Mist using tags assigned statically or received dynamically through RADIUS attribute-value pair (AVP)—centralized in intent, distributed in implementation.

Read the Campus Fabric guide

This works in branch environments without a campus fabric. It controls east-west traffic within a VLAN with Layer 4 granularity—ports and protocols, not just allow or deny—while also securing north-south traffic leaving the network. The policy framework is consistent across wired and wireless, and it works alongside existing NAC solutions; no forced vendor replacement.

For teams already using HPE Mist platform, HPE Mist Networking Access Assurance adds a fully integrated, cloud-native NAC layer—onboarding, identity, and policy management in a single platform across wired and wireless environments. It can significantly simplify operations. But it’s an option, not a requirement.

Security intrinsic to the network

Picture 4.jpg

ZTIS is part of a broader shift: security that’s built into the network rather than bolted on top of it. Policy sandboxing lets teams validate segmentation intent against real traffic before enforcement goes live. Enhanced self-driving capabilities in HPE Mist Networking Wired Assurance move the network from observation toward autonomous detection and remediation. ZTIS extends that posture to the access layer—closing the lateral movement gap in the environments where it has historically been widest.

If you’ve been waiting for microsegmentation that works on the network you actually have, not the one you plan to build someday, it’s available now.

Learn more about HPE Mist Networking Access Assurance.

 

Meet the author:

Sanjoy Dey, VP of Product Management, HPE
https://www.linkedin.com/in/sanjoyd  

0 Kudos
About the Author

NetworkExperts