world tour:
Join us for a live look at how Menlo’s Secure Enterprise Browser puts you ahead of attackers
Icon Rounded Closed - BRIX Templates

What is Zero Trust Network Access (ZTNA)?

Organizations implement Zero Trust Network Access as a way to provide secure access for users to applications, data, and services based on a defined set of access control policies. ZTNA differs from virtual private networks (VPNs) by providing access exclusively to specific applications, whereas VPNs grant access to the entire network, and therefore all applications.

Modern enterprises need to make sure distributed entities (users, devices, remote offices, and SaaS platforms) are able to securely connect to applications. While this market is increasingly converging toward a Security Service Edge (SSE) agent-based architecture for the majority of deployments, according to Gartner, it is also seeing increased demand for agentless-based deployments in the case of unmanaged devices and/or third-party access.

A successful ZTNA approach should meet the broad security requirements for managed devices, maximize attack surface reduction, and provide a path to unify highly dynamic, adaptive access control policies in support of your organization’s adoption of zero trust principles.


Unlike VPN connections, ZTNA operates on a zero trust model in which access is granted only to authorized applications required for a particular person or role to do their job, wherever that application might reside. In this way, connecting to the network doesn’t provide the ability to scan or search across the whole network, and allows distributed applications to be accessed through a single connector. According to Gartner, organizations looking to replace their existing VPNs can benefit from significant risk reduction for their enterprise by leveraging ZTNA alternatives. Many of these ZTNA benefits include:

  • Provision of contextual, risk-based and least-privilege access to applications.
  • Ability to move applications off the public internet to reduce an organization’s attack surface.
  • Improved end-user experience for native access to applications.
  • Agility to support direct access to applications hosted in public and hybrid clouds.
  • Scalability in comparison with legacy, hardware-based remote access VPN approaches.
  • Support for growing SaaS applications, cloud services and data ill-suited for traditional tunnel access approaches.
  • Placement of security controls closer to where users and applications connect, regardless of location.

How does ZTNA work?

ZTNA solutions are used to connect end users only to authorized applications, wherever the user and application happen to reside. According to Gartner, ZTNA has evolved from being primarily a VPN replacement into a key component of a standardized zero trust architecture for remote and branch users.

For a ZTNA solution to be effective, it must validate the identity of the user and assess the security posture of the device being used, ensuring it aligns with the defined policy before granting access to the application. Once authorized, a secure connection is made between the user’s device and the application.

menlo global cloud diagram

This approach ensures that users are only able to access applications based on a particular user’s identity and unable to view or access any other application for which they lack authorization for. Furthermore, it helps prevent lateral attacks in the event an attacker were to gain access, they would be unable to spread laterally throughout the organization.

How can Browser Security protect your organization? Find out.

Understanding the limitations of traditional ZTNA solutions

While ZTNA solutions might seem ideal for providing highly scalable, direct connections between your applications and remote users, most ZTNA tools are designed to establish a secure connection and then step out of the way, allowing users to freely interact with their applications. The challenge with this approach is that it leaves security teams without visibility into user’s traffic, making them blind to potential data transfers that might take place between users and applications. This exposes them to potentially missing incidents involving sensitive data storage, access, or potential upload of malicious content.

This inability to monitor such inconspicuous behaviors, such as compromised user credentials, used data exfiltration, or other nefarious activities, poses a significant threat for security teams. Consequently, it is imperative for organizations to implement a ZTNA solution that not only provides access and visibility, but also enforces security after establishing a secure connection. This proactive approach ultimately prevents potential security incidents and achieves a true zero trust connection.

Enabling the new hybrid workforce

In today’s multi-cloud environment, applications can be distributed across multiple cloud platforms, as well as on-premise infrastructure. Modern organizations require their digital assets to be accessible from anywhere, on any device, to help meet the needs of their growing hybrid workforce. Next-gen ZTNA solutions should integrate seamlessly with your existing security investments to expand the protection and visibility needed. They should provide security teams with bidirectional visibility into all communications, allowing them to protect users from attacks originating from an application and implement data loss protection (DLP) policies where needed.

Next-gen ZTNA redefines trust, operating on the principle that nothing should be inherently trusted. Unlike traditional solutions that primarily concentrate on just securing access, next-gen ZTNA solutions like Menlo Security’s Secure Application Access incorporate enhanced security measures needed to safeguard today’s users, data, and applications against the growing menace posed by ever-evolving threats, and highly sophisticated threat actors. Secure Application Access meets the extensive security requirements for managed devices by leveraging our elastic isolation core to create a rendered image of the application on the endpoint device directly in the user’s browser, rather than interacting with the application itself. This ensures the safest path to accessing browser-based enterprise private and SaaS applications using dynamic access control policies and enabling granular filters in support of an enterprise’s adoption of zero trust principles while maintaining a seamless user experience.

Learn more about Zero Trust Access

Make zero trust access easy