NCSC issues guidance on building ZTNA around zero trust principles
The UK’s National Cyber Security Centre has published new guidance aimed at organisations using Zero Trust Network Access (ZTNA) as part of broader zero trust strategies. The advice focuses on how to...
The UK’s National Cyber Security Centre has published new guidance aimed at organisations using Zero Trust Network Access (ZTNA) as part of broader zero trust strategies. The advice focuses on how to design access systems so they do not simply recreate older, network-based trust models with newer tools.
ZTNA is often adopted to modernise how users reach internal applications and cloud services. But the NCSC says some deployments still rely too heavily on location-based trust, which can leave broad access paths in place even when the technology appears more advanced. The new guidance is intended to help teams avoid that pitfall.
What the guidance covers
The publication explains how ZTNA fits within zero trust architecture and how it differs from traditional “walled garden” approaches. It also sets out the foundations organisations should have in place before deployment, along with design requirements that should shape an implementation.
- a reference architecture for accessing private applications and software-as-a-service platforms
- examples of common anti-patterns that weaken ZTNA deployments
- advice on how to align technical decisions with organisational needs and risk
The NCSC emphasises that the material is not a checklist or compliance framework. Instead, it is meant to support architectural decisions that reflect an organisation’s users, systems, threat exposure and operational constraints.
Who should use it
The guidance is aimed mainly at architects, security practitioners and technical decision-makers responsible for access architecture. It may be useful for organisations introducing ZTNA for the first time, reducing reliance on legacy network perimeters, or reviewing existing deployments to see whether they deliver the expected security benefits.
The agency recommends reading the introductory sections first, then moving on to the prerequisites and design requirements. It says the final section on common mistakes is especially important, because many deployments fail not due to missing features, but because old assumptions about trust are carried over into new systems.
According to the NCSC, ZTNA should be treated as one part of a wider zero trust approach rather than as a standalone security fix.
