Comparing VPNs and ZTNA – a Simple Explainer

Perhaps you’ve heard of ZTNA as a replacement for VPNs in network security. Our analogy makes the differences between them easy to understand.

Cloud adoption has plenty of business benefits, but securing network access is not one of them. The traditional practices of perimeter-based security are no longer an optimal model. If there’s no clear perimeter, there’s no way to ensure access to data and applications – and to prevent access, when the wrong people try to get to a company’s resources. When users can be anywhere, protection must be, too.

There are two strong, competing choices for secure remote access in a distributed, cloud-centric network environment: Virtual Private Networks (VPNs) and Zero Trust Network Access (ZTNA). Let’s compare them, in the context of an IT department wanting to manage network security and authentication.

What is a VPN?

VPNs establish a secure tunnel between the user’s devices and the corporate network’s resources. They’re also simple, inexpensive, and effective at encryption. For many uses, that’s enough – which also explains VPNs’ popularity.

Once a user is inside the network, they can move around and access data and applications (unless explicitly inhibited by segmentation or access control lists). The network’s attitude is, “Trust, but verify.”

VPN’s advantage is that authenticated users are trusted with network access. However, that’s also the biggest disadvantage of using VPNs. Because, once it authenticates the user, a VPN can expose a network to risks from insiders or from anyone who gains unauthorized access.

What is ZTNA?

The motto of Zero Trust on the other hand is: "Never trust, always verify". It makes access control enforcement as granular as possible.

With the Zero Trust cybersecurity approach, every user, device, and network connection is treated as untrusted by default. Each access request must be authenticated, authorized, and continuously validated before the system grants access to resources or data.

If Zero Trust is a mindset, Zero Trust Network Access (ZTNA) is the security model built on top of it. Trust is never implied, whether inside or outside the network. Access is defined by granular policies. It uses an adaptive trust model, operating on a need-to-know, least-privilege basis.

As a result, only authenticated and authorized users, endpoints, and applications are granted access to corporate resources. Access is centrally managed and policy-based. The attack surface is dramatically reduced. All that limits the risk of unauthorized access.

Technically speaking, ZTNA is a software-based approach sold as a subscription and delivered primarily on a SaaS-based model.

It’s also generally faster than VPN because the ZTNA policy enforcement point is placed as close as possible to the protected application and its data, which eliminates latency-inducing multiple hops through network appliances. Remote users’ system interactions aren’t routed from their location to the corporate office through a VPN, and then back out through the internet to the application, and then back through the same path to the end user. Faster access means users are happier and more productive.

Comparing VPNs and ZTNA

The best way to understand the difference between a VPN and ZTNA is with an analogy. Imagine a group of students who share a college apartment.

If the apartment were secured using a VPN, each resident would get a key to the front door. The same key lets them access their room as well as the communal areas such as the bathroom, kitchen, and storage space. That means every student can see what someone else put in the fridge – not to mention eat it.

So can a plumber who comes to fix a broken tap. Each person with access to the apartment lowers the security of its contents. If one student moves out, you need to replace all the locks.

If the apartment used an access system based on ZTNA, each resident would use an access card to enter through the front door to the shared living room. The same card would let them use their individual room, bathroom, kitchen, and storage space. But other students cannot get into a roommate’s room, only their own.

If a student moves out or changes rooms, it’s fast and easy to adjust their access.

If the plumber needs to investigate a leaking bathroom faucet, their temporary card only permits access to the single bathroom with the broken faucet and only for the time slot they need to fix the problem. Furthermore, it is also possible to monitor the plumber’s actual activity remotely or to record it to audit it later.


Legacy networks with VPN access were fine when corporate data and private applications were housed within the network and protected from the outside by a firewall.

But from a data security point of view, after a user gains access, the data within your entire network is exposed. Intruders understand that. With VPN-based security, IT staff who wanted to implement better security practices had to set up and maintain firewall rules for internal servers for network segregation purposes. Managing these becomes unwieldy.

With its zero-trust philosophy, you can use ZTNA for remote access as well as for user access to applications from within a corporate environment. Users are securely connected to their applications, and both the applications and network can be hidden from prying eyes.

That’s not to say that implementing ZTNA is a no-brainer. A good ZTNA solution is independent of its identity provider (IdP) to avoid sensitive data from being compromised. It must not store user credentials. And it must only inspect traffic at the enforcement points.

In addition, you need an inventory of private applications before implementation – which is not always simple in an era of “shadow IT.” Fortunately, analysis of existing secure web gateway logs can provide a means to do this discovery.

This suggests that you need someone to guide you through a ZTNA instantiation. At Open Systems, we’re happy to help with that – and many other ways to secure your network.