
Zero Trust Network Access (ZTNA)

Table of Contents

What Are Zero Trust and Zero Trust Network Access?

The Evolution of Network Security: From Hardware to Software

Extending Protection to the Cloud

Paving the Way for ZTNA

Relevant Trends

Aligned with NIST Standards

7 Implementation Best Practices

Understanding Universal ZTNA vs. Traditional ZTNA


 

What Are Zero Trust and Zero Trust Network Access?

Zero Trust (ZT) is a cybersecurity philosophy and approach focused on verifying every connection, not trusting any by default (“never trust, always verify”). As Forrester underscores, it’s not a product. Instead, it’s “a combination of things such as strong authentication (of users, devices, and apps/workloads), enforcement of least privilege, network segmentation, data classification, and more.”

Instead of automatically trusting users or devices inside a corporate network, ZT assumes that every internal and external connection could be a potential threat. In practical terms, this approach requires continuous verification of user identity, device health, and access context before granting or maintaining access to network resources.

Core principles include: 

  • Least privilege access: Users get only the permissions they need, and nothing more.
  • Microsegmentation: Networks are divided into smaller zones to minimize lateral movement.
  • Continuous monitoring: Access decisions are constantly evaluated based on context and risk.
  • Identity-centric security: Identity and access management (IAM) is at the heart of this approach.

Zero Trust Network Access (ZTNA) is the most common practical implementation of this approach for application access: it operationalizes Zero Trust by brokering access to individual applications rather than to a network. While ZT defines what needs to be achieved (no implicit trust, continuous verification), ZTNA defines how to enforce those policies for users reaching private applications in real-world environments.

This page explains the importance and need for both the framework and the practical implementation of it.

 

The Evolution of Network Security: From Hardware to Software

Early computer networks were local and isolated. Offices, labs, and factories connected systems internally, and security was mostly physical: if someone wasn’t on-site, they weren’t on the network.

With the rise of the Internet, networks connected globally, creating new challenges. Private IP ranges couldn’t route publicly, so Network Address Translation (NAT) became the solution. NAT let multiple internal devices share a single public IP by rewriting packet headers on the fly. While clever, it created a false sense of security: unsolicited inbound connections failed simply because no translation entry existed for them, and machines “inside” the NAT came to be treated as implicitly trusted even though NAT was never designed as an access control.

In those days of enterprise networking, security was rooted in hardware. Firewalls, routers, and intrusion prevention systems combined with NAT created a strong perimeter around the corporate network. This made sense when users, applications, and data resided within on-premises environments. Anyone within the walls was trusted by default.

As organizations grew more connected and cloud-enabled, the perimeter began to blur. The rise of virtualization, remote work, and cloud computing moved users and workloads far beyond the physical data center. Meanwhile, employees expected seamless access from anywhere, on any device, without compromising productivity.

As a result, the old idea of securing a trusted internal network broke down. Traditional, hardware-based defenses couldn’t keep up with this distributed reality.

A change was needed. An attacker who breached the perimeter, or who already had a foothold inside it, could move freely from system to system across the flat, trusted internal network. This technique is known as lateral movement, and implicit internal trust is what makes it cheap.

The next phase saw software-based security tools that added more flexibility and visibility. Tools such as VLANs, segmentation, and VPNs added layers of protection, but the core assumption remained: devices and users inside the network were inherently trustworthy.

 

Extending Protection to the Cloud

Zero Trust emerged to address the security realities of modern enterprise networks, tackling threats that traditional perimeter defenses could not.

Insider threats and credential theft exploit the implicit trust once granted to users and systems inside the network. Attackers who obtain legitimate credentials can move laterally, often undetected, accessing sensitive systems and data without triggering alarms. The ZT model limits this risk by continuously verifying identity and enforcing strict access policies for every request.
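The pattern described above, an account with valid credentials authenticating to host after host, is visible in authentication logs even when each individual logon looks legitimate. The following is an added example, not code from this page or from Forescout: a small fan-out detector that raises one alert when a single account reaches a threshold number of distinct destination hosts inside a short window. The log lines, the field layout, the window (300 seconds) and the threshold (5 hosts) are all constructed assumptions for illustration.

```python
"""Fan-out detector for lateral movement with a valid credential.

Added example with constructed data. Flags an account that authenticates to
many distinct hosts within a short window, which is exactly the reachability a
per-application ZTNA policy is meant to take away.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: "<timestamp> <user> <src_host> <dst_host> <result>".
# alice and bob behave normally; svc-backup fans out to six hosts in 21 seconds.
SAMPLE_LOG = """\
2025-11-06T09:00:01Z alice ws-17 fileshare-1 success
2025-11-06T09:42:13Z alice ws-17 payroll-web success
2025-11-06T10:15:00Z alice ws-17 fileshare-1 success
2025-11-06T10:30:00Z svc-backup srv-02 db-01 success
2025-11-06T10:30:04Z svc-backup srv-02 db-02 success
2025-11-06T10:30:09Z svc-backup srv-02 app-07 success
2025-11-06T10:30:11Z svc-backup srv-02 app-08 failure
2025-11-06T10:30:15Z svc-backup srv-02 fileshare-2 success
2025-11-06T10:30:21Z svc-backup srv-02 dc-01 success
2025-11-06T11:00:00Z bob ws-03 wiki success
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, src, dst, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, dst, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_fanout(events, window_s=300, threshold=5):
    """Return one alert per user the first time that user touches >= threshold
    distinct destination hosts within a sliding window of window_s seconds.

    Failed logons count as well: an attacker probing hosts with a stolen
    credential produces failures alongside successes.
    """
    window = timedelta(seconds=window_s)
    recent = {}          # user -> deque of (timestamp, dst_host) still inside the window
    alerted = set()
    alerts = []
    for ts, user, src, dst, result in events:
        q = recent.setdefault(user, deque())
        q.append((ts, dst))
        while q and ts - q[0][0] > window:    # drop events older than the window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "src": src,
                "first": q[0][0],
                "last": ts,
                "hosts": sorted(hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_events(SAMPLE_LOG)):
        print(f"{alert['user']} from {alert['src']} reached {len(alert['hosts'])} hosts "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}: {alert['hosts']}")
```

Service accounts that legitimately touch many hosts (backup, monitoring, vulnerability scanners) will trip this rule, so baseline or allow-list them per source host rather than raising the threshold. Under a ZTNA deployment the network reachability that produces this pattern should not exist at all, so any hit on an interactive user account is worth investigating.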

Sophisticated phishing and ransomware attacks increasingly target legitimate users rather than attempting to breach the network directly. By tricking users into revealing credentials or executing malicious code, these attacks bypass traditional perimeter defenses.

According to the IBM 2025 Cost of a Data Breach Report, the most damaging and expensive breaches often involve methods that enable lateral movement. These include stolen credentials and supply chain compromises that let attackers penetrate deep into networks. IBM’s data reveals a clear link between lateral movement tactics and higher breach expenses:

  • Malicious insiders exploiting trusted access and often going undetected for long periods caused the highest average cost at $4.92 million.
  • Third-party and supply chain compromises involve attackers using legitimate vendor connections to infiltrate customer environments. These resulted in average costs of $4.91 million and an average of 267 days to detect and contain.
  • Phishing attacks, which often begin with credential theft and are the most common initial vector, averaged $4.8 million per breach.[i]

The ZT model mitigates this by validating each access attempt, applying device and user risk assessments, and restricting what any authenticated user can access.

VPN limitations have become apparent as workforces grow global and hybrid. Traditional VPNs were designed to extend the network perimeter, not to provide fine-grained, real-time access control at scale. They struggle to scale for distributed workforces and cloud environments, making it difficult to enforce consistent security policies and often leading to a poor user experience. Managing VPNs across complex, sprawling networks is time-consuming and costly. Plus, because a VPN grants broad network access, anyone holding valid credentials, whether the legitimate user or an attacker who stole them, gets the network reachability needed to move laterally, increasing the impact of a single compromise. The ZT model replaces broad network trust with policy-driven access, allowing secure connectivity for employees, contractors, and partners regardless of location.

The shift to cloud computing and SaaS means critical applications and data now live outside traditional corporate boundaries. Perimeter-based approaches can no longer protect these distributed resources effectively. The ZT framework treats every application, service, and data request as potentially hostile, requiring verification before granting access and continuously monitoring behavior across clouds and on-premises systems.

Simply put, rather than trusting everything inside the network, this approach flips the model entirely. By shifting from perimeter-based control to identity- and context-based access, it treats every request as potentially untrusted. Before granting access, it verifies users, devices, and applications in real time.

First proposed in academic circles in the 1990s[ii], conceptualized by Forrester in 2010[iii], and popularized by major technology providers like Google (with its BeyondCorp model[iv]), Zero Trust has evolved from a theoretical framework into a cornerstone of cybersecurity.

 

Paving the Way for ZTNA

ZTNA is the cloud-era evolution of this model, enforced at the application access level. Instead of connecting users to a network (as VPNs do), it authenticates and authorizes the user and device first and then brokers a connection to one specific application, regardless of where that application is hosted. Usually delivered as a cloud service, though it can also be self-hosted, it enforces granular, adaptive policies across hybrid and multi-cloud environments.

ZTNA has four key characteristics:

#1: Provides secure, granular access to private apps based on user identity and device posture. This access model goes beyond simple network-level authentication by evaluating both who the user is and the security posture of the device they are using. Access policies can be fine-tuned so that only authorized individuals on compliant devices can reach specific applications, minimizing the risk of unauthorized access. This level of granularity ensures that users are granted just enough access to perform their tasks, supporting the principle of least privilege.

#2: Keeps applications hidden from public discovery (reducing attack surfaces). Unlike traditional VPN concentrators or directly exposed servers, this access model makes applications effectively invisible to the internet. In the common connector-based design, the application-side connector opens only outbound connections to the broker, so no inbound port is listening for unauthenticated users to find or scan. This shrinks the externally reachable attack surface to the broker itself, which therefore needs the same hardening and monitoring attention as any other internet-facing authentication service. By hiding apps from public discovery, organizations prevent attackers from identifying targets, which is particularly important for sensitive or critical business systems.

#3: Integrates with identity providers (IdPs) and endpoint security tools. These solutions work seamlessly with modern identity and device management ecosystems. Integration with IdPs allows for single sign-on (SSO), multifactor authentication (MFA), and centralized user management. At the same time, integration with endpoint security tools ensures only devices meeting security requirements can access applications. This coordination between identity, device posture, and access policies strengthens overall security and simplifies management for IT teams.

#4: Enables secure access from anywhere, essential for remote and hybrid teams. ZTNA supports the modern workforce by enabling secure remote access to applications for employees, contractors, and partners from any location or device. Because access is verified continuously and not tied to being inside the corporate network, remote and hybrid users can connect safely without exposing critical resources to unnecessary risk. This flexibility makes it easier for organizations to adopt hybrid work models while maintaining strong security controls.

 

Relevant Trends

These principles are gaining traction not only among enterprises but also in the public sector, where agencies are being pushed to overhaul network architectures to improve national cyber resilience. Notable trends include:

  • Growing alignment of these principles with cloud-native applications and SaaS ecosystems
  • AI-driven risk assessments to enhance real-time policy enforcement
  • Stronger convergence of identity, device, and network security under unified policies
  • Increased demand for automation and visibility tools that support hybrid and multi-cloud environments

While the adoption of these principles is growing rapidly, the actual implementation of a comprehensive and mature program is still lagging. In 2024, Gartner found that only 63% of organizations worldwide had fully or partially implemented a zero-trust strategy.[v]

 

Aligned with NIST Standards

ZTNA aligns closely with the principles outlined in NIST Special Publication 800-207, which defines a Zero Trust Architecture (ZTA). NIST SP 800-207 emphasizes the continuous verification of all users, devices, and services, regardless of location, and the enforcement of least-privilege access based on dynamic policies.[vi]

ZTNA embodies these principles by ensuring that every access request to an application or resource is authenticated, authorized, and evaluated in real time, minimizing implicit trust and preventing lateral movement. By implementing this access model, organizations can operationalize NIST’s guidance, creating a consistent, policy-driven framework for secure access across on-premises, cloud, and hybrid environments.

 

7 Implementation Best Practices

To successfully implement ZTNA, organizations should follow a strategic, phased deployment approach that aligns security with user experience and business goals.

#1: Define Clear Access Policies

  • Map out who needs access to what, and under what conditions.
  • Implement least-privilege access and role-based policies.

#2: Integrate Identity and Access Management (IAM)

  • Use multi-factor authentication (MFA) and single sign-on (SSO).
  • Leverage federated identity for seamless user verification across platforms.

#3: Verify Device Health and Compliance

  • Ensure devices meet security posture requirements before access is granted.
  • Continuously monitor for compliance and revoke access when risks are detected.

#4: Segment Applications

  • Replace broad network access with application-level segmentation.
  • Hide private apps behind ZTNA gateways or brokers.

#5: Implement Continuous Monitoring

  • Use analytics and AI-driven tools to detect anomalous behavior.
  • Continuously verify trust and adapt access dynamically.

#6: Prioritize User Experience

  • Minimize friction by using cloud-native ZTNA solutions that integrate smoothly with business workflows.
  • Ensure consistent policies across all environments — on-prem, cloud, and hybrid.

#7: Conduct Adversarial Testing

  • Forrester recommends that organizations systematically validate controls, identify vulnerabilities, and continuously improve their security posture through adversarial testing of their ZT implementation.[vii]
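The characteristics listed under “Paving the Way for ZTNA” and the best practices above come together in two components: a policy decision point that combines identity, device posture and context into an allow, deny or step-up verdict, and an enforcement point that turns an allow into a short-lived grant bound to one application and one device. The block below is an added example, not code from this page, from Forescout or from any ZTNA product. The application names, policy fields, posture attributes and the HMAC-signed grant format are all constructed for illustration; a real deployment would take the identity claims from an IdP, the posture from an endpoint agent and the grant from the vendor’s broker.

```python
"""Minimal ZTNA policy decision point (PDP) and enforcement point (PEP).

Added example with constructed policies. Everything here is illustrative:
the app names, the posture fields and the grant format are assumptions.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Best practices #1 and #4: access is defined per application, not per network,
# and each app states which groups, MFA freshness and device state it requires.
APP_POLICIES = {
    "payroll": {"groups": {"finance"}, "mfa_max_age_s": 12 * 3600,
                "require_edr": True, "max_patch_age_days": 30, "grant_ttl_s": 3600},
    "wiki":    {"groups": {"staff", "contractor"}, "mfa_max_age_s": None,
                "require_edr": False, "max_patch_age_days": 90, "grant_ttl_s": 8 * 3600},
    "prod-db": {"groups": {"sre"}, "mfa_max_age_s": 3600,
                "require_edr": True, "max_patch_age_days": 14, "grant_ttl_s": 900},
}


@dataclass(frozen=True)
class Identity:                 # what the IdP asserts (best practice #2)
    user: str
    groups: frozenset
    mfa_at: Optional[float]     # epoch seconds of the last MFA event, None if never


@dataclass(frozen=True)
class Posture:                  # what the endpoint agent reports (best practice #3)
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int


def decide(app: str, ident: Identity, posture: Posture, now: float) -> Tuple[str, str]:
    """PDP: return (verdict, reason) with verdict in {"allow", "deny", "step_up"}."""
    policy = APP_POLICIES.get(app)
    if policy is None:
        return "deny", "no policy for application"            # default deny
    if not ident.groups & policy["groups"]:
        return "deny", "identity not entitled to this application"
    if not (posture.managed and posture.disk_encrypted):
        return "deny", "device unmanaged or unencrypted"
    if policy["require_edr"] and not posture.edr_running:
        return "deny", "EDR not running on device"
    if posture.patch_age_days > policy["max_patch_age_days"]:
        return "deny", "device patch level too old for this application"
    max_age = policy["mfa_max_age_s"]
    if max_age is not None and (ident.mfa_at is None or now - ident.mfa_at > max_age):
        return "step_up", "fresh MFA required"
    return "allow", "identity, device and context satisfy policy"


def issue_grant(app: str, ident: Identity, posture: Posture, now: float, key: bytes) -> str:
    """PEP: mint a short-lived grant bound to one app and one device.

    Constructed format (base64 JSON body + HMAC-SHA256), not any standard token type.
    """
    body = json.dumps({"app": app, "sub": ident.user, "dev": posture.device_id,
                       "exp": now + APP_POLICIES[app]["grant_ttl_s"]}, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_grant(token: str, app: str, device_id: str, now: float, key: bytes) -> bool:
    """Gateway check: signature, application binding, device binding and expiry must all hold."""
    try:
        b64body, b64sig = token.split(".")
        body = base64.urlsafe_b64decode(b64body)
        sig = base64.urlsafe_b64decode(b64sig)
    except ValueError:                                        # malformed token
        return False
    if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
        return False
    claims = json.loads(body)
    return claims["app"] == app and claims["dev"] == device_id and claims["exp"] > now


def session_still_valid(app: str, ident: Identity, posture: Posture, now: float) -> bool:
    """Best practice #5: re-run the decision on every posture or identity change.
    Anything other than "allow" means the existing grant should be revoked."""
    return decide(app, ident, posture, now)[0] == "allow"


if __name__ == "__main__":
    now = 1_700_000_000.0
    alice = Identity("alice", frozenset({"finance", "staff"}), mfa_at=now - 600)
    laptop = Posture("lt-0042", managed=True, disk_encrypted=True, edr_running=True, patch_age_days=5)
    print(decide("payroll", alice, laptop, now))                       # allow
    print(decide("prod-db", alice, laptop, now))                       # deny: not in sre
    edr_down = Posture("lt-0042", True, True, False, 5)
    print(session_still_valid("payroll", alice, edr_down, now + 60))   # False: revoke
```

Two design points matter more than the details. The decision is default-deny: an application with no policy is unreachable, which is how “hidden apps” are realized on the policy side. And the grant is bound to one application and one device with a TTL taken from that application’s policy, so a stolen grant cannot be replayed against a different app or from a different machine, and a posture change mid-session fails the next re-evaluation rather than riding on a VPN tunnel that stays up.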

 

Understanding Universal ZTNA vs. Traditional ZTNA

ZTNA implements Zero Trust at the application access layer by authenticating users and devices before granting access to specific applications—a departure from VPNs that connect users to entire networks. As a cloud-delivered service, ZTNA applies context-aware, granular policies across hybrid and multi-cloud environments.

However, traditional ZTNA is built around remote users reaching private applications, which leaves gaps in asset visibility and enforcement for everything that does not fit that pattern, such as unmanaged devices on the campus network or OT equipment that cannot run an agent. Universal ZTNA addresses these limitations with coverage across all environments (IT, OT, IoT, and IoMT) regardless of user or device location.

Key distinctions of Universal ZTNA:

  1. Governs all asset categories: managed, unmanaged IT, OT, IoT, and IoMT
  2. Transforms campus networks through software-defined controls
  3. Maintains consistent experiences across all user locations
  4. Applies identity-based policies without location dependency
  5. Unifies Zero Trust enforcement from remote workers to campus and branch environments
  6. Supersedes legacy NAC with dynamic, software-driven approaches
  7. Adjusts access controls dynamically based on risk assessment
  8. Resolves visibility challenges from fragmented security architectures


 


[i] IBM (2025). Cost of a Data Breach Report. Accessed November 6, 2025 from the following source: https://www.ibm.com/reports/data-breach

[ii] Marsh, Stephen (1994), Formalising Trust as a Computational Concept, p. 56. Accessed November 6, 2025 from the following source: https://dspace.stir.ac.uk/handle/1893/2010

[iii] Forrester. Build Security Into Your Network’s DNA: The Zero Trust Network Architecture, November 15, 2012. Accessed November 6, 2025 from the following source: https://www.forrester.com/report/Build-Security-Into-Your-Networks-DNA-The-Zero-Trust-Network-Architecture/RES57047

[iv] Google. BeyondCorp: A New Approach to Enterprise Security, 2014. Accessed November 6, 2025 from the following source: https://research.google/pubs/beyondcorp-a-new-approach-to-enterprise-security/

[v] Gartner. Gartner Survey Reveals 63% of Organizations Worldwide Have Implemented a Zero-Trust Strategy, April 22, 2024. Accessed November 6, 2025 from the following source: https://www.gartner.com/en/newsroom/press-releases/2024-04-22-gartner-survey-reveals-63-percent-of-organizations-worldwide-have-implemented-a-zero-trust-strategy

[vi] NIST, NIST SP 800-207: Zero Trust Architecture, August 2020. Accessed November 6, 2025 from the following source: https://csrc.nist.gov/pubs/sp/800/207/final

[vii] Forrester. Validate Zero Trust Controls With MITRE ATT&CK, October 7, 2025. Accessed November 6, 2025 from the following source: https://www.forrester.com/report/validate-zero-trust-controls-with-mitre-att-and-ck/RES186484
