ZTNA
Zero Trust Network Access
Zero Trust Network Access is the foundational shift from perimeter-based security to identity-based, per-application access control. Traditional VPNs place authenticated users onto a flat network segment where lateral movement is trivially easy for any attacker who compromises a single credential. ZTNA inverts that model: every connection request is individually brokered, every session is continuously validated, and applications are never exposed to the public internet. The user sees the app; they never see the network.
The concept draws from Google's BeyondCorp white papers and the NIST SP 800-207 zero trust architecture standard. In practice, ZTNA replaces VPN concentrators, jump hosts, and legacy remote-access solutions with a cloud-delivered broker that mediates access based on identity, device posture, location signals, and behavioral analytics. For organizations migrating to SASE, ZTNA is almost always the first component deployed, because the user experience improvement over VPN creates immediate, visible buy-in from end users and executives alike.
What makes ZTNA transformative is the dark cloud concept: applications protected by ZTNA have no inbound ports open to the internet. The ZTNA connector initiates an outbound-only tunnel from inside the data center or cloud VPC to the ZTNA broker, and users connect to the broker, never directly to the application. Port scans, DDoS attacks, and vulnerability exploitation aimed at the application surface therefore find nothing to hit: the application has no internet-reachable listener at all. The one surface that remains exposed is the broker itself, so the broker's authentication front door and the connector's outbound credentials are what must be hardened and monitored. This architectural pattern is the single strongest defense against ransomware initial access.
What it does
Zero Trust Network Access brokers individual, authenticated connections between a user and a specific application, based on the user's verified identity and the device's real-time security posture. Unlike VPN, which grants network-level access to an entire subnet, ZTNA creates a one-to-one micro-tunnel from the user's endpoint to a single application endpoint. The user never touches the underlying network, cannot discover adjacent systems, and cannot pivot laterally even if their session is compromised. Applications are made invisible to the internet through outbound-only connector tunnels, meaning there are no inbound ports, no DNS records to enumerate, and no attack surface to probe. This is the dark cloud model that fundamentally changes the attacker's economics.
How it works
The ZTNA agent on the endpoint authenticates the user against your identity provider (Okta, Azure AD, Ping) using SAML or OIDC, then collects device posture telemetry including OS version, patch level, disk encryption status, EDR agent presence, and firewall state. This posture data is sent to the ZTNA broker, which evaluates it against administrator-defined policies. If both identity and posture pass, the broker establishes an encrypted micro-tunnel to the specific application via the outbound-only connector sitting inside your network. In ZTNA 2.0 architectures, this is not a one-time gate: the broker continuously monitors posture and behavior throughout the session, re-evaluating trust every few seconds. A posture change mid-session, such as the user disabling their EDR agent or connecting to an untrusted Wi-Fi network, triggers immediate session termination or step-up authentication. Post-connect traffic inspection in ZTNA 2.0 also applies threat prevention and DLP scanning to traffic flowing through the micro-tunnel, closing the gap where ZTNA 1.0 was blind to data exfiltration after the initial connection was authorized.
Why it matters
Traditional VPNs are the number one initial access vector for ransomware in enterprise environments. A single compromised credential grants an attacker full Layer 3 network access, enabling them to scan, enumerate, and laterally move to high-value targets like domain controllers, file servers, and database systems. ZTNA eliminates this entire attack pattern. Each user can only reach the specific applications they are authorized for, and those applications are invisible to anyone without a valid, posture-checked session. The operational benefits are equally significant: ZTNA eliminates VPN concentrator capacity planning, removes split-tunnel vs. full-tunnel debates, and delivers sub-second connection times compared to the multi-second handshakes of IPsec VPN. For M&A scenarios, ZTNA lets you grant acquired-company employees access to specific applications within days rather than the months required for network integration and VPN provisioning.
Watch out
The critical distinction is between ZTNA 1.0 and ZTNA 2.0. ZTNA 1.0 implementations perform a single posture and identity check at connection time, then create an allow-all tunnel to the application for the duration of the session. This means a device that becomes compromised after connection, or a user who begins exfiltrating data through the authorized tunnel, will not be detected or stopped. ZTNA 2.0 adds continuous trust verification, re-checking posture and behavior every few seconds, and applies inline threat prevention and DLP to traffic flowing through the tunnel. When evaluating vendors, ask explicitly: do you perform post-connect inspection? How frequently do you re-evaluate device posture? Can you detect and block data exfiltration through an authorized ZTNA tunnel? The answers will immediately separate mature implementations from marketing-driven ZTNA labels on legacy VPN products.
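The following is an added illustration, not code from any vendor or from this page, of the broker logic described under "How it works" and the ZTNA 1.0 versus 2.0 distinction described just above. It models a per-application policy (one app, not a subnet), evaluates an identity assertion plus device posture telemetry at connect time, and then either re-evaluates on every posture heartbeat (2.0) or ignores posture drift after the initial gate (1.0). All identities, applications, group names, and posture values are constructed sample data; the posture fields and decision names are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Identity:
    subject: str            # subject from the SAML/OIDC assertion
    groups: frozenset       # group claims from the IdP
    mfa: bool               # IdP asserted a second factor


@dataclass(frozen=True)
class Posture:
    os_patch_age_days: int  # days since the last OS patch was applied
    disk_encrypted: bool
    edr_running: bool
    firewall_on: bool
    network_trusted: bool   # e.g. corporate or known-good Wi-Fi


@dataclass(frozen=True)
class AppPolicy:
    app: str                # exactly one application, never a subnet
    allowed_groups: frozenset
    require_mfa: bool = True
    max_patch_age_days: int = 30
    require_trusted_network: bool = False


ALLOW, DENY, STEP_UP = "allow", "deny", "step_up"


def evaluate(identity, posture, policy):
    """Broker decision for one (user, device, app) triple.

    Returns (decision, reasons). Authorization failures deny outright, hard
    posture failures deny, and conditions the user can fix by re-authenticating
    (missing MFA, untrusted network) request step-up authentication instead.
    """
    if not identity.groups & policy.allowed_groups:
        return DENY, [f"{identity.subject} is not authorized for {policy.app}"]
    reasons = []
    if not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if not posture.edr_running:
        reasons.append("EDR agent not running")
    if not posture.firewall_on:
        reasons.append("host firewall disabled")
    if posture.os_patch_age_days > policy.max_patch_age_days:
        reasons.append(f"OS patch age {posture.os_patch_age_days}d exceeds "
                       f"{policy.max_patch_age_days}d")
    if reasons:
        return DENY, reasons
    if policy.require_mfa and not identity.mfa:
        return STEP_UP, ["MFA required"]
    if policy.require_trusted_network and not posture.network_trusted:
        return STEP_UP, ["untrusted network"]
    return ALLOW, []


class Session:
    """A brokered micro-tunnel from one endpoint to one application.

    continuous=True models ZTNA 2.0: every posture heartbeat is re-evaluated
    and any non-allow result tears the tunnel down. continuous=False models
    the ZTNA 1.0 gate: checked once at connect time, then allow-all.
    """

    def __init__(self, identity, policy, posture, continuous=True):
        self.identity, self.policy, self.continuous = identity, policy, continuous
        self.log = []
        decision, reasons = evaluate(identity, posture, policy)
        self.log.append(("connect", decision, reasons))
        self.active = decision == ALLOW

    def heartbeat(self, posture):
        if not self.active:
            return DENY
        if not self.continuous:
            return ALLOW              # ZTNA 1.0: posture drift is invisible
        decision, reasons = evaluate(self.identity, posture, self.policy)
        self.log.append(("heartbeat", decision, reasons))
        if decision != ALLOW:
            self.active = False       # terminate; step-up re-auths then reconnects
        return decision


# Constructed sample data, not taken from any real deployment.
ERP = AppPolicy(app="erp.internal", allowed_groups=frozenset({"finance"}))
ALICE = Identity(subject="alice", groups=frozenset({"finance"}), mfa=True)
ALICE_NO_MFA = replace(ALICE, mfa=False)
BOB = Identity(subject="bob", groups=frozenset({"engineering"}), mfa=True)
HEALTHY = Posture(os_patch_age_days=5, disk_encrypted=True, edr_running=True,
                  firewall_on=True, network_trusted=True)
EDR_DISABLED = replace(HEALTHY, edr_running=False)
STALE_PATCHES = replace(HEALTHY, os_patch_age_days=45)


def run_scenario(continuous):
    """Connect with a healthy device, then report EDR disabled mid-session.
    Returns the sequence of broker decisions for three heartbeats."""
    session = Session(ALICE, ERP, HEALTHY, continuous=continuous)
    return [session.heartbeat(HEALTHY), session.heartbeat(EDR_DISABLED),
            session.heartbeat(HEALTHY)]


if __name__ == "__main__":
    print("ZTNA 2.0:", run_scenario(True))      # ['allow', 'deny', 'deny']
    print("ZTNA 1.0:", run_scenario(False))     # ['allow', 'allow', 'allow']
    print("bob -> erp:", evaluate(BOB, HEALTHY, ERP)[0])   # deny
```

The third heartbeat in the 2.0 scenario stays denied even though the device reports healthy again: once the broker has torn the tunnel down, the endpoint must go back through a full connect-time evaluation rather than resuming a session whose trust was already revoked. The 1.0 scenario returns allow throughout, which is exactly the blind spot the vendor questions above are meant to surface.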
Vendor comparison — ZTNA
Cisco: Unified ZTNA with clientless browser access and Cisco Secure Client for full tunnel. Supports VPN fallback for legacy applications that cannot work with ZTNA proxying — a pragmatic differentiator. Per-app micro-tunnels with continuous posture checks via ISE integration.
Fortinet (FortiSASE): FortiSASE ZTNA uses FortiClient ZTNA application connectors with device posture verification through FortiClient EMS. Supports TCP-based application access with per-app micro-tunnels. Less mature than the Cisco or Palo Alto ZTNA implementations — lacks clientless browser-based access for unmanaged devices and does not yet support UDP-based applications natively.
Palo Alto Networks: ZTNA 2.0 with continuous trust verification that goes beyond initial authentication. Maintains ongoing posture assessment, behavioral analysis, and continuous security inspection throughout the session. Supports both agent-based (GlobalProtect) and agentless (clientless VPN portal) access. App connectors enable ZTNA for private applications without exposing them to the internet.
Check Point: Cloud-native ZTNA with identity-aware access policies, lightweight application connectors for private app access, and support for both agent-based and agentless (browser-based) access modes. Integration with Azure AD, Okta, and other IdPs for seamless SSO. Per-application micro-segmentation with continuous session monitoring. The Perimeter 81 heritage gives this component genuine cloud-native maturity.
ZTNA is one of six core SSE components.