Key points
- ZTNA replaces VPNs for remote access. Being 'on the network' no longer implies trust — every access is brokered.
- Apps are not exposed to the internet directly; a connector dials out to the ZTNA broker.
- Decisions evaluate: identity (from the IdP), device posture (from MDM/EDR), context (location, risk), application sensitivity.
- Leading tools: Cloudflare Access, Zscaler ZPA, Netskope ZTNA, Palo Alto Prisma Access, Tailscale, Twingate, Banyan / SonicWall, Google BeyondCorp Enterprise.
- ZTNA is one pillar of SASE (Secure Access Service Edge) alongside SWG, CASB, FWaaS.
What is ZTNA?
Zero Trust Network Access (ZTNA) is the architectural replacement for the corporate VPN. Instead of dropping a remote user onto the corporate network (where they can see everything by default), ZTNA brokers each individual connection from a user to a specific application, after checking identity, device posture, and policy on every request.
The apps themselves are not exposed to the internet — a lightweight connector inside the network or VPC dials outbound to the ZTNA service, and the service stitches the user's request to the right backend over a brokered tunnel.
How it works
- User opens an app (a hostname like finance.acme.internal).
- Their device's ZTNA client (or the broker via a reverse proxy) intercepts the request.
- The broker checks: is this user authenticated via the IdP? Is the device compliant? Is the context acceptable per policy?
- If yes, the broker opens a tunnel to the app's connector and proxies the request.
- The user reaches only that app — not the rest of the network.
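The broker decision in the steps above, as an added example (not code from any of the products named on this page): the identity claims, posture signals, policy values and app names are all constructed, and the rules are a simplified illustration of how the four inputs combine into one per-app allow/deny.

```python
from dataclasses import dataclass

ALLOWED_COUNTRIES = {"US", "GB", "DE"}   # constructed policy value

@dataclass
class Identity:           # claims asserted by the IdP token
    user: str
    groups: frozenset
    mfa: bool

@dataclass
class Device:             # posture signals reported by MDM/EDR
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool

@dataclass
class Context:            # request context (location, IdP risk score)
    country: str
    risk: str             # "low" | "medium" | "high"

@dataclass
class App:                # the single app being brokered
    name: str
    sensitivity: str      # "low" | "high"
    allowed_groups: frozenset

def posture_ok(d: Device) -> bool:
    return d.managed and d.disk_encrypted and d.edr_healthy

def decide(ident: Identity, dev: Device, ctx: Context, app: App):
    """Per-request decision. Returns (allow, reason, target). On allow the
    target is this one app's connector, never a network range."""
    if not ident.mfa:
        return False, "mfa-required", None
    if not (ident.groups & app.allowed_groups):
        return False, "not-entitled", None
    if ctx.risk == "high":
        return False, "risky-session", None
    if app.sensitivity == "high":
        if not posture_ok(dev):
            return False, "device-posture", None
        if ctx.country not in ALLOWED_COUNTRIES:
            return False, "geo-blocked", None
    elif not dev.managed and ctx.risk != "low":
        return False, "unmanaged-device", None
    return True, "allow", f"connector://{app.name}"
```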
ZTNA vs VPN
| | VPN | ZTNA |
| --- | --- | --- |
| Trust model | "On the network" → trusted | Identity + context per request |
| Lateral movement | Easy after VPN auth | Blocked by default |
| App exposure | Network exposed; apps may be reachable broadly | Apps hidden from internet |
| Auth | Often password + soft MFA | IdP + conditional access + device posture |
| Performance | Bottleneck at concentrator | Globally distributed POPs |
When buyers care
- VPN replacement projects (most CIOs have one ongoing).
- M&A — granting acquired-company employees access without merging networks.
- Contractor / partner access without giving them domain accounts.
- Hybrid work — performance and security improvements over hairpinned VPNs.
- Compliance — ZTNA aligns naturally with CISA's Zero Trust Maturity Model and NIST 800-207.
Editorial note
ZTNA is mature enough that there's no good reason to roll out a new VPN in 2026. The decision is between an identity-vendor-bundled ZTNA (Cloudflare, Microsoft Entra Private Access, Google BeyondCorp), a SASE platform (Zscaler, Netskope, Palo Alto, Cisco), and a developer-friendly tool (Tailscale, Twingate). The IdP integration depth and device-posture signal sources tend to be the deciding factors.
