ZTNA vs. VPN: Why enterprises must rethink remote access

As cyberthreats grow more complex, enterprises are shifting from VPNs to ZTNA to achieve secure, scalable, and context-aware access for remote users.

Nahim Fazal

In today’s rapidly evolving digital landscape, securing an organisation’s network has become more critical than ever. While traditional methods such as Virtual Private Networks (VPNs) have been the go-to solutions for remote access to corporate resources, security architects have been facing scalability challenges with these solutions.


With cyberthreats becoming increasingly sophisticated and the demand for seamless, secure connectivity growing, it is time to consider a more robust alternative: Zero Trust Network Access (ZTNA). Implementing ZTNA over traditional VPNs offers significant security, usability, and operational advantages, especially in today’s cloud-centric, remote work environments.

By replacing traditional VPNs with ZTNA, security leaders can enhance their organisation’s security, improve the user experience, and support the dynamic needs of an enterprise workforce.

However, there is a popular misconception among organisations that implementing ZTNA means they are deploying zero trust and do not need to take any further action. ZTNA is not zero trust; it is one component of a zero-trust architecture. According to Gartner, ZTNA refers to products and services that create an identity- and context-based logical access boundary that encompasses an enterprise user and an internally hosted application or set of applications.


ZTNA creates a logical access boundary around the applications, hiding them from discovery and restricting access to a set of named entities. The policy enforcement point verifies the identity, context, and policy adherence of the specified participants before granting access, thereby minimising lateral movement across the network.

Improved Scalability, Distributed Control

Unlike traditional network-based tunnelling methods such as VPNs, the ZTNA architecture uses Policy Enforcement Points (PEPs) that sit closer to applications, regardless of where those applications are hosted. This distributed design helps reduce latency, improve traffic efficiency, and enhance scalability. Because the number of PEPs can be dynamically adjusted based on network requirements, ZTNA is particularly well-suited to modern distributed environments spanning both on-premises and cloud infrastructures.

Within a ZTNA framework, PEPs perform several essential functions. They control access by ensuring that only verified users can reach preapproved applications and resources. They also enforce organisational security policies in real time, maintaining compliance and consistency across multiple environments.


Continuous monitoring is another vital function, enabling the detection of abnormal user activity or potential threats as they occur. In addition, PEPs integrate seamlessly with identity and access management systems, ensuring that user authentication and policy retrieval are handled securely and efficiently. Together, these capabilities make PEPs the backbone of a scalable, secure, and adaptive ZTNA deployment.

Working in conjunction with the PEP is a policy decision point (PDP). The PDP evaluates access requests against security policies. It determines whether a user or device should be granted access to a specific application or resource based on the policies in place.

It also considers various contextual factors, such as user identity, device health, location, time of access and other attributes, to make informed decisions. This provides a centralised point for managing and enforcing access policies, ensuring consistency and compliance across the organisation.


The role of the PEP is to act as a gatekeeper, allowing or blocking connections based on the risk scoring provided by the PDP. The algorithms and logic used to make policy decisions are stored in the policy engine.
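A minimal PDP/PEP split as described above, written here as an added illustration (not code from the article or from any Gartner or vendor product): the PDP scores a request against a per-application policy using the contextual attributes named in the text (identity, device health, location, time), and the PEP acts as gatekeeper on that verdict and records the evaluation. The `Request` fields, the `POLICIES` table, the risk weights and the deny threshold are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """One access request as seen by the PDP (constructed attribute set, not a real product schema)."""
    user: str
    groups: frozenset
    app: str
    device_compliant: bool
    mfa: bool
    country: str
    hour: int  # local hour of access, 0-23

# Per-application policy (constructed example): which identities may reach the app and the context they must present.
POLICIES = {
    "payroll": {"groups": {"finance"}, "countries": {"GB"}, "hours": range(7, 20), "require_mfa": True},
    "wiki": {"groups": {"finance", "engineering"}, "countries": {"GB", "DE", "US"}, "hours": range(24), "require_mfa": False},
}
RISK_DENY_THRESHOLD = 50  # assumed: scores at or above this are blocked by the PEP

def pdp_decide(req):
    """Policy decision point: returns (allow, risk_score, reasons).
    An application without a published policy is invisible to every identity (deny)."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, 100, ["application not published to ZTNA"]
    if not req.groups & policy["groups"]:
        return False, 100, ["identity not entitled to application"]  # entitlement is a hard gate
    risk, reasons = 0, []
    if not req.device_compliant:
        risk += 50; reasons.append("device not compliant")
    if req.country not in policy["countries"]:
        risk += 30; reasons.append(f"access from unexpected country {req.country}")
    if req.hour not in policy["hours"]:
        risk += 20; reasons.append("access outside approved hours")
    if policy["require_mfa"] and not req.mfa:
        risk += 40; reasons.append("MFA required but not presented")
    return risk < RISK_DENY_THRESHOLD, risk, reasons

def pep_enforce(req, decision_log):
    """Policy enforcement point: allow or block the connection on the PDP verdict and log the evaluation."""
    allow, risk, reasons = pdp_decide(req)
    decision_log.append({"user": req.user, "app": req.app, "allow": allow, "risk": risk, "reasons": reasons})
    return allow
```

Because entitlement is checked before any context scoring, a non-entitled identity learns nothing about the application's existence from the reasons returned.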

To address scalability challenges, the PDP architecture must be resilient and able to handle a large volume of requests; this is achieved by distributing the PDP rather than relying on a single instance.

ZTNA can overcome the scalability challenges posed by VPNs by establishing one-to-one connections to specific applications rather than relying on broad tunnelling.


Limiting Exposure Through Least Privilege

ZTNA is based on the zero-trust principle: “never trust, always verify.” This means that, regardless of the source of the connection, a consistent set of policy controls is applied. Combined with least privilege, this ensures that users are granted access only to the network resources they absolutely need. Once granted access, they have the minimum privileges applied when interacting with those resources.

If an attacker compromises a user’s identity, their ability to move laterally is severely constrained, as they will have access only to the resources approved for that identity. ZTNA grants access on a per-application basis, unlike traditional VPNs that provide broad network access, making network reconnaissance by attackers much more difficult.

However, it is critical that ZTNA is supplemented with additional security controls, such as the principle of least privilege, so that an attacker whose strategic objective is critical data is prevented from reaching it.


Achieving Deeper Visibility and Control

Traditional VPNs provide limited insight into user activity. Once traffic exits the VPN server and enters the internal network, the VPN no longer tracks or logs actions, leaving administrators blind to what users do beyond the initial connection. In contrast, the PDP in a ZTNA framework continuously logs all access requests, policy evaluations, and security decisions. This comprehensive visibility strengthens oversight and accountability across the network.

Many organisations struggle with incomplete user-to-application mapping in their existing deployments. During the initial phase of ZTNA implementation, logging becomes a crucial tool for identifying which users are accessing specific applications and resources. These insights form the foundation for building precise policy controls that restrict access based on verified identities and contextual parameters.
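How the decision log can be mined into the user-to-application mapping the paragraph describes, as an added example that is not part of the original article: the allowed decisions give the observed mapping, inverting it gives a draft per-application entitlement list, and the denial reasons show where policy needs tuning or where an identity is repeatedly reaching for applications it is not entitled to. The JSON Lines record layout and all log entries are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of PDP decision records (JSON Lines), including one malformed line; not real data.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:02:11Z","user":"alice","app":"payroll","allow":true,"risk":0,"reasons":[]}
{"ts":"2024-05-01T08:05:40Z","user":"alice","app":"wiki","allow":true,"risk":0,"reasons":[]}
{"ts":"2024-05-01T09:10:03Z","user":"bob","app":"wiki","allow":true,"risk":20,"reasons":["access outside approved hours"]}
{"ts":"2024-05-01T09:11:55Z","user":"bob","app":"payroll","allow":false,"risk":100,"reasons":["identity not entitled to application"]}
garbled line that a log shipper truncated
{"ts":"2024-05-02T23:40:12Z","user":"alice","app":"payroll","allow":false,"risk":50,"reasons":["access from unexpected country ZZ","access outside approved hours"]}
{"ts":"2024-05-03T08:00:00Z","user":"carol","app":"crm","allow":false,"risk":100,"reasons":["application not published to ZTNA"]}
"""

def parse_decisions(text):
    """Parse JSON Lines decision records, skipping blank or malformed lines instead of aborting the run."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def user_app_mapping(records):
    """Observed user-to-application mapping: which users actually reached which applications."""
    mapping = defaultdict(set)
    for r in records:
        if r["allow"]:
            mapping[r["user"]].add(r["app"])
    return {u: sorted(apps) for u, apps in sorted(mapping.items())}

def draft_entitlements(records):
    """Invert the mapping: for each application, the minimum set of identities that used it.
    This is the starting point for a least-privilege per-application policy, to be reviewed by the app owner."""
    ent = defaultdict(set)
    for r in records:
        if r["allow"]:
            ent[r["app"]].add(r["user"])
    return {a: sorted(us) for a, us in sorted(ent.items())}

def denial_summary(records):
    """Count denial reasons per application for policy tuning and anomaly review."""
    counts = defaultdict(int)
    for r in records:
        if not r["allow"]:
            for reason in r["reasons"]:
                counts[(r["app"], reason)] += 1
    return dict(counts)
```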

The expansion of logging capabilities, however, introduces a need for secure data storage. Log data, while essential for compliance and auditing, must be safeguarded to prevent misuse or tampering. When managed properly, these detailed records provide organisations with the enhanced visibility and control that traditional VPNs cannot offer.


The author is a Senior Director Analyst at Gartner.