Gartner: ZTNA Anywhere (Rethinking Campus Network Security)

Today, most companies use different products to secure user access for campus networks versus remote workers. In campus environments, we see companies investing in NAC products and/or deploying enhanced switch security capabilities. Specific examples include FortiNAC, Cisco SDA/ISE, Aruba ClearPass, ExtremeControl, etc. We also see the configuration of technologies such as DHCP snooping, IP Source Guard, MACsec, 802.1X, private VLANs, dynamic ARP inspection, etc.

However, for teleworkers, companies are investing mainly in VPN technologies or (more recently) ZTNA. But as employees shift to hybrid working (where they routinely work both remotely and in the office), this use of multiple products is inefficient because it leads to:

  • Remote workers with a different login experience (such as loading VPN clients or authenticating differently).

  • Separate policy engines, which require organizations to define and manage policy in multiple places, increasing the likelihood of inconsistency.

  • Swivel-chair troubleshooting across multiple consoles.

  • Paying for two separate products and their associated management infrastructure.

Given this inefficiency, we believe this area is ripe for disruption. We believe that applying ZTNA products to campus networks is feasible and useful. And this isn’t just Gartner analysts being academic; our end-user clients are also asking about this. Conversations go like this:

I use a cloud-based ZTNA service to support remote workers, and I like the security, visibility, and flexibility of the “as-a-service” model. Why can’t I use the same solution in on-premises campus and branch environments? Why do I have to manage complex and tedious VLAN, ACL, port, 802.1X and NAC setups?

In other words, why can’t the network (hardware) be dumb, with security instead enforced by a simple software stack? In some cases we hear that users have returned to the office and things are worse than at home; they complain to the IT department that “nothing works anymore… I can’t log in and my apps are slow and/or not working”.

While some ZTNA vendors technically support onsite workers, few ZTNA offerings are targeted at, designed for, and/or specifically optimized for campus/branch environments. What if they were? What if we could use ZTNA on campus the way we do at home? A single software solution (vs. separate, disparate solutions) enables:

  • A single security policy covering teleworkers and campus employees.

  • A common experience for end users, whether working remotely or onsite.

  • Easier troubleshooting (i.e. one solution versus many).

  • Better economy and efficiency (using one solution for two use cases).

But why aren’t more providers already doing this? The primary reason vendors have not invested in ZTNA to support campus workers is business, not technology. Don’t get me wrong, there are also technical challenges (but they can be overcome). This disrupts the status quo for established NAC/switching providers and is likely to cannibalize existing revenue. The lack of investment is NOT because it is the wrong approach. However, such inefficiencies only last so long in markets before vendors step in and disrupt (see SD-WAN).

ZTNA Anywhere: So as we transition to hybrid working, we hope vendors will address this with expanded or new offerings. Think of it as ZTNA Anywhere, or Universal ZTNA.

To that end, we have just published research (aimed at the vendor community) on this problem:

Campus Network Security and NAC Are Ripe for Market Disruption

Summary: Enterprises are spending billions to secure campus networks through a combination of switching and NAC functionality, an approach poised to be disrupted by the shift to hybrid working. Product managers must extend ZTNA products to campus environments to drive revenue and business value, but they must act quickly.

Sincerely, André