What is ZTNA?
Zero Trust Network Access
An access model that grants users connectivity to specific applications, not networks, based on identity and device posture, with the decision re-verified throughout the session rather than once at login.
ZTNA replaces the traditional remote-access VPN by dropping the idea of a trusted network. Instead of granting broad layer-3 access to a subnet after a single authentication, ZTNA brokers each connection to an individual application. The user authenticates against an identity provider, the agent or browser reports device posture, and the ZTNA broker evaluates the request against per-application policy. If permitted, a brokered tunnel is set up to that application only. In most products the application-side connector dials out to the broker, so the application has no inbound listener exposed to the internet and remains invisible to anyone the policy does not admit.
There are two primary deployment models. Agent-based ZTNA installs software on the endpoint, enabling pre-authentication posture checks such as OS patch level, disk encryption status, and whether EDR is running. Agentless ZTNA uses a reverse proxy or browser-based portal, which is useful for unmanaged devices and third-party contractors but offers less visibility into endpoint health and is usually limited to web applications and the few protocols (such as SSH or RDP) the proxy can render in a browser.
The most significant advantage over VPN is a sharp reduction in lateral movement risk. A compromised user session reaches only the applications that identity is entitled to, at the application layer, and never a routable subnet it can scan. The risk is reduced, not eliminated: stolen credentials or a hijacked session still reach every application the user is authorized for, and those applications remain attackable through the brokered connection, so tight per-application entitlements and application-layer controls still matter. The most common pitfall is assuming ZTNA replaces VPN overnight. Legacy thick-client applications, non-HTTP protocols, server-initiated traffic, and multicast often require a phased migration with VPN fallback during the transition.
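To make the brokering and continuous-verification points concrete, here is an added example of the decision a ZTNA broker makes. It is illustrative code written for this page, not any vendor's policy engine; the policy shape, the posture fields the agent is assumed to report, and the sample users and devices are all constructed. It shows that access is granted per application from identity plus posture plus context, that the same policy is re-run when posture changes mid-session, and that entitlement to one application says nothing about another.

```python
"""Illustrative ZTNA broker policy decision (constructed example, not vendor code)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Posture:
    """Device health as reported by the agent (assumed fields for the example)."""
    managed: bool            # agent present; False for agentless / BYOD access
    os_patch_age_days: int   # days since the last OS patch was applied
    disk_encrypted: bool
    edr_running: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_done: bool
    country: str
    posture: Posture
    app: str                 # the single application being requested


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed: bool = False
    max_patch_age_days: Optional[int] = None
    require_disk_encryption: bool = False
    require_edr: bool = False
    allowed_countries: Optional[frozenset] = None   # None = no geo restriction


# Constructed policy table: one entry per published application, nothing per subnet.
POLICIES = {
    "wiki": AppPolicy(allowed_groups=frozenset({"staff", "contractors"})),
    "payroll": AppPolicy(
        allowed_groups=frozenset({"finance"}),
        require_managed=True,
        max_patch_age_days=30,
        require_disk_encryption=True,
        require_edr=True,
        allowed_countries=frozenset({"US", "DE"}),
    ),
}


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Decide one request for one app. Returns (allowed, list of failed checks).

    Default deny: an app not in the table stays invisible, and every check must pass.
    """
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, ["unknown application"]
    failed = []
    p = req.posture
    if not (req.groups & policy.allowed_groups):
        failed.append("identity not entitled to app")
    if policy.require_mfa and not req.mfa_done:
        failed.append("mfa required")
    if policy.allowed_countries is not None and req.country not in policy.allowed_countries:
        failed.append("location not allowed")
    if policy.require_managed and not p.managed:
        failed.append("managed device required")
    if policy.max_patch_age_days is not None and p.os_patch_age_days > policy.max_patch_age_days:
        failed.append("os patch too old")
    if policy.require_disk_encryption and not p.disk_encrypted:
        failed.append("disk not encrypted")
    if policy.require_edr and not p.edr_running:
        failed.append("edr not running")
    return (not failed), failed


def reevaluate(req: Request, new_posture: Posture) -> tuple[bool, list[str]]:
    """Continuous verification: re-run the same policy when posture changes mid-session."""
    return evaluate(replace(req, posture=new_posture))


# Constructed sample: a finance user on a healthy managed laptop in the US.
HEALTHY = Posture(managed=True, os_patch_age_days=7, disk_encrypted=True, edr_running=True)
ALICE_PAYROLL = Request("alice", frozenset({"staff", "finance"}), True, "US", HEALTHY, "payroll")


def scenarios() -> dict:
    """Decisions a practitioner would want to see side by side."""
    bob = replace(ALICE_PAYROLL, user="bob", groups=frozenset({"staff"}))
    byod = replace(ALICE_PAYROLL, posture=replace(HEALTHY, managed=False, edr_running=False))
    return {
        "alice_payroll": evaluate(ALICE_PAYROLL),
        "alice_edr_stopped": reevaluate(ALICE_PAYROLL, replace(HEALTHY, edr_running=False)),
        "bob_payroll": evaluate(bob),                      # no entitlement, no pivot
        "bob_wiki": evaluate(replace(bob, app="wiki")),    # entitled to this app only
        "alice_byod_payroll": evaluate(byod),              # unmanaged device fails posture
        "unknown_app": evaluate(replace(ALICE_PAYROLL, app="jenkins")),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:22} -> {decision}")
```

The shape to notice is that nothing in the decision refers to a network location: the same user on the same laptop gets payroll while EDR is running and loses it on the next check when EDR stops, and bob's wiki entitlement gives him no path to payroll because each application is evaluated on its own.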
Related terms

Zero Trust
A security model that eliminates implicit trust based on network location, requiring continuous verification of identity, device posture, and context for every access request.

SASE (Secure Access Service Edge)
A cloud-delivered architecture that converges SD-WAN and security services (SWG, CASB, ZTNA, FWaaS) into a single, globally distributed platform.

SSE (Security Service Edge)
The security half of SASE, delivering SWG, CASB, ZTNA, and DLP as cloud-delivered services without the SD-WAN networking component.

Software-Defined Perimeter (SDP)
A security framework that dynamically creates one-to-one network connections between users and resources, making application infrastructure invisible to unauthorized users.

Device Posture
The real-time assessment of an endpoint's security health, including OS version, patch level, disk encryption, EDR status, and compliance state, used as an input to access control decisions.

Lateral Movement
The technique by which attackers move from an initially compromised system to other systems within a network, escalating privileges and expanding access to reach high-value targets.