Why ‘Trust No One’ Is the New Standard
A closer look at the solutions from Extreme Networks and Cisco
The end of the secure perimeter
Not long ago, network security was, in a sense, simple. You built a wall around your corporate network (firewalls, VPNs, DMZ zones), and everything inside was trusted. It was tidy, if a little naïve in hindsight.
But those days are gone.
The shift to hybrid work, the move to cloud applications, the explosion of IoT devices, and increasingly creative cyberattacks have quietly made the traditional perimeter irrelevant. Employees work from home, from cafés, from different time zones entirely. Applications no longer live in a company’s own data centre; they’re scattered across multiple clouds. And attackers, for their part, have become quite good at squeezing maximum damage from a single compromised credential.
The question security teams used to ask was: ‘Is this user inside or outside our network?’ The question they should be asking now is: ‘Does this specific user, on this specific device, at this moment, actually have the right to access this particular resource?’ That shift in thinking is, more or less, what Zero Trust is about.
What Zero Trust actually means
Zero Trust is not a product. You can’t buy it off a shelf and be done with it. It’s more of a philosophy, or an architecture, a way of thinking about security that rests on three core ideas.
The first is never trust, always verify. No user or device is automatically trusted, even if they’re already inside the network. The second is least privilege access: people and systems should only be able to reach what they genuinely need, nothing more. The third is perhaps the most uncomfortable: assume breach. Operate as if an attacker is already somewhere in your network, and design your defences to limit the damage they can do.
The concept was introduced in 2010 by analyst John Kindervag from Forrester Research and later put into practice at scale by Google through their internal BeyondCorp project. Today it’s considered something of a baseline by organisations like CISA and NIST, as well as most serious IT vendors.
Why VPNs aren’t enough on their own
There’s a version of this conversation that’s awkward to have with some IT teams, particularly those who’ve invested heavily in VPN infrastructure. The honest answer, though, is that relying purely on VPNs for remote access creates a meaningful risk.
The problem is what happens after login. Once a user authenticates via VPN, they typically get broad network access, without any ongoing verification. That’s a ‘once in, always trusted’ model. And if that credential ever gets stolen, an attacker can move laterally through the infrastructure without much friction.
Zero Trust sidesteps this by re-evaluating every access request as it happens, even from users who are already logged in. Identity, device health, and context all play a role. It’s more demanding to implement, but it’s also considerably harder to abuse.
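To make the contrast concrete, here is a small added example (not code from either vendor, and not part of the original post) that evaluates the same access request under a VPN-style session model and under a per-request Zero Trust policy. The roles, resources and device attributes are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data: which resources each role legitimately needs.
# Least privilege means a role reaches only its own set, nothing more.
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineering": {"git", "ci"},
}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    device_managed: bool     # enrolled in MDM, so posture can be checked
    device_patched: bool     # OS within the patch window
    mfa_age_minutes: int     # minutes since the last MFA challenge
    geo: str                 # country code of the source address

def vpn_model(session_valid: bool, req: Request) -> bool:
    """'Once in, always trusted': the only question is whether a VPN session
    exists. Device, resource and context are never re-evaluated."""
    return session_valid

def zero_trust_model(req: Request, allowed_geos: set, mfa_max_age: int = 60):
    """Re-evaluate identity, device health and context on every request.
    Returns (decision, reason) so the denial cause is visible to the operator."""
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "least privilege: resource not in role scope"
    if not (req.device_managed and req.device_patched):
        return False, "device health: unmanaged or unpatched device"
    if req.geo not in allowed_geos:
        return False, "context: unexpected location"
    if req.mfa_age_minutes > mfa_max_age:
        return False, "identity: MFA too old, re-challenge required"
    return True, "allowed"

# Constructed scenarios for the same account, alice in finance.
LEGIT = Request("alice", "finance", "erp", True, True, 10, "GB")
# Same valid credential replayed from an unmanaged device abroad.
STOLEN = Request("alice", "finance", "erp", False, False, 5, "XX")
# Legitimate device, but reaching for a resource outside the role.
LATERAL = Request("alice", "finance", "git", True, True, 10, "GB")

def compare(req: Request):
    """Side-by-side decision: VPN session trust vs. per-request evaluation."""
    return vpn_model(True, req), zero_trust_model(req, {"GB"})
```

With a valid session the VPN model admits all three requests, while the Zero Trust policy allows only the first and reports why the other two fail.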
Extreme Networks: Universal ZTNA as a core strategy
Extreme Networks has made Zero Trust a central part of what they offer, which is worth acknowledging because plenty of vendors treat it as a feature rather than a foundation.
What makes their approach somewhat distinctive is the effort to bring network management and security into a single platform, where previously you’d have needed separate tools for each.
ExtremeCloud Universal ZTNA
The flagship product here is ExtremeCloud Universal ZTNA, which combines Network Access Control and Zero Trust Network Access in one cloud-delivered platform. At the centre of it is a single policy engine that manages both network access and application access, regardless of whether someone is working in the office, at home, or somewhere in between.
The identity-based access model means access decisions depend on who the user is, what device they’re using, and where they’re connecting from, not simply their network location. Security policies can be applied automatically across switches, access points, and cloud infrastructure, including third-party hardware, which is a practical consideration for organisations that don’t run a homogeneous environment.
There’s also a shadow IT management capability. The platform can detect which private applications employees are actually using, including unapproved AI tools, and let administrators allow or block them. I suspect that feature alone is quietly very useful for a lot of IT departments.
Integration covers the usual identity providers, Microsoft Entra ID, Google Workspace, and Okta, which keeps the onboarding process reasonably straightforward.
Extreme Platform ONE Security
In December 2025, Extreme launched Extreme Platform ONE Security, which takes the integration further by bringing network and security management together in a single place. AI is woven in to automate policy enforcement and support real-time visibility across the network. In practice, that means security policies can be pushed out to all connected devices in one action, rather than needing to configure things piece by piece.
Extreme Fabric
Extreme Fabric handles segmentation, both at the macro level and right down to individual workloads. When something changes in the network, the security policy adjusts automatically. For dynamic environments like hospitals, campuses, or manufacturing floors, where devices are constantly connecting and disconnecting, that kind of automatic adjustment is probably more useful than it might first appear.
Wi-Fi 7 and the 4000 Series switches
On the hardware side, Extreme’s 4000 Series cloud-managed switches include direct integration with ExtremeCloud Universal ZTNA through what they call ‘instant secure port’. New devices connecting to the network are immediately pulled into the Zero Trust framework without requiring manual configuration. It’s a small thing, but for larger deployments it saves a meaningful amount of time.
Cisco: Zero Trust built into the network itself
Cisco’s position in this space is a little different, as they’re one of the few vendors with genuine depth in both networking and security, which gives them the ability to anchor Zero Trust at multiple levels of the infrastructure simultaneously.
The result is a broader ecosystem, which has advantages and disadvantages. More comprehensive, certainly. Potentially more complex to deploy, depending on your environment.
Cisco Secure Access and Universal ZTNA
Cisco’s Secure Access platform sits at the centre of their Zero Trust approach. It brings together ZTNA, Secure Internet Access, and a VPN client in a single unified client. The idea is that users are protected everywhere, without needing to switch between tools depending on what they’re doing or where they are.
Cisco describes four key Zero Trust functions: establishing trust, enforcing trust-based access, continuously verifying trust, and responding when trust changes. That last one, responding when trust changes, is perhaps the bit that separates a real Zero Trust implementation from one that’s mostly theoretical.
Cisco Hybrid Mesh Firewall
Announced at Cisco Live 2025, the Hybrid Mesh Firewall is a distributed security architecture that extends Zero Trust segmentation across data centres, campus networks, and IoT environments. It works alongside Universal ZTNA to deliver consistent security across the infrastructure. For large organisations managing multiple environments simultaneously, that kind of coherence across the whole stack is genuinely hard to replicate with point solutions.
Cisco Duo: identity as a foundation
Cisco Duo handles multi-factor authentication and identity verification, and it’s probably the piece of the Cisco portfolio that most people have already encountered. It covers MFA, passwordless login, single sign-on, and device verification, all in one place.
SASE: networking and security as a single thing
Cisco’s wider vision here is their Single-Vendor SASE approach, bringing Cisco Secure Access and Catalyst SD-WAN together in one platform. The aim is consistent Zero Trust policies covering users, applications, devices, and networks, wherever they happen to be. For organisations that have spent years managing networking and security as entirely separate concerns, this kind of unified model represents a fairly significant shift in how the whole thing is run.
Securing AI agents
At Cisco Live 2026, Cisco also flagged something that’s going to matter more over time: securing AI agents. As companies deploy autonomous AI systems to handle more tasks, those systems need to be verified, monitored, and constrained in the same way any other user or device would be. Cisco is building mechanisms to register AI agents, manage their access through short-lived tokens, and flag unusual behaviour in real time. It’s early days, but it’s the right problem to be thinking about.
Extreme vs. Cisco: a quick comparison
Neither vendor is objectively better. They’re targeting slightly different problems, and the right choice depends a lot on your organisation’s size, complexity, and existing infrastructure.
| Category | Extreme Networks | Cisco |
|---|---|---|
| Core solution | ExtremeCloud Universal ZTNA | Cisco Secure Access + Duo |
| Approach | Network & security in one platform | Broad ecosystem of specialised tools |
| Key strengths | Simplicity, fast deployment, hardware integration | Scalability, enterprise-grade, full SASE |
| AI integration | Agentic AI for policy automation | AI agent security, Shadow AI management |
| Target audience | Mid-to-large organisations, campuses | Enterprise, government, multi-cloud |
| Identity providers | Microsoft Entra, Google Workspace, Okta | Cisco Duo + external IdPs |
| On-premises support | Yes, with cloud + on-prem NAC | Yes, with hybrid private access |
Zero Trust is no longer optional
This isn’t a trend or a marketing cycle. Zero Trust is a genuine response to the way the threat landscape and working patterns have changed over the past decade or so. The traditional network perimeter doesn’t really exist anymore, and the security model built around it is struggling to keep up.
Extreme Networks makes a compelling case for organisations that want speed and simplicity: one platform, one policy engine, and hardware that connects cleanly to the security strategy. If you want to move quickly without getting tangled up in a complex implementation project, that’s probably the more attractive path.
Cisco offers something different: depth and breadth across the full infrastructure, from identity through to network, applications, and now AI workloads. For large, complex environments with demanding security requirements, that level of coverage is difficult to match.
Either way, the direction of travel is clear. Every day an organisation still operates on the assumption that everything inside the network is trustworthy is, frankly, a day that attackers can take advantage of. The switch to Zero Trust isn’t a question of if anymore; it’s a question of how quickly you get there.
Before you can control access, you need to know what’s there
There’s a step that often gets skipped in Zero Trust conversations, and it tends to come back to bite organisations later. Before any policy engine can decide who gets access to what, it needs an accurate picture of everything connected to the network. Not just the laptops and servers you know about, but the IoT sensors, the ageing printer in the corner, the device someone plugged in six months ago and forgot about. In practice, that inventory is almost never complete.
That’s where a tool like runZero becomes relevant. It’s an asset discovery and exposure management platform that scans your entire network without needing agents installed on every device or credentials for every system, and builds a full picture of what’s actually there: IT, OT, IoT, cloud, mobile. The reasoning is straightforward enough. Zero Trust policy engines are only as good as the asset data they’re working from. If a device isn’t in your inventory, it doesn’t get a policy applied to it, and it becomes exactly the kind of quiet entry point that attackers look for. runZero feeds that foundation layer, so that by the time tools like ExtremeCloud ZTNA or Cisco Secure Access start enforcing access rules, they’re working from a complete and current picture of the network rather than an optimistic one.
Ready to get started?
If this has got you thinking about where your organisation actually stands, that’s probably the right reaction. Most networks have more unknown devices, more gaps in policy coverage, and more legacy assumptions baked in than people realise until they start looking. The good news is that you don’t have to figure it out alone.
Damovo is a key partner for Extreme Networks, Cisco, and runZero, which means they can help you approach Zero Trust as a complete process rather than a collection of separate tools. Whether you’re starting with a visibility assessment to understand what’s actually on your network, or you’re further along and looking to tighten up access controls and segmentation, Damovo has the experience to guide you through it. If you’d like to talk through where to begin, or what a realistic roadmap might look like for your environment, get in touch with the team.
Sources
Extreme Networks — extremenetworks.com/resources/blogs/extreme-platform-one-security
Extreme Networks — extremenetworks.com/solutions/security/ztna
Cisco Newsroom — cisco.com (Cisco Live 2025 announcements, June 2025)
Cisco Blogs — blogs.cisco.com/cisco-on-cisco/cisco-its-zero-trust-evolution (November 2025)
Business Wire — Extreme Networks Universal ZTNA enhancements (October 2024)
ScienceDirect — Zero Trust Networks: Evolution and Application (February 2025)