UK cyber guidance targets legacy trust in network access
Revised framework outlines how organisations can design ZTNA systems based on contextual, granular access decisions rather than network location.
The UK’s National Cyber Security Centre has issued new guidance on Zero Trust Network Access, warning that many deployments still rely on outdated assumptions about trust.
ZTNA is often introduced to modernise access to applications. However, the NCSC said many implementations still treat network location as a primary indicator of trust, meaning new tools can continue to rely on broad, network-based access rather than more granular and context-driven decisions.
The guidance explains how organisations can design and implement ZTNA to better align with zero-trust principles and modern network environments. It sets out the organisational and technical foundations required before deployment, describes key design requirements, and provides a reference architecture for accessing private applications and Software-as-a-Service.
A key focus is identifying common anti-patterns that undermine ZTNA security outcomes. The NCSC said many deployments fail not because of missing technology features, but because legacy trust assumptions are carried forward into new designs.
The guidance is aimed primarily at architects, security practitioners, and technical decision-makers responsible for designing or evolving access architectures. It is intended to support organisations exploring ZTNA as part of a broader zero trust strategy, replacing or reducing reliance on legacy ‘walled garden’ architectures, or reviewing existing deployments.
The NCSC said the guidance does not redefine zero trust, prescribe a single technical solution, or serve as a compliance checklist. Instead, ZTNA should be treated as part of a wider zero trust architecture shaped by an organisation’s users, systems, threats, and operational constraints.
Why does it matter?
The guidance highlights a common problem in cybersecurity modernisation: organisations can adopt new access technologies while still preserving older trust models. Poorly designed ZTNA deployments may leave broad access paths in place, weakening zero-trust goals and limiting resilience. The NCSC’s message is that effective access control depends not only on deploying new tools, but on redesigning trust decisions around context, users, systems, risks, and operational needs.
