Why network security remains essential to Zero Trust in distributed environments

For years, Zero Trust has been presented as the modern answer to enterprise security: verify identity, restrict access, remove implicit trust, and enforce policy consistently. That strategic direction remains sound.

However, as Forrester analysts note in their 2026 report, Zero Trust Domains: Secure Your Distributed Networks, many organizations interpreted this shift to mean that the network mattered less and redirected their attention primarily to identity. The assumption that the network would fade into the background as identity and cloud security took center stage is misleading.

Main role, not a supporting act

Instead, the network remains central to how Zero Trust works in practice. What has changed is not its importance, but its role. It is no longer just a perimeter to defend; it has become a distributed enforcement layer across users, applications, clouds, devices, and data flows.

That is what makes this report so timely. Forrester’s core message is not nostalgic. It is not a call to go back to perimeter-centric security. It is a recognition that, in modern environments, trust decisions still have to be enforced somewhere, and data still moves through real paths that can be inspected, segmented, controlled, and protected.

Hybrid work, SaaS adoption, cloud interconnection, IoT, and legacy systems did not reduce the importance of the network. They expanded the number of places where the network matters. As the report argues, traffic routes across on-premises, cloud, and hybrid environments remain attack surfaces, which means organizations still need network-level visibility, policy enforcement, and segmentation if they want their Zero Trust strategy to hold up in the real world.

Where Zero Trust gets harder in practice

This is where the discussion becomes more operational and certainly more interesting. The real issue is not whether organizations have bought enough Zero Trust tools. In many cases, they already have ZTNA for user access, SWG for web traffic, CASB for cloud control, firewalls still operating in parallel, and some mix of segmentation and endpoint technologies. The problem is not a lack of capability; it’s fragmentation. These controls often live in different consoles, follow different policy models, and are managed by different teams.

That is also why the Open Systems point of view is so simple: Zero Trust does not usually fail at the strategy level. The real gap is not architectural intent, but operational coherence, making sure policies, controls, and responsibilities stay aligned across the full security stack. This highlights a broader reality: Zero Trust is no longer just an architectural concept, it’s an operational discipline.

Seen through that lens, the network’s new role is not just technical. It is organizational. Identity can tell you who should have access. Endpoint tools can help assess device posture. But neither of those alone gives you full control over what is actually happening in motion between users and applications, across workloads, or between cloud and on-premises environments.

That is why Forrester places so much emphasis on segmentation, traffic visibility, and integrated enforcement. Network controls are still where organizations can reduce lateral movement, observe suspicious communication patterns, and apply policy consistently across distributed paths. In other words, the network is no longer the outer wall. It is the connective tissue through which trust decisions are applied.

This also explains why SASE matters, and why SASE alone is not the finish line.

Forrester points to the value of SASE and related controls in enforcing secure access, improving visibility, and supporting consistent policy across distributed environments. That matters. But many organizations have discovered that adopting SASE does not automatically remove operational complexity. In practice, SASE can become another layer on top of existing controls rather than the operating model that brings them together. That is where Open Systems raises the stakes: convergence is valuable, but convergence without operational integration still leaves customers with overlapping policies, handoffs between teams, and uncertainty over who owns the outcome when something changes or fails.

From architecture to operational maturity

If that is true, then the next phase of Zero Trust maturity is not about adding more point controls. It is about making the existing control system work coherently. Forrester’s advice points in that direction: integrate network security with adjacent controls, standardize segmentation and access policies, formalize policy design across enforcement points, and treat secure networking as a strategic enabler rather than a compliance checkbox.

These are not just procurement recommendations. They are operating-model recommendations. They imply shared workflows, centralized policy logic, better visibility across environments, and the discipline to continuously adapt policy as users, applications, risks, and business requirements change.

For security leaders, that leads to a more practical set of questions. Not “Do we have Zero Trust tools?” but:

  • Can we enforce policy consistently across cloud, branch, campus, remote users, and workloads?
  • Can we see how traffic actually moves between critical environments?
  • Have we reduced fragmentation, or just accumulated more layers?
  • Do we know who owns policy coordination across access, segmentation, inspection, and response?
  • And can we run that model continuously, not just deploy it once?

These questions are especially relevant for organizations dealing with hybrid architectures, operational technology, regulatory pressure, and growing AI-related traffic, all of which expand the number of places where network-aware enforcement matters. This also reinforces a broader point: Zero Trust maturity depends not only on technology choices, but on assessment, roadmap clarity, and the ability to align security operations day to day.

The most useful takeaway from the Forrester report is not simply that network security still matters. It is that the network has evolved from infrastructure into a control fabric for Zero Trust.

That shift has consequences. It means network security must interoperate with identity, endpoint, cloud, and data controls. It means segmentation and visibility have become more –not less – important in distributed enterprises. And it means Zero Trust maturity now depends as much on operational coordination as on architectural intent.

This report is worth reading in full and we are happy to share it. It offers a strong framework for understanding why the network remains foundational to Zero Trust, even as the enterprise edge continues to evolve.

Our perspective at Open Systems is that this research also points to the next challenge: the market does not need more Zero Trust theory. It needs a stronger way to run Zero Trust end to end. The network never stopped mattering. It just changed role – and now the real question is whether organizations are prepared to operate that new reality consistently.

Information in Forrester publications is based on Forrester’s efforts to compile and analyze the best resources reasonably available to Forrester at any given time. Opinions reflect judgment at the time and are subject to change.  This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance.