What is ZTNA?

Discover the benefits of Zero Trust Network Access (ZTNA) and how it outperforms legacy VPNs in securing the new hybrid workplace.

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) is a set of technologies designed to secure applications and remote security with granular access control policies. ZTNA was built on the principle of least privilege, or the foundation for Zero Trust. Every user and device must be fully authorized before access is granted to any corporate resource.

How Does ZTNA Work?

Zero Trust Network Access, more commonly referred to as the software-defined perimeter (SDP), treats every application as a separate entity. This identity-centric approach establishes a higher trust factor for the specific application requested.

Access is granted per user or device once verified. All IP addresses are hidden from the network to limit exposure. This added layer of security keeps the rest of the network invisible to connected devices, with the exception of the application or service in use. 

Encrypted internet connections are sent over the Transport Layer Security (TLS) protocol instead of traditional MPLS-based WAN connections in order to keep all network traffic private and prevent the transmission of data between two devices to be intercepted. 

Zero Trust Architecture Benefits

Zero Trust Network Access traces its origin back to the Zero Trust architecture, which is based on the “never trust, always verify” security principle, first coined by Forrester analyst, John Kindervag in 2010. The Zero Trust philosophy has since become the new security standard among IT professionals across all industries and sectors. 

The benefits of having a Zero Trust architecture include: 

  • Secure remote access
  • More advanced user authentication and authorization 
  • Integrate with separate identity providers (IdPs) and Identity and Access Management (IAM) solutions
  • Integrate with single sign-on (SSO) platforms to safeguard user credentials  
  • Simplified operational management 
  • Streamline regulatory compliance 
  • Increased network visibility 
  • Reduced attack surface
  • Less risk for lateral movement by segmenting the network 
  • Improved user experience (UX)

There are several types of ZTNA models. Let’s take a closer look at the differences between them and how they might fit into your existing infrastructure. 

Endpoint-initiated ZTNA

Endpoint-initiated ZTNA (Client-based) – Also referred to as client or agent-based. This model closely resembles the Cloud Security Alliance’s (CSA) software-defined perimeter (SDP) standard. Endpoint-initiated ZTNA begins from the agent on a user’s device. The ZTNA controller then checks the identity of the user and device to determine if access should be granted to an application. 

Service-initiated ZTNA

Service-Initiated ZTNA (Clientless) – Service-initiated ZTNA does not require an agent on a device. Applications that are deployed in this model can be run by a third party that will provide authentication by a cloud server before being validated by an Identity and Access Management (IAM) to securely manage cloud enterprise services.  

Both ZTNA types have their advantages and disadvantages. 

Endpoint-initiated ZTNAService-based ZTNA
ProsOffers very detailed information about the context of the connecting device (i.e. location,port,etc.)Pros
Ideal for unmanaged devices as there is no agent required for each end device 
Ideal for managed devices. They can only be used if a company has BYOD policies in place or when a remote employee logs in from outside of the office or on a mobile device.
Is based on an application’s protocol on HTTP/HTTPS. This limits the solution to web applications. And protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP) 

ZTNA Use Cases

VPN Alternative

Legacy VPNs simply weren’t built to protect an organization’s corporate assets and hybrid workforce beyond the perimeter in a physical enterprise setting. ZTNA goes beyond the limitations of a legacy VPN in that it offers more granular security policies, and is both cloud-native and scalable. 

Unlike legacy VPNs, a Zero Trust Network Access solution helps to eliminate the backhauling of traffic through a corporate data center, which can drastically slow down performance. The end result is a much better user experience (UX) and faster connectivity. 

Secure Remote Access for Third Parties

Third parties pose a significant risk. A recent Ponemon survey found that 74% of data breaches were the result of giving too much privileged access to third parties. ZTNA enforces the principle of least privilege (PoLP) where minimum access is granted per application and per device on a need-to-know basis. 

All other applications or resources remain hidden from public view to prevent any unauthorized access. Advanced layered security verification methods such as Multi-factor Authentication (MFA) have become the standard in validating all user identities and help to maintain regulatory compliance best practices. 

