WHAT IS ZTNA?
Maximum PC | November 2024
Nate Drake explores the concept of ZTNA and the obstacles businesses face with its adoption
Nate Drake

The concept of zero trust network access first emerged in response to traditional security approaches to networks. Companies adopted the castle and moat mindset, whereby all threat actors were assumed to be located outside the network perimeter, while every user and program inside could be trusted.

This approach may have had its merits when companies issued and vetted their own computers. However, the rise of remote work, cloud computing, and BYOD (bring your own device) policies has eroded the perimeter.

Attackers increasingly target cloud platforms to steal user credentials and data. This raises challenges for organizations that need to provide workers with access to sensitive network applications and files. In the past, initiatives like BYOD followed the old Russian proverb of “trust but verify,” but this is insufficient if the device itself is compromised.

ZTNA abandons the notion of trusting users and devices based on apparent location or one-time use of credentials. Zero trust platforms treat every user, device, and application as potentially hostile, so nothing is automatically trusted.

To run with the castle and moat analogy, ZTNA may well have a drawbridge at the perimeter, but it also has guards on every floor and in every room to continually check for unauthorized people and devices.

The most important thing to understand about ZTNA is that it’s a strategy based on a set of guiding principles rather than a one-size-fits-all security solution. In saying this, we aren’t singling out any particular software vendor, but in our experience, the marketing material for various zero trust platforms tends to state that their solution is the last word in ZTNA.

This is why we’re not focusing on a specific platform: there is no single set of zero trust features, beyond the fact that the model focuses on threats on both sides of the software perimeter. Indeed, the zero trust security model is sometimes called perimeterless security.

This story is from the November 2024 edition of Maximum PC.
