The basics of zero-trust network access explained

Some experts believe VPNs have struggled to adapt to an increasingly cloud-based, internet-dependent world. Enter zero-trust network access, which may be network security's future.

In organizations with remote employees, productivity depends on secure, reliable access to applications, services and data over the internet from any device at any location or time. Yet, the internet can expose IP addresses and create security risks due to implicit trust and a wealth of vulnerabilities.

Zero-trust network access (ZTNA) hides the network location -- IP address -- and uses identity-based authentication to establish trust and provide access. It appropriately adapts access to specific applications or data at a given time, location or device. ZTNA provides IT and security teams with centralized control and improved flexibility to secure highly distributed IT environments.

ZTNA is a concept or capability rather than a specific product. A number of IT, networking and security suppliers implement ZTNA in different ways. Over time, these suppliers will implement ZTNA to replace aging VPN infrastructure and as part of an overall Secure Access Service Edge (SASE) architecture.

Challenges of the old network security model

Many organizations depend on the internet for users' access to applications -- either on premises through a VPN or in the cloud through direct internet access. Internet access exposes IP addresses, which can locate users and resources and open them to attack. This visibility, combined with a model that implicitly trusts users and devices, makes the network, users and devices vulnerable.

The enormous growth in the remote workforce during 2020 has exacerbated the old security model's weaknesses. Users may work at home on unsecured consumer devices, with unsecured consumer Wi-Fi, and directly access applications through the internet. VPN technology is designed primarily for corporate-based applications -- not cloud environments -- and is difficult to scale, manage and troubleshoot.

Defining zero-trust network access

The lack of a true security perimeter means users should not and cannot trust internal connections in their networks. ZTNA products and services create identity- and context-based access, as ZTNA hides resources from discovery and provides access through authentication to a trust broker, which acts as a mediator between specific applications and authorized users.

ZTNA decouples access to resources and access to the network, as the internet is an untrusted point of access. The trust broker provides centralized control and management to IT teams, and teams can deploy the broker in data centers as software or an appliance or provide it as a managed service in a cloud environment.

Also, ZTNA unifies access to applications, thus eliminating the bifurcation of private cloud, VPN and SaaS application methods. It provides centralized control, with the scalability and flexibility to offer users appropriate access given their devices, locations and times of day.
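
As an added illustration (not from the original article or any vendor's product), the sketch below shows how a trust broker could make the identity- and context-based decision described above: default deny, a per-application allowlist, and an identical response for every denial so resources stay hidden. The Request and Rule types, the sample policy and all names are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool       # identity verified upstream, e.g. by an MFA provider
    device_managed: bool   # device posture reported by an endpoint agent
    country: str
    local_time: time
    app: str

@dataclass(frozen=True)
class Rule:
    app: str
    users: frozenset
    countries: frozenset
    start: time
    end: time
    require_managed_device: bool = True

# Constructed sample policy: anything not listed here is denied.
POLICY = (
    Rule("payroll", frozenset({"alice"}), frozenset({"US"}), time(8), time(18)),
    Rule("wiki", frozenset({"alice", "bob"}), frozenset({"US", "DE"}),
         time(0), time(23, 59), require_managed_device=False),
)

def decide(req, policy=POLICY):
    """Return (allowed, reason). The reason is for the broker's audit log only."""
    if not req.mfa_passed:
        return False, "identity not verified"
    for rule in policy:
        if rule.app != req.app or req.user not in rule.users:
            continue  # rule does not cover this user/application pair
        if rule.require_managed_device and not req.device_managed:
            return False, "device posture"
        if req.country not in rule.countries:
            return False, "location"
        if not rule.start <= req.local_time <= rule.end:
            return False, "time of day"
        return True, "allowed"
    return False, "no matching rule"  # default deny

def client_response(req, policy=POLICY):
    """Every denial looks identical to the caller, so an application the
    user is not entitled to is indistinguishable from one that does not exist."""
    allowed, _ = decide(req, policy)
    return f"session:{req.app}" if allowed else "denied"
```

The first rule that covers the user and application decides the outcome; the detailed reason stays in the broker's audit log and is never returned to the client.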

ZTNA provides secure access for unsecured IoT devices, as organizations rapidly deploy more edge-based services. IoT devices and user devices are not visible directly from the internet, thus reducing the attack surface. ZTNA can identify anomalous behavior, such as attempted access to restricted data, downloads of unusual amounts of data or unusual time-of-day access.

Figure: Software-defined perimeter vs. VPN vs. zero trust. Zero-trust network access derives from zero-trust technology. It's similar to software-defined perimeter technology and is a more modern security option than VPNs.

Over time, ZTNA will become a key principle of SASE services. SASE provides a framework for the convergence of network and security functionality at the edge.

Distributed traffic flows -- e.g., a remote user to a SaaS cloud -- and IoT-driven edge computing require a converged network security service at the edge. The concept of zero trust fits well with this distributed model, as both models have no hard security perimeter and assume any traffic flow could be malicious. Like ZTNA, the concept of SASE is clear, but the implementation is vendor-specific.

Zero-trust network access vendor examples

A variety of network and security suppliers employ the concept of zero trust. Zero-trust implementations are available with hardware, software and as-a-service models. IT teams can deploy ZTNA in a DIY method or with a managed service provider.

Security vendors that provide zero-trust services include Check Point, Cisco, Fortinet, Illumio, McAfee, Palo Alto Networks, Sophos, VMware's Carbon Black and Zscaler.

Startups with zero-trust implementations include Ananda Networks, Elisity, Perimeter 81, Privafy, Pulse Secure and Tempered.

Here are a few examples of suppliers' zero-trust implementations:

  • Cisco's Duo service is a user-centric zero-trust security platform for a wide range of users, devices and applications. Duo's multifactor authentication verifies user or device identities before it grants access to applications.
  • Tempered uses software-defined perimeter technology to implement a zero-trust architecture. All resources use microsegmentation with allowlist access only. Tempered's Airwall service offers users secure access to critical applications and provides secure access to relatively unsecured IoT devices.
  • VMware integrated its VeloCloud SD-WAN with its Workspace One end-user client to enable zero-trust networking down to the device level.

Considerations for enterprise IT and security teams

Employees and partners need access to corporate and cloud-based applications anytime, anywhere and on any device. Relatively unsecured IoT devices must securely connect to enterprise network and cloud environments. The lack of a security perimeter and disadvantages of aging technologies -- e.g., VPNs -- have created the need for zero-trust architectures.

ZTNA provides security for applications, remote users and IoT devices. Its sound principles of verification for all access make sense for most organizations. ZTNA can replace VPN access and make supporting the large number of remote users easier and more secure. ZTNA is more of a capability than a product and will likely be implemented gradually over time as part of a migration to a SASE-based architecture.

This was last published in October 2020