ZTNA for Enterprise 5G: Why Action Must Be Taken
Zero Trust Network Access (ZTNA) is an essential component of a Zero Trust Architecture (ZTA). The access decision happens the moment a device attempts to join the network, before it can send a single packet, and that gate matters most on critical networks. The question is always the same: can you verify who is asking for access, and should they get it?
For every other network in your organization (wired, Wi-Fi, cloud) you already have a way to answer it: identity-based, certificate-based, or signature-based authentication, enforced through RADIUS, NAC, MDM, and the rest of the stack you have already deployed.
Private 5G/LTE asks the same question. Most enterprises don’t have an answer.
ZTNA Depends on Device Identity. Not Every Device Can Provide One.
Zero Trust Network Access works by binding access decisions to verified device identity. The mechanism varies, but the logic is consistent: when a device reaches the network, it presents a credential that can be validated. If it can’t, it doesn’t get in.
There are two classes of devices, and they require fundamentally different approaches.
Managed Devices: Certificate-Based Identity
Managed endpoints (laptops, smartphones, corporate tablets) can carry a certificate issued by your PKI. At connection time the certificate is presented, validated against a known CA, and the device is granted access according to policy. The identity assertion is cryptographically strong and the enforcement is clean.
This works because the device has an OS capable of storing and managing certificates and an agent (or supplicant) capable of participating in the authentication exchange. Deploy a certificate to the SIM or device, integrate with your NAC, and ZTNA works exactly as designed.
Unmanaged Devices: Signature-Based Identity
The devices that make private 5G networks operationally valuable (PLCs, sensors, safety controllers, AGVs, industrial routers, medical equipment) cannot carry a certificate. For these devices, identity has to be constructed, not presented. That means building a signature from the device's unique identifiers and observable characteristics: radio behavior, IMEI, connection patterns, attributes that are stable, specific to that device, and cannot be transferred by swapping a SIM. No single attribute should carry the decision on its own; an IMEI, for example, can be rewritten on some cellular modules, so the signature should combine several independent characteristics.
This signature becomes the identity assertion. At connection time, the device's observed characteristics are matched against its known signature. If they align, access is granted; if they diverge, the SIM is treated as sitting in hardware you did not provision and the connection is refused.
“I Have a SIM Card. Why Isn’t That Enough?”
You Trust the SIM, Not the Device
SIM authentication is a good start, but it proves possession of the subscription credentials, not which hardware they are in: you are trusting the SIM, not the device. SIMs get moved, especially with eSIMs and at-scale rollouts. They get reassigned when devices are swapped out. They end up in unauthorized hardware through operational error or deliberate action.
The Device on Your Network Isn’t Always the Device You Provisioned
A significant portion of OT and IoT devices don’t connect to private 5G directly. They connect through a dongle or a cellular router, a gateway device that holds the SIM and manages the cellular session on behalf of the endpoints behind it.
From the mobile core’s perspective, there is one device on the network: the router. From an operational perspective, there could be five endpoints sitting behind it. None of them are visible to your network security stack, none have been individually authorized, and any of them could be swapped out without the cellular connection being affected at all.
Your ZTNA policy was applied to the gateway. The assets you actually care about are behind it, outside the access control boundary entirely.
Your Existing ZTNA Solution Just Doesn’t Cover This
Most enterprises deploying private 5G already have a mature Zero Trust access control stack. Cisco ISE for wired and wireless. An MDM platform for managed endpoints. A ZTNA solution for remote access. These tools work. They cover every network in the organization.
Private cellular is the exception. Because of how cellular networks are architected, the admission decision is made by the cellular core, which authenticates the SIM; that exchange never passes through 802.1X, RADIUS, or an MDM agent, so your security products sit outside the path where the connection decision is actually made. As a result, the tools you have invested in (MDMs, ISE, and other ZTNA solutions) have no enforcement point here.
The result is a network that operates entirely outside the access control framework the organization has built, not as an oversight, but as a structural gap the existing tooling was never designed to close.
The Right Way to Solve It
The solution follows directly from the problem. ZTNA for private cellular requires enforcing access decisions at the cellular connection layer, validating the device (and, where applicable, its certificate) before it is ever permitted to send data.
Enforce at the connection layer, not post-connection. The right enforcement point in private cellular is the authentication handshake with the mobile core, before the device is granted a bearer and before it can send traffic. Post-connection controls have their place, but they are compensating for a gap that should be closed upstream. Access decisions belong at the moment of access. Consider creating a staging area or DMZ to validate the device before it enters the network.
Use the right identity model for the device class. Managed devices with certificates get certificate-based validation, the same strong identity assertion that works everywhere else in your Zero Trust architecture. Unmanaged devices get signature-based validation: SIM identity combined with a device fingerprint built from unique identifiers and observable characteristics. Both paths produce a verified identity assertion. Both enforce access policy before the device reaches the network.
Extend the existing stack, don’t build a parallel one. The enterprise already has a Zero Trust architecture. The objective is to bring private cellular inside it, not to create a separate security silo for the cellular domain. That means surfacing cellular connection events and policy decisions into the same SIEM and SOAR workflows the security team already operates, aligning cellular access policy with the same segmentation principles governing the rest of the network, and giving the security team the same visibility and control over private cellular devices that they have over everything else.
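The following is an added example, not OneLayer's code or code from the article, showing the three steps above as one attach-time policy check for unmanaged devices: the SIM identity the core authenticated is bound to a provisioned device, a signature built from stable hardware attributes is compared with the one captured at enrolment (so a rewritten or cloned IMEI alone does not pass), the requested data network is checked against the device's segmentation policy, and each decision is emitted as a JSON line a SIEM can ingest alongside wired and Wi-Fi NAC logs. Gateway SIMs are flagged on allow because the endpoints behind them were not individually verified. The inventory, attribute names (`band`, `ue_category`, `dnn`) and all identifiers are constructed for illustration; a real core exposes different fields, and how the decision is fed back to the core is deployment-specific.

```python
"""Attach-time ZTNA decision for private cellular: SIM identity + device fingerprint.

Added example, not OneLayer's code or the article's.  The inventory, attribute names
and identifiers below are constructed for illustration; a real core exposes other fields.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: each SIM (IMSI) is bound to the device it was provisioned in and
# to the stable attributes captured at enrolment.  "kind" marks cellular routers whose
# single SIM fronts several endpoints the core cannot see individually.
INVENTORY = {
    "001010000000101": {"asset": "plc-line3", "kind": "endpoint", "imei": "359123456789012",
                        "band": "n48", "ue_category": "cat-12", "dnn": "ot-line3"},
    "001010000000102": {"asset": "cell-router-dock2", "kind": "gateway", "imei": "359987654321098",
                        "band": "n48", "ue_category": "cat-4", "dnn": "ot-dock"},
}

# Attributes specific to the hardware that do not travel with the SIM.
STABLE_ATTRS = ("imei", "band", "ue_category")


def fingerprint(attrs: dict) -> str:
    """Signature over the stable attributes.  IMEI alone is not enough: on some cellular
    modules it can be rewritten, so the signature folds in radio capabilities that a
    substitute device is unlikely to reproduce consistently."""
    canonical = json.dumps({k: attrs[k] for k in STABLE_ATTRS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    asset: Optional[str] = None
    gateway: bool = False


def evaluate_attach(request: dict) -> Decision:
    """Decide at attach time, before a bearer / PDU session is granted.

    `request` is what the core reports for the UE after AKA succeeded: imsi, imei, band,
    ue_category and the requested dnn.  AKA proved the SIM is genuine; nothing here
    assumes it proved anything about the hardware the SIM is sitting in."""
    expected = INVENTORY.get(request["imsi"])
    if expected is None:
        return Decision(False, "unknown_sim")
    if request["imei"] != expected["imei"]:
        # Genuine SIM, wrong hardware: moved, reassigned or inserted into a rogue device.
        return Decision(False, "sim_moved_to_unprovisioned_device", expected["asset"])
    if fingerprint(request) != fingerprint(expected):
        # IMEI matches but the radio profile does not: rewritten IMEI or a different module.
        return Decision(False, "fingerprint_mismatch", expected["asset"])
    if request["dnn"] != expected["dnn"]:
        # Right device, but asking for a data network its segmentation policy does not allow.
        return Decision(False, "dnn_not_authorized", expected["asset"])
    return Decision(True, "identity_verified", expected["asset"], expected["kind"] == "gateway")


def siem_event(request: dict, decision: Decision) -> str:
    """One JSON line per attach decision, shaped like the NAC logs the SOC already ingests.
    A gateway allow is flagged because the endpoints behind it were not individually verified."""
    return json.dumps({
        "source": "private-5g-ztna",
        "action": "allow" if decision.allow else "deny",
        "reason": decision.reason,
        "asset": decision.asset,
        "imsi": request["imsi"],
        "imei": request["imei"],
        "dnn": request["dnn"],
        "gateway_endpoints_unverified": decision.gateway,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed attach requests: the provisioned PLC, the same SIM moved into the router's
    # hardware, and a device that reproduces the PLC's IMEI but not its radio category.
    plc = {"imsi": "001010000000101", "imei": "359123456789012",
           "band": "n48", "ue_category": "cat-12", "dnn": "ot-line3"}
    for req in (plc, dict(plc, imei="359987654321098"), dict(plc, ue_category="cat-4")):
        print(siem_event(req, evaluate_attach(req)))
```

The order of the checks is deliberate: the SIM-to-hardware binding is tested before the fuller fingerprint so that the most common operational event (a SIM that was simply moved) gets its own reason code, and the data-network check runs last so that a correctly identified device asking for the wrong segment is reported as a policy violation rather than an identity failure. The deny reasons are the fields a SOAR playbook would key on.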
OneLayer operates as that bridge. It integrates with the mobile core to intercept and validate every connection request, applying certificate-based validation for managed devices and signature-based fingerprinting for unmanaged ones, and surfaces every decision into the enterprise security stack. The private cellular network stops being an exception to Zero Trust and becomes a fully governed part of it.
Your MDM covers managed endpoints. Your ISE covers 802.1X-capable devices. Your private 5G network connects everything else. Until the cellular connection layer is part of your Zero Trust architecture, it operates outside the framework you’ve built.
That gap is closable. The enforcement point exists. The identity model is clear. Integrating with your existing stack is how it gets done.