Network · 2026-03-12 · 5 min

ZTNA vs VPN: zero trust network access in plain language

VPNs grant network access; ZTNA grants application access. The difference matters because one ransomware family routinely abuses VPN access to spread.


Virtual Private Network (VPN) technology gives a remote user network-layer access — the user becomes part of the corporate network and can reach anything routing-reachable. Zero Trust Network Access (ZTNA) flips the model: the user authenticates per application, never receives a network address inside corporate space, and a broker — Cloudflare Access, Zscaler Private Access, Netskope ZTNA, Twingate, Tailscale, Microsoft Entra Private Access — proxies the application traffic. ZTNA is one pillar of the broader Zero Trust architecture defined in NIST SP 800-207.

The risk delta is concrete. A ransomware payload landing on a VPN-connected laptop can scan and attack any reachable internal IP. CitrixBleed, the Ivanti Connect Secure chain, and Fortinet SSL VPN exploit campaigns through 2024 and 2025 each began with VPN gateway compromise and ended in domain-wide ransomware. With ZTNA, a compromised endpoint can reach only the specific applications the user is authorized for, and lateral movement requires fresh authentication to each app. The blast radius shrinks from a /16 network to a single application.

Migration is gradual. Start by inventorying applications — internal web apps, RDP/SSH targets, file shares, legacy thick clients. ZTNA brokers handle HTTP and HTTPS apps trivially through reverse proxy. RDP and SSH need agent-based or jump-host integration. Legacy thick clients on UDP or proprietary protocols may require keeping them on the VPN as an island while new apps move to ZTNA. Enforce device posture: only managed, healthy endpoints reach high-value apps. Microsoft Intune compliance, JAMF compliance, or CrowdStrike device trust feed posture into the ZTNA broker.

Identity is the new perimeter and SSO is the entry. Federate the ZTNA broker to your identity provider (Entra ID, Okta, Google) and require MFA — phishing-resistant for sensitive apps. Apply conditional access: location, device, time, risk score from Identity Protection. Log every access decision to your SIEM with user, app, device, and outcome. The mature deployment moves the question from "are they on the VPN" to "does this user, on this device, in this state, get this app right now" — which is what zero trust means in practice.
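The per-app decision the previous two paragraphs describe (authorized group, MFA strength, device posture from MDM/EDR, conditional-access context, and a SIEM log line for every outcome) can be written down as a small policy engine. The block below is an added example and is not code from this post or from any ZTNA vendor; the application names, group names, posture fields, risk labels and the 203.0.113.0/24 trusted network are constructed for illustration, and the two-tier "standard"/"high" sensitivity model is an assumption. The point it makes runnable is the blast-radius argument above: an endpoint that passes every check for one app is still denied the next app unless it independently passes that app's checks.

```python
"""Minimal ZTNA-style access decision: one evaluation per (user, device, app).

Added example, not a vendor implementation. All names, groups, posture
fields and network ranges are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
import json

# Assumed labels the identity provider reports for the MFA method used.
PHISHING_RESISTANT_MFA = {"fido2", "certificate"}


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: frozenset          # identity groups that may reach this app
    sensitivity: str                   # "standard" or "high" (assumed two-tier model)
    require_phishing_resistant: bool = False
    allowed_networks: tuple = ()       # empty tuple means any source network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_method: str        # "none", "otp", "push", "fido2", ...
    device_id: str
    device_managed: bool   # enrolled in MDM (Intune / Jamf style)
    device_compliant: bool # posture verdict from MDM/EDR, assumed boolean here
    source_ip: str
    user_risk: str         # "low" | "medium" | "high" from the IdP risk engine
    app: str


def evaluate(req: AccessRequest, policy: AppPolicy) -> tuple[bool, str]:
    """Return (allowed, reason). The first failing check decides; the order
    puts the cheapest and most decisive checks first."""
    if req.app != policy.name:
        return False, "policy_mismatch"
    if not (req.groups & policy.allowed_groups):
        return False, "not_authorized_for_app"
    if req.mfa_method == "none":
        return False, "mfa_required"
    if policy.require_phishing_resistant and req.mfa_method not in PHISHING_RESISTANT_MFA:
        return False, "phishing_resistant_mfa_required"
    if not req.device_managed:
        return False, "unmanaged_device"
    if not req.device_compliant:
        return False, "device_not_compliant"
    if req.user_risk == "high":
        return False, "user_risk_high"
    if req.user_risk == "medium" and policy.sensitivity == "high":
        return False, "user_risk_medium_high_sensitivity_app"
    if policy.allowed_networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in net for net in policy.allowed_networks):
            return False, "source_network_not_allowed"
    return True, "all_checks_passed"


def decision_record(req: AccessRequest, policy: AppPolicy) -> dict:
    """Build the SIEM record: user, app, device, context and outcome."""
    allowed, reason = evaluate(req, policy)
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "app": policy.name,
        "device_id": req.device_id,
        "source_ip": req.source_ip,
        "mfa_method": req.mfa_method,
        "user_risk": req.user_risk,
        "outcome": "allow" if allowed else "deny",
        "reason": reason,
    }


def log_decision(req: AccessRequest, policy: AppPolicy) -> dict:
    rec = decision_record(req, policy)
    print(json.dumps(rec))  # one JSON object per line for SIEM ingestion
    return rec


# Constructed policies: a standard internal wiki and a high-sensitivity payroll app.
POLICIES = {
    "wiki": AppPolicy("wiki", frozenset({"staff"}), "standard"),
    "payroll": AppPolicy("payroll", frozenset({"finance"}), "high",
                         require_phishing_resistant=True,
                         allowed_networks=(ipaddress.ip_network("203.0.113.0/24"),)),
}


def make_request(**overrides) -> AccessRequest:
    """Constructed baseline request (a finance user on a compliant laptop)."""
    base = dict(user="alice", groups=frozenset({"staff", "finance"}), mfa_method="fido2",
                device_id="LAPTOP-0001", device_managed=True, device_compliant=True,
                source_ip="203.0.113.10", user_risk="low", app="payroll")
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    # A user cleared for the wiki does not thereby reach payroll: each app is its own decision.
    log_decision(make_request(app="wiki", user="bob", groups=frozenset({"staff"}),
                              mfa_method="otp"), POLICIES["wiki"])
    log_decision(make_request(app="payroll", user="bob", groups=frozenset({"staff"}),
                              mfa_method="otp"), POLICIES["payroll"])
    log_decision(make_request(device_compliant=False), POLICIES["payroll"])
    log_decision(make_request(), POLICIES["payroll"])
```

Each reason string is stable so a detection rule can alert on patterns such as a burst of `not_authorized_for_app` denies from one device_id, which is what a compromised endpoint probing for lateral movement looks like under ZTNA.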

Tags: ztna, zero-trust, vpn, network-security
Information security, Baku.
© 2026 gpolicy. All rights reserved.