Infrastructure Zero Trust Architecture
Pillar 06 · Zero Trust

Identity is the new perimeter.

VPN grants network-layer access to a user's whole device context. Zero Trust grants application-layer access only to what the user's identity and device posture earn. Netcom designs the identity fabric, the ZTNA broker, and the segmentation policy that make it real.

0 implicit-trust zones — every request authenticated, every session scoped
4 ZTNA platforms we design on — Zscaler, Cloudflare, FortiClient, Cisco Duo
CISA Zero Trust Maturity Model — we map your current state to the pillars
[Figure: Zero Trust · Identity Broker. Zero Trust reference architecture with IdP, posture check, ZTNA broker, and microsegmented resources]
The Problem

VPN was never a security boundary. It was a convenience tunnel.

Once a remote user connects via VPN, they're inside the perimeter. Their laptop gets an internal IP. Everything on the corporate LAN is one network-layer hop away. If that laptop is compromised — unpatched OS, malware-laced browser extension, stolen credentials — the attacker now has lateral-movement potential across your entire network.

Zero Trust inverts the model. There's no perimeter. Every access request — from a laptop in the office, a phone at an airport, or a server-to-server API call — authenticates the identity, checks the device posture, and is authorized only for the specific application or resource it needs. Network location grants nothing. Identity + posture + policy grant everything.

The mistake most organizations make: "we bought Okta, we're zero trust." SSO is table stakes. Real zero trust requires an identity provider plus a posture-check agent plus a ZTNA broker plus microsegmentation inside the data center and cloud. Netcom designs all four layers so they actually enforce policy — not just log it.
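To make the decision flow above concrete, here is an added illustration (not Netcom's code and not any vendor's API) of how a ZTNA broker evaluates a single request: the IdP's identity assertion, the MFA method, the posture agent's device facts and a per-application policy decide the outcome, while the source IP is recorded but carries no weight. The policy values, group names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccessRequest:
    user: str                  # subject asserted by the IdP (SAML/OIDC)
    groups: frozenset          # group claims carried in the assertion
    mfa_method: Optional[str]  # "webauthn", "push", or None if MFA not completed
    device_registered: bool    # posture agent has enrolled this device
    patch_age_days: int        # days since last OS patch, reported by posture agent
    source_ip: str             # kept for audit only; never used for the decision
    app: str                   # the single application being requested

# Constructed per-app policy: authorized groups, whether MFA must be
# phishing-resistant, and how stale the device's patches may be.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "phishing_resistant": True, "max_patch_age": 14},
    "wiki": {"groups": {"staff"}, "phishing_resistant": False, "max_patch_age": 30},
}
PHISHING_RESISTANT = {"webauthn", "hardware_token"}

def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reason); no 'inside the network' shortcut, source_ip is ignored."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if req.mfa_method is None:
        return False, "MFA not completed"
    if policy["phishing_resistant"] and req.mfa_method not in PHISHING_RESISTANT:
        return False, f"{req.app} requires phishing-resistant MFA, got {req.mfa_method}"
    if not req.device_registered:
        return False, "device not registered with the posture agent"
    if req.patch_age_days > policy["max_patch_age"]:
        return False, f"patches {req.patch_age_days}d old, limit {policy['max_patch_age']}d"
    if not (req.groups & policy["groups"]):
        return False, f"{req.user} holds no authorized group for {req.app}"
    # The grant covers this one app only; reaching wiki says nothing about payroll.
    return True, f"{req.user} -> {req.app} (session scoped to {req.app})"

# Constructed sample requests: one from the corporate LAN without MFA, three
# from an airport. Network location changes nothing; posture and MFA do.
LAN_NO_MFA = AccessRequest("alice", frozenset({"finance"}), None, True, 3, "10.20.0.15", "payroll")
AIRPORT_OK = AccessRequest("alice", frozenset({"finance"}), "webauthn", True, 3, "203.0.113.7", "payroll")
AIRPORT_STALE = AccessRequest("alice", frozenset({"finance"}), "webauthn", True, 40, "203.0.113.7", "payroll")
PUSH_WIKI = AccessRequest("bob", frozenset({"staff"}), "push", True, 3, "203.0.113.9", "wiki")

if __name__ == "__main__":
    for r in (LAN_NO_MFA, AIRPORT_OK, AIRPORT_STALE, PUSH_WIKI):
        allowed, reason = decide(r)
        print("ALLOW" if allowed else "DENY ", r.source_ip, r.app, "-", reason)
```

The LAN request is denied and the airport request is allowed, which is the inversion the text describes: the internal IP buys nothing, and the grant is for one application rather than a network.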

Three maturity stages. Specific vendor stacks.

Zero Trust is a journey, not a product. Each tier below is a realistic starting point based on where your organization is today.

Okta + Duo + Cloudflare Access
Identity-first starter: SSO for every app, MFA everywhere, and Cloudflare Access in front of internal web apps. Replaces client VPN for 80% of workloads in 90 days.
Stage 1 · organization is on SSO but still VPN-dependent for internal apps

Identity + ZTNA starter — retire 80% of VPN in 90 days

The fastest first step. Land every SaaS and internal web app behind an identity provider with enforced MFA. Put Cloudflare Access or Duo Network Gateway in front of internal web applications so they're reachable via identity-aware proxy — no VPN required. The VPN stays for legacy non-web protocols, but 80% of remote-access traffic moves off it within the first quarter.

Role | Vendor & Model | Notes | License
Identity provider (IdP) | Okta Workforce Identity · Microsoft Entra ID | SSO · lifecycle management · SAML/OIDC | Per-user
MFA | Duo Security · Okta Verify | Push · WebAuthn · phishing-resistant | Per-user
ZTNA for internal web apps | Cloudflare Access · Duo Network Gateway | Identity-aware reverse proxy · no client install | Per-user
Endpoint posture (lite) | Duo Device Trust · Cloudflare WARP | Device registration · OS/patch checks | Per-device
Legacy VPN (retained) | Existing FortiGate / Meraki SSL VPN | For non-web protocols until Stage 2 | Existing

Which zero-trust stack for which starting point.

The recommendation depends on your identity provider, your security estate, your regulatory profile, and how much VPN baggage you're carrying. Here's how Netcom thinks about it.

Starting point | Primary | Alternates
Microsoft 365 shop · Entra ID in place | Entra Conditional Access + Defender | Okta + Zscaler
Okta-estate customer · SaaS-heavy | Okta + Cloudflare Access / Zscaler | Okta + Duo Network Gateway
Fortinet-estate · fabric-consistent | FortiClient ZTNA + FortiGate | Zscaler + FortiGate termination
Cisco-estate · Duo and ISE in place | Duo + Cisco Secure Access | Cisco SSE + ThousandEyes
Fast retirement of SSL VPN | Cloudflare Access | Zscaler Private Access · Twingate
Regulated · financial services · HIPAA | Zscaler ZPA + CrowdStrike + SailPoint | Palo Alto Prisma Access + Wiz
Government / DoD · CMMC 2.0 Level 2+ | FedRAMP-authorized stack (per contract) | Microsoft GCC High · Zscaler Gov
Software microsegmentation (VMs + cloud) | Illumio Core | Guardicore · VMware NSX
Hardware microseg in the data center | Aruba CX 10000 | Cisco ACI · Arista MSS-T
Cloud-native · Kubernetes workloads | Istio / Linkerd service mesh + Wiz | Consul + Prisma Cloud

What Netcom delivers

  • Zero Trust Maturity assessment mapped to the CISA Zero Trust Maturity Model
  • Identity provider architecture — primary IdP selection, federation, lifecycle
  • MFA rollout with phishing-resistant methods (WebAuthn, hardware tokens)
  • ZTNA broker design and deployment with posture integration
  • Application inventory and ZTNA-readiness scoring — which apps to onboard first
  • VPN retirement sequence — phased cutover with rollback criteria
  • Microsegmentation policy model (if Stage 3) with label taxonomy and enforcement plan
  • Optional managed service: 24/7 monitoring via our NOC partner with Netcom as your named engineer, policy change management, quarterly access reviews

Our design process

  • Discovery: application inventory, user directory, device fleet, current VPN dependencies
  • Maturity scoring against CISA ZTMM pillars (Identity, Device, Network, Apps, Data)
  • Gap analysis with quick wins and strategic investments labeled
  • Target architecture selection based on existing estate and regulatory profile
  • Pilot cohort: one department, one critical app, VPN-off by end of pilot
  • Rollout sequence prioritized by business value and technical complexity
  • Operational runbook: access reviews, policy change control, incident response
  • Measurement: VPN concurrent-user decline, ZTNA adoption rate, posture compliance %

Where identity-first access stops being optional.

Verticals where VPN can no longer carry the regulatory weight, and where clinician, officer, engineer, and faculty mobility needs better guardrails than network-layer trust.

Ready to retire VPN for good?

Send us your app inventory and a rough user count. Within 10 business days you'll get a maturity assessment, a target architecture, and a phased VPN-retirement plan.