How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
Support FAQ
Zero Trust Network Access, or ZTNA, is a way to give users access to specific private applications after identity and policy checks succeed. The user is not placed onto a broad trusted network. Instead, each application request is evaluated, allowed, denied, or constrained based on who is asking, what device they are using, which application they need, and what risk is present.
ZTNA is often introduced as an alternative to traditional VPN access. A VPN commonly gives a user a route into a network segment. That route may expose more systems than the user needs, especially if internal networks were built with broad trust assumptions. ZTNA aims to narrow that access so a user can reach the payroll application, support portal, code system, or admin console they are authorized to use, but not every adjacent service.
A typical ZTNA flow starts with authentication through an identity provider. The access service then evaluates policy. Common inputs include group membership, user role, device posture, MFA status, location, application sensitivity, network context, time of day, and current risk signals. If the request is allowed, the user is connected to the application through a broker, reverse proxy, connector, or tunnel. If the request is denied, the application is not reachable through that path.
The important distinction is application-level authorization. In a broad network model, reaching the network may be enough to discover or attempt connections to many internal systems. In a ZTNA model, the access layer should know which application is being requested and which users or devices are allowed to reach it.
Some ZTNA deployments are client-based, using an endpoint agent to route private application traffic. Others are clientless for browser-accessible applications. Many organizations use both. Clientless access can be easier for contractors or unmanaged devices, while client-based access may be needed for non-web protocols, developer tools, or legacy applications.
Remote work, cloud hosting, partner access, and hybrid infrastructure have weakened the old idea that a corporate network perimeter is the main trust boundary. Users may be outside the office. Applications may be outside the data center. Contractors may need limited access for a short period. Administrators may need access to sensitive systems from managed devices only.
ZTNA helps by reducing reach. If a credential is stolen, the attacker should not automatically inherit broad network access. If a device is unmanaged, the organization may still allow limited browser access to a low-risk application while denying access to sensitive tools. If a user changes role, application access can be updated through identity groups rather than by changing network routes alone.
ZTNA also improves visibility. Access events can be tied to users, devices, applications, and policy decisions. That is more useful for investigation than simply knowing that a VPN session was connected.
VPNs are not automatically insecure, and ZTNA is not automatically secure. The difference is the default shape of trust. A well-managed VPN can include MFA, device checks, network segmentation, and logging. A poorly managed ZTNA deployment can still have overbroad groups, weak identity, bypass paths, and unclear ownership.
The practical comparison is this:
Many organizations run both during migration. The risk is leaving both paths open indefinitely. If the old VPN still reaches the same applications broadly, the ZTNA layer may improve user experience or logging but not meaningfully reduce blast radius.
Start with an application inventory. Teams need to know which private applications exist, who uses them, which protocols they require, how authentication works, what source IP assumptions exist, and which owners can approve access. Without that inventory, ZTNA policy will reflect guesses rather than business need.
Next, map users and devices. Group membership should be understandable and maintained. Shared accounts are a problem because they obscure who accessed what. Device posture should be realistic: requiring managed devices for all access may be appropriate for administrators but too strict for some partner workflows. Browser-based access, isolation, or read-only restrictions may be better for certain unmanaged-device cases.
Logging should capture the user, device, application, decision, policy version, session details, and denial reason. Denied access without clear reason creates support load. Allowed access without policy evidence weakens audit and incident response.
The most common failure is assuming that moving behind a ZTNA product completes a Zero Trust program. ZTNA is only one control. It depends on strong identity, accurate application inventory, device management, least privilege, segmentation, and ongoing review.
Another failure is defining applications too broadly. A policy that grants a large user group access to a whole internal domain, subnet, or wildcard application can recreate VPN-like exposure. ZTNA works best when the protected resource is specific enough to match a real business function.
Legacy applications can create difficult edge cases. Some rely on fixed source IPs, direct database connections, old authentication methods, file shares, or protocols that do not proxy cleanly. Those applications may need modernization, compensating controls, or segmented VPN access while migration work continues.
Emergency access also needs design. Administrators may need a break-glass path during identity-provider outages, endpoint failures, or incidents. That path should be logged, time-limited, and reviewed, not left as a permanent bypass.
Useful measures include the number of applications protected, users migrated from broad VPN routes, remaining bypass paths, denied access reasons, device posture failures, support tickets, stale access groups, privileged access events, and incident findings. Coverage alone is not enough. A program should also show reduced broad network exposure and fewer permanent exceptions.
Review access regularly with application owners. Remove users who no longer need access, expire contractor permissions, test denial paths, and confirm that direct firewall openings or old VPN routes have been retired. When new private applications are launched, require an owner, access policy, logging plan, and support path before production use.
ZTNA is valuable because it makes private access more explicit. Users get the applications they need. Applications are less visible to users who do not need them. Security and operations teams receive clearer evidence about access decisions. The result is not trustlessness in a literal sense, but controlled trust that is limited, observable, and easier to change when risk changes.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2025 ABN 76 619 930 826 All rights reserved.