October 14, 2025
Scope note:
In this article I'm focusing on ZTNA and NAC from the endpoint access perspective, not on server and IoT networks. Servers and critical back-end segments are typically static and predictable, and they benefit from simpler, lower-change controls.
Overview
The big question, and the motivation for writing this article, is whether NAC solutions are still relevant once a full Zero Trust architecture is in place.
As I see it, NAC and Zero Trust Network Access (ZTNA) are complementary but often misunderstood.
At their core, NAC and Zero Trust Network Access (ZTNA) are designed to complement each other in a layered security architecture. NAC acts as a gatekeeper, verifying device identity, posture, and compliance before granting network access. ZTNA extends this by continuously authenticating users and devices, enforcing least-privilege, and controlling access to specific applications regardless of network location.
Together, they form the foundation and superstructure of modern access control: NAC ensures devices are trustworthy before stepping inside, while ZTNA governs what those devices and users can do within the environment - so far so good.
However, reality tells another story: many organizations continue to use NAC as if the security perimeter had not shifted. They treat NAC as a static gatekeeper and neglect the dynamic, identity- and application-centric controls that ZTNA provides. Essentially, while the "cheese" has moved to identity, context, and cloud, many have not recalibrated their architecture or processes accordingly.
This misalignment leads to inefficiencies, increased complexity, and missed opportunities to strengthen security postures.
The Changing Security Landscape
Modern enterprise environments are no longer confined to data centers or traditional internal networks. Cloud adoption, remote work, and BYOD models have rendered network location less meaningful as a basis for trust.
Contemporary security models focus on protecting identities, devices, and applications wherever they reside. Microsoft's Zero Trust model and ZTNA platforms exemplify this approach, enforcing adaptive, continuous verification beyond network borders, but they are only examples within a broader ecosystem built on the same principles.
NAC’s Role and Limitations Today
NAC remains important for authenticating and assessing devices, especially unmanaged endpoints and IoT devices that often lack identity credentials. It plays a valuable role in device visibility, compliance enforcement, and network segmentation.
Yet, NAC’s traditional perimeter-bound methodology has limitations:
- It relies on static network boundaries that no longer exist in cloud or hybrid environments.
- Without integration into dynamic Zero Trust frameworks, NAC tends to produce redundant controls and operational overhead.
- NAC alone cannot enforce granular application-level access or adapt to modern threats targeting identities and sessions.
Rethinking Lateral Movement Prevention: Private VLANs and Endpoint Firewalls
Many organizations look to NAC to prevent lateral movement within internal networks. While NAC can enforce segmentation policies, private VLANs (PVLANs) offer a simpler, lower-risk alternative: endpoint ports are placed in an isolated PVLAN so that at Layer 2 they can reach only the promiscuous port where the firewall sits, never each other. Any endpoint-to-endpoint traffic therefore has to hairpin through that firewall, where it can be inspected or, more usefully, dropped. The caveat is that the gateway on the promiscuous port must really be a policy-enforcing firewall; a plain router that routes the traffic straight back into the segment undoes the Layer 2 isolation at Layer 3.
Combined with rigorous, deny-inbound-by-default endpoint-local firewalls on Windows, macOS, Linux, and so on, this approach provides transparent, maintainable, and effective lateral movement protection that aligns well with Zero Trust principles.
Making NAC Work with Zero Trust
If NAC is part of an organization’s security stack or under consideration, it is critical to ensure it integrates tightly with the Zero Trust ecosystem. For example, integration with endpoint management and compliance platforms (such as Microsoft Intune or other tools) enables NAC to consume real-time device health information and enforce risk-based policies dynamically.
Without this integration, NAC risks operating as an isolated gatekeeper - limited in visibility and flexibility, and out of step with the adaptive Zero Trust model.
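As an added example (not the author's code and not Microsoft's), here is the decision logic such an integration needs: a policy hook that looks up the MAC address from an 802.1X/MAB request in Intune compliance data and returns an admission decision. It assumes device records in the shape of the Microsoft Graph `deviceManagement/managedDevices` resource (`complianceState`, `lastSyncDateTime`, `ethernetMacAddress`, `wiFiMacAddress`); the sample devices, VLAN IDs and the 24-hour staleness window are constructed for illustration.

```python
"""Added example, not code from the original post: turn Intune compliance records
into a NAC admission decision for one 802.1X/MAB request.

Assumed input shape: Microsoft Graph GET /v1.0/deviceManagement/managedDevices
(fields complianceState, lastSyncDateTime, ethernetMacAddress, wiFiMacAddress).
VLAN numbers, the staleness window and the sample devices are illustrative.
"""
import re
from datetime import datetime, timedelta, timezone

VLAN_ENDPOINT = 100                  # the Endpoint PVLAN from the architecture
VLAN_QUARANTINE = 999                # remediation VLAN, assumed to exist in your design
MAX_SYNC_AGE = timedelta(hours=24)   # a compliance verdict older than this is not trusted

# Constructed sample of a Graph response; these are not real devices.
SAMPLE_GRAPH_RESPONSE = {
    "value": [
        {"deviceName": "LAPTOP-01", "complianceState": "compliant",
         "lastSyncDateTime": "2025-10-14T07:55:00Z",
         "ethernetMacAddress": "00:11:22:33:44:55", "wiFiMacAddress": "66:77:88:99:AA:BB"},
        {"deviceName": "LAPTOP-02", "complianceState": "noncompliant",
         "lastSyncDateTime": "2025-10-14T07:30:00Z",
         "ethernetMacAddress": "00:11:22:33:44:66", "wiFiMacAddress": ""},
        {"deviceName": "LAPTOP-03", "complianceState": "compliant",   # stale: no check-in for ~2 weeks
         "lastSyncDateTime": "2025-10-01T09:00:00Z",
         "ethernetMacAddress": "00:11:22:33:44:77"},
    ]
}
SAMPLE_NOW = datetime(2025, 10, 14, 8, 0, tzinfo=timezone.utc)  # "now" used with the sample


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 001122334455 (RADIUS
    Calling-Station-Id and MDM exports disagree on formatting) -> aa:bb:cc:dd:ee:ff."""
    if not mac:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_graph_time(value):
    """Graph timestamps are UTC ISO 8601 with a trailing Z; fractional seconds are dropped."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_mac_index(response):
    """Map every wired and wireless MAC Intune knows about to its device record."""
    index = {}
    for device in response.get("value", []):
        for field in ("ethernetMacAddress", "wiFiMacAddress"):
            mac = normalize_mac(device.get(field))
            if mac:
                index[mac] = device
    return index


def nac_decision(calling_station_id, index, now):
    """Return (action, vlan, reason) for one authentication request."""
    mac = normalize_mac(calling_station_id)
    device = index.get(mac) if mac else None
    if device is None:
        return ("quarantine", VLAN_QUARANTINE, "MAC not known to Intune")
    age = now - parse_graph_time(device["lastSyncDateTime"])
    if age > MAX_SYNC_AGE:
        # A compliant verdict from two weeks ago says nothing about the device today.
        return ("quarantine", VLAN_QUARANTINE,
                "compliance data stale (%d days since last sync)" % age.days)
    if device.get("complianceState") == "compliant":
        return ("allow", VLAN_ENDPOINT, "Intune reports compliant")
    # noncompliant, unknown, conflict, error, inGracePeriod: all treated as not yet trusted
    return ("quarantine", VLAN_QUARANTINE,
            "complianceState=%s" % device.get("complianceState"))


if __name__ == "__main__":
    index = build_mac_index(SAMPLE_GRAPH_RESPONSE)
    for station in ("00-11-22-33-44-55", "6677.8899.AABB", "00:11:22:33:44:66",
                    "00:11:22:33:44:77", "de:ad:be:ef:00:01"):
        print(station, "->", nac_decision(station, index, SAMPLE_NOW))
```

Two design choices matter more than the code. First, the staleness check: Intune evaluates compliance when the device checks in, not continuously, so a "compliant" record whose `lastSyncDateTime` is two weeks old should not open the door. Second, a MAC address is an identifier, not a credential; the lookup by MAC is shown because that is all a MAB request carries, and for managed endpoints the binding should come from the 802.1X device certificate or the device identity it carries rather than from the MAC alone.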
Example Architecture Combining NAC, Intune, Conditional Access, PVLAN, and OS-Level Firewall:

Here’s how a modern, layered Zero Trust architecture might look, integrating NAC without relying solely on legacy controls:
- Endpoints live in an Endpoint PVLAN (VLAN 100) that prevents peer-to-peer traffic at Layer 2, so lateral movement is blocked by default.
- Internal applications sit in a separate App PVLAN (VLAN 200); any access to them must traverse the Perimeter Firewall.
- The Perimeter Firewall is the single inspection point for all east–west traffic between PVLANs and brokers north–south flows to the internet and cloud.
- Cloud/SaaS access is governed by IdP + Conditional Access, which evaluates identity, device state, risk, and location before granting sessions.
- Each managed device enforces local OS firewall rules and runs EDR and other security agents, adding endpoint-level containment alongside PVLAN segmentation.
This architecture marries trusted device verification (via NAC and Intune) with dynamic, identity-based access management, network segmentation, and endpoint enforcement—reducing risks while simplifying operations.
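As an added example, not from the original post, the following script is what I would run from a managed endpoint in VLAN 100 to confirm that the architecture above, and the PVLAN plus host-firewall argument made earlier, actually hold on the wire. It assumes illustrative addressing (10.100.0.0/24 for the Endpoint PVLAN, 10.200.0.0/24 for the App PVLAN), a short list of lateral-movement ports, and that TCP 443 is the only port the perimeter firewall permits to the app host; all of these are placeholders for your own values.

```python
"""Added example, not code from the original post: verify from an endpoint in the
Endpoint PVLAN (VLAN 100) that the segmentation described above actually holds.

It attempts TCP connections to peer endpoints (expected: nothing answers, because
PVLAN isolation and the host firewall block them) and to App PVLAN (VLAN 200)
hosts (expected: only the ports the perimeter firewall permits). Addresses, port
lists and the expectation table are assumptions chosen for illustration.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports commonly used for lateral movement; extend to match your environment.
LATERAL_PORTS = {22: "ssh", 135: "msrpc", 139: "netbios", 445: "smb",
                 3389: "rdp", 5985: "winrm"}


def tcp_open(host, port, timeout=1.0):
    """True when a TCP handshake completes. A PVLAN-isolated peer never answers
    (timeout); a host firewall that rejects shows as connection refused; both
    count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # covers ConnectionRefusedError and TimeoutError
        return False


def build_expectations(peer_hosts, app_hosts, allowed_app_ports):
    """(host, port, expected_open) triples derived from the architecture:
    peers in VLAN 100 must expose nothing to each other; app hosts in VLAN 200
    must expose only the application ports the perimeter firewall allows."""
    expectations = []
    for host in peer_hosts:
        for port in LATERAL_PORTS:
            expectations.append((host, port, False))
    for host in app_hosts:
        for port in sorted(set(LATERAL_PORTS) | set(allowed_app_ports)):
            expectations.append((host, port, port in allowed_app_ports))
    return expectations


def check_segmentation(expectations, probe=tcp_open, workers=32):
    """Probe every expectation in parallel. Returns (results, violations); each
    entry is (host, port, expected_open, observed_open) and a violation is an
    entry where observation and expectation differ."""
    def one(item):
        host, port, expected = item
        return (host, port, expected, probe(host, port))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(one, expectations))
    violations = [r for r in results if r[2] != r[3]]
    return results, violations


def local_sanity_check():
    """No network needed: a loopback listener must read as open, and the same
    port must read as closed once the listener is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_open("127.0.0.1", port)
    listener.close()
    after_close = tcp_open("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    # Illustrative addressing for the two PVLANs; replace with your own.
    peers = ["10.100.0.21", "10.100.0.22"]   # other endpoints in VLAN 100
    apps = ["10.200.0.10"]                   # internal app host in VLAN 200
    allowed = {443}                          # what the perimeter firewall permits
    results, violations = check_segmentation(build_expectations(peers, apps, allowed))
    for host, port, expected, observed in results:
        flag = "OK " if expected == observed else "BAD"
        print(f"{flag} {host}:{port:<5} expected={'open' if expected else 'closed'} "
              f"observed={'open' if observed else 'closed'}")
    raise SystemExit(1 if violations else 0)
```

Two caveats when using it. A port that reads as closed only proves something if the peer was actually listening, so run it against a lab endpoint that has listeners on those ports, or you are measuring the absence of services rather than the presence of a control. And the traffic it generates is exactly what attacker recon looks like; tell the SOC first, then treat the resulting EDR alert as a free detection test.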
Conclusion: NAC Is Still Relevant—but Must Evolve
NAC is not obsolete. It still plays a foundational role in device authentication, visibility, and network segmentation—especially for unmanaged and IoT devices. But in a full Zero Trust architecture, NAC must evolve from a traditional, static perimeter controller into a dynamic, integrated component working alongside ZTNA and modern endpoint protections.
Organizations that fail to adjust risk redundant complexity, missed security benefits, and fractured architectures. Using private VLANs for lateral movement control and enforcing local endpoint firewalls can simplify operations and improve security.
In today’s hybrid, cloud-first world, protecting identities, devices, and applications anywhere is paramount—network access control alone is not enough. The future lies in seamlessly integrated, layered controls that combine NAC’s device assurance with ZTNA’s dynamic, identity-based application access.