ZTNA
What is ZTNA?
ZTNA is a model that grants users access to specific private applications only after continuous identity, device, and context checks — never network-level access by default.
Zero Trust Network Access (ZTNA) replaces the traditional VPN tunnel into a corporate network with brokered, per-application access. A trust broker authenticates the user (typically via the corporate IdP and MFA), evaluates device posture, applies context such as geolocation and risk, and then proxies only the allowed application sessions. The user never sees the underlying network, so lateral movement is prevented even if a device is compromised. ZTNA is a core component of SSE and SASE offerings and is typically deployed alongside identity governance, EDR, and continuous-access evaluation to realize the Zero Trust principle of explicit, least-privilege access.
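The broker logic described above, as an added illustration that is not part of the original page or any vendor's product: a small policy engine that decides one application session at a time from identity (MFA at the IdP), device posture, and context (country, risk score), and re-runs the same decision on a live session for continuous-access evaluation. The applications, groups, countries, and risk thresholds are constructed assumptions. Note that a request for anything that is not a published application (a raw host:port, for instance) is refused before any other check runs, which is the "no network-level access by default" property in code.

```python
"""
Minimal ZTNA-style access broker policy (added illustration, not vendor code).

Everything here is constructed for the example: the published applications,
group names, posture requirements and risk thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    groups: frozenset
    mfa_passed: bool          # MFA satisfied at the corporate IdP


@dataclass
class Device:
    managed: bool             # enrolled with the organisation (agent present)
    edr_healthy: bool         # EDR agent running and reporting
    os_patched: bool


@dataclass
class Context:
    country: str
    risk_score: int           # 0 (benign) .. 100 (high); constructed scale


@dataclass
class AppPolicy:
    allowed_groups: frozenset
    allowed_countries: frozenset
    max_risk: int


# Constructed catalogue of *published* applications. Anything not listed
# here does not exist from the user's point of view: there is no route to it.
PUBLISHED_APPS = {
    "ticketing": AppPolicy(
        allowed_groups=frozenset({"contractors", "staff"}),
        allowed_countries=frozenset({"GB", "DE", "US"}),
        max_risk=60,
    ),
    "hr-portal": AppPolicy(
        allowed_groups=frozenset({"staff"}),
        allowed_countries=frozenset({"GB", "DE"}),
        max_risk=30,
    ),
}


def evaluate(app: str, user: User, device: Device, ctx: Context) -> tuple[bool, str]:
    """Return (allowed, reason) for one application session.

    Checks run in the order a broker applies them: is the target a published
    app at all, then identity, device posture, context, and finally the
    per-app authorisation. A deny at any step ends evaluation; there is no
    fallback to network-level access.
    """
    policy = PUBLISHED_APPS.get(app)
    if policy is None:
        return False, f"{app!r} is not a published application"
    if not user.mfa_passed:
        return False, "MFA not satisfied"
    if not device.managed:
        return False, "unmanaged device"
    if not (device.edr_healthy and device.os_patched):
        return False, "device posture failed"
    if ctx.country not in policy.allowed_countries:
        return False, f"country {ctx.country} not permitted for {app}"
    if ctx.risk_score > policy.max_risk:
        return False, f"risk score {ctx.risk_score} exceeds {policy.max_risk}"
    if not (user.groups & policy.allowed_groups):
        return False, f"no group grants {app}"
    return True, f"session to {app} brokered for {user.name}"


def reachable_apps(user: User, device: Device, ctx: Context) -> list:
    """The whole environment as this user sees it: only apps they pass policy for."""
    return sorted(app for app in PUBLISHED_APPS if evaluate(app, user, device, ctx)[0])


def reevaluate_session(app: str, user: User, device: Device, ctx: Context) -> bool:
    """Continuous-access evaluation: re-run policy against a live session with
    the *current* posture and context. False means the session is torn down."""
    return evaluate(app, user, device, ctx)[0]


if __name__ == "__main__":
    # Example 01 from the page: a contractor reaches only the ticketing system.
    contractor = User("alice", frozenset({"contractors"}), mfa_passed=True)
    laptop = Device(managed=True, edr_healthy=True, os_patched=True)
    ctx = Context(country="GB", risk_score=10)
    print(reachable_apps(contractor, laptop, ctx))
    print(evaluate("hr-portal", contractor, laptop, ctx))
    print(evaluate("10.0.0.5:445", contractor, laptop, ctx))   # never a valid target
    # Later the EDR agent stops reporting on the same device: the session ends.
    laptop.edr_healthy = False
    print(reevaluate_session("ticketing", contractor, laptop, ctx))
```

The ordering of checks matters for what a denied user learns: an unpublished target is refused before identity is even consulted, so probing the broker for internal hosts reveals nothing about the network behind it. `reevaluate_session` is the hook a real broker would drive from EDR or IdP risk signals rather than from a one-time login.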
● Examples
1. A contractor reaches only the ticketing system through a ZTNA broker after MFA and device-posture checks.
2. Replacing a site-to-site VPN with ZTNA agents that publish only chosen internal apps.
● Frequently asked questions
What is ZTNA?
ZTNA is a model that grants users access to specific private applications only after continuous identity, device, and context checks — never network-level access by default. It belongs to the Network Security category of cybersecurity.
How does ZTNA work?
A trust broker authenticates the user (typically via the corporate IdP and MFA), evaluates device posture, applies context such as geolocation and risk, and then proxies only the allowed application sessions in place of a VPN tunnel into the network. Because the user never sees the underlying network, lateral movement is prevented even if the device is compromised. See the full definition above.
What are other names for ZTNA?
Common alternative names include: Zero Trust Network Access, Software-Defined Perimeter (SDP).
● Related terms
- SSE (network security): SSE is the security half of SASE — a cloud-delivered bundle of SWG, CASB, ZTNA, and often DLP and FWaaS that protects user traffic to internet, SaaS, and private apps.
- SASE (network security): SASE is a cloud-delivered architecture, coined by Gartner in 2019, that converges SD-WAN with security services like SWG, CASB, ZTNA, and FWaaS at the network edge.
- SWG (network security): A Secure Web Gateway (SWG) is a proxy — on-prem or cloud — that inspects user web traffic, enforces acceptable-use policy, and blocks malware, phishing, and data exfiltration.
- Identity and Access Management (IAM) (identity and access): A discipline and set of technologies for defining digital identities and controlling which resources each identity may access under which conditions.
- Multi-Factor Authentication (MFA) (identity and access): An authentication method that requires two or more independent factors — typically from different categories — before granting access.