What is zero-trust network access (ZTNA)?

Zero-trust network access (ZTNA) is a radically different approach to computer network security, addressing many of the fundamental flaws that make traditional systems so hard to keep safe. “Zero trust isn’t a single product or status, but a continuous process of maintaining and improving an organization’s cybersecurity posture via protective, detective, and reactive security measures,” explains David Resseguie, a senior director in the PwC US Innovation Hub. “It’s a mindset that involves a shift from trusting everything within the network perimeter to a ‘no trust without verification’ policy.”
“Zero trust is increasingly going to become a part of your overall data security strategy,” says Resseguie. In today’s connected business environment, it’s important to think of your cybersecurity policy as operating within an ecosystem—because “it will be your organization that is held accountable for data protection and compliance across the digital supply chain, even if the issue lies with your suppliers and partners,” Resseguie warns. “Trust is not guaranteed merely on the basis of a promise made by a vendor or provider or a policy statement accepted by a user.”
At the same time, IT security is being challenged by rapidly advancing technology developments and new ways of working. In a move accelerated by the shift to hybrid work environments and the cloud, organizations are integrating more and more services via the internet, as it has become the norm to access internal resources via multiple devices outside the private network. “More access points means more vulnerabilities for critical business data, processes, and infrastructure,” Resseguie says. “The traditional approach to IT security, which uses the network perimeter as the enforcement point for security controls, like firewalls, is no longer sufficient.”
By segmenting the network and applying security measures at each segment, ZTNA can help prevent a security breach from spreading across the entire network. Breaches are common—the UK Department for Science, Innovation and Technology found 69% of large businesses experienced a cybersecurity breach in a year—and expensive: one study suggests the global average cost of a data breach was more than US$4 million in 2023. And a breach’s impact goes beyond out-of-pocket costs, with brand loyalty and trust often taking hits that can restrict growth.
Applying the principles of zero trust enhances a company’s cybersecurity posture by making cyber issues more visible and facilitating compliance with data-protection requirements. It can help organizations meet regulatory requirements by providing a framework for demonstrating that they’ve taken the necessary steps to protect sensitive data. Regulators are also moving in this direction: the US National Institute of Standards and Technology (NIST) published a zero-trust standard (NIST SP 800-207) in 2020, which was made mandatory for federal agencies the following year. The UK National Cyber Security Centre also began consulting with industry on its emerging standard in 2021, and other regulators are likely to follow—soon, compliance won’t be optional.
Finally, ZTNA’s focus on advanced automation and continuous monitoring of all users and devices means many of the common tools that enable remote access—like VPNs—are rendered obsolete, along with their security weaknesses. This, in turn, can reduce cybersecurity overhead costs.
Zero trust can affect the entire organization, but the lead is likely to be taken by CTOs, cybersecurity and network architecture teams, and data protection and compliance officers. ZTNA is especially important in industries that handle confidential data, such as financial services, banking and capital markets, healthcare, media, transportation and logistics, pharmaceuticals and life sciences, telecommunications, government and public services, and aerospace and defense.
“When migrating to a zero-trust approach, start by identifying what data is sensitive and needs extra protection,” advises Resseguie. “Then, define internal zones or ‘micro-perimeters’ that allow you to segment your risk.” You’ll likely need to perform a strategic reassessment of current IT systems, including cybersecurity defenses, and define the software and hardware investments required to shift to a zero-trust model. “It might sound a bit complicated, and it can be,” Resseguie says, “but doing nothing or sticking to the status quo with cybersecurity policy is not an option. The required capital investment costs must be understood in the context of longer-term risk mitigation savings.”
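The following added example (not from the original article or from PwC) illustrates the shift described above in code: a traditional perimeter check that trusts anything on the internal address range, beside a zero-trust policy that verifies identity, device posture and micro-perimeter membership on every request and denies by default. All zone names, resources and requests are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed micro-perimeters: each zone lists the sensitive resources it
# protects, the roles allowed in, and the verification it demands.
ZONES = {
    "payroll": {"resources": {"hr-db", "payslip-api"}, "roles": {"hr"},
                "require_mfa": True, "require_managed_device": True},
    "wiki": {"resources": {"intranet-wiki"}, "roles": {"hr", "eng", "sales"},
             "require_mfa": False, "require_managed_device": False},
}


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool
    source_ip: str
    resource: str


def perimeter_decision(req: Request) -> bool:
    """Traditional model: anything inside the corporate range is trusted."""
    return req.source_ip.startswith("10.")


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero-trust model: verify every request against its zone; default deny."""
    zone = next((z for z in ZONES.values() if req.resource in z["resources"]), None)
    if zone is None:
        return False, "unknown resource"          # nothing outside a zone is reachable
    if req.role not in zone["roles"]:
        return False, "role not permitted in zone"  # segmentation limits lateral reach
    if zone["require_mfa"] and not req.mfa_verified:
        return False, "mfa required"
    if zone["require_managed_device"] and not req.device_managed:
        return False, "managed device required"
    return True, "verified"


# A request from an internal address that has not proved identity or device
# posture: the perimeter model lets it through, the zero-trust model does not.
INSIDER_NO_MFA = Request("sam", "eng", False, False, "10.0.5.7", "hr-db")

# A remote HR user on a managed device with MFA: denied by the perimeter model
# purely because of the address, allowed under zero trust because verified.
REMOTE_HR_VERIFIED = Request("ana", "hr", True, True, "203.0.113.9", "payslip-api")
```

Logging the reason string from each denial gives the per-request visibility the article says zero trust provides, and makes the policy easy to audit.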
Last updated on 1 May 2024