A unified approach to access control with NAC and ZTNA

In a world where work is no longer confined to an office or a network perimeter, traditional security models are under pressure. The password, once seen as the cornerstone of user authentication, has become one of the weakest links in cybersecurity.
As organisations adopt hybrid working, cloud applications, and remote connectivity, verifying identity and access has become far more complex.

Cyber attackers have adapted faster than many security strategies. Compromised credentials now account for a significant percentage of global breaches, often granting attackers legitimate access without triggering alarms. In South Africa, this risk is amplified by widespread remote connectivity and increased regulatory scrutiny under the Protection of Personal Information Act (POPIA).

The challenge is clear: how do you grant access to legitimate users while preventing unauthorised entry from compromised accounts or devices?
The answer lies in moving beyond passwords and adopting a unified access-control model built on Network Access Control (NAC) and Zero Trust Network Access (ZTNA).

The limits of traditional access control

Traditional access control relies on the assumption that users and devices within a corporate network are trustworthy. Once authenticated, they are often granted broad access to internal resources.
This perimeter-based model made sense when users and servers were physically located in the same building and data remained within the organisation’s own network.

However, today’s environment is distributed. Employees work remotely, applications are hosted in multiple clouds, and third parties frequently connect to internal systems. The old perimeter has dissolved, leaving security teams with limited visibility and inconsistent control.

Passwords, VPNs, and static policies cannot keep pace with this complexity. A single stolen password or compromised device can now provide attackers with unrestricted access across networks, systems, and cloud environments.

To regain control, organisations must adopt a dynamic, identity-centric approach that evaluates who is connecting, what they are connecting from, and how that connection behaves.

Understanding Network Access Control (NAC)

Network Access Control (NAC) provides the foundation for verifying devices before they connect to a network. It ensures that only authorised, compliant, and healthy devices are granted access.

NAC solutions authenticate both users and endpoints at the moment of connection, applying security policies based on role, device type, and posture. For example, a corporate laptop that meets compliance standards may receive full access, while a personal device may be restricted to guest Wi-Fi.

The key benefits of NAC include:

  • Device visibility: NAC identifies every device on the network, including unmanaged or rogue endpoints.
  • Policy enforcement: Access is determined by dynamic rules based on device posture, authentication, and context.
  • Compliance alignment: NAC supports audit and reporting requirements under frameworks such as POPIA, ISO 27001, and Joint Standard 2 of 2024.

By acting as the bouncer at the door, NAC ensures that only verified devices can enter the network. However, once inside, it must be complemented by another layer of control that governs what users can access. This is where ZTNA becomes essential.

Zero Trust Network Access (ZTNA): security beyond the perimeter

Zero Trust Network Access (ZTNA) extends the concept of access control into the application layer. Instead of granting network-wide access through a VPN, ZTNA connects users directly to specific applications based on identity, device posture, and policy context.

The principle of Zero Trust is simple: never trust, always verify.
Every connection request is authenticated, authorised, and continuously validated. If the device posture changes or the user behaviour deviates from expected patterns, access is re-evaluated or revoked.

ZTNA effectively replaces legacy VPNs with a model that:

  • Grants access only to authorised applications, not the entire network
  • Hides infrastructure from public exposure by eliminating broad IP visibility
  • Enforces least-privilege access across cloud, on-premises, and hybrid environments
  • Integrates with multi-factor authentication (MFA) and identity providers for adaptive control

This approach significantly reduces the attack surface. Even if an attacker compromises credentials, they gain access only to the specific resource associated with those credentials, not the full network.

NAC and ZTNA: stronger together

While NAC and ZTNA serve different layers of the security stack, they are most powerful when combined.
NAC verifies the device before it connects to the network, while ZTNA verifies the user and application once access is requested.

Together, they form a unified access-control framework that ensures:

  • Only healthy, compliant devices connect to the network
  • Only verified users access authorised applications
  • Access decisions are dynamic and context-aware
  • Visibility extends from the endpoint to the cloud

This integrated approach closes a long-standing gap in many organisations where network and identity management operate in silos.
By consolidating these functions, security teams gain a single view of who is connecting, from where, and to what resource.
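As an added illustration (not code from the article or from Northbound Networks), the following Python sketch models the two layers described above: a NAC step that classifies a device into a network tier from its posture, and a ZTNA step that makes a per-application, least-privilege decision and can be re-run against live sessions so that a posture change revokes access. All device attributes, roles, applications and the policy table are constructed examples.

```python
from dataclasses import dataclass

# Constructed illustration: NAC (posture -> network tier) feeding ZTNA
# (per-application decision). Policy data below is hypothetical.

@dataclass
class Device:
    managed: bool
    os_patched: bool
    edr_running: bool
    disk_encrypted: bool

@dataclass
class User:
    name: str
    roles: frozenset
    mfa_verified: bool

def nac_tier(dev: Device) -> str:
    """NAC layer: classify the endpoint at connection time from its posture."""
    if not dev.managed:
        return "guest"        # personal device: guest Wi-Fi only
    if dev.os_patched and dev.edr_running and dev.disk_encrypted:
        return "corporate"    # compliant corporate laptop: full network access
    return "quarantine"       # managed but non-compliant: remediation segment

# ZTNA layer: each application lists the roles, MFA requirement and NAC tiers it accepts.
APP_POLICY = {
    "hr-portal": {"roles": {"hr"}, "mfa": True, "tiers": {"corporate"}},
    "wiki": {"roles": {"hr", "staff"}, "mfa": False, "tiers": {"corporate", "guest"}},
}

def ztna_decision(user: User, dev: Device, app: str) -> tuple:
    """Return (verdict, reason); every path is explicit so it can be written to an audit log."""
    pol = APP_POLICY.get(app)
    if pol is None:
        return "deny", "unknown application (default deny)"
    tier = nac_tier(dev)
    if tier not in pol["tiers"]:
        return "deny", f"device tier '{tier}' not permitted"
    if not (user.roles & pol["roles"]):
        return "deny", "role not authorised for application"
    if pol["mfa"] and not user.mfa_verified:
        return "deny", "MFA required"
    return "allow", f"{user.name} via {tier} tier"

def reevaluate_sessions(user: User, dev: Device, active_apps: list) -> tuple:
    """Continuous validation: re-run the decision for every live session.
    Returns (apps still allowed, {revoked app: reason})."""
    kept, revoked = [], {}
    for app in active_apps:
        verdict, reason = ztna_decision(user, dev, app)
        if verdict == "allow":
            kept.append(app)
        else:
            revoked[app] = reason
    return kept, revoked
```

Calling `reevaluate_sessions` on a timer or on each posture event is what turns a one-time login check into the continuous re-evaluation the Zero Trust model requires.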

How unified access control supports compliance and governance

For South African organisations, regulatory compliance is more than a technical checkbox.
Under POPIA and Joint Standard 2 of 2024, financial and professional services firms are required to implement ongoing monitoring, access restriction, and event logging.

NAC and ZTNA directly support these obligations by:

  • Providing complete audit trails: Each connection is logged, showing which user or device accessed specific resources.
  • Enforcing least privilege: Access is granted based on necessity and automatically revoked when no longer required.
  • Supporting continuous monitoring: Real-time posture assessment ensures compliance with internal security baselines.
  • Reducing insider threat risk: Segmentation and visibility limit lateral movement, even for authorised users.

By building these controls into the access layer, organisations simplify compliance reporting and strengthen governance without increasing complexity.

Implementing a unified access-control strategy

Transitioning to a unified NAC and ZTNA model does not need to happen all at once. The process can be phased to align with business priorities and technical readiness.

Step 1: Assess the current environment

Identify all access points, devices, and applications that connect to the corporate network. Map out unmanaged or third-party endpoints that may bypass existing controls.

Step 2: Establish device visibility with NAC

Deploy NAC to create an inventory of connected devices. Begin with discovery mode, then move to policy enforcement once baselines are established.

Step 3: Define identity and application access policies

Integrate identity providers (such as Azure AD or Okta) to centralise authentication. Establish policies that match user roles with application access requirements.

Step 4: Introduce ZTNA for remote and cloud access

Replace broad VPN access with ZTNA gateways that connect users directly to applications. Ensure posture checks are performed continuously.

Step 5: Integrate and automate

Link NAC and ZTNA systems for unified policy enforcement. Automate incident response actions such as quarantining devices or revoking access based on behavioural anomalies.

Step 6: Monitor, review, and improve

Continuously assess metrics such as access request volume, policy violations, and device compliance rates. Use this data to refine security posture and demonstrate compliance maturity.

Practical benefits of unified access control

Beyond compliance, the business value of unified access control is clear:

  • Reduced risk of unauthorised access: Attackers cannot move laterally within the network.
  • Enhanced operational efficiency: Automated policy enforcement reduces manual oversight.
  • Improved user experience: Employees access only the resources they need, through secure, seamless connections.
  • Scalability for hybrid work: Policies follow users and devices wherever they connect.
  • Stronger incident response: Integration with SOC workflows enables faster containment.

By adopting this model, organisations transform access control from a static process into a living, adaptive system that supports resilience and trust.

Moving beyond passwords

The future of cybersecurity lies in continuous verification, not single sign-on. Passwords will remain a part of authentication, but they can no longer serve as the first or only line of defence.

By combining the device-level enforcement of NAC with the user and application-level intelligence of ZTNA, organisations can ensure that every connection is verified, every device is assessed, and every session is protected.

Access control is no longer about where the user is connecting from, but whether they should be connecting at all.

Northbound Networks helps South African businesses implement unified access control that integrates NAC, ZTNA, and Secure SD-WAN for end-to-end protection.
