What is ZTNA?
ZTNA (Zero Trust Network Access) is a mechanism that verifies the user and device on every access and connects them only to the applications they are permitted to use, rather than relying on whether they are "inside the corporate network." It is drawing attention as an alternative to traditional VPN and is one of the core components of SASE. This article explains how it differs from VPN, how it works, its pros and cons, and the migration path.
ZTNA basics
With a traditional VPN, once you connect you are effectively "inside the corporate network" and can reach many resources within it. This was a problem: if an account were ever compromised, the damage could spread easily.
ZTNA changes this approach at its root. Based on the premise that "no one is trusted from the start (zero trust)", it works as follows.
- On every access, it performs user identity verification (ID and multi-factor authentication)
- It checks the device's state (whether it is company-managed, whether anti-virus is active, etc.)
- If the conditions are met, it grants connection only to the necessary applications
- It restricts access per application rather than to the entire network
As a result, it eliminates the "once you are in, you can see everything" state and limits how far damage can spread.
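The following Python sketch is an added illustration, not code from the original article: it models the per-access decision of a ZTNA broker (identity, MFA, device posture, then per-application entitlement) next to a VPN-style network gate, and keeps the "who accessed which application" record. The policies, users and group names are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass
class AccessRequest:
    user: str
    groups: frozenset        # group memberships from the ID foundation (e.g. Entra ID)
    mfa_passed: bool         # multi-factor authentication satisfied for this access
    device_managed: bool     # company-managed device (e.g. enrolled in Intune)
    av_active: bool          # endpoint protection running
    app: str                 # the single application being requested

# Constructed per-application policy: who may reach which app, and on what device.
APP_POLICIES = {
    "hr-portal": {"groups": {"hr"}, "require_managed": True},
    "crm": {"groups": {"sales", "support"}, "require_managed": True},
    "wiki": {"groups": {"staff"}, "require_managed": False},
}
DISABLED_USERS = {"leaver@example.test"}   # IDs disabled on departure or transfer
AUDIT_LOG = []                             # record of "who accessed which application"

def ztna_decide(req):
    """One ZTNA broker decision: identity -> MFA -> device posture -> app entitlement.
    Every request is evaluated afresh; nothing is inherited from a prior connection."""
    policy = APP_POLICIES.get(req.app)
    if req.user in DISABLED_USERS:
        allowed, reason = False, "identity disabled"
    elif not req.mfa_passed:
        allowed, reason = False, "mfa required"
    elif policy is None:
        allowed, reason = False, "unknown application"
    elif policy["require_managed"] and not (req.device_managed and req.av_active):
        allowed, reason = False, "device posture failed"
    elif not (req.groups & policy["groups"]):
        allowed, reason = False, "not entitled to application"
    else:
        allowed, reason = True, "allowed"
    AUDIT_LOG.append({"user": req.user, "app": req.app, "allowed": allowed, "reason": reason})
    return allowed, reason

def vpn_decide(req):
    """Contrast: a network-level VPN gate checks identity once and never looks at the app."""
    ok = req.user not in DISABLED_USERS and req.mfa_passed
    return ok, ("inside the network" if ok else "denied")

def reachable_apps(req, decide):
    """Which applications a session can actually reach under a given access model."""
    return sorted(a for a in APP_POLICIES if decide(replace(req, app=a))[0])
```

Running `reachable_apps` for the same user under both functions shows the difference the article describes: the VPN gate exposes every internal application once the user is in, while the ZTNA decision exposes only the entitled ones, and disabling the ID closes both.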
A visual picture
VPN means "once you are in, you can reach much of what is inside"; ZTNA means "verify every time and connect only to permitted applications." A diagram makes this difference easier to grasp.
Understanding ZTNA with Diagrams
For those new to the jargon, here are three diagrams that explain the idea of ZTNA.
An analogy: a pass for each room
VPN lets you into the whole network, whereas ZTNA verifies every time, per application, and permits only what is needed.
Before / after: VPN and ZTNA
VPN lets you reach all systems once inside. ZTNA verifies per application every time and connects only to the allowed ones.
Step by step: how ZTNA works
On every access it verifies the user and device, decides permission per application, then connects only to the allowed apps.
How it differs from traditional VPN
Benefits
- You can limit the scope of damage in the event of account takeover
- Access tends to be faster (no need to backhaul all traffic through a central site)
- Users can often work without being aware of the connection step
- You can record and visualize "who accessed which application"
- Easier to apply fine-grained permission management for leavers, contractors, and so on
Drawbacks and points to note
- Initial design is required. You need to organize who is permitted to use which applications
- A solid ID foundation is a prerequisite. Without consolidated IDs such as Entra ID, the benefits are hard to realize
- Older on-premises internal systems may require extra work to support
- Monthly costs apply (typically on a per-user basis)
Major ZTNA products and services
These are representative ZTNA (Zero Trust Network Access) products and services. They cannot be ranked uniformly; it is important to choose based on how well they fit your existing environment and the cloud services you use.
Netskope Private Access
ZTNA from Netskope, which started from CASB. Easy to combine with visibility into cloud usage.
Zscaler Private Access
A service from Zscaler, a leading ZTNA specialist. Extensive track record in large-scale, global deployments.
Cloudflare Access
Leverages a high-speed global platform. Relatively simple and easy to adopt for SMBs and mid-sized companies.
Microsoft Entra Private Access
Integrates with Microsoft 365 / Entra ID. A strong fit for companies already using M365.
Cato Networks
Integrates networking (SD-WAN) and security. Well suited to companies with multiple sites.
* Product names and URLs are general information as of 2026. Please check each vendor's official site for the latest details.
The path from VPN to ZTNA (a general approach)
Rather than retiring VPN all at once, a realistic approach is to migrate gradually while running both in parallel.
What adoption looks like at a mid-sized company
The following are hypothetical model cases based on inquiries we frequently receive. The actual approach and results vary depending on each customer's environment and challenges.
~500 employees, service industry
Challenge: A mix of headquarters, multiple branches, and remote work, with slow and unstable VPN connections. Disabling access for leavers and transfers is manual, raising concern about forgetting to revoke it.
Existing environment: Microsoft 365 used company-wide. Once on the VPN, users can reach many internal systems.
1. Consolidate IDs in Entra ID and enable multi-factor authentication
2. Manage company devices with Intune
3. Move internal systems to per-application access with ZTNA (Entra Private Access)
4. Gradually reduce and retire VPN
Result: Connections become faster from headquarters, branches, and home alike; access is cut off immediately by disabling the ID on departure or transfer. A record remains of who used which system.
~300 employees, professional services (licensed professions)
Challenge: Concern about leakage of customer information. As departments and sites grow, it is unclear who has accessed which files.
Existing environment: Microsoft 365 used company-wide. Customer data handled is divided by department.
1. Set up everyone's ID in Entra ID and enable multi-factor authentication
2. Use conditional access to permit only "company-approved devices"
3. Use ZTNA to limit access to customer data by department
4. Monitor access logs and review permissions periodically
Result: Only permitted people and devices access the necessary scope. Operation logs support audits.
* The above are hypothetical model cases. The actual configuration and results vary depending on your environment.
Frequently Asked Questions
- Q: What is ZTNA?
ZTNA (Zero Trust Network Access) is a mechanism that verifies the user and device on every access and connects them only to the applications they are permitted to use, rather than relying on whether they are inside the corporate network. It is drawing attention as an alternative to traditional VPN and is one of the core components of SASE.
- Q: How does it differ from traditional VPN?
With VPN you "enter" the corporate network, are trusted once connected, and lateral movement is easy once breached. With ZTNA you "connect" to each application individually, verified every time and permitted only as needed, so damage is harder to spread.
- Q: How does per-application verification work?
On every access it performs user identity verification (ID and multi-factor authentication) and checks the device's state, and grants connection only to the necessary applications if the conditions are met. It restricts access per application rather than to the entire network.
- Q: How do you migrate from VPN?
Rather than retiring VPN all at once, a realistic approach is to migrate gradually while running both in parallel. The path is to inventory access targets, build the ID foundation and MFA, pilot with a few applications, expand scope and reduce VPN, and transition to operations and monitoring.
- Q: Are there drawbacks or points to note?
Initial design and a solid ID foundation are prerequisites, and without consolidated IDs such as Entra ID the benefits are hard to realize. Older on-premises systems may require extra work to support, and monthly costs apply, typically on a per-user basis.
Discuss reviewing your VPN or adopting ZTNA
From challenges such as "VPN is slow," "managing leavers' access is worrying," or "we want secure remote work," we support migration to ZTNA. You can start by having us help organize how your environment is actually used.