Why Traditional ZTNA Falls Short and What to Do About It

April 14, 2026

Zero Trust isn’t new. Most IT leaders have already started down this path, often by replacing legacy VPNs with ZTNA solutions.

But here’s the issue: many organizations are finding that “ZTNA” alone isn’t solving the problem they thought it would.

The pace of change is accelerating. Users are everywhere. Applications are everywhere. And security policies are often scattered across tools that weren’t designed to work together.

What looked like progress can quickly turn into complexity.


The Reality: Access Has Outgrown Traditional ZTNA

ZTNA was introduced to address the limitations of VPNs, primarily by shifting from network-based access (a tunnel that drops the user onto a routable segment) to per-application, identity-aware access that is brokered per session. That was a step forward. But for many environments, it's not enough.

Common challenges we’re seeing:

  • Separate policies for legacy apps, modern apps, and SaaS
  • Inconsistent security across remote, campus, and branch users
  • Heavy reliance on agents that don’t work for contractors or unmanaged devices
  • Gaps in visibility for IoT and OT environments
  • Performance issues when traffic is forced through centralized cloud points of presence

These aren’t edge cases; they’re the norm. Even Cisco calls this out directly: many organizations struggle with fragmented access policies, unmanaged device support, and inconsistent user experience across environments.

The Shift to Universal ZTNA

This is where the conversation is moving: from point ZTNA solutions to Universal ZTNA.

Universal ZTNA extends zero trust principles across:

  • All users (employees, contractors, partners)
  • All devices (managed, unmanaged, IoT/OT)
  • All applications (legacy, modern, SaaS)
  • All environments (on-prem, cloud, branch, remote)

The goal isn’t just secure access. It’s consistent access. That consistency matters. Without it, teams end up managing multiple policy engines, duplicating effort, and introducing risk through misconfigurations.

What “Good” Looks Like

If you’re evaluating your current approach, there are a few capabilities that separate a mature zero trust model from a fragmented one.

1. Unified Policy Across Everything

A single policy framework that applies across users, devices, and applications, without exceptions for legacy environments.

2. Identity-Driven Access Decisions

Access is based on real-time identity context, not just network location. That includes user identity, device posture, and risk signals.

3. Agentless + Agent-Based Flexibility

You need both. Employees may use managed devices, but contractors, partners, and BYOD users won’t. Your model has to support both without friction.

4. Consistent Performance

Security can’t degrade the user experience. If access slows down, users will find workarounds, and that’s where risk creeps in.

5. Support for IoT and OT

If your zero trust strategy ignores non-user devices, it’s incomplete. These environments require visibility and control without traditional agents.
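The five capabilities above describe one policy engine that takes identity, device posture and risk as inputs and deliberately ignores where the user is sitting. The following is an added toy implementation of that decision logic, written for this page and not code from Cisco, ANM or any product; the application inventory, group names, risk thresholds and the outcome labels are all constructed assumptions.

```python
"""Toy unified, identity-driven access decision engine (constructed example).

A single evaluate() is applied to every request regardless of app type
(legacy/modern/SaaS), device class (managed/unmanaged/IoT) or user
location, so the same signals yield the same answer everywhere.
"""
from dataclasses import dataclass, replace

# Hypothetical application inventory; names, groups and sensitivities are constructed.
APPS = {
    "erp-legacy": {"type": "legacy", "groups": {"finance"}, "sensitivity": "high"},
    "wiki":       {"type": "modern", "groups": {"staff", "contractors"}, "sensitivity": "low"},
    "crm-saas":   {"type": "saas",   "groups": {"sales"}, "sensitivity": "medium"},
}

RISK_STEP_UP = 50   # assumed score at which a fresh MFA challenge is required
RISK_DENY = 80      # assumed score at which access is refused outright


@dataclass
class Request:
    user: str
    groups: set             # group memberships from the identity provider
    app: str
    device_class: str       # "managed" | "unmanaged" | "iot"
    posture_ok: bool        # EDR running, disk encrypted, OS patched, ...
    risk: int               # 0-100 risk signal from IdP / UEBA (assumed scale)
    location: str           # "remote" | "campus" | "branch"; not a decision input
    mfa_fresh: bool = False # strong authentication within the policy window


@dataclass
class Decision:
    outcome: str            # "allow" | "allow-agentless" | "step-up" | "deny"
    reason: str


def evaluate(req: Request) -> Decision:
    """Apply the same ordered rule set to every request."""
    app = APPS.get(req.app)
    if app is None:
        return Decision("deny", "unknown application")
    # Non-user devices never get interactive app access; they are covered by
    # a separate device-identity segmentation policy, not by user entitlements.
    if req.device_class == "iot":
        return Decision("deny", "non-user device: handled by device-identity segmentation")
    # Entitlement is identity-based. req.location is intentionally never consulted.
    if not (req.groups & app["groups"]):
        return Decision("deny", f"{req.user} is not entitled to {req.app}")
    if req.risk >= RISK_DENY:
        return Decision("deny", f"risk score {req.risk} exceeds deny threshold")
    if req.risk >= RISK_STEP_UP and not req.mfa_fresh:
        return Decision("step-up", f"risk score {req.risk} requires fresh MFA")
    if req.device_class == "managed":
        if not req.posture_ok:
            return Decision("deny", "managed device failed posture check")
        return Decision("allow", "managed device, posture ok")
    # Unmanaged/BYOD/contractor devices take the agentless (browser-brokered)
    # path; the same rule applies whether the app is legacy, modern or SaaS.
    if app["sensitivity"] == "high":
        return Decision("deny", "unmanaged device may not reach high-sensitivity app")
    return Decision("allow-agentless", "unmanaged device routed via agentless broker")


def location_independent(req: Request) -> bool:
    """True if the decision is identical from remote, campus and branch."""
    outcomes = {evaluate(replace(req, location=loc)).outcome
                for loc in ("remote", "campus", "branch")}
    return len(outcomes) == 1


if __name__ == "__main__":
    samples = [
        Request("alice", {"finance"}, "erp-legacy", "managed", True, 10, "campus"),
        Request("alice", {"finance"}, "erp-legacy", "managed", False, 10, "campus"),
        Request("bob", {"contractors"}, "wiki", "unmanaged", False, 20, "remote"),
        Request("carol", {"sales"}, "crm-saas", "managed", True, 60, "branch"),
        Request("cam-01", set(), "wiki", "iot", False, 0, "campus"),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user:>7} -> {s.app:<10} {d.outcome:<15} {d.reason}")
```

The check worth keeping from this sketch is `location_independent()`: if any rule in a real policy engine branches on source network or site, a campus user with a failing device and a remote user with a healthy one will get different answers for the same identity, which is the fragmentation the page is describing.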

Cisco outlines a similar progression in its Universal ZTNA framework, starting with identifying connectivity and policy gaps, then moving toward unified policy enforcement and identity-driven access across all environments.

Why This Matters Now

This isn't just a security conversation; it's an operational one. When access models are fragmented:

  • IT spends more time managing tools than improving outcomes
  • Security teams deal with gaps they can’t fully see
  • Users experience inconsistent access depending on where they are

And perhaps most importantly, organizations struggle to adopt new technologies (especially AI) without introducing additional risk.

A unified, identity-driven access model gives you a foundation to move faster without compromising control.

Where to Start

Most teams don’t need to rip and replace what they have. They need clarity:

  • Where are the gaps in coverage?
  • Where are policies inconsistent?
  • Where is user experience breaking down?
  • What’s being overcomplicated?

That’s exactly where a structured checklist can help.

If you’re questioning whether your current ZTNA approach is enough, or where the gaps might be, this is a good place to start. Download Cisco’s Universal ZTNA Checklist to evaluate your current state and map out a more unified approach to secure access. And as always, ANM’s cybersecurity experts are here to help. Contact us to schedule your Zero Trust Workshop.
