VPNs vs Zero Trust Network Access

24 August 2022

Virtual Private Networks (VPN) changed the game of network access by enabling remote workers to connect to corporate networks and applications from their homes when they were first introduced… more than 30 years ago. And like many technological advances in the 1990s, VPNs have become a legacy relic that fails to meet the needs of a cloud-and-mobile-first corporate world.

Securing and authenticating traffic intended for business applications and data has since moved on. Zero trust security approaches were created to strike a balance between security, user experience and remote access and resulted in a solution that was arguably superior to traditional network security architecture. You can’t hack a corporate network if a corporate network doesn’t exist!

Zero Trust Network Access (ZTNA) is a specific secure access solution that implements the principles of zero trust security to deliver direct access to applications and data, eliminating the need for traditional VPNs. Below are four crucial differences between ZTNA and legacy VPNs.

Four Differences between ZTNA & VPNs

Risk vs effort

Traditional VPNs function by authenticating users before providing them with access to a network. This authentication will usually only take place once and when successful, provides unfettered access to a network for as long as the user is logged in to the VPN. This creates a remote access policy that is low effort, as there is limited ongoing configuration once a VPN has been established, but introduces a significant amount of risk. Once a VPN connection has been compromised, the entire network can also be considered compromised.

Instead of providing ‘trusted’ network access to users, Zero Trust Network Access continuously validates every access request and only provides access to specific applications based on validation policies and user profiles. This means that even after an access request has been granted, the user will only have access to applications that are relevant to their role and cannot move laterally throughout the network, significantly reducing risk. Larger organisations will need to create key profiles for departments and roles and manage access policies to ensure users have access permissions that balance risk with security.

So the question here is how much risk are you willing to accept when it comes to remote network access?

User experience

Legacy VPNs have to haul traffic through a corporate data centre for validation before allowing it to reach its destination, which can introduce significant latency for remote users and can even impact wider internet performance for everyone else. VPNs have been around for so long that many employees are simply willing to tolerate the negative impact this has on their user experience.

ZTNA cuts straight to the chase by connecting users directly to applications and resources once validated. This results in faster and more stable connectivity for remote users and reduces the strain on the corporate WAN. Additional tools such as Zscaler Digital Experience (ZDX) can further enhance this by empowering your IT to get ahead of any faults that impact user experience and proactively discover areas of improvement.

Device flexibility

Whilst legacy VPNs need to be installed and configured on specific devices to function, Zero Trust Network Access is clientless. This means ZTNA eliminates the need to install software on devices, enabling greater flexibility on how you provide secure access to remote users and external partners. Should your policies allow it, your users can opt to use their own devices or you can make it significantly easier for external partners to connect with necessary applications and data.

Cloud support

Traditional VPNs are typically designed to provide secure remote access to a network and have limited support for any Cloud resources located outside of that perimeter. Zero Trust Network Access, on the other hand, validates access requests regardless of where applications are hosted, and can direct traffic to on-prem or Cloud environments without unnecessarily tromboning traffic to the part of the network where the VPN would have been hosted.


The comparison between delivering secure remote access via Zero Trust Network Access or a traditional VPN boils down to risk - what’s the risk of using legacy technology to provide access to your network? What’s the risk of not extending your security perimeter to include users that are outside of your corporate network?

Organisations that still rely on legacy systems or a corporate network will likely find it difficult to transition to a true zero trust security model for the next few years at least. But ZTNA enables organisations to start their journey towards more secure infrastructure by introducing the ‘trust no-one, verify everyone’ approach to users seeking secure remote access. If you’re ready to start your zero trust journey, do not hesitate to reach out.