In May 2021, Colonial Pipeline paid a $4.4 million ransom after a single compromised VPN credential gave attackers the keys to the kingdom. One password. No multi-factor authentication. No segmentation between IT and operational technology networks. The attackers from the DarkSide group walked through a flat network like it was an open hallway. That breach didn't just shut down a pipeline — it exposed the catastrophic failure of perimeter-based security that most organizations still rely on.

This is why zero trust network access has moved from buzzword to boardroom mandate. If you're still trusting anything inside your network by default, you're running the same playbook that got Colonial Pipeline hit. I've spent years watching organizations learn this lesson the hard way, and I'm going to walk you through what ZTNA actually looks like in practice — not the vendor slide deck version, the real one.

What Is Zero Trust Network Access, Exactly?

Zero trust network access is a security model that eliminates implicit trust for any user, device, or application — regardless of whether they're inside or outside your network perimeter. Every access request is verified. Every session is authenticated. Every connection is limited to the minimum resources needed.

The concept comes from the principle that John Kindervag at Forrester Research articulated back in 2010: "never trust, always verify." But the urgency is new. The Verizon 2021 Data Breach Investigations Report found that 61% of breaches involved credential theft. When stolen credentials are the primary attack vector, trusting anyone who presents valid credentials is reckless.

ZTNA isn't a single product you buy. It's an architecture. It's a set of policies. And in my experience, it's a cultural shift that most security teams underestimate.

The Colonial Pipeline Lesson: Why Perimeters Fail

Let's go deeper on what happened with Colonial Pipeline, because it illustrates every flaw that zero trust network access is designed to fix.

The threat actor gained access through a legacy VPN account that wasn't protected by multi-factor authentication. Once inside, there was no meaningful network segmentation. The attacker could move laterally with minimal resistance. The ransomware deployment was the final act in a chain of failures that started with a single assumption: if you're on the VPN, you're trusted.

This is the perimeter model in a nutshell. You build a wall, and everything inside the wall is "safe." But in 2022, your employees work from home, from coffee shops, from personal devices. Your applications live in three different cloud providers. Your contractors have VPN access. The perimeter doesn't exist anymore.

Zero trust network access replaces that broken model with continuous verification. Instead of "you're inside the firewall, so you're fine," it asks: Who are you? What device are you on? Is that device healthy? What are you trying to access? Should you have access to it right now?

The Five Pillars of a Real ZTNA Implementation

NIST Special Publication 800-207 lays out the zero trust architecture framework that I recommend as your starting point. Here's how I break it down into actionable pillars.

1. Identity Is the New Perimeter

Every ZTNA strategy starts with identity. If you don't know exactly who is requesting access, nothing else matters. This means robust identity and access management (IAM), mandatory multi-factor authentication on everything — not just "sensitive" systems — and continuous authentication throughout sessions.

The SolarWinds attack in late 2020 showed us that even privileged accounts inside trusted software supply chains can be compromised. Threat actors used forged SAML tokens to bypass authentication entirely. Your identity layer needs to detect anomalies, not just check passwords.

2. Device Trust and Health Verification

A legitimate user on a compromised device is still a threat. ZTNA requires verifying device posture before granting access. Is the operating system patched? Is endpoint detection running? Is the device registered and managed?

I've seen organizations implement strong identity controls and then let employees access sensitive data from unmanaged personal laptops running outdated software. That's not zero trust. That's zero trust theater.

3. Microsegmentation

This is where organizations struggle the most. Microsegmentation means dividing your network into small, isolated zones so that even if an attacker gains access to one segment, they can't move laterally to others.

Think about it this way: Colonial Pipeline's attacker moved from a compromised VPN account to operational technology systems. With proper microsegmentation, that path simply wouldn't exist. The VPN account would have had access to specific applications, not the entire network.

4. Least Privilege Access

Every user, every service account, every API gets the minimum access required to do its job. Nothing more. This sounds simple, but in practice, it means auditing every access policy you have — and I guarantee you'll find service accounts with domain admin privileges that nobody remembers creating.

The FBI's IC3 2020 Internet Crime Report documented over $4.2 billion in losses from cybercrime. A significant percentage of business email compromise and credential theft attacks succeed because compromised accounts have far more access than necessary.

5. Continuous Monitoring and Analytics

Zero trust isn't a one-time configuration. It requires continuous monitoring of user behavior, network traffic, and access patterns. When an account that normally accesses a CRM during business hours suddenly starts pulling data from a file server at 3 AM, your system should flag and challenge that session automatically.
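To make the continuous verification questions (who, which device, is it healthy, what resource, should access be granted right now) and the 3 AM file-server scenario concrete, here is an added example of a deny-by-default policy decision point. It is illustrative code written for this post, not the author's or any vendor's product; the account names, resource names, entitlements and learned baselines are constructed.

```python
from dataclasses import dataclass

# Constructed policy data for one illustrative tenant (assumption, not real config).
ENTITLEMENTS = {"alice": {"crm", "fileserver"}, "svc-backup": {"fileserver"}}
USUAL_RESOURCES = {"alice": {"crm"}, "svc-backup": {"fileserver"}}  # learned baselines
SENSITIVE = {"fileserver", "ot-historian"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time

@dataclass(frozen=True)
class Device:
    managed: bool
    patched: bool
    edr_running: bool

    def healthy(self) -> bool:
        return self.managed and self.patched and self.edr_running

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool
    device: Device
    resource: str
    hour: int  # local hour of the request, 0-23

def decide(req: AccessRequest) -> str:
    """Policy decision point: returns 'allow', 'challenge' or 'deny'.
    Network location is deliberately not an input; nothing is trusted by default."""
    # Identity: no verified MFA, no session.
    if not req.mfa_verified:
        return "deny"
    # Least privilege: the account must be explicitly entitled to this resource.
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return "deny"
    # Device posture: an unhealthy device never reaches sensitive data; step-up elsewhere.
    if not req.device.healthy():
        return "deny" if req.resource in SENSITIVE else "challenge"
    # Continuous monitoring: entitled but unusual access (off-hours, or a sensitive
    # resource this account does not normally touch) gets a step-up challenge.
    unusual = req.resource not in USUAL_RESOURCES.get(req.user, set())
    if unusual and (req.hour not in BUSINESS_HOURS or req.resource in SENSITIVE):
        return "challenge"
    return "allow"

if __name__ == "__main__":
    good = Device(managed=True, patched=True, edr_running=True)
    print(decide(AccessRequest("alice", True, good, "fileserver", 3)))  # challenge
```

A "challenge" result is where a real deployment would require step-up authentication or open a ticket for the SOC rather than silently allowing or denying.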

How Social Engineering Undermines Zero Trust

Here's something the ZTNA vendor pitches rarely mention: the most sophisticated zero trust architecture in the world can be undermined by a well-crafted phishing email.

If an attacker convinces your employee to approve a fraudulent MFA push notification — and this happened repeatedly in real attacks throughout 2021 — they've bypassed your identity verification. If a social engineering attack tricks someone into installing remote access software, your device trust controls may see a "healthy" managed device being operated by a threat actor.

This is why cybersecurity awareness training isn't separate from your zero trust strategy — it's foundational to it. Your people are part of your security architecture. If they can't recognize a phishing attempt, your technical controls are fighting with one hand tied behind their back.

In my experience, organizations that combine ZTNA implementation with regular phishing awareness training and simulations see dramatically better outcomes. Phishing simulation programs train employees to recognize credential theft attempts before they succeed — closing the human gap that technology alone can't cover.

Common ZTNA Mistakes I See Over and Over

Treating It as a Product Purchase

A vendor will sell you a "zero trust solution." But zero trust network access is an architecture, not an appliance. If you buy a ZTNA gateway and don't change your access policies, your segmentation strategy, or your identity management, you've just added a new box to the rack.

Ignoring Legacy Systems

Most organizations have legacy applications that don't support modern authentication protocols. You can't just pretend they don't exist. You need a plan to either modernize them, wrap them in a secure access proxy, or isolate them with strict microsegmentation.

Skipping the Human Layer

I said it above, but it bears repeating. The CISA Shields Up campaign launched this month emphasizes that security awareness is a critical defense layer alongside technical controls. Zero trust architecture without security awareness training is incomplete.

Going Too Fast

Zero trust is a journey. Trying to implement everything at once will break things and frustrate users. Start with your highest-risk systems and most sensitive data. Get identity and MFA right first. Then layer in microsegmentation and device trust incrementally.

A Realistic ZTNA Roadmap for 2022

Here's the phased approach I recommend to organizations just starting their zero trust network access journey.

Phase 1 (Months 1-3): Identity Foundation

  • Deploy multi-factor authentication across all user accounts — no exceptions
  • Audit all service accounts and eliminate unnecessary privileges
  • Implement conditional access policies based on user role and risk level
  • Begin regular phishing simulations to establish a baseline for employee resilience

Phase 2 (Months 4-6): Device Trust and Visibility

  • Inventory every device that accesses your network
  • Require device health checks (patch level, endpoint protection, encryption) before granting access
  • Block unmanaged devices from accessing sensitive resources
  • Deploy network monitoring to establish behavioral baselines

Phase 3 (Months 7-12): Segmentation and Least Privilege

  • Map all application dependencies and data flows
  • Implement microsegmentation starting with critical assets
  • Reduce access permissions to the minimum required for each role
  • Integrate security analytics for continuous monitoring and anomaly detection

This isn't theoretical. I've seen organizations follow this approach and meaningfully reduce their attack surface within a year. The key is discipline and consistency.

Does Zero Trust Stop Ransomware?

Zero trust network access doesn't make you immune to ransomware, but it dramatically limits the blast radius. When the threat actor behind the Kaseya VSA attack in July 2021 exploited a vulnerability in managed service provider software, organizations with flat networks saw ransomware spread everywhere. Organizations with segmented architectures and least-privilege access contained the damage to isolated systems.

Ransomware needs lateral movement to be catastrophic. ZTNA is specifically designed to prevent lateral movement. That's not a guarantee — no security control is — but it's the difference between losing one system and losing everything.

The Executive Order That Changed the Timeline

In May 2021, President Biden signed Executive Order 14028, which mandated that federal agencies adopt zero trust architecture. The Office of Management and Budget followed up with a federal zero trust strategy memorandum published this month that sets a fiscal year 2024 deadline for implementation.

If you're in the federal supply chain or do business with government agencies, this isn't optional. But even if you're not, the executive order signals where the entire industry is heading. Cyber insurance providers are already asking about zero trust controls on their policy applications. Regulators are paying attention.

Where to Start Today

If you take one thing from this post, let it be this: zero trust network access is not about buying technology. It's about changing assumptions. Stop assuming internal traffic is safe. Stop assuming authenticated users are legitimate. Stop assuming your perimeter exists.

Start with multi-factor authentication. Audit your access privileges. Train your people to recognize social engineering and credential theft attempts. Build from there.

Your organization doesn't need to implement everything at once. But it does need to start. Because the next Colonial Pipeline-scale incident won't wait for your roadmap to be perfect.