Zero Trust Network Access (ZTNA) is suddenly becoming eye-catching in ICT. No doubt it will enhance cybersecurity, since everything is untrusted by default. The theory is simple: a request passes through multiple policies (technical configuration settings) and authentication before it gains access to the designated network resources.
The controls are applied on who (access roles), when (time of day), what (network resources), where (network location) and why (the type of transaction or business reason). In a nutshell: who may access which resources, from where, when, and for what legitimate reason (why). The pitfall is the "how": how does the existing environment fit with this access model, not to mention the changes in user experience. An M2M (Machine to Machine) ZTNA may be an applicable use case, but access involving humans will definitely take a while to transform.
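To make the who/when/what/where/why model concrete, here is a small deny-by-default policy evaluator. It is an added illustration, not code from the original post or from any ZTNA product; the policies, resource names, CIDR ranges and sample requests are all constructed for the example, and the "authenticated" flag stands in for whatever identity step runs before policy evaluation.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One ZTNA rule: who may reach what, from where, when and why."""
    roles: frozenset          # who: any one of these roles satisfies the rule
    resource: str             # what: the protected resource
    window: tuple             # when: (start, end) local times, inclusive
    networks: tuple           # where: CIDR ranges the request may originate from
    reasons: frozenset        # why: accepted business justifications


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    resource: str
    at: time
    source_ip: str
    reason: str
    authenticated: bool       # outcome of the identity step that precedes policy


def _in_window(t: time, window: tuple) -> bool:
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end      # window that crosses midnight


def _failures(policy: Policy, req: Request) -> list:
    """Name the controls (who/when/where/why) the request fails for this policy."""
    failed = []
    if not (policy.roles & req.roles):
        failed.append("who")
    if not _in_window(req.at, policy.window):
        failed.append("when")
    src = ip_address(req.source_ip)
    if not any(src in ip_network(n) for n in policy.networks):
        failed.append("where")
    if req.reason not in policy.reasons:
        failed.append("why")
    return failed


def evaluate(req: Request, policies: tuple) -> tuple:
    """Deny by default: access is granted only if some policy passes every control.

    Returns (allowed, detail); the detail string is what an audit log would record.
    """
    if not req.authenticated:
        return (False, f"{req.user}: identity not verified")
    candidates = [p for p in policies if p.resource == req.resource]   # "what"
    if not candidates:
        return (False, f"{req.user} -> {req.resource}: no policy covers this resource")
    closest = None
    for p in candidates:
        failed = _failures(p, req)
        if not failed:
            return (True, f"{req.user} -> {req.resource}: all controls satisfied")
        if closest is None or len(failed) < len(closest):
            closest = failed
    return (False, f"{req.user} -> {req.resource}: failed {', '.join(closest)}")


# Constructed policies (hypothetical plant network; not from any real deployment).
POLICIES = (
    Policy(roles=frozenset({"plant-engineer"}), resource="historian-db",
           window=(time(7, 0), time(19, 0)), networks=("10.20.0.0/16",),
           reasons=frozenset({"change-ticket", "incident"})),
    Policy(roles=frozenset({"scada-operator", "plant-engineer"}), resource="hmi-gateway",
           window=(time(0, 0), time(23, 59, 59)), networks=("10.20.5.0/24",),
           reasons=frozenset({"shift-operation", "incident"})),
)

# Constructed sample requests exercising each control.
ENGINEER = frozenset({"plant-engineer"})
SAMPLE_REQUESTS = {
    "office_hours": Request("alice", ENGINEER, "historian-db", time(9, 30),
                            "10.20.3.7", "change-ticket", True),
    "after_hours": Request("alice", ENGINEER, "historian-db", time(22, 0),
                           "10.20.3.7", "change-ticket", True),
    "wrong_network": Request("alice", ENGINEER, "historian-db", time(9, 30),
                             "192.168.1.5", "change-ticket", True),
    "no_reason": Request("alice", ENGINEER, "historian-db", time(9, 30),
                         "10.20.3.7", "curious", True),
    "no_policy": Request("alice", ENGINEER, "plc-programming", time(9, 30),
                         "10.20.3.7", "change-ticket", True),
    "unauthenticated": Request("alice", ENGINEER, "historian-db", time(9, 30),
                               "10.20.3.7", "change-ticket", False),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, detail = evaluate(req, POLICIES)
        print(f"{name:16} {'ALLOW' if allowed else 'DENY ':5} {detail}")
```

The deny path is the interesting one: the evaluator reports which of the five controls the closest policy failed, which is exactly the "how" the post worries about, because every denial here is a user-visible change in experience that the existing environment has to absorb.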
Even worse, some cybersecurity practitioners introduce this ZTNA model into the ICS environment to combat cyber threats that are often only conceptual, because the ICS environment has already been zoned and locked down. More protection measures do not necessarily guarantee a higher security level, but they do increase usage complexity and erode trust, because the business users will in turn develop zero trust in the cybersecurity mentality itself.