Home / Solutions / Industrial Networking & Datacom / Zero-Trust Network Access
DOMAIN 02 · INDUSTRIAL NETWORKING

Zero-Trust Network Access (ZTNA / NAC): Verify Every Identity, Grant Least Privilege, Trust No Location by Default

Traditional networks trust whatever is already inside: connect to the LAN or the VPN and you are, in effect, on the trusted side — free to reach far more than your job needs. Zero trust removes that assumption. Every user, on any device, from anywhere, proves who they are and that their device is healthy before they reach a single resource, and they are granted one application at a time, not the whole network. This solution combines a software-defined perimeter with single-packet authentication, dynamic least-privilege authorization, on-site admission control (802.1X / NAC) and precise access tracing. Unlike our Enterprise Edge Security page, which guards the internet boundary — keeping the outside out — this page governs identity and access on the inside: the network stops trusting by location and starts authorizing by identity.

Why the Inside Is the Weak Point

Four gaps that a firewall at the edge was never designed to close:

The VPN hands over the whole networkA classic VPN authenticates once and then drops the user onto the internal network with broad reach — far more than the two or three apps they actually use.
Flat trust: one machine, whole networkOnce anything inside is compromised, it can move sideways unchallenged — from one infected laptop to file servers, admin consoles and backups.
Contractors and guests are hard to controlUnmanaged laptops and personal phones plug in every day. You cannot install your agent on all of them, yet they still need some access — safely.
No precise record of who reached whatWhen something goes wrong, "a user on the LAN" is not an answer. Without per-identity, per-app logging you cannot say who touched a system, when, or from which device.

Architecture: Verify First, Then Connect

No resource is reachable until identity and device are proven; each grant is one app, for one session, continuously re-checked:

ANY USER · ANY DEVICE · ANYWHERE staff · managed laptop staff · mobile contractor · unmanaged visitor / guest device nobody is trusted by network location — everyone proves identity and device posture 802.1X / NAC admission at the port on-site: NAC checks the device before it gets an address at all remote: single-packet auth, no open listening port to scan TRUST BROKER verify first, then connect · identity: who is this, really (SSO/MFA) · device posture: patched, compliant? · context: location, time, sensitivity · grant one app, not the whole network · re-check continuously, revoke on change least privilege · per-session · per-app every grant logged for precise tracing request RESOURCES · MICRO-SEGMENTED Finance systemreachable only bypermitted identities HR / recordsseparate grant,separate policy Dev / sourceengineers only Backupstightly restricted one allowed app everything else: denied NO LATERAL MOVEMENT a compromised laptop can reach only the one app its identity was granted — not the flat network the internet-facing firewall still guards the perimeter; zero trust adds the inside layer it never covered every access recorded — precise who/what/when trace

Architecture drawn by AtlasCommTech following carrier-grade network design practice. Diagram labels are kept in English for engineering clarity.

Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks, where the edge is attacked every single day. We design your edge with that assumption, not with optimism.

Equipment Options

The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.

Huawei — enterprise campus, WAN and security linesMature ecosystem with a global service network.
ZTE & Wantone — comparable datacom linesPrice-performance direction; supply runs smoother in some markets.
H3C — campus and data-center linesWidely deployed campus and data-center portfolio.
Atlas industrial switches — industrial-scenario access layerOur own industrial line — compatible with any brand's core layer.

What the Design Delivers

Six controls that together move you from location-based trust to identity-based authorization:

Software-defined perimeter (SDP)Resources are dark until a verified request opens them. There is no public listening port for an attacker to scan or hit — you cannot attack what you cannot see.
Single-packet authenticationThe first packet itself carries proof of identity; only a valid one gets any response at all, so scans and brute-force against the front door find nothing to talk to.
Dynamic least-privilege authorizationAccess is decided per request from identity, device posture and context, and grants one application — not a subnet. Change the context, the grant is re-evaluated or revoked.
On-site admission control (802.1X / NAC)On the LAN, a device is checked before it even gets an address: compliant staff machines land in their zone, unknown or non-compliant ones into quarantine or guest-only.
Consistent policy for managed and unmanagedEmployees, contractors and guests all pass the same broker; unmanaged devices reach only what their identity is entitled to, through the browser, without an agent.
Precise access tracingEvery session is recorded against a named identity, device and application, so "who reached what, when, from where" is a query, not a guess.

