ZTNA verifies the user, the device, and limits access & privilege

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) is a security service that verifies identity trust for users and devices and grants access to specific applications based on identity and context policies. ZTNA removes implicit trust to restrict network movement and reduce attack surfaces.

ZTNA is one of the ways organizations operationalize the Zero Trust principles described in NIST Special Publication 800-207, which calls for verifying every user, device, and request rather than allowing access based on network location.

Why is ZTNA needed?

Organizations need ZTNA because they face challenges with cloud migration, hybrid and remote working, and IT infrastructures built from multiple environments. They are looking for a streamlined solution to secure cloud and on-premises assets so they can serve their diverse and remote workforce.

What does ZTNA do?

Zero trust application access hides apps and services from discovery and authorizes access only to specific applications. By not allowing access to an entire network, ZTNA lowers the impact of a breach, reduces business visibility on the public internet, and minimizes security risk.

What are the benefits of zero trust network security?

Zero trust network security helps protect data, reduce risk, and build resilience by providing:

  • Adaptive, context-aware access policies
  • Continual user and device behavior monitoring
  • Fast, secure access to cloud and network applications
  • Unified management
  • Scalable, simple adoption

How does ZTNA work?

ZTNA protects data by:

  • Granting role-based, least-privileged access
  • Setting perimeters around assets and controls network flow
  • Hiding applications from the public internet

How does ZTNA protect organizations?

ZTNA protects organizations in these ways:

  • Minimal access. A trust broker authorizes all connection requests based on identity and context policies and limits access to applications on a need-to-know basis.
  • Segmentation. Perimeters around individual assets segment a network to control traffic flow and limit threat movement in a breach.
  • Invisibility. ZTNA conceals infrastructure by hiding applications from public discovery and bridging users to applications without connecting to the network.

How do I set up a zero trust network?

You can set up a zero trust network by first assessing the value and vulnerability of corporate assets. Next, define and automate multi-factor authentication (MFA) policies to allow users and devices access to the assets they need. Finally, continuously monitor and verify access. Cisco Duo provides a number of tools to implement Zero Trust.

How does ZTNA help you achieve a zero trust architecture?

Achieving a zero trust architecture takes time, but ZTNA is a good start. In zero trust security, all access requests to applications, resources, and assets default to denial until trust is established. ZTNA applies the same policy to access gateways.

Does zero trust mean no VPN?

ZTNA can replace VPNs for remote, in-person, and hybrid work environments. VPNs provide broad network protection, but zero trust network access is a comprehensive solution that empowers organizations with more granular control.

ZTNA Versus VPN

The table below compares how a traditional VPN and ZTNA differ across the dimensions that matter most for access decisions, user experience, and risk.

CapabilityVPN approachZTNA approachWhy it matters
Access scopeConnects users to a network segmentConnects users to specific applicationsReduces lateral movement
Trust modelOften trusts more after initial loginVerifies identity, device, and context for each accessLimits risk from stolen credentials or unmanaged devices
Application exposureNetwork resources may be discoverableApplications can be hidden from public discoveryReduces reconnaissance opportunities
Policy granularityNetwork-centricApplication- and context-centricSupports least-privilege access
User experienceMay backhaul traffic through a data centerCan connect users directly to approved applicationsCan improve access speed for cloud and SaaS apps
Third-party accessMay require broad routes or complex segmentationCan grant limited application-specific accessReduces contractor and partner access risk

The pattern across these dimensions is consistent. A VPN typically establishes trust once and grants broad access to a network. ZTNA continuously evaluates identity and context and grants access only to the specific applications a user is authorized to reach.

For organizations supporting hybrid work, contractors, partners, or unmanaged devices, that difference is what makes ZTNA viable as a long-term replacement for VPN-based remote access.

What are client-based and clientless ZTNA?

ZTNA can be deployed in two architectural models, client-based and clientless, depending on whether software is required on the user's device.

  • Client-based ZTNA uses a software client installed on a managed device to evaluate device posture, route traffic, and enforce security policy. It is commonly used for employees on managed endpoints, where the organization controls the device and can require the client as part of standard configuration to ensure consistent security posture.
  • Clientless ZTNA provides browser-based access to specific web applications without requiring software on the user's device. It is commonly used for contractors, partners, unmanaged devices, or limited-scope access where installing a client is impractical or unnecessary.

Many organizations use both approaches in combination, applying client-based ZTNA for managed users and clientless ZTNA for third parties and bring-your-own-device (BYOD) scenarios to maintain security across diverse access needs.

Common questions about Zero Trust Network Access

Zero Trust Network Access (ZTNA) is a security service that verifies users, devices, and context before granting access to specific applications. Rather than placing a user on a network segment after login, ZTNA grants least-privilege access to the individual applications the user is authorized to reach, and continuously re-evaluates that access as conditions change.

Legacy, hardware-based VPNs typically grant broad network-level access after a user logs in, which means a compromised account can become a path to lateral movement. ZTNA grants access to specific applications instead of a network, and continuously checks identity, device, and context for each request, so trust does not persist beyond what is currently authorized.

ZTNA reduces the attack surface by hiding applications from public discovery, limits lateral movement by replacing network-level access with application-specific access, and supports hybrid work by extending the same secure access model to employees, contractors, and partners. Together these properties enable least-privilege access in environments where users, devices, and applications are widely distributed.

ZTNA is a core component of both secure access service edge (SASE) and security service edge (SSE). Within those architectures, ZTNA is the service responsible for securing user access to private applications, while other components such as DLP prevent data leakage, or CASB that enforces Internet usage governance or SWG that filters out bad web traffic (phishing sites, for example).

Client-based ZTNA uses software on a managed device to evaluate posture and enforce policy, and is typically used for full-time [S(2.1]employees and managed endpoints. Clientless ZTNA provides browser-based access to specific web applications without requiring software on the user's device, and is typically used for contractors, partners, unmanaged devices, or limited-scope access. Many organizations use both approaches in combination.