The VPN Is Dead. The Breach That Proved It.

In May 2023, a threat actor used stolen VPN credentials to breach a major U.S. government contractor, moving laterally across the network for weeks before detection. The attacker didn't exploit some exotic zero-day. They logged in with a valid username and password, and the network trusted them implicitly. This is the exact failure model that zero trust network access was designed to eliminate.

If your organization still relies on a traditional perimeter — VPNs, firewalls, and the assumption that anything inside the network is safe — you're operating on an architecture designed for 1995. The threat landscape of 2023 demands something fundamentally different.

This post breaks down what zero trust network access actually looks like in practice, why the shift is accelerating, and the specific steps you can take to start implementing it — regardless of your budget or team size.

What Is Zero Trust Network Access, Exactly?

Zero trust is a security model that removes implicit trust from the network: every user, device, and application must be verified before accessing any resource, and verified again on each new request. Zero trust network access (ZTNA) is the access-control layer that applies that model to application access. There's no "inside" or "outside" the network. There's only verified or unverified.

The core principle: never trust, always verify.

ZTNA replaces the old castle-and-moat approach where a VPN connection granted broad network access. Instead, users get access only to the specific applications they need, based on identity, device posture, location, and behavior — all evaluated continuously.

The National Institute of Standards and Technology (NIST) formalized this in Special Publication 800-207, which lays out the zero trust architecture framework. If you haven't read it, bookmark it. It's the foundational document driving federal mandates and enterprise adoption alike.

The $4.45 Million Reason to Move Beyond the Perimeter

IBM's 2023 Cost of a Data Breach Report put the global average cost of a breach at $4.45 million, the highest figure in the report's history. The same report series has consistently found that organizations with mature zero trust deployments pay substantially less per breach than those without; the 2021 edition measured that gap at $1.76 million.

That's not a rounding error. That's the difference between a survivable incident and an existential one for a mid-sized company.

The Verizon 2023 Data Breach Investigations Report found that 74% of all breaches involved the human element — including social engineering, credential theft, and misuse. Stolen credentials remain the top initial access vector. When you combine that with flat networks that let attackers move laterally once they're inside, you get the breach pattern we see over and over again.

Zero trust network access directly addresses this. Even if an attacker steals credentials, they face continuous verification, micro-segmented access, and no ability to roam the network freely.

Why VPNs Create the Problem ZTNA Solves

I've seen this scenario dozens of times during incident response engagements. A company has a VPN. An employee's credentials get phished. The attacker connects via VPN and suddenly has the same network access as that employee — often broad access to file shares, internal applications, and databases.

VPNs authenticate once at the gate. After that, you're trusted. That's the fundamental flaw.

The Lateral Movement Problem

Once inside a traditional network, threat actors use tools like Mimikatz, BloodHound, and Cobalt Strike to harvest credentials, map paths to privileged accounts in Active Directory, and pivot from host to host. The 2023 MOVEit Transfer campaign run by the Cl0p group is often cited here, but it teaches a different lesson: Cl0p exploited a SQL injection zero-day (CVE-2023-34362) in the internet-facing application and exfiltrated data directly from it, so no lateral movement was needed. What lateral movement does show, in incident after incident, is how a flat network with no segmentation or least-privilege enforcement turns one compromised endpoint into an enterprise-wide event.

ZTNA eliminates the concept of broad network access entirely. Users connect to specific applications through an identity-aware proxy: the client gets a brokered connection to that one application, never a routable path onto the internal network, so there is nothing to scan and nowhere to pivot. The attack surface shrinks dramatically.

The Five Pillars of Zero Trust Network Access

Implementing ZTNA isn't a single product purchase. It's an architectural shift built on five interdependent pillars.

1. Identity Verification

Every access request starts with strong identity verification. This means multi-factor authentication (MFA) is non-negotiable. Passwords alone are insufficient — full stop. CISA has been saying this for years, and the data backs it up.

Use phishing-resistant MFA methods like FIDO2 security keys or passkeys. SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping, and SMS codes, TOTP codes, and push approvals can all be relayed by a real-time phishing proxy that sits between the victim and the real login page. FIDO2 resists that attack because the credential is bound to the site's origin and never leaves the authenticator. If you're serious about zero trust, invest in hardware tokens or platform authenticators.

2. Device Trust

Identity alone isn't enough. The device matters too. Is the laptop patched? Is the endpoint detection software running? Is the device enrolled in your management system?

ZTNA solutions evaluate device posture before granting access. An unpatched personal laptop connecting from an unusual location should face additional scrutiny — or be denied access entirely.

3. Least-Privilege Access

Users get access only to the specific resources they need for their role. A marketing manager doesn't need access to the production database. An HR coordinator doesn't need access to source code repositories.

This sounds obvious. In practice, I've audited organizations where 60-70% of employees had access to systems they'd never once used. Every unnecessary access point is an opportunity for an attacker.

4. Micro-Segmentation

Instead of one flat network, micro-segmentation breaks your environment into granular zones. Even if an attacker compromises one segment, they can't move to another without passing through additional verification checkpoints.

Think of it as watertight compartments on a ship. A breach in one compartment doesn't sink the vessel.

5. Continuous Monitoring and Adaptive Policy

Zero trust doesn't verify once and walk away. It evaluates risk continuously throughout a session. If a user's behavior changes — accessing unusual resources, downloading abnormal volumes of data, connecting from a new country — the system can step up authentication requirements or terminate the session.

This is where security awareness and technical controls intersect. Your people and your systems need to work together. That's why pairing ZTNA with comprehensive cybersecurity awareness training is critical. Technology catches a lot — but informed users catch what technology misses.
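The five pillars above are what an identity-aware broker evaluates on every request. The following is an added example, not code from the original post or from any ZTNA product: a per-request policy decision function in Python that checks identity (MFA present and strong enough for the application), device posture, explicit role-to-application grants, and a simple adaptive signal (sign-in from an unfamiliar country). The application table, the MFA strength ranking, the 30-day patch window and the request fields are all assumed values chosen for illustration; a real broker would take identity claims from the IdP, posture from the MDM or EDR agent, and risk signals from the SIEM.

```python
"""
Per-request access decision for an identity-aware proxy (illustrative).

Added example; the policy table, thresholds and request fields are assumptions,
not the original post's or any vendor's logic.
"""
from dataclasses import dataclass, field

# Constructed policy: which roles may reach which application, and what the
# application demands from the session. Anything not listed is denied.
APP_POLICY = {
    "wiki":    {"roles": {"staff", "engineer", "admin"}, "min_mfa": "any",                "managed_device": False},
    "git":     {"roles": {"engineer", "admin"},          "min_mfa": "phishing-resistant", "managed_device": True},
    "prod-db": {"roles": {"admin"},                      "min_mfa": "phishing-resistant", "managed_device": True},
}

# Assumed ranking used to compare the session's authenticator against an
# application's floor. Only FIDO2 counts as phishing-resistant here.
MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "push": 2, "fido2": 3}
MFA_FLOOR = {"any": 1, "phishing-resistant": 3}
MAX_PATCH_AGE_DAYS = 30   # assumed posture threshold


@dataclass
class AccessRequest:
    user: str
    roles: set                 # roles asserted by the IdP for this user
    mfa_method: str            # authenticator used for this session
    app: str                   # application the client is asking for
    device_managed: bool       # enrolled in MDM
    edr_running: bool          # endpoint agent healthy
    patch_age_days: int        # days since last OS/security update
    country: str               # derived from source IP
    usual_countries: set = field(default_factory=set)


def evaluate(req):
    """Return (decision, reason); decision is 'allow', 'step-up' or 'deny'.

    The broker calls this on every new connection (and periodically during a
    session), so nothing is cached from an earlier success. Order matters:
    hard failures deny outright, weak-but-present signals ask for step-up.
    """
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "unknown application"                    # default deny

    # Pillar 1, identity: some MFA is mandatory for everything.
    strength = MFA_STRENGTH.get(req.mfa_method, 0)
    if strength == 0:
        return "deny", "no MFA"

    # Pillar 3, least privilege: the role must be explicitly granted.
    if not (req.roles & policy["roles"]):
        return "deny", "role not authorised for %s" % req.app

    # Pillar 2, device trust: sensitive apps require healthy managed devices.
    if policy["managed_device"]:
        if not req.device_managed:
            return "deny", "unmanaged device"
        if not req.edr_running:
            return "deny", "EDR not running"
        if req.patch_age_days > MAX_PATCH_AGE_DAYS:
            return "deny", "device unpatched"

    # Pillar 1 again: an authenticator below the app's floor triggers step-up.
    if strength < MFA_FLOOR[policy["min_mfa"]]:
        return "step-up", "phishing-resistant MFA required"

    # Pillar 5, adaptive policy: unfamiliar geography forces re-authentication.
    if req.usual_countries and req.country not in req.usual_countries:
        return "step-up", "first sign-in from %s" % req.country

    return "allow", "policy satisfied"


if __name__ == "__main__":
    # A phished password plus SMS code, replayed from a new country on an
    # unmanaged laptop: denied long before the attacker sees an application.
    stolen = AccessRequest("alice", {"engineer"}, "sms", "git", False, False, 90,
                           "BR", {"US"})
    print(evaluate(stolen))
```

Note that pillar 4, micro-segmentation, does not appear in the function body: it is the property that a decision like this is enforced in front of every application, so an "allow" for the wiki never implies reachability of the database.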

How Phishing Fits Into the Zero Trust Equation

Here's what I want you to understand: zero trust network access doesn't make phishing irrelevant. It makes phishing less catastrophic.

A phished credential in a zero trust environment is far less dangerous than in a traditional one. The attacker still has to pass device checks, MFA challenges, and behavioral analysis. They get access to a narrow slice of resources — not the kingdom.

But phishing remains the primary way credentials get stolen in the first place. The FBI's 2022 Internet Crime Report documented over 300,000 phishing complaints — more than any other crime type. And those are just the ones that got reported.

That's why phishing simulation and training are essential complements to any ZTNA strategy. If you're building a zero trust architecture without training your people to recognize social engineering, you're leaving a massive gap. I recommend organizations run regular phishing awareness training programs alongside technical controls.

Getting Started: A Realistic ZTNA Roadmap

You don't need a seven-figure budget to start moving toward zero trust network access. Here's a practical roadmap I've used with organizations of all sizes.

Phase 1: Know What You Have (Weeks 1-4)

You can't protect what you can't see. Start with a comprehensive inventory of users, devices, applications, and data flows. Map who accesses what, from where, and how often.

Most organizations are shocked at what they find. Shadow IT, orphaned accounts, service accounts with admin privileges that haven't been rotated in years. Clean this up first.

Phase 2: Enforce Strong Identity (Weeks 4-8)

Roll out MFA across every application that supports it. Prioritize email, VPN (if you still have one), cloud services, and any admin consoles. Enforce conditional access policies and block legacy authentication protocols that can't carry an MFA challenge, such as basic-auth IMAP, POP3, and SMTP AUTH; attackers target these precisely because a stolen password alone is enough.

This single step eliminates a huge percentage of credential-based attacks. Microsoft's telemetry, first published in 2019 and repeated in its reporting since, shows that enabling MFA blocks more than 99.9% of automated account compromise attempts.

Phase 3: Implement Least Privilege (Weeks 8-16)

Audit access permissions ruthlessly. Revoke access that isn't actively needed. Implement role-based access control (RBAC) and review it quarterly. Set up just-in-time (JIT) access for privileged operations — admins should escalate privileges only when needed and only for a limited time.

Phase 4: Segment and Isolate (Weeks 16-24)

Begin micro-segmenting your most sensitive assets. Start with crown jewels — financial systems, customer databases, intellectual property repositories. Use network segmentation, application-layer controls, or a ZTNA broker to enforce boundaries.

Phase 5: Monitor Continuously (Ongoing)

Deploy endpoint detection and response (EDR) tools, centralize logging, and build alerting around anomalous access patterns. Integrate your identity provider with your security information and event management (SIEM) system. Look for impossible travel, credential stuffing patterns, and privilege escalation attempts.
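Two of the patterns named above, impossible travel and credential stuffing, are straightforward to detect once identity-provider sign-in logs land in a central store. The following is an added example, not code from the original post or from any SIEM product: a Python detector that runs over a few constructed sign-in events (field names, IP addresses in documentation ranges, and coordinates are all made up for the example). It flags a user whose consecutive successful logins imply travel faster than an airliner, and a source IP that fails against several distinct accounts within a short window. A real pipeline would read the IdP's export and resolve IPs to coordinates with a geo-IP database rather than carrying them in the event.

```python
"""
Impossible-travel and credential-stuffing detection over sign-in logs.

Added example; the log format, field names and sample events are constructed
for illustration and are not from the original post or any product.
"""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON event per line, as an IdP export might look.
SAMPLE_LOG = """
{"ts":"2023-06-01T08:00:00Z","user":"alice","ip":"203.0.113.10","lat":40.71,"lon":-74.01,"result":"success"}
{"ts":"2023-06-01T08:45:00Z","user":"alice","ip":"198.51.100.7","lat":52.52,"lon":13.41,"result":"success"}
{"ts":"2023-06-01T09:00:00Z","user":"bob","ip":"203.0.113.22","lat":37.77,"lon":-122.42,"result":"success"}
{"ts":"2023-06-01T15:30:00Z","user":"bob","ip":"203.0.113.23","lat":34.05,"lon":-118.24,"result":"success"}
{"ts":"2023-06-01T09:05:00Z","user":"carol","ip":"192.0.2.5","lat":51.51,"lon":-0.13,"result":"failure"}
{"ts":"2023-06-01T09:05:10Z","user":"dave","ip":"192.0.2.5","lat":51.51,"lon":-0.13,"result":"failure"}
{"ts":"2023-06-01T09:05:20Z","user":"erin","ip":"192.0.2.5","lat":51.51,"lon":-0.13,"result":"failure"}
{"ts":"2023-06-01T09:05:30Z","user":"frank","ip":"192.0.2.5","lat":51.51,"lon":-0.13,"result":"failure"}
"""

MAX_SPEED_KMH = 900.0   # assumed ceiling, roughly airliner speed; tune per estate


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become aware UTC datetimes."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful sign-ins per user whose implied speed is too high."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue                      # same address, nothing to compare
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0 or dist / hours > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(dist), "hours": round(hours, 2)})
    return alerts


def find_credential_stuffing(events, window_minutes=10, min_users=3):
    """Flag source IPs that fail against many distinct accounts inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            end = start["ts"] + timedelta(minutes=window_minutes)
            users = {e["user"] for e in evs[i:] if e["ts"] <= end}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "users": sorted(users)})
                break                          # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(find_impossible_travel(evs))
    print(find_credential_stuffing(evs))
```

Feeding these alerts back into the access broker (forcing step-up or revoking the session) is what turns detection into the adaptive policy described under pillar 5; note also that corporate VPN egress, cloud proxies and mobile carriers all produce benign "travel", so the speed threshold and an allow-list of known egress ranges need tuning before this pages anyone.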

Common ZTNA Mistakes I See Over and Over

Mistake #1: Treating ZTNA as a product, not a strategy. No single vendor gives you zero trust in a box. It's an architecture. Products support it — they don't deliver it.

Mistake #2: Ignoring the human element. Every security awareness program I've ever evaluated shows the same thing — untrained employees remain the weakest link. Technology and training work together or they don't work at all.

Mistake #3: Skipping the inventory. You can't enforce least privilege if you don't know what access exists. The boring work of asset inventory and access auditing is the foundation everything else sits on.

Mistake #4: MFA and calling it done. MFA is necessary but insufficient. It's one pillar of five. Organizations that deploy MFA and declare zero trust victory are fooling themselves.

What the Federal Government Is Telling You

Executive Order 14028, signed in May 2021, mandated zero trust architecture adoption across U.S. federal agencies. CISA's Zero Trust Maturity Model provides a detailed framework that's applicable far beyond government.

If the federal government — historically slow to adopt new security paradigms — is going all-in on zero trust, that should tell you something about the direction of the industry. The question isn't whether your organization will adopt ZTNA. It's whether you'll do it proactively or after a breach forces your hand.

Zero Trust Network Access and Ransomware Defense

Ransomware operators thrive on lateral movement. Groups like Cl0p, LockBit, and BlackCat (ALPHV) follow a predictable playbook: gain initial access, escalate privileges, move laterally, exfiltrate data, then deploy ransomware.

ZTNA disrupts this playbook at multiple points. Without broad network access, the attacker can't discover additional targets. Without the ability to escalate privileges easily, they can't deploy ransomware across the enterprise. Without unmonitored lateral movement, your security team gets alerted early.

This doesn't make you invulnerable. Nothing does. But it changes the economics for the attacker — making your organization a harder, less profitable target.

The Bottom Line on ZTNA in 2023

Zero trust network access isn't a trend or a buzzword. It's the direct response to two decades of catastrophic breaches that exploited implicit trust. Every major security framework now incorporates it. Every serious threat model assumes it.

Start with identity. Layer on device trust and least privilege. Segment your network. Monitor continuously. And train your people — because the most sophisticated zero trust architecture in the world still depends on humans making good decisions.

Your next step: assess where you stand today. Run an access audit. Deploy MFA everywhere. Start the conversation with your team about what zero trust means for your specific environment. The organizations that act now will be the ones that avoid the $4.45 million lesson.