By NHI Mgmt Group Editorial TeamPublished 2026-02-26Domain: Cyber SecuritySource: Appgate

TL;DR: Financial services firms are using Zero Trust Network Access to replace VPN-centric access with identity-driven, least-privilege controls, continuous auditability, and direct-routed connections, according to Appgate’s analysis of banking and capital markets deployments. The governance shift is clear: access models now have to satisfy both operational resilience and regulatory proof, not just connectivity.


At a glance

What this is: This is Appgate’s analysis of how financial institutions are using Zero Trust Network Access to reduce exposure, improve auditability, and modernize access control.

Why it matters: It matters because finance teams must govern privileged human, partner, and administrator access in ways that reduce lateral movement, support compliance, and avoid brittle perimeter assumptions.

👉 Read Appgate's analysis of zero trust network access in financial services


Context

Financial services access has become a governance problem, not just a connectivity problem. As cloud banking, remote work, third-party integrations, and regional expansion increase the number of pathways into critical systems, legacy VPN assumptions break down and auditability becomes harder to prove.

Zero Trust Network Access shifts access decisions to identity, device posture, and context, which is why it now intersects with IAM, PAM, and access review workflows in regulated environments. For teams managing human, third-party, and non-human access paths, the same question applies: how do you enforce least privilege without creating blind spots?


Key questions

Q: How should financial services teams implement zero trust access without slowing operations?

A: Start by limiting access to specific resources rather than network ranges, then layer identity, device posture, and contextual policy on top. The practical test is whether users still reach what they need while administrators, partners, and contractors lose broad lateral visibility. If performance suffers, redesign the routing path before expanding rollout.

Q: Why does VPN-based access create governance problems in regulated environments?

A: VPNs often convert a successful login into broad internal reach, which makes least privilege difficult to prove and lateral movement easier to perform. In regulated environments, that becomes an audit problem as well as a security problem because the organisation has to show exactly what each user could access and why.

Q: What do security teams get wrong about zero trust access in finance?

A: They often treat it as a replacement for remote connectivity rather than as an access governance control. If policies are coarse, offboarding is weak, or privileged users share the same access path as everyone else, the model still leaves exposure and weak evidence behind.

Q: Who is accountable when access decisions fail in a zero trust model?

A: Accountability sits with the teams that own identity, access policy, and privileged session governance, not only the network team. In finance, that usually means IAM, PAM, security architecture, and compliance all need a shared control owner and a shared evidence trail.


Technical breakdown

How ZTNA replaces perimeter-based access in regulated environments

Zero Trust Network Access changes the access model from network membership to explicit authorization. Instead of placing users on a trusted internal network, the system evaluates identity, device posture, and contextual policy before brokering a direct connection to a specific resource. That design reduces lateral movement because users do not inherit broad network reach once authenticated. In regulated finance environments, the architecture also creates a cleaner audit trail because each access decision is discrete and policy-based rather than implicit in VPN connectivity. The control objective is not just blocking outsiders, but narrowing every session to a bounded need.

Practical implication: map every high-value internal application to a specific access policy and remove any assumption that VPN connectivity equals authorized reach.

Identity-driven access policy and least-privilege segmentation

ZTNA works when identity and context determine what is reachable, and when that policy is granular enough to avoid broad entitlements. Role-based access control and contextual signals can separate administrators from general users, internal staff from partners, and routine users from high-risk functions. This matters in financial services because access sprawl often grows faster than the application estate, especially when legacy groups and static rules are reused across environments. Least privilege here is operational, not theoretical: each request should be evaluated against a narrow set of conditions before access is granted.

Practical implication: review group-based entitlements, replace broad network access with resource-level policies, and align access paths with role and device risk.

Auditability, logging, and operational resilience for financial access

The strongest access models in finance do more than restrict traffic. They generate evidence that access was approved, bounded, and observable throughout the session. That evidence matters for compliance, incident response, and access review, particularly where regulators expect proof rather than policy statements. Direct-routed architectures also help reduce bottlenecks and dependency on centralised network paths, which supports resilience for transaction-heavy environments. In other words, access control is only useful if it can be monitored, explained, and sustained under load.

Practical implication: require continuous access logging, route high-value sessions through auditable paths, and test whether your access architecture still performs during peak demand.


Threat narrative

Attacker objective: The attacker aims to turn one authenticated access path into broader reach across sensitive financial systems while evading detection and audit.

  1. Entry occurs through overexposed VPN or remote access infrastructure that broadens the reachable network once a user is authenticated.
  2. Escalation follows when broad network visibility lets an attacker move from a single foothold toward additional systems and administrative interfaces.
  3. Impact comes from credential abuse, lateral movement, and audit gaps that make it harder to contain the compromise or prove what was accessed.

NHI Mgmt Group analysis

Network access is becoming an identity governance problem in financial services. The article shows that regulated organisations are no longer judging access tools only on connectivity, but on whether they can prove who was allowed to reach which resource, under what conditions, and with what evidence. That is an IAM and PAM issue as much as it is a network security issue, because entitlement scope now determines exposure scope. Practitioners should treat ZTNA as part of the access governance stack, not a standalone transport layer.

