
Zero Trust: More Than a Buzzword – Limits, Maturity, and Evolution Best Practices and ZTNA Architecture

Published on October 20, 2025

A Zero Trust Network Access (ZTNA) architecture is built upon several interconnected best practices to ensure secure and granular access to resources. At the core of this model lies continuous authentication and authorization: the user's identity (often with MFA or biometrics) and the device's security posture are verified dynamically on every access request, not only at login. Because access is brokered per application rather than per network, the user never gains network-level reachability: application-level segmentation exposes only the resources that user is authorized for, and everything else is simply not advertised. This drastically reduces the attack surface and, through micro-segmentation, limits lateral movement in the event of a breach.

These rules are managed by an advanced, distributed policy engine capable of making real-time, contextual evaluations based on identity, role, device, and behavior. All traffic is routed through brokers and encrypted tunnels that inspect and secure the data exchanged between the user and the application, thereby preventing direct access to backend assets. In parallel, continuous telemetry and analytics, fed by granular logs, enable User and Entity Behavior Analytics (UEBA) and the dynamic optimization of policies. This system culminates in continuous monitoring and adaptive response: any change in the risk profile, such as a shift in device posture or anomalous behavior, triggers an immediate, automated reaction. This response can range from requiring additional verification (step-up authentication) to instantly revoking the session.
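The decision logic described above, written out as a minimal policy decision point: this is an added example for this article, not code from NEVERHACK or from any ZTNA product. The application catalogue, the posture checks, the risk thresholds (50 for step-up, 80 for deny/revoke) and the sample users and devices are all constructed assumptions chosen to exercise the allow / step-up / deny / revoke paths; a real policy engine would take these from the IdP, the device-management agent and the UEBA pipeline.

```python
"""Added example: a minimal ZTNA policy decision point (PDP).

Illustrative code written for this article, not a product's API. All
names, thresholds and the sample identities/devices are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require additional verification (e.g. fresh MFA)
    DENY = "deny"         # refuse a new request
    REVOKE = "revoke"     # terminate an already-established session


@dataclass
class Identity:
    user: str
    roles: set
    mfa_verified: bool    # assumption: set by the IdP after a fresh MFA


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    os_patch_age_days: int


@dataclass
class Context:
    identity: Identity
    device: DevicePosture
    app: str
    risk_score: int       # 0-100 from UEBA; assumption: higher means riskier
    session_active: bool = False


# Assumed application catalogue: which roles may reach which app, and whether
# the app is sensitive enough to always demand a fresh MFA.
APP_POLICY = {
    "crm":     {"roles": {"sales", "admin"}, "require_mfa": False},
    "payroll": {"roles": {"hr", "admin"},    "require_mfa": True},
}


def visible_apps(identity: Identity) -> set:
    """Application-level segmentation: a user is shown only the apps a role
    permits; the rest are never advertised, so there is nothing to scan."""
    return {app for app, p in APP_POLICY.items() if identity.roles & p["roles"]}


def posture_ok(d: DevicePosture, max_patch_age: int = 30) -> bool:
    """Device must be managed, encrypted, EDR-healthy and reasonably patched."""
    return (d.managed and d.disk_encrypted and d.edr_healthy
            and d.os_patch_age_days <= max_patch_age)


def evaluate(ctx: Context) -> Decision:
    """Evaluate a new request or re-evaluate an existing session.

    Hard failures (unknown app, no matching role, failed posture, very high
    risk) revoke an active session or deny a new request. Softer signals
    (moderate risk, sensitive app without fresh MFA) step up instead.
    """
    policy = APP_POLICY.get(ctx.app)
    hard_fail = (
        policy is None
        or not (ctx.identity.roles & policy["roles"])
        or not posture_ok(ctx.device)
        or ctx.risk_score >= 80
    )
    if hard_fail:
        return Decision.REVOKE if ctx.session_active else Decision.DENY
    if ctx.risk_score >= 50 or (policy["require_mfa"] and not ctx.identity.mfa_verified):
        return Decision.STEP_UP
    return Decision.ALLOW


def demo() -> list:
    """Walk one constructed session through a mid-session change of posture."""
    alice = Identity(user="alice", roles={"sales"}, mfa_verified=True)
    laptop = DevicePosture(managed=True, disk_encrypted=True,
                           edr_healthy=True, os_patch_age_days=5)
    ctx = Context(identity=alice, device=laptop, app="crm", risk_score=10)
    trace = [evaluate(ctx)]            # initial request: ALLOW
    ctx.session_active = True
    ctx.risk_score = 60                # UEBA flags unusual behaviour: STEP_UP
    trace.append(evaluate(ctx))
    ctx.device.edr_healthy = False     # EDR stops reporting: REVOKE
    trace.append(evaluate(ctx))
    return trace


if __name__ == "__main__":
    print([d.value for d in demo()])
```

The ordering of the checks is the security-relevant part: a hard control that fails is never downgraded to a step-up, and the same `evaluate` function is called again whenever a signal changes, which is what turns a login-time check into continuous authorization.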

Operational Challenges: Where the Complexity Hides

Now, let's talk about the real obstacles. When you get into the details, managing federated identities across SaaS, on-premises, and OT environments starts to highlight limitations that Zero Trust theory doesn't easily solve. While security in theory relies on defining structured access rules (RBAC/ABAC), the business demands fluidity, speed, external collaboration with partners (federation), temporary, just-in-time permissions (privileged access management), and real-time risk response. These competing needs create friction. If the rules, however secure, become too dynamic and complex to implement, they slow down work, and users will always find a shortcut. This leads to Shadow IT and productivity workarounds that ultimately undermine security.

Looking at legacy environments, the story gets more complicated: textbook micro-segmentation clashes with outdated VMs, incompatible hardware, and non-standardized APIs. Gaps often emerge between the policy as declared in orchestration tooling and what is actually enforced on the wire, especially in multi-cloud and hybrid architectures.

And let's not forget change management: people remain the most critical success factor. Gartner and Forrester have been saying it for years: internal resistance, ingrained habits, and silent workarounds are still the true barriers to effectively scaling a ZTNA model.

Maturity Model: Truly Measuring Progress

This is where a fundamental tool comes into play: the maturity model. Today, the most authoritative reference is CISA's Zero Trust Maturity Model (ZTMM), which aligns with the NIST SP 800-207 standard. It provides a path and a scale that allow organizations to understand the big picture, the journey ahead, and their current position on a four-stage scale: Traditional, Initial, Advanced, and Optimal. The model is organized around five pillars, plus three cross-cutting capabilities (visibility and analytics, automation and orchestration, and governance) that span all of them.

If we consider the five pillars:

  1. Identity: Fine-grained management of both lifecycle and privileges.
  2. Devices: Continuous posture assessment, isolation, and compliance.
  3. Networks: Segmentation, east-west traffic control, and granular inspections.
  4. Applications & Workloads: Contextualized access, API, and workload control.
  5. Data: Classification, data-centric policies, and encryption at rest and in transit (and, increasingly, in use).

No company in the world excels equally across all pillars at every level of maturity. The Zero Trust roadmap is a journey, and every new audit can shift operational priorities.

Evolution and Opportunities

The path forward is clear. In the near future, we will see:

  1. AI-powered adaptive policies that can update in real-time based on anomalous behaviors detected in workloads or among users, using dynamic baselines.
  2. Data-driven dashboards and metrics, integrated with maturity models, that bring not only technical but also investment, audit, and risk management decisions directly to governance committees.
  3. Data-centric security and confidential computing, which extend Zero Trust into data "in use," not just in networking and identity, by leveraging TEEs and advanced encryption.
  4. A tighter integration between network micro-segmentation and ZTNA policies, further reducing the vulnerable surface area and the possibility of lateral movement.
  5. Adaptive Security to support distributed environments, mobile users, and IoT, providing an effective response to the limitations of traditional VPNs and static segmentation.
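The "dynamic baseline" behind item 1 (and the UEBA telemetry mentioned earlier in the article) can be illustrated without any machine learning at all. The following is an added example for this article, not NEVERHACK's or any vendor's UEBA implementation: a per-user rolling baseline of one behavioural signal (the number of distinct resources touched per hour) that flags a sudden deviation while tolerating a slow, steady drift. The window, warm-up, z-score threshold, standard-deviation floor and the sample event stream are all constructed assumptions that a real deployment would tune to its own data.

```python
"""Added example: a per-entity dynamic baseline for one behavioural signal.

Illustrative code for this article, not a product's UEBA engine. All
parameters and the sample events are assumptions.
"""
from collections import defaultdict, deque
from math import sqrt


class RollingBaseline:
    """Rolling mean and standard deviation of the last `window` observations
    per entity. The baseline moves with every accepted observation, so a
    user whose normal volume grows gradually is not flagged, while a sudden
    jump is. `warmup` observations are needed before scoring starts, and
    `std_floor` stops a near-constant history from making any change look
    infinitely unusual.
    """

    def __init__(self, window=24, warmup=6, threshold=3.0, std_floor=1.0):
        self.window, self.warmup = window, warmup
        self.threshold, self.std_floor = threshold, std_floor
        self.history = defaultdict(lambda: deque(maxlen=window))

    def score(self, entity, value):
        """Return (z_score, anomalous) for `value` against the entity's
        baseline. Anomalous observations are NOT learned, so one burst does
        not immediately raise the baseline that would hide the next one."""
        hist = self.history[entity]
        if len(hist) < self.warmup:
            z, anomalous = 0.0, False
        else:
            mean = sum(hist) / len(hist)
            var = sum((x - mean) ** 2 for x in hist) / len(hist)
            std = max(sqrt(var), self.std_floor)
            z = (value - mean) / std
            anomalous = z >= self.threshold
        if not anomalous:
            hist.append(value)
        return z, anomalous


def detect(events, baseline=None):
    """Score a stream of (entity, value) events in order; return the
    anomalous ones as (entity, value, z) tuples."""
    baseline = baseline or RollingBaseline()
    flagged = []
    for entity, value in events:
        z, anomalous = baseline.score(entity, value)
        if anomalous:
            flagged.append((entity, value, round(z, 1)))
    return flagged


# Constructed sample: hourly count of distinct resources each user touched.
# alice is steady at ~5 and then suddenly hits 40; bob drifts slowly upward.
SAMPLE_EVENTS = (
    [("alice", v) for v in [4, 5, 6, 5, 4, 6, 5, 5, 6, 5, 40, 5]]
    + [("bob", v) for v in [20, 22, 19, 21, 20, 23, 24, 25, 26, 27]]
)


if __name__ == "__main__":
    for entity, value, z in detect(SAMPLE_EVENTS):
        print(f"{entity}: {value} resources/hour, z={z}")
```

The practitioner's caveat is the flip side of the design: because the baseline learns from accepted observations, an adversary who ramps activity up slowly enough stays under the threshold and trains the baseline to accept the new level. The z-score from a signal like this is what a policy engine would consume as its risk input, which is why a single scalar threshold is never the whole story.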


The Zero Trust journey cannot be improvised, nor can it be bought "off the shelf." It requires constant design, measurement, and realignment using maturity models, structured frameworks, and a governance model attuned to real-world data and operational risks. Bring the discussion about Zero Trust resilience and maturity into your IT steering committees, audit meetings, and business-line conversations. Today, your roadmap can be the true engine for innovation and business continuity.


Raffaele Sarno

Head Pre-sale Manager, NEVERHACK Security Operation Department, Italy
