Monday, June 16, 2025


The Hotel Elevator Problem & Third-Party Access Strategy

Nearly half of organizations report having suffered a cyber incident involving a third party within the last year. Yet businesses cannot simply cut ties with external contractors and managed service providers. The expertise gap is real, particularly for IoT devices that require specialized knowledge most internal IT teams do not have.

This creates a genuine paradox. Companies need external help to manage increasingly complex networks filled with IoT sensors, industrial control systems, and operational technology. But every external device and every external account that connects to the network is a potential entry point. Traditional remote-access solutions like VPNs offer the appearance of security while introducing a weakness of their own: they grant network-layer reachability rather than access to the one application the user actually needs.

The hotel elevator analogy from Bruce Johnson at Ericsson captures this perfectly. When you give a maintenance worker VPN access to fix an HVAC system on the fifth floor, nothing prevents them from stopping at the third floor and wandering the halls. Worse yet, someone with malicious intent might slip into that elevator unnoticed.

The Reality of Unmanaged Devices

Working across different markets and teams, I have observed how this challenge manifests differently depending on regional infrastructure. In many African countries, where cellular networks often provide primary internet connectivity, third-party contractors frequently arrive with their own mobile devices and hotspots. I have seen this countless times here in Kenya, as the contractor and on the receiving end. Companies have little visibility into these devices' security posture.

The traditional approach treats network access as binary: you are either inside the network or outside it. Once inside via VPN, lateral movement becomes possible, because the tunnel hands the client a route to whole subnets rather than a path to the single system the user needs. An attacker who compromises a contractor's laptop can potentially reach systems far beyond the contractor's intended scope.

Zero Trust Network Access (ZTNA) in its clientless form flips this model. Instead of granting network access and hoping users behave appropriately, it denies all access by default. Specific applications become reachable only through policy-defined pathways, typically brokered through a browser session at a portal rather than a network tunnel to the client. Think of it as taking the maintenance worker directly to the fifth-floor room where the HVAC system needs repair, with no ability to reach other floors.

Beyond Just Contractors

The applications extend well beyond third-party access. Many organizations, particularly in emerging markets, cannot afford to provide managed laptops to every employee. Bring-your-own-device (BYOD) policies become economic necessities rather than convenient choices. In countries like India or Brazil, where smartphone penetration far exceeds laptop ownership, employees often use personal devices for work tasks.

Clientless ZTNA addresses this by brokering the session through an isolated cloud container, typically a remote browser or virtual desktop, in which the user interacts with company applications; only rendered output and input events travel to the personal device. This is isolation, not an air gap: malware on the personal device cannot reach company systems over the network, but it can still capture what the user types or sees, including credentials, so phishing-resistant MFA and session controls such as disabled clipboard and downloads still matter. The user experience remains smooth while the exposure of the corporate application shrinks dramatically.

The IoT Explosion Factor

The scale of IoT deployments continues growing rapidly across industries. Smart agriculture sensors monitor soil conditions across vast farmlands in Kenya. Industrial sensors track production metrics in Vietnamese factories. Medical devices collect patient data in Colombian hospitals. Managing these devices requires specialized knowledge that most IT teams lack.

Outsourcing this management to experts makes business sense. However, traditional remote access methods create security gaps. Clientless ZTNA provides a pathway where enterprises can leverage IoT benefits while maintaining security. Contractors access specific devices through isolated portals without gaining broader network access.

This approach becomes particularly valuable as 4G and 5G networks enable more IoT devices to connect directly to wireless WANs. The attack surface expands, but clientless ZTNA contains the risk by withholding the network-layer reachability that lateral movement depends on.

Implementation Considerations

The transition requires careful planning. Network administrators must define granular access policies for different user types and resources. This means understanding exactly what each contractor, employee, or partner needs to access, including which application, over which protocol, during which time window, and with what authentication strength, and crafting policies accordingly.
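To make the contrast between the VPN model and the deny-by-default, per-resource policy model concrete, here is an added example. It is not code from the original post or from any ZTNA product; the hosts, the contractor account, the maintenance window and the policy format are all constructed for illustration. One function shows what a VPN route to the building subnet makes reachable (the elevator problem), the other evaluates each request against an explicit policy that names the subject, the resource, a time window and an MFA requirement, and denies anything that does not match.

```python
"""Deny-by-default access decisions for a third-party maintenance account.

Added illustration, not code from the original post or from any ZTNA vendor.
Contrasts the VPN model, where a route to a subnet makes every host on that
subnet reachable, with the ZTNA model, where each request is matched against an
explicit (subject, resource, protocol, time window, MFA) policy and anything
unmatched is denied. All hosts, accounts and policies are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class Resource:
    name: str
    host: str       # constructed address on the building network
    port: int
    protocol: str


@dataclass(frozen=True)
class Policy:
    subject: str    # contractor identity, constructed
    resource: str   # Resource.name this policy grants
    not_before: datetime
    not_after: datetime
    require_mfa: bool = True


@dataclass(frozen=True)
class Request:
    subject: str
    host: str
    port: int
    protocol: str
    mfa_verified: bool
    at: datetime


# Constructed building network: the HVAC controller the contractor is here to
# fix, plus two systems on the same subnet they have no reason to touch.
RESOURCES = {
    "hvac-5f": Resource("hvac-5f", "10.5.0.20", 443, "https"),
    "bms-3f": Resource("bms-3f", "10.5.0.30", 443, "https"),
    "badge-db": Resource("badge-db", "10.5.0.40", 5432, "postgres"),
}

UTC = timezone.utc
WINDOW_START = datetime(2025, 6, 16, 8, tzinfo=UTC)
WINDOW_END = datetime(2025, 6, 16, 18, tzinfo=UTC)
DURING_WINDOW = datetime(2025, 6, 16, 10, tzinfo=UTC)   # constructed request times
AFTER_WINDOW = datetime(2025, 6, 17, 10, tzinfo=UTC)

POLICIES = [
    # The only resource hvac-contractor may reach, and only during today's window.
    Policy("hvac-contractor", "hvac-5f", WINDOW_START, WINDOW_END),
]


def reachable_via_vpn(vpn_route: str) -> list[str]:
    """VPN model: once the client holds a route to the subnet, every resource on
    it is reachable at the network layer, whatever the contractor's task is."""
    net = ipaddress.ip_network(vpn_route)
    return sorted(r.name for r in RESOURCES.values()
                  if ipaddress.ip_address(r.host) in net)


def ztna_decision(policies: list[Policy], req: Request) -> tuple[bool, str]:
    """ZTNA model: allow only if a policy for this subject names a resource whose
    host, port and protocol match the request, the request falls inside the
    policy's time window, and MFA is satisfied. Everything else is denied."""
    for p in policies:
        res = RESOURCES.get(p.resource)
        if res is None or p.subject != req.subject:
            continue
        if (res.host, res.port, res.protocol) != (req.host, req.port, req.protocol):
            continue
        if not (p.not_before <= req.at <= p.not_after):
            return False, f"deny: {p.resource} outside maintenance window"
        if p.require_mfa and not req.mfa_verified:
            return False, f"deny: {p.resource} requires MFA"
        return True, f"allow: {p.resource}"
    return False, "deny: no policy grants this subject access to this resource"


def reachable_via_ztna(policies: list[Policy], subject: str, at: datetime,
                       mfa_verified: bool = True) -> list[str]:
    """Enumerate what a subject can actually reach under the policy set."""
    allowed = []
    for r in RESOURCES.values():
        ok, _ = ztna_decision(
            policies, Request(subject, r.host, r.port, r.protocol, mfa_verified, at))
        if ok:
            allowed.append(r.name)
    return sorted(allowed)


if __name__ == "__main__":
    print("VPN route 10.5.0.0/24 reaches:", reachable_via_vpn("10.5.0.0/24"))
    print("ZTNA policy reaches:", reachable_via_ztna(POLICIES, "hvac-contractor", DURING_WINDOW))
    print(ztna_decision(POLICIES, Request("hvac-contractor", "10.5.0.30", 443, "https", True, DURING_WINDOW)))
    print(ztna_decision(POLICIES, Request("hvac-contractor", "10.5.0.20", 443, "https", True, AFTER_WINDOW)))
```

The point of the two enumeration functions is the gap between them: the VPN route lists all three systems, the policy lists only the HVAC controller, and the third-floor BMS and the badge database are denied even though they sit on the same subnet. A real broker would also log every decision, including the denials, since a contractor account probing the third floor is exactly the signal a detection team wants.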

The technology also demands a shift in thinking. Instead of managing network perimeters, security teams focus on protecting individual applications and resources. This requires deeper visibility into user behavior and application dependencies.

Cost considerations matter too. While clientless ZTNA solutions require upfront investment, they can reduce the total cost of device management, since organizations no longer need to provide and maintain managed devices for every contractor or temporary worker.

The Path Forward

Traditional perimeter-based security models break down when the perimeter itself becomes fluid and undefined. Remote work, cloud adoption, and IoT expansion have already dissolved the neat boundaries that VPNs were designed to protect.

Clientless ZTNA represents more than a technical upgrade. It is a shift toward assuming breach rather than relying on prevention alone. Instead of building higher walls, it focuses on limiting damage when the walls inevitably get breached.

For security practitioners, this means rethinking access control from the ground up. The question changes from only "How do we keep bad actors out?" to also asking "How do we limit what anyone can do once they get in?" This mindset shift proves particularly valuable in today's threat landscape, where sophisticated attacks often succeed despite strong perimeter defenses.

The hotel elevator problem will only get worse as networks become more complex and distributed. Organizations that embrace clientless ZTNA principles today position themselves better for tomorrow’s security challenges.