Least-privilege segmentation is the named control gap this topic exposes. Legacy VPNs convert authentication into broad reach, which leaves finance teams with too much lateral movement potential and too little policy precision. The article’s case studies show why static network trust fails under cloud banking, third parties, and remote administration. Practitioners should measure whether access is truly resource-bound or just network-bound.

Continuous auditability is no longer a reporting feature, it is a control requirement. Financial institutions need access evidence that survives regulatory review, incident response, and operational change. This is where access architecture intersects with compliance, because proof of enforcement matters more than policy intent. Practitioners should be able to show an auditor not only the rule, but the decision trail behind each session.

Operational resilience and security are converging at the access layer. The article makes clear that finance teams cannot trade away latency or uptime in order to improve control, because critical transaction paths still have to function under load. That pushes architecture decisions toward direct, policy-driven connections and away from centralised choke points. Practitioners should evaluate access controls against both abuse resistance and business continuity.

Identity bridging matters here because privileged users and external parties are the highest-risk access populations. Finance programmes often separate network modernisation from identity governance, but the control failures overlap: over-permissioning, weak session evidence, and incomplete offboarding all surface at the access boundary. Teams should align ZTNA with PAM, access reviews, and third-party lifecycle controls so that policy enforcement and identity governance move together.

What this signals

Least-privilege access will increasingly be measured by evidence, not intent. Finance programmes that still rely on VPN reach or static segmentation will struggle to prove that access was minimal, contextual, and continuously enforced. The next maturity step is not just adopting ZTNA, but integrating it into IAM, PAM, and review workflows so access decisions become auditable control events.

Access architecture is now part of resilience engineering. If the access layer cannot sustain regulated workloads under peak demand, failover, or audit pressure, the organisation has only moved the bottleneck. Teams should test whether direct-routed sessions, session logging, and identity policy enforcement still hold up when business activity spikes.

Third-party and privileged access need the same governance model. The strongest signal from this topic is that finance teams can no longer separate remote user access from identity lifecycle controls. Offboarding, session evidence, and role scoping must converge, otherwise ZTNA will reduce exposure without fully fixing entitlement drift.


For practitioners

  • Replace broad VPN reach with resource-level policies Inventory the highest-risk internal systems and reissue access so each role can reach only named resources, not whole subnets. Use device posture and contextual checks to separate administrators, employees, and external partners.
  • Tie ZTNA to access review evidence Require session logs, policy decisions, and resource access records to feed periodic review workflows. That gives auditors proof that access was continuously enforced rather than assumed after login.
  • Align privileged access with network segmentation Map administrative access paths to PAM processes so elevated users do not inherit the same connectivity model as standard users. This reduces lateral movement risk and makes privileged sessions easier to isolate.
  • Test resilience under peak financial workload Validate that direct-routed access paths maintain performance during busy periods, failover events, and regulator-driven testing. If latency or dependency risk rises, the control model needs redesign before rollout expands.

Key takeaways

  • Legacy VPN models expand trust too far for modern financial services and leave lateral movement room that regulators can see.
  • Zero Trust Network Access improves control only when identity, device posture, logging, and resource-level authorization work together.
  • Finance teams should treat access modernization as an IAM, PAM, and resilience programme, not just a network upgrade.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4ZTNA maps to controlling access permissions in finance environments.
NIST SP 800-53 Rev 5AC-6Least privilege is central to the article's access model.
NIST Zero Trust (SP 800-207)The article directly discusses zero trust access architecture.
ISO/IEC 27001:2022A.5.15Policy-based access control is directly relevant to regulated finance access.

Align access policy definitions and enforcement with A.5.15 to keep privileges bounded and reviewable.


Key terms

  • Zero Trust Network Access: Zero Trust Network Access is an access model that grants users a specific connection only after identity, device, and policy checks succeed. It reduces implicit network trust by replacing broad VPN-style reach with resource-scoped access and continuous authorization signals.
  • Least Privilege Segmentation: Least privilege segmentation is the practice of limiting users to only the systems and functions they need, rather than exposing larger network zones. In regulated environments, it reduces lateral movement, narrows audit scope, and makes access enforcement easier to prove.
  • Resource-Level Authorization: Resource-level authorization means access is granted to a named application, system, or service rather than to an entire subnet or environment. It is a practical way to turn identity decisions into narrower, auditable access boundaries.
  • Access Auditability: Access auditability is the ability to show who accessed what, when, under which policy, and with what result. It matters because regulators and incident responders need evidence of enforcement, not just statements that a control exists.

What's in the full article

Appgate's full blog covers the operational detail this post intentionally leaves for the source:

  • Deployment specifics from Tarjeta Amiga and BYMA, including how each environment mapped access policies to business roles.
  • Measured operational outcomes such as reduced false positives, faster troubleshooting, and improved access review evidence.
  • The practical deployment pattern for replacing VPN-centric access without disrupting financial operations.
  • How the architecture handled remote users, administrators, and external participants in regulated environments.

👉 The full Appgate blog covers the Tarjeta Amiga and BYMA deployments, along with the measurable access-control outcomes.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, IAM, and secrets management. It gives security and identity practitioners a structured way to connect access control decisions to the wider governance model.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org