TL;DR: Financial services firms are using Zero Trust Network Access to replace VPN-centric access with identity-driven, least-privilege controls, continuous auditability, and direct-routed connections, according to Appgate’s analysis of banking and capital markets deployments. The governance shift is clear: access models now have to satisfy both operational resilience and regulatory proof, not just connectivity.
NHIMG editorial — based on content published by Appgate: Zero trust network access in financial services access control
Questions worth separating out
Q: How should financial services teams implement zero trust access without slowing operations?
A: Start by limiting access to specific resources rather than network ranges, then layer identity, device posture, and contextual policy on top.
Q: Why does VPN-based access create governance problems in regulated environments?
A: VPNs often convert a successful login into broad internal reach, which makes least privilege difficult to prove and lateral movement easier to perform.
Q: What do security teams get wrong about zero trust access in finance?
A: They often treat it as a replacement for remote connectivity rather than as an access governance control.
Practitioner guidance
- Replace broad VPN reach with resource-level policies Inventory the highest-risk internal systems and reissue access so each role can reach only named resources, not whole subnets.
- Tie ZTNA to access review evidence Require session logs, policy decisions, and resource access records to feed periodic review workflows.
- Align privileged access with network segmentation Map administrative access paths to PAM processes so elevated users do not inherit the same connectivity model as standard users.
What's in the full article
Appgate's full blog covers the operational detail this post intentionally leaves for the source:
- Deployment specifics from Tarjeta Amiga and BYMA, including how each environment mapped access policies to business roles.
- Measured operational outcomes such as reduced false positives, faster troubleshooting, and improved access review evidence.
- The practical deployment pattern for replacing VPN-centric access without disrupting financial operations.
- How the architecture handled remote users, administrators, and external participants in regulated environments.
👉 Read Appgate's analysis of zero trust network access in financial services →
Zero trust network access in finance: what IAM and security teams need to know?
Explore further
Network access is becoming an identity governance problem in financial services. The article shows that regulated organisations are no longer judging access tools only on connectivity, but on whether they can prove who was allowed to reach which resource, under what conditions, and with what evidence. That is an IAM and PAM issue as much as it is a network security issue, because entitlement scope now determines exposure scope. Practitioners should treat ZTNA as part of the access governance stack, not a standalone transport layer.
A question worth separating out:
Q: Who is accountable when access decisions fail in a zero trust model?
A: Accountability sits with the teams that own identity, access policy, and privileged session governance, not only the network team. In finance, that usually means IAM, PAM, security architecture, and compliance all need a shared control owner and a shared evidence trail.
👉 Read our full editorial: Zero trust network access is reshaping financial services access control