Zero Trust Network Access is a security model that continuously verifies users and devices, controlling access to network resources based on the principle of "never trust, always verify."
Zero Trust Network Access (ZTNA) is a security model that operates under the principle of "never trust by default" for users and devices, performing continuous verification on every access request and controlling connections to network resources with least-privilege principles.
Traditional network security was grounded in the concept of "perimeter defense." Under the assumption that anything inside the corporate network could be trusted, the mainstream approach was to protect the boundary between internal and external environments using VPNs and firewalls. However, as cloud services proliferated, remote work became the norm, and the use of uncontrolled tools such as Shadow AI increased, the premise that "inside the perimeter is safe" ceased to hold.
ZTNA fundamentally overturns this assumption. Regardless of whether a request originates inside or outside the network, every access request is treated as "unverified," and continuous authentication and authorization are carried out by combining the following elements:
ZTNA implementations primarily exist in two architectures: "agent-based" and "service-based." In the agent-based approach, client software is installed on the device and an access broker mediates the connection to resources. The service-based approach, by contrast, requires no agent and controls access using a reverse proxy.
In both architectures, access policy is evaluated in real time. A key distinction from traditional VPNs is that a connection can be terminated immediately, or re-authentication demanded, if the risk score changes during an active session. Transport encryption with strong ciphers such as AES-256 is typically applied alongside these checks, protecting the communication channel itself.
For authentication, integration with federated authentication leveraging OIDC Tokens has become common practice, enabling flexible access control in conjunction with existing identity providers.
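The continuous, per-request evaluation described above, as an added illustration that is not part of the original article: a minimal policy engine that checks an OIDC ID-token issuer and expiry, group membership, device posture and the current risk score on every tick of an established session, returning "allow", "reauth" or "deny". The resource names, group names, issuer URL and risk thresholds are constructed assumptions, not any product's defaults.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: frozenset        # groups asserted by the identity provider
    device_compliant: bool   # device posture reported by the agent / broker
    token_issuer: str        # OIDC ID-token 'iss' claim
    token_exp: int           # OIDC ID-token 'exp' claim (Unix seconds)
    risk_score: int          # 0-100, supplied by the organisation's risk engine
    resource: str

# Constructed sample policy: required group and maximum tolerated risk per resource.
POLICY = {
    "prod-db":     {"group": "dba", "max_risk": 20},
    "staging-app": {"group": "dev", "max_risk": 60},
}
TRUSTED_ISSUER = "https://idp.example.com"   # assumed identity provider
HARD_DENY_RISK = 80                          # above this, no re-auth is offered

def evaluate(ctx: AccessContext, now: int) -> str:
    """Decide one access request. Default is deny; nothing is trusted by location."""
    rule = POLICY.get(ctx.resource)
    if rule is None:
        return "deny"                          # unknown resource: never reachable
    if ctx.token_issuer != TRUSTED_ISSUER:
        return "deny"                          # token not from the federated IdP
    if rule["group"] not in ctx.groups or not ctx.device_compliant:
        return "deny"                          # least privilege / device posture
    if ctx.token_exp <= now:
        return "reauth"                        # ID token expired mid-session
    if ctx.risk_score > rule["max_risk"]:
        return "reauth" if ctx.risk_score <= HARD_DENY_RISK else "deny"
    return "allow"

def session_monitor(ctx: AccessContext, risk_samples, now: int, interval: int = 60):
    """Re-evaluate an open session once per interval with a fresh risk score.

    Returns (verdict, tick) for the first non-allow verdict, or ("allow", None)
    if the session stayed allowed for every sample.
    """
    for tick, risk in enumerate(risk_samples):
        verdict = evaluate(replace(ctx, risk_score=risk), now + tick * interval)
        if verdict != "allow":
            return verdict, tick
    return "allow", None
```

Because `evaluate` runs on every tick rather than only at connect time, a rising risk score or an expired token changes the verdict without waiting for the session to end, which is the behaviour that separates ZTNA from a VPN tunnel.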
While ZTNA is often discussed in the context of infrastructure security, it also plays an important role in DevSecOps practices. Managing access to development, staging, and production environments under zero trust principles minimizes the damage from insider threats and credential leaks. Moreover, as novel threats targeting AI systems, such as Prompt Injection attacks, continue to grow, applying ZTNA concepts to access control for AI agents and API endpoints is becoming increasingly widespread.
From an AI governance perspective, ZTNA functions as a foundation for compliance because it records and controls, at a fine granularity, who accessed which AI resources and when. This is particularly valuable under regulations such as the EU AI Act and PDPA (Thailand's Personal Data Protection Act), which require complete access logs and proof of least privilege; here, adopting ZTNA offers direct and tangible benefits.
ZTNA is not a silver bullet. During the initial deployment phase, integration costs arise from aligning it with existing network configurations and authentication infrastructure. Overly strict policy settings also risk impairing operational efficiency, so a gradual, Human-in-the-Loop (HITL) approach to policy tuning is the more practical path. It is also important to remember that known vulnerability classes, such as those catalogued by OWASP, must still be addressed at a separate layer, independent of ZTNA.
Zero trust is not something that is "complete once you buy a product." It is a continuous process of transforming the organization's very culture around access management.