Why trusted internet access no longer fits a Zero Trust model
Internet access is one of the few areas of security still governed by assumptions that have not been meaningfully revisited.
Once a user is authenticated and their device appears compliant, web access is often treated as safe enough. Controls relax. Scrutiny drops. That approach made sense when people worked from fixed locations and applications lived inside the perimeter.
That world no longer exists.
Hybrid work and credential-based attacks have fundamentally changed how internet access contributes to organisational risk. Yet in many environments, web access is still treated as background infrastructure rather than as a core Zero Trust control.
Why internet access is now a Zero Trust issue
Modern environments have dissolved the traditional network boundary. Users connect from anywhere, applications live outside the corporate network, and attackers no longer need to break in when they can simply log in.
Despite this shift, many Zero Trust initiatives focus primarily on identity, applications, and data, while leaving internet access governed by inherited assumptions. Controls may appear effective, but they no longer reflect how work is actually done or how modern threats operate.
As a result, internet access has become one of the most persistent blind spots in Zero Trust strategies.
How should internet access work in a Zero Trust environment?
Zero Trust is built on a simple principle: trust is never assumed. Every request is evaluated using identity, device posture, and context.
In practice, this level of scrutiny is often applied to applications, while general web traffic is implicitly trusted once users are connected and authenticated. Internet access is treated as low-risk or “good enough” infrastructure, even though it sits outside the same controls that protect applications and data.
That gap matters because internet access now underpins how work actually gets done.

Internet access is no longer just web browsing
Internet access now underpins far more than casual browsing. Users rely on it to reach SaaS platforms, interact with AI tools, and exchange data through cloud services that sit entirely outside the traditional network boundary.
Attackers exploit this reality. Threats are increasingly delivered through legitimate-looking channels such as phishing pages hosted on trusted domains, malicious scripts embedded in widely used platforms, or compromised SaaS applications that appear routine to both users and security controls.
When policies are enforced primarily based on network location rather than identity and context, risky activity can blend into normal usage. The result is a widening gap between how the internet is used and how access decisions are made.
Where network-based trust no longer scales
Traditional security models evolved at a time when internet traffic was considered lower risk and network location provided sufficient context for access decisions. Firewalls protected the edge, VPNs let users in, and once inside, restrictions eased.
This model breaks down when:
- Users move between networks
- Applications live in the cloud
- Attackers use valid credentials
- AI tools amplify the impact of over-permissioned access
Zero Trust exists because these conditions are now the norm. Breach is assumed. Trust is contextual, not inherited.
Frameworks such as the NIST Zero Trust Architecture clearly reflect this shift. The challenge is that many implementations stop at the application level, while internet access continues to operate under legacy assumptions.
A modern Secure Web Gateway that brings identity to internet access
Microsoft Entra Internet Access is a cloud-delivered Secure Web Gateway built on identity-centric principles rather than network-centric assumptions. It addresses a long-standing gap in Zero Trust strategies by extending identity-based decision-making to internet access itself.
Traditional Secure Web Gateways inspect traffic based on where users connect from, an approach that worked when networks were static and users sat behind a consistent perimeter. In hybrid environments, that model struggles to keep pace. Entra Internet Access instead evaluates internet traffic using user identity, device posture, and Conditional Access signals that already exist across the environment.
This shifts internet access away from inherited trust and static controls. Access decisions are informed by who is accessing what, from which device, and under which conditions, using the same identity signals organisations already rely on to protect applications.
By aligning web access with identity and adaptive policy engines, Microsoft Entra Internet Access extends Zero Trust principles beyond applications and into everyday internet usage, without adding another disconnected control to the security stack.
What changes when internet access becomes identity-led
The shift to identity-led internet access is easiest to understand when you see how identity signals, context, and policy are enforced together at the security edge.

Source: Microsoft Entra Internet Access, Microsoft Tech Community
- Internet access becomes identity-led: Access is evaluated using user identity and Conditional Access signals rather than IP addresses or network location. This allows web traffic to be governed using the same logic already applied to applications.
- Policies are applied through a single control plane: Because it integrates directly with Microsoft Entra ID, internet access policies sit alongside Conditional Access. SaaS applications, cloud services, and general web traffic can be governed consistently rather than through separate tooling.
- Enforcement is consistent across locations: Traffic from office, remote, and hybrid users is inspected at the cloud edge. Policies apply the same way everywhere, without relying on backhauling traffic through a central network.
- Zero Trust extends beyond applications: By combining identity and network context, identity-led internet access closes one of the most common gaps in modern Zero Trust designs, where applications are protected, but web traffic is implicitly trusted.
The practical shift is that internet access is governed using the same identity signals and policies already applied elsewhere in the environment.
Why identity now sits at the centre of internet access
Modern security strategies increasingly treat identity as the foundation of access control. Networks still matter, but they no longer provide sufficient context on their own.
Zero Trust and Security Service Edge architectures reflect this reality. Identity-aware decisions scale more effectively in environments where users, devices, and applications change continuously.
Extending this approach to internet access allows organisations to apply controls based on real usage and real risk, rather than inherited trust.
Rethinking what “trusted” should mean
Treating internet access as safe by default is increasingly difficult to justify.
As work patterns evolve and threats become more credential-driven, web access needs to be treated as part of the Zero Trust strategy, not as an inherited trust layer assumed to be safe by default.
Microsoft Entra Internet Access enables identity-led controls to be applied to the web, allowing policies to follow users rather than networks. As long as internet access remains the last implicitly trusted channel, Zero Trust strategies remain incomplete.
What to do next
Internet access is often one of the last areas reviewed in a Zero Trust program.
For organisations already investing in Microsoft 365, it is worth reassessing whether existing internet access controls integrate effectively with identity, Conditional Access, and device posture, or whether they introduce unnecessary complexity and cost.
Microsoft Entra Internet Access is typically implemented as part of a broader Zero Trust and Identity Management approach rather than as a standalone control.
At The Missing Link, we help organisations design and implement Microsoft Entra Internet Access using Microsoft best practices. Our structured approach supports secure browsing, SaaS access, and consistent policy enforcement across office, remote, and hybrid environments.
If you’re reviewing how internet access fits into your Zero Trust strategy, the next step is to understand how identity-led controls can be applied in practice. Explore Microsoft Entra Internet Access.
Author
Alana Reynard is Head of Solutions at The Missing Link, where she brings over two decades of IT experience across Australia and the UK. Since joining in 2014, she’s helped shape the firm’s solution architecture, leading the development of market-ready products, customer-centric solutions and presales frameworks that drive results. Known for her sharp technical acumen and creative thinking, Alana is passionate about refining internal processes and building meaningful vendor partnerships. She's a firm believer in honesty, clarity and always delivering value—qualities that show up in every solution she helps design.