- Community Home
- >
- HPE Networking
- >
- Networking
- >
- Zero trust vision to implementation: The case for ...
Categories
Company
Local Language
Forums
Discussions
- Integrity Servers
- Server Clustering
- HPE NonStop Compute
- HPE Apollo Systems
- High Performance Computing
Knowledge Base
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Knowledge Base
Forums
Discussions
- Cloud Mentoring and Education
- Software - General
- HPE OneView
- HPE Ezmeral Software platform
- HPE OpsRamp Software
Knowledge Base
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Receive email notifications
- Printer Friendly Page
- Report Inappropriate Content
Zero trust vision to implementation: The case for inline segmentation
Zero trust inline segmentation stops lateral movement by enforcing identity-based policy at the access switch—without overlays, fabrics, or proprietary NAC—making microsegmentation practical now.
Ransomware doesn’t stop at the edge. Once attackers get in, they move laterally—system to system, quietly escalating access before anyone catches on. Microsegmentation is the right answer: divide the network into identity-governed zones at the device level, enforce least-privilege access, and lateral movement becomes dramatically harder.
Figure 1. Employee connecting to a secure network in a coffee shop
The problem has never been the vision. It’s been the implementation tax. Every existing approach to microsegmentation comes with a prerequisite that most enterprises can’t meet—a proprietary network access control ( NAC) engine, an EVPN fabric build out, or an overlay tunnel that hairpins traffic through a central gateway. Today we’re changing that. Zero trust inline segmentation (ZTIS) enforces policy at the access switch, inline, with no overlay, no tunneling, no EVPN dependency, and no proprietary NAC solution required.
Read the IDC paper on The Imperative of Zero Trust and Network Access
Three approaches, three barriers
Figure 2. Security services need to be up and running 24/7
To understand why that matters, it helps to see where previous approaches broke down.
The proprietary tag-based model requires a dedicated external policy engine to govern tag assignment and manage the policy matrix—substantial licensing costs, operational complexity, and a dependency on specialized skills that are consistently in short supply. Tag propagation is hardware specific, so where compliant devices are absent, additional tunneling fills the gaps. The model assumes a homogeneous, single-vendor infrastructure. Most enterprises don’t have that and can’t afford to build it.
The standards-based fabric approach—EVPN/VXLAN with an IP-Clos spine-leaf design—is the right architecture for large campus and data center deployments. But building that fabric is a multiphase infrastructure project, and enforcement waits until the fabric does. For branch environments or distributed enterprises that haven’t made that architectural commitment, waiting isn’t a strategy.
The overlay approach abstracts segmentation entirely, tunneling client traffic to a central enforcement gateway regardless of where it originates. In contained environments this can work. In a distributed enterprise it creates a central chokepoint and a dependency on owning the full overlay stack. Traffic from a branch hairpins to the gateway and back. The latency and operational costs compound exactly as the network grows more distributed—which is the direction most enterprise networks have been moving.
What ZTIS changes
Figure 3. Operations teams conduct a strategy discussion
ZTIS removes all three prerequisites. Enforcement happens inline at the access switch—closest to the source of traffic—with no external policy engine, no fabric build out, and no central gateway in the path.
The mechanism is group-based policy (GBP) tags, a standards-based way to carry identity context forward from the point of authentication. GBP enforcement requires platform support, and the HPE Networking EX Switch Series provides it natively. That’s what makes inline enforcement possible without additional infrastructure. Policies are defined centrally in HPE Mist using tags assigned statically or received dynamically through RADIUS attribute-value pair (AVP)—centralized in intent, distributed in implementation.
Read the Campus Fabric guide
This works in branch environments without a campus fabric. It controls east-west traffic within a VLAN with Layer 4 granularity—ports and protocols, not just allow or deny—while also securing north-south traffic leaving the network. The policy framework is consistent across wired and wireless, and it works alongside existing NAC solutions; no forced vendor replacement.
For teams already using HPE Mist platform, HPE Mist Networking Access Assurance adds a fully integrated, cloud-native NAC layer—onboarding, identity, and policy management in a single platform across wired and wireless environments. It can significantly simplify operations. But it’s an option, not a requirement.
Security intrinsic to the network
ZTIS is part of a broader shift: security that’s built into the network rather than bolted on top of it. Policy sandboxing lets teams validate segmentation intent against real traffic before enforcement goes live. Enhanced self-driving capabilities in HPE Mist Networking Wired Assurance move the network from observation toward autonomous detection and remediation. ZTIS extends that posture to the access layer—closing the lateral movement gap in the environments where it has historically been widest.
If you’ve been waiting for microsegmentation that works on the network you actually have, not the one you plan to build someday, it’s available now.
Learn more about HPE Mist Networking Access Assurance.
Meet the author:
Sanjoy Dey, VP of Product Management, HPE
https://www.linkedin.com/in/sanjoyd
- Back to Blog
- Newer Article
- Older Article
-
AI-Powered
23 -
AI-Powered Networking
109 -
Analytics and Assurance
4 -
Aruba Unplugged
7 -
Cloud
9 -
Corporate
3 -
customer stories
4 -
Data Center
49 -
data center networks
19 -
digital workplace
2 -
Edge
4 -
Enterprise Campus
9 -
Events
5 -
Government
10 -
Healthcare
2 -
Higher Education
2 -
Hospitality
4 -
Industries
1 -
IoT
8 -
Large Public Venue
1 -
Location Services
3 -
Manufacturing
1 -
midsize business
1 -
mobility
17 -
Network as a Service (NaaS)
12 -
Partner Views
4 -
Primary Education
1 -
Retail
1 -
SASE
21 -
SD-WAN
12 -
Security
185 -
small business
1 -
Solutions
7 -
Technical
5 -
Uncategorized
1 -
Wired Wireless WAN
144 -
women in technology
2
- « Previous
- Next »