Nile adds microsegmentation and native NAC to its secure NaaS platform

Network World [Unofficial] March 19, 2026

Nile was founded on the idea that enterprise networking had become too complex and too difficult to consume. The company built its Nile Access Service platform on a subscription-based NaaS model, delivering wired and wireless campus infrastructure with zero-trust security and autonomous operations. It has grown to more than 150 customers across 30 countries.

Nile is now expanding its Nile Access Service with several new capabilities. The primary additions are identity-based microsegmentation built directly into the network fabric, and a native NAC replacement that eliminates standalone appliances. The microsegmentation includes a capability that isolates each device individually. Rounding out the announcement is an expanded services catalog.

The expanded offering is being positioned by the company as the second phase of its evolution.

“Nile 1.0 was to bring that radical simplicity into infrastructure on a zero-trust fabric, and now Nile 2.0 is really about scaling security, making the use cases much more tangible,” Shashi Kiran, Nile’s chief marketing officer, told Network World.

NAC without the appliance

Network access control (NAC) has been a cornerstone of enterprise network security stacks for a generation. In many cases, NAC is still being delivered via an appliance. That’s something Nile is looking to change with its new update.

Suresh Katukam, co-founder and chief product officer at Nile, told Network World the goal is to eliminate the need for a standalone NAC appliance entirely by building that functionality directly into the fabric, removing both the hardware cost and the management overhead that comes with it.

Identity is the authentication layer that feeds the NAC replacement. For users and employees, Nile pulls identity from Active Directory, including group and role membership, which maps directly to policy enforcement. Corporate devices can authenticate through RADIUS using certificates, which carry additional device metadata. For wired connections, Nile supports 802.1X but also offers a captive portal option, allowing second-factor authentication without requiring full 802.1X deployment on every port.

Microsegmentation and the ‘Segment-of-1’

Prior Nile implementations used identity-based access but only supported macrosegmentation. The new release adds fine-grained microsegmentation enforced at the identity level rather than at the IP address or VLAN level.

Katukam said the shift means policy follows the user or device regardless of physical location, switch port or connection type. “We don’t even allow you to discover on the network. We don’t allow you to communicate on the network unless the policy allows you to do it,” he said.

For IoT devices where certificate-based authentication is not available, Nile uses device fingerprinting as the policy anchor. The system can identify devices down to a specific model. The system continues learning device attributes over time to refine classification.

The “Segment-of-1” capability takes that isolation to its furthest point, containing a compromised or misbehaving device to a blast radius of one endpoint. Kiran said this applies to malware propagation but also to shadow AI, where AI agents running on employee machines have not been authorized by IT.

“Today, a lot of AI being used in corporate environments is not necessarily authorized by IT, and they don’t even have visibility in many cases, but if they do detect this, with the Segment-of-1 capabilities, it’s possible to isolate it without expanding the blast radius,” Kiran said.

Expanded services catalog

Alongside the security updates, Nile is expanding its services catalog.

The Internet Edge service allows customers to terminate internet links directly on the Nile platform with application-aware performance routing.

The Secure Guest service ensures guest traffic never reaches the corporate network. When a guest connects, Nile assigns a public IP address from its own infrastructure and routes that traffic directly to the internet.

Another update is an integrated DHCP service. DHCP has traditionally run either as dedicated appliances in data centers or embedded in network controllers, routers and access points, requiring address space to be managed separately at each site. Nile’s implementation is cloud-delivered, using a proxy model where endpoints still receive a local IP address but the request is handled through Nile’s cloud rather than local hardware. The result is a single management plane for DHCP across all global sites rather than per-site appliance management.

Nile operates the network globally for all of its customers, which means an incident detected and resolved at one site can be auto-remediated across the entire customer base before it recurs elsewhere. Kiran said that visibility gives the AI model a compounding advantage over time.

“Any one incident at one location is auto remediated before it happens anywhere else, whether it’s a network or a security incident,” he said.

What comes next

Looking forward, Nile will continue to expand its capabilities, with AI being one area of focus.

Katukam said Nile is already able to identify AI agents running on machines connected to the network. The next step is classifying those agents as enterprise or personal, with the goal of applying differentiated policy and traffic prioritization to each. Broader AI agent visibility and control is an area Nile expects to develop further as AI workloads increase across campus and branch environments.

Nile’s core foundational architecture, which aims to simplify the network, will be key to helping secure AI in the future.

“If you want to layer in AI, if you want to layer in security, you cannot do it with the underlying infrastructure being complicated,” Kiran said.
