What Is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) is a security model that grants users access to specific applications — never to the underlying network — after verifying identity, device health, and context for every session. No user or device is trusted by default, inside or outside the corporate perimeter.

01 — OVERVIEW

What Is Zero Trust Network Access (ZTNA)?

ZTNA is the technology that applies zero trust principles to application access. The zero trust concept is formalized in NIST Special Publication 800-207 (2020), which grants no implicit trust based solely on network location or ownership.

In practice, ZTNA replaces the old assumption — "on the network means trusted" — with continuous, per-session verification. Applications stay invisible to the public internet, and each user sees only the applications policy explicitly allows.

Gartner predicted that by 2025, 70% of new remote-access deployments would use ZTNA rather than VPN services, up from less than 10% at the end of 2021.

How does ZTNA work?

Every ZTNA product follows the same control loop:

01Request

Request

A user or device requests a specific application, not a network segment.

02Verify identity

Verify identity

A policy engine authenticates the user against an identity provider, typically with SSO and MFA.

03Check device and context

Check device and context

Device posture (OS version, disk encryption, EDR status) and context (location, time, risk signals) are evaluated.

04Broker least-privilege access

Broker least-privilege access

An enforcement point establishes an encrypted, one-to-one connection to that application only.

05Continuously re-evaluate

Continuously re-evaluate

Sessions are monitored; access is revoked when posture or risk changes mid-session.

Because connections are brokered outbound, applications expose no open inbound ports and stay dark to internet scanning.

02 — COMPARISONS

ZTNA vs VPN: What's the difference?

A VPN places the user on the network; ZTNA connects the user to an application. That single difference drives most of the security and experience gap.

Question
Access granted to
Trust model
Lateral movement
Device posture checks
Application exposure
Scaling model
VPN
Entire network segment
Trusted once connected
Possible after login
Rare, at login only
Apps reachable and scannable
Concentrator hardware
ZTNA
One application per policy
Verified continuously, per session
Blocked by design
Continuous
Apps dark to the internet
Software-defined, elastic

03 — ARCHITECTURE

The four ZTNA architectures

"ZTNA" is one label covering four architecturally distinct designs. They differ in where your traffic flows and what enforces policy.

Architecture
Reverse-proxy
SDP / tunnel-broker
Identity-centric
Mesh overlay (Mesh ZTNA)
Data path
Through a vendor cloud or self-hosted proxy
Endpoint → broker → gateway
Direct to app; gateway gates the token
Peer-to-peer between endpoints
Enforcement point
In-path proxy
Connection broker + endpoint agent
IdP at token issuance
Per-device cryptographic identity
Best fit
SaaS-heavy portfolios, fast rollout
Application-invisibility mandates
SaaS-only estates with a mature IdP
Regulated data, IT/OT, multi-cloud

Reverse-proxy designs descend from Google's BeyondCorp (2014). SDP is specified by the Cloud Security Alliance. Mesh ZTNA builds on open-source lineage—WireGuard and Slack's Nebula.

The practical test: where do your packets go? In cloud-routed designs, the vendor's infrastructure carries your data; in mesh designs, it only coordinates identity and policy.

04 — USE CASES

Common ZTNA use cases

  • Replacing remote-access VPN for hybrid workforces
  • Third-party, contractor, and BYOD access without network exposure
  • Multi-cloud and hybrid application access under one policy
  • M&A integration without merging networks
  • DevOps access to servers, APIs, and internal tools
  • Meeting regulatory expectations on least privilege and data-path sovereignty

05 — DECISIONS

How to evaluate a ZTNA solution

Four questions expose architectural differences faster than any feature sheet:

  1. Where does my traffic physically go, and who can see it?
  2. If the vendor is breached, what is the blast radius?
  3. Who controls the cryptographic identity and timeline?
  4. What about SSH, RDP, thick clients, server-to-server, and OT?

06 — FAQS

Frequently Asked Questions

1. Is ZTNA the same as Zero Trust?

No. Zero Trust is the security model defined in NIST SP 800-207. ZTNA is the technology category that applies Zero Trust principles to application access.

2. Does ZTNA replace VPN?

For remote application access, yes. Many organizations still keep site-to-site VPNs, but user access is typically replaced by ZTNA.

3. Is ZTNA part of SASE?

Yes. ZTNA is one of the core services in a SASE architecture alongside SWG, CASB, FWaaS, and SD-WAN.

4. What is the difference between agent-based and agentless ZTNA?

Agent-based ZTNA provides posture checks and supports non-web applications. Agentless ZTNA works through a browser and is mainly used for unmanaged devices.

5. Which ZTNA architecture should I choose?

Choose based on rollout speed, application visibility requirements, SaaS maturity, latency, and data sovereignty needs.