Start by defining the resources that should be app-scoped, then tie access to identity, device posture, and session context. Keep broad network reach out of the design. ZTNA works best when IAM, PAM, and device governance are already coordinated, because the access layer can only enforce the policy you have actually modelled.
Why This Matters for Security Teams
Identity centric ZTNA is not just a network redesign. In hybrid environments, the real issue is deciding who or what can reach which app, under which conditions, without exposing broad network routes. NIST’s NIST SP 800-207 Zero Trust Architecture treats access as a continuous policy decision, which is why ZTNA succeeds only when identity, device posture, and session context are already well modelled.
Security teams often get trapped by inheritance from VPN thinking: if the user or workload is authenticated once, the network should be trusted. That breaks down in hybrid estates where apps sit across cloud, on-prem, and partner-managed environments, and where identities include service accounts, API keys, and automation. NHIMG’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x, which is why the access layer must account for machine access as a first-class problem. In practice, many security teams encounter lateral movement and app exposure only after a legacy network path has already been abused, rather than through intentional ZTNA design.
How It Works in Practice
Implementing identity centric ZTNA starts by scoping access at the application boundary, not the subnet boundary. Each protected resource should have an explicit policy that evaluates identity, device posture, location, risk signals, and session attributes at request time. Current guidance suggests treating broad network reach as a design failure, because once the network is reachable, authorization is often too coarse to be useful.
For human users, ZTNA usually sits alongside IAM and PAM so that privileged actions are elevated only when needed. For workloads, the primitive is workload identity, not a reusable password or long-lived token. The Guide to SPIFFE and SPIRE is useful here because it shows how cryptographic identity can identify the workload itself, while policy engines such as OPA or Cedar evaluate whether that workload should access a specific app now.
- Use short-lived credentials and revoke them as soon as the task ends.
- Bind access to verified identity plus device or workload posture, not to IP ranges alone.
- Segment privileged workflows so ZTNA only exposes the specific app or API in scope.
- Log every decision with enough context to explain why access was granted or denied.
NHIMG’s Top 10 NHI Issues highlights how over-privilege and poor visibility keep showing up together, so ZTNA should be paired with entitlement cleanup and secret rotation rather than deployed as a standalone proxy layer. These controls tend to break down when legacy apps depend on flat network trust, because the application cannot enforce identity-aware policy without substantial refactoring.
Common Variations and Edge Cases
Tighter access policy often increases operational overhead, requiring organisations to balance security gain against application compatibility and support burden. That tradeoff is most visible in hybrid environments where some apps support modern federation while others still rely on static headers, allowlists, or embedded credentials.
There is no universal standard for this yet, but current practice is to differentiate between user ZTNA, workload ZTNA, and partner access. User sessions can lean on MFA, device compliance, and step-up checks. Workload sessions should rely on short-lived workload identity, ideally with automated issuance and revocation. Partner or third-party access usually needs the strictest segmentation because trust is hardest to verify and easiest to overextend.
One common mistake is treating ZTNA as a replacement for IAM or PAM. It is not. ZTNA enforces access decisions at the edge of the app, but it depends on upstream identity hygiene, secret governance, and least privilege. Another edge case appears in environments with high latency or intermittently connected sites: policy evaluation must still happen consistently, or teams will quietly create exceptions that recreate VPN-like trust. For a fuller breakdown of how NHI exposure undermines these designs, see 52 NHI Breaches Analysis and the Ultimate Guide to NHIs — Standards.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity centric ZTNA depends on verified access control decisions. |
| NIST Zero Trust (SP 800-207) | Zero trust is the core model for app-scoped access in hybrid estates. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | Workload and service identity governance is central to hybrid ZTNA. |
Shift from network trust to continuous, context-based authorization at the application boundary.
Related resources from NHI Mgmt Group
- How should security teams use identity security posture scores in hybrid environments?
- How should security teams implement identity governance in SaaS-heavy environments?
- How should security teams defend against password spraying in hybrid identity environments?
- How should security teams implement ephemeral credentials in hybrid environments?