Three Sizes, One Design Logic

Zero trust is a phased programme, not a switch. The tier decides how far to start and how much to automate:

Numbers we design around:
Start scope: pilot on the crown-jewel systems, then widen
Identity source: your existing directory / SSO, plus MFA
Device coverage: managed with agent vs unmanaged via browser
Scale tierTypical siteWhat the design includes
Small & medium enterpriseOne site · a handful of key systemsNAC on the LAN plus a hosted ZTNA broker in front of the two or three systems that matter most; identity from your existing directory with MFA. A contained, high-value first step.
Mid-size, multi-branchSeveral sites · remote and on-site staffZTNA for all remote and branch access, NAC across every site, device-posture checks, and micro-segmentation of the main application groups, all under one policy console with continuous access logging.
Large enterprise / governmentMany sites · strict compliance obligationsEnterprise-wide identity-based access, fine-grained micro-segmentation between application tiers, automated response to posture and risk changes, and audit-grade tracing mapped to your regulatory framework.

Equipment Roles (Categories, Not Models)

Zero trust is built from these categories — brand and exact products are chosen with you, after your identity source, application list and device mix are known:

RoleWhat it does
ZTNA broker / access gatewayThe decision point: verifies each request, brokers a per-app connection and enforces least privilege — the resource is never exposed directly to the client.
Identity provider & MFAUsually your existing directory / SSO, extended with multi-factor authentication — the source of truth for who a user is before any grant is made.
NAC / 802.1X access switchesEnforce admission at the wired and wireless edge, checking each device before it joins and steering it to the right segment or to quarantine.
Segmentation firewall / policy enforcementDraws the internal boundaries between application groups so a granted session to one system cannot wander into another — micro-segmentation made real.
Endpoint posture / EDR (your side)Feeds the broker a health signal — patched, encrypted, protected — so posture, not just identity, decides access. We integrate what you have rather than force a rip-and-replace.
Access log & analytics platformRecords every grant and session by identity, device and app, keeps them for your retention period and turns them into the who-reached-what evidence auditors ask for.

Send us your identity source, the applications you want to protect first and your device mix — and the product list follows. Requirements first keeps the design honest.

Design Notes & Honest Limits

Read this before you commit:
  • Zero trust is a phased programme, not a one-shot cutover. Start with a pilot on the systems that matter most, prove it, then widen. Trying to enforce it everywhere on day one will block legitimate business and turn the whole organisation against the project. We plan the rollout in stages with you.
  • Zero trust does not replace your perimeter firewall — it completes it. The edge still keeps the internet's noise, exploits and floods out; zero trust adds the inside layer the firewall was never meant to cover. You need both: one guards the boundary, the other governs identity.
  • It only works if your identity source is clean. Stale accounts, shared logins and vague group memberships become policy holes on day one. Part of the project is tidying the directory and MFA first — we flag this early because it is often the real work, not the network side.
  • Unmanaged devices get browser-level access, not full parity. A contractor's laptop can reach a specific web application through the broker, but you cannot verify its deep health the way you can a managed endpoint. We set the risk-appropriate limit for each class of device and say plainly what it can and cannot reach.
  • Continuous monitoring has legal boundaries. What you may record about user activity, and for how long, differs by country and by employment law. We implement the technical tracing and flag clearly where your legal and HR teams must confirm the policy before it goes live.

FAQ

How is this different from your Enterprise Edge Security page?
Enterprise Edge Security guards the internet boundary — firewall zoning, NAT, intrusion prevention — keeping the outside out. This page governs the inside: identity and access. The edge assumes that once you are inside you are broadly trusted; zero trust removes that assumption and authorizes every request by identity and device, granting one application at a time. They are complementary layers, not alternatives — most organisations need both.
Do we have to rip out our VPN and firewalls?
No. Zero trust is added alongside what you have and usually replaces the VPN gradually, one application group at a time, as users move to the broker. The perimeter firewalls stay — they still do the edge job. We design a migration that runs old and new in parallel so nobody loses access during the change.
How do we handle contractors and personal devices?
Through the broker, without installing your agent on their machines. An unmanaged device reaches only the specific web application its identity is entitled to, in an isolated session, and nothing else on the network. On-site, NAC steers unknown devices to a guest or quarantine segment automatically. You give partners the access they need without extending them your internal trust.
Does zero trust hurt the user experience?
Done well, it usually improves it. Users sign in once through SSO and reach their apps directly, wherever they are, without hair-pinning through a slow VPN. The extra checks — device posture, context — run in the background. The failure mode to avoid is over-tight policy that blocks legitimate work, which is exactly why we pilot, tune, then widen rather than switching everything on at once.
Where should we start?
With your crown jewels and a clean identity source. Pick the two or three systems whose breach would hurt most — finance, source code, customer records — put them behind the broker, tidy the directory and turn on MFA. That is a contained, high-value pilot you can prove in weeks. Once it works and the team trusts it, we widen coverage system by system. Send us your app list and we will propose the first phase.

Send us your identity source and the systems you most need to protect

An engineer replies with a phased zero-trust plan, a pilot scope, an identity and device outline and the equipment-category list. Requirements first — the model list follows.

WhatsApp an engineer →

Related Solutions