ZTNA Was Built for the Perimeter's Death. Fly Direct Is Built for How People Actually Work
.jpg)
Short answer: ZTNA correctly declared the office perimeter dead and tied access to identity instead. But it still sends the remote user's traffic to a broker to enforce that access. Fly Direct finishes the job: policy lives on the device, so it follows the user onto any network, in any location, with no PoP to route through. For a workforce that works from home, the road, and everywhere in between, enforcement that travels with the machine is the model that fits.
The perimeter is gone. The choke point isn't.
Zero trust started from a true observation: people and apps left the building, so a network perimeter no longer defines trust. ZTNA acted on it by making access identity-aware and app-specific. Good.
But look at where enforcement still happens. A remote user's session goes to a cloud broker, gets checked, then continues to the app. The perimeter moved from your office to the vendor's cloud. It's still a place traffic has to visit. For a distributed workforce, that place is often far away.
The half-measure is easy to miss because ZTNA fixed the most visible problem, the trusted network, and did it well. What it left in place is subtler: a location that traffic must reach before it's allowed to proceed. You retired the office as a chokepoint and rebuilt one in someone else's data center. For a workforce defined by not being in any fixed place, that's the wrong shape.
How people actually work now
The modern workday doesn't happen on one network. A single employee might start on home wifi, move to a coworking space, tether to a phone on the train, join a call from a hotel, and finish from a relative's house on the weekend. Their device is the only constant. The network under it changes hour to hour.
Security that lives in a fixed cloud location has to reel each of those sessions back to itself. Security that lives on the device is already where the work is. That's the core mismatch: ZTNA anchors enforcement to a place, and the modern employee has no place.
Policy should travel with the user, not wait at a PoP
The cleanest way to secure someone who could be anywhere is to put the control on the thing that's always with them: their device. That's what Fly Direct does. The dope.endpoint agent enforces policy locally, so the same rules apply whether the user is on home wifi, a hotel network, a phone hotspot, or a coffee shop. There's no nearest-PoP calculation and no reroute when a region degrades.
The City of Visalia made exactly this move when employees went mobile and perimeter-based policies stopped following them off-network. Enforcement that no longer depends on being inside a firewall is described in the City of Visalia story. The broader pattern is in security for remote and distributed teams.
The practical upside is that on-network and off-network stop being different security states. In a perimeter or broker model, 'inside' and 'outside' behave differently, and the seams between them are where mistakes happen. When policy rides the device, there is no inside or outside. There's just the user, protected the same way everywhere.
Restricted geographies are the stress test
Nothing exposes a broker dependency like a user in a country where reaching that broker is slow or blocked. Backhaul-based models struggle where the network is hostile to a stopover. On-device enforcement works consistently in any country or network, including geographies where cloud-proxy and broker models fail, because the decision happens locally and traffic goes direct. If any of your people work from China or other restricted regions, this difference is not academic.
Think about what a broker model asks of a user behind a restrictive national firewall. Their traffic has to leave the country to reach a foreign PoP, get inspected, and come back, assuming the path is even allowed and fast enough to be usable. On-device enforcement asks none of that. The policy decision is already on the laptop, so the traffic can take whatever local route works. Coverage stops depending on a clear path to a distant data center.
Consistency is the real win
The subtle benefit of policy-follows-the-user is uniformity. In a broker model, a user's experience and sometimes their protection depend on which PoP they land on and whether it's healthy. On-device, every user gets the same enforcement everywhere, because the enforcement is on their machine, not in a location they happen to be near. Consistent security is easier to trust and easier to audit.
Consistency also simplifies the story you tell auditors and executives. 'Every managed device enforces the same policy regardless of location' is a clean statement. 'Users are protected depending on which regional PoP they reach and whether it's degraded' is not. The on-device model gives you the clean statement because it's actually true.
The mobility dividend for IT
There's an operational payoff too. When enforcement travels with the device, onboarding a new remote hire is just pushing the agent through MDM. There's no regional PoP to consider, no connector to place, no 'are they near enough to a data center' question. Opening an office in a new country is a non-event for the security architecture, because nothing about coverage depends on geography. The team that used to plan around PoP maps gets that time back.
The honest scope
ZTNA still has a role for reaching private apps behind your network, and for that job the broker model is doing what it was built to do. The workforce argument is about the day-to-day: the web, SaaS, and AI tools your people touch constantly from wherever they are. For that traffic, an enforcement point that travels with the device beats one they have to route back to.
Teams that made the switch describe the deployment in the Greylock Partners and Outreach Health stories. Both are distributed organizations that needed security to follow people rather than tie them to a location, and both got live fast because the model doesn't depend on regional infrastructure.
BYOD, contractors, and the unmanaged edge
The distributed workforce isn't only full-time employees on corporate laptops. It's contractors, seasonal staff, agency partners, and people who occasionally work from a personal machine. A broker model handles these awkwardly, because coverage depends on getting traffic to the PoP and often on a managed network path. On-device enforcement is cleaner wherever the device is managed: push the agent, and the same policy travels with that machine everywhere it goes.
For genuinely unmanaged devices, the honest answer is that no endpoint agent covers what you can't install on, and you'd scope those cases separately with other controls. The point is that for the managed fleet, which is where most of the risk sits, mobility stops being a special case. A contractor's managed laptop in another country is governed exactly like an employee's in the office, with no regional infrastructure to arrange first.
Frequently asked questions
How is Fly Direct different from ZTNA for remote users? Both secure remote access, but ZTNA routes the session through a cloud broker while Fly Direct enforces policy on the device and connects direct. Policy follows the user instead of waiting at a point of presence.
Does it work when the user is off the corporate network? Yes. Because enforcement is on the device, the same policy applies on any network, on or off corporate, with a cached policy set that keeps working if the control plane is briefly unreachable.
What about users in China or restricted regions? On-device enforcement works in geographies where backhaul and broker models struggle, because traffic doesn't have to reach a distant PoP to be inspected.
Do on-network and off-network users get different protection? No. On-device enforcement makes location irrelevant. There's no 'inside' or 'outside' state, so there are no seams between them to manage.
Does opening a new office require new infrastructure? No. Coverage rides the device, so a new location or a new remote hire is just an agent push through MDM. There's no regional PoP or connector to plan.
Is this a full replacement for remote-access ZTNA? For the web, SaaS, and AI plane, yes. For brokering access to private apps behind your own network, keep ZTNA and move the rest on-device.
Give policy a passport
Let enforcement travel with every device, everywhere. Book a 20-minute demo or start an instant trial with your corporate email.
Further reading: Cisco Umbrella replacement for hybrid and remote workforces and the dope.SWG product overview.


.jpg)
.jpg)
.jpg)

