Zero trust network access (ZTNA) is a security model that grants access to applications and resources based on verified identity and context, never on network location. Instead of trusting anyone inside a network perimeter, ZTNA verifies every request, checking the user, the device, and the context, and grants the least access needed, for that session only. This guide defines ZTNA, explains how it works through an identity-aware proxy, contrasts it with the VPN it replaces, untangles the related terms (ZTA, SASE, SDP), and walks through real use cases, outcomes, and how to implement ZTNA in cloud-native environments with Teleport.
Zero trust network access (ZTNA) is an access model that grants connectivity to specific resources based on a continuously verified identity and device posture, rather than on a user's position inside a network. The guiding principle is "never trust, always verify": no user, device, or workload is trusted by default, even if it sits inside the corporate network.
Traditional perimeter security worked like a castle and moat. Once you were inside the network, through a VPN (virtual private network) or by being on the office LAN, you were broadly trusted and could reach far more than your job required. ZTNA discards that assumption. Identity becomes the perimeter. Access is granted to one application or resource at a time, scoped to what the verified identity is allowed to do, and re-evaluated continuously rather than granted once at the door.
ZTNA is the access-enforcement piece of a broader zero trust architecture (ZTA). Where zero trust architecture is the overall strategy and set of principles, ZTNA is the concrete technology that connects a verified user or workload to a specific resource without exposing the rest of the network. That focus on identity-based access to individual resources is what makes ZTNA the practical starting point for most teams adopting zero trust security.
It helps to place ZTNA among the terms it travels with, because they are easy to conflate:
The model rests on a few core assumptions:
First, the network is assumed to be hostile, so being "inside" it confers no trust. Second, trust is never permanent. It is evaluated per request and can be withdrawn the moment context changes. Third, access is granted at the resource level, not the network level, so authorization is always specific rather than blanket. Fourth, every access decision is logged, because you cannot enforce least privilege if you cannot see what is happening. These assumptions are the same ones that underpin Google's BeyondCorp work and the NIST zero trust guidance, and are why ZTNA scales to environments that perimeter security was never designed for: remote-first workforces, ephemeral cloud workloads, and non-human identities that authenticate thousands of times an hour.

To implement ZTNA you need a system built around an identity-aware proxy that allows only trusted devices and verified identities to reach the resources behind it. Four components do the work:
ZTNA works by placing a broker between the user and the resource so that no one connects directly to anything until their identity and context are verified. Nothing is exposed to the open network; the resource stays dark until access is explicitly granted. In a zero trust model the emphasis is on who you are, not where you are.
The core component is an identity-aware proxy (sometimes called a trust broker). Every connection request flows through it, and it enforces policy before any traffic reaches the resource. A typical ZTNA flow looks like this:

A key design choice is how trust is proven. Strong ZTNA implementations issue short-lived certificates rather than relying on standing credentials, so access automatically expires and there is no long-lived secret to steal. Modern zero trust tooling also layers in phishing-resistant authentication like WebAuthn and passwordless login, real-time auditing of everything that passes through the proxy, and role-based access controls (RBAC) for granular, per-identity authorization. Because every request passes through the proxy, every action can be logged, producing a record of who accessed what, when, and from where.
Two properties of this model deserve emphasis, because they are what separate ZTNA from a firewall rule or a network ACL. The first is continuous verification. In a perimeter model, you are authenticated once at connection time and trusted for the life of the session. In ZTNA, the policy engine keeps watching, so if the device falls out of compliance, the certificate expires, or the risk score changes, the session can be cut without waiting for the user to log out. The second is that authorization is identity-based, not address-based. The proxy does not care what IP a request comes from or which network segment it lands on. It cares who is making the request, what device they are on, and whether policy permits that identity to reach that specific resource right now. That decoupling of access from network topology is precisely what makes ZTNA work across multi-cloud and hybrid environments, where IP addresses are ephemeral and the notion of "inside the network" has stopped meaning anything. You can read more about how Teleport extends BeyondCorp and the Federal zero trust strategy.
The short version: a VPN grants broad access to a network, while ZTNA grants narrow access to a specific resource based on verified identity. That single difference drives every other contrast below.
A VPN connects a remote user to the corporate network and, once connected, that user can typically reach anything the network routing allows. If an attacker steals VPN credentials or compromises a connected device, they inherit that same broad reach and can move laterally across the network. ZTNA never places the user "on the network." It brokers access to one resource at a time, so a compromised account cannot pivot to systems it was never authorized to touch. Lateral movement, the mechanism behind most damaging breaches, is structurally limited.