Network Micro-Segmentation

Network micro-segmentation protects against lateral movement techniques, where a threat actor has already gained an initial foothold into the organization’s network and is progressively advancing in an effort to steal valuable company assets and cause a major security breach. 

Admins can designate security zones and enforce more granular control policies to isolate workloads and prevent unauthorized access. Micro-segmentation helps keep hybrid cloud environments of multiple data centers out of reach for threat actors and improves the overall security posture of the organization.  

M&A IT Integration

Another use case for ZTNA is the securing of corporate resources and IT integration in a Merger and Acquisitions (M&A) scenario. There are many security challenges IT teams face during an M&A, particularly in the due diligence stage when access to a network and cloud resources is decided in order to work cohesively with the acquired company.

Failure to secure the corporate network during this critical period can lead to a breach as resources remain widely available to anyone.

A ZTNA controller grants specific permission sets and access defined by user roles once each user has been properly authorized through continuous identity validation. ZTNA converges multiple networks from both parties in order to streamline the M&A integration process.  

Supply Chain Management

Target experienced a major breach that exposed over 40 million credit cards and 70 million customer records just a few years back. The total damages amounted to an excess of $18.5 million in settlement fees. The breach occurred through a vulnerability in the retail giant’s third-party air conditioning firm in their supply chain. Attackers were able to access Target’s main IT system through stolen credentials.  

The Target breach proved that the weakest link in an organization’s supply chain can lead to a massive breach. ZTNA can help prevent supply chain attacks through the enforcement of tighter company security policies and by granting least privilege access to third-party contractors. 

ZTNA vs VPN: Understanding the Differences

There are several key distinctions between a legacy VPN and a cloud-native ZTNA architecture.

Less visibility into connectionsTotal network visibility
Lack of remote security measuresLeverages the principle of least privilege access (PoLP) to secure remote workers
Hardware-based and expensive. Requires manual configuration and constant maintenance  ZTNA is extremely cost-efficient. It is both cloud-native and highly scalable
Access to cloud resources and applications is given to anyone  The principle of least privilege access is enforced and granted via user roles and permissions 
Does not integrate with Identity Providers (IdPs)Integrates with major IdP and provides more advanced authentication methods (MFA)
The network remains open to potential threats Prevents lateral movement techniques with the network via micro-segmentation
Limited security for unmanaged devices Fully supports both managed and unmanaged BYOD devices from employees and 3rd parties such as contractors and vendors that require access to corporate resources. Supports 
Limited in terms of compliance ZTNA solutions comply with international standards such as SOC 2 Type 2 and ISO 27001. Ideal for performing security audits 
Slower internet connection speeds and latency issues that create a poor user experience (UX)Improved overall performance and user experience (UX) 

According to Gartner, up to 60% of enterprises will phase out VPNs in favor of a Zero Trust Network Access (ZTNA) solution by 2023. 

How to Instantly Deploy ZTNA with Perimeter 81

Go beyond the limitations of a legacy VPN and discover the Perimeter 81 ZTNA advantage. With a global backbone of over 50+ data centers and an edge presence, enterprises from all sectors can depend on Perimeter 81 for cost-effective remote network security access. 

Avoid the costly maintenance and security drawbacks of a VPN and discover why more organizations like yours have made the cloud-based transition to ZTNA. Scale your entire cloud and network security strategy in minutes with Perimeter 81’s ZTNA.


What is ZTNA?
 Zero Trust Network Access (ZTNA), also known as a software-defined perimeter (SDP), is a framework of policies that helps to secure an organization’s applications and remote workforce. 
How does ZTNA work?
Zero Trust Network Access (ZTNA) leverages the principles of Zero Trust, where trust is never implicit and given only on a “need to know” least privilege basis via granular access controls. 
What is the difference between a VPN and ZTNA?
The key difference between a VPN and ZTNA is that legacy VPNs require manual configuration and maintenance, while ZTNA is cloud-based and can be deployed instantly. 
Is ZTNA part of SASE?
ZTNA is a key component of the SASE architecture. Other components of SASE include; Cloud Access Security Broker (CASB), Firewall-as-a-Service (FWaaS), Secure Web Gateways (SWG), and network security.

Looking to secure your remote workforce?

Simplify your network security today with Perimeter 81