Security term · last reviewed 2026-07-07
ZTNA
Also known as: Zero Trust Network Access
ZTNA grants a user access to a specific application rather than a whole network, after verifying identity, device, and context on each connection; it is the standard replacement for the VPN.
How it works
ZTNA (Zero Trust Network Access) gives a user access to a specific application rather than to a whole network, granting that access only after verifying identity, device posture, and context on each connection. A broker sits between the user and the app: the user authenticates, the broker checks policy, and it brokers a connection to just that one application, keeping everything else invisible. This is the concrete, product-level expression of zero-trust principles for remote access, and it is the standard replacement for the traditional VPN.
When it matters
ZTNA matters for remote and hybrid workforces that need access to internal apps without the broad, flat network trust a VPN hands out. If a VPN-connected laptop is compromised, the attacker can often reach the whole network; with ZTNA, they reach only the specific apps that user was authorized for, which shrinks the blast radius dramatically. It usually rides on strong identity and MFA.
Common misconceptions
- "ZTNA and VPN are the same." A VPN grants network-level trust; ZTNA grants per-application access and hides the rest.
- "ZTNA is all of [zero-trust](/glossary/zero-trust/)." It is the network-access piece; zero trust also spans identity, devices, data, and workloads.
- "ZTNA removes the need for MFA." No. Strong identity with MFA is a precondition, not a replacement.
Related terms