What is ZTNA (Zero Trust Network Access)?
ZTNA (Zero Trust Network Access) is a security model that verifies every user and device before granting access to a specific application, and never trusts anyone just for being 'inside the network'. It follows the 'never trust, always verify' principle: access is granted per application, not to the whole network, and it can be revoked at any moment.
How ZTNA works
Instead of opening the whole network after a login, ZTNA treats every access request as untrusted until it is proven. Verification happens every time, not just at the door.
It verifies the identity
Confirms who the user is with strong authentication, almost always a second verification (MFA). A password alone is not enough.
It verifies the device
Checks that the device is in a safe state: up to date, with active protection. A compromised device does not pass.
It grants only the right application
Gives access to that specific system, not the whole network. The rest of the infrastructure stays invisible to the user.
It reassesses all the time
Trust is not permanent: if the behavior, location or risk changes, access is reassessed or cut on the spot.
Source: N-able Cyber Encyclopedia and NIST SP 800-207 (Zero Trust Architecture).
ZTNA and VPN: the difference that matters
- Access: the whole network or just the app A VPN works like a castle drawbridge: whoever gets in roams inside. ZTNA is like a hotel keycard that opens only your room: access to one application at a time.
- Trust: once or always A VPN trusts after the initial login. ZTNA reverifies at every access, because a session can be hijacked.
- If an account is stolen On a VPN, the intruder with the credential walks the network. With ZTNA, they are stuck at a single resource: the rest is invisible, which limits lateral movement.
- Remote work The VPN was built for a few occasional connections. ZTNA was born for distributed teams and the cloud, with no bottleneck and no exposed network.
Why the VPN alone became a risk
The VPN was built for another era: a few people connecting occasionally to a trusted office network. It grants broad access after a single login, so a stolen credential, the number one way in (22%, Verizon DBIR 2025), lets the intruder roam and move laterally. With remote work and the cloud, that broad trust became the risk. ZTNA flips it: never trust the network, verify every request, grant access only to the specific app. That is why Gartner projected that by 2025 at least 70% of new remote-access deployments would use ZTNA instead of VPN, up from less than 10% in 2021. It does not erase the breach (average cost $ 4.44 million, IBM 2025), but it contains it: the attacker gets a locked room, not the whole building.
How to adopt ZTNA in practice
ZTNA is more a shift in mindset than swapping one tool. In practice, what sustains a good zero-trust model is:
- Start with strong identityZero trust starts with MFA. Without a second verification, there is no 'never trust, always verify'.
- Access by application, not by networkGive each person only what they need to reach. The rest should be invisible, not just blocked.
- Check the device's healthA legitimate login from an infected device is still a door. Check the device posture before granting access.
- Least privilege, alwaysThe minimum access needed, for the time needed. Spare privilege is idle risk.
- Treat it as a journey, not a switchMigrating from the VPN is gradual: start with the most critical applications and remote access, then expand.
In practice
The question that reveals the VPN's risk: if an employee's credential leaked today, would the attacker reach the whole network or a single system?
How Zamak handles ZTNA
Zamak Technologies designs access by the zero-trust principle: identity verified, device checked and access granted per application, so a stolen credential does not open the whole network. A good starting point is the cybersecurity diagnostic, which shows where access is still too broad. It is part of Cybersecurity in the Zamak Method.