The differences go beyond security posture:
None of this means VPNs disappear overnight. Many teams run ZTNA alongside a shrinking VPN footprint, moving high-value systems behind identity-based access first and retiring the broad tunnel as confidence grows. The end state, though, is clear: access defined by who you are and what you are allowed to reach, not by whether you managed to get onto the network.
| Dimension | VPN | ZTNA |
|---|---|---|
| Trust model | Network location: inside = trusted | Verified identity and context, per request |
| Access scope | Broad network access | Least-privilege access to a single resource |
| Lateral movement | Possible once connected | Structurally contained |
| Credentials | Often static, long-lived | Short-lived, certificate-based |
| Resource exposure | Network segments reachable after connect | Resources stay dark until access is granted |
| Visibility | Limited; network-level | Per-session, per-resource audit and recording |
| Fit for cloud / multi-cloud | Poor; built for a fixed perimeter | Built for cloud-native, remote-first, multi-cloud |
| Cost and scaling | Concentrators and hardware scale awkwardly | Scales with identity, not network plumbing |
For a deeper comparison, see VPN versus zero trust and our take on the evolving nature of remote access. Teams replacing legacy remote access often start with the VPN and bastion alternative use case, where ZTNA replaces both the VPN and the jump box while keeping a full audit trail for compliance.
ZTNA fits anywhere access should depend on identity rather than network location. The most common use cases include:
Security is the headline benefit and it pairs well with modern cloud infrastructure access:
Identity-based authentication. ZTNA bases trust on verified identity rather than an outdated password or shared secret. Modern secure enclaves, Windows Hello, or Face ID prove a user's or device's identity biometrically for Device Trust.
Hidden infrastructure. Systems and applications stay invisible to the public without being connected to a corporate network, freeing the network while keeping applications dark.
Control and granularity. A centralized proxy makes users, devices, and resources easy to manage, while attribute-based access controls or role-based access controls enforce the principle of least privilege.
App segmentation. Secure boundaries are drawn around individual applications or groups of applications and managed by policy, rather than around networks.
ZTNA is not without trade-offs:
When evaluating a ZTNA platform, weigh a few factors:
The difference between ZTNA and ZTAA is in the third word: network versus application. Per Gartner, ZTNA creates an identity and context-based logical access boundary around an application or set of applications, focused on identity-aware access to the network and its resources. ZTAA narrows the focus to protecting the applications themselves, notably web apps. In practice the terms are used together, since ZTAA takes place within a ZTNA setup and applies zero trust security to the applications inside it.
Teleport Zero Trust Access implements ZTNA by establishing a unified identity layer in front of your infrastructure, so access is granted on cryptographic identity and least privilege rather than network location. It is built for cloud-native infrastructure rather than retrofitted from a data-center appliance, and it extends the model to all four identity types: humans, machines, workloads, and AI agents.
At the core of Teleport is the Teleport cluster, with three parts that map onto the ZTNA model:
A user authenticates to the cluster using an identity provider of their choice (OIDC, SAML, or GitHub SSO) or local WebAuthn, both passwordless rather than secret-based. Once identity is verified, the user can reach only the resources their Teleport role allows, and just-in-time access requests can grant temporary privileged access to specific resources or roles.
Deployment is deliberately straightforward. Teleport ships as a single binary with an open-source core (20,000+ GitHub stars) and a managed cloud option, so teams can stand up identity-based access quickly rather than assembling a stack of appliances. As one data point, Turo deployed Teleport and connected it to MySQL in under two hours. Consolidating ZTNA, infrastructure access, and audit into one platform also reduces tool sprawl and lowers both license cost and operational overhead.
Zero trust network access replaces the broad, location-based trust of a VPN with narrow, identity-based access to individual resources, verified continuously. The payoff is a smaller attack surface, contained breaches, and stronger, more auditable compliance, which perimeter tools struggle to deliver in cloud-native and multi-cloud environments.
The practical move is to make identity the perimeter and least privilege the default, then prove it with audit and session recording. Teleport Zero Trust Access implements ZTNA with an identity-aware proxy, short-lived certificates, and zero standing privileges across humans, machines, workloads, and AI agents, while Teleport Identity Security gives you the visibility to back it up.
What is ZTNA?
Zero trust network access (ZTNA) is a security model that grants access to specific applications and resources based on verified identity and context rather than network location. It follows never trust, always verify, authenticating and authorizing every request and granting least-privilege access for that session only.
How is ZTNA different from a VPN?
A VPN grants broad access to a network once a user connects, while ZTNA grants narrow access to a single resource based on continuously verified identity. With a VPN, a compromised account can move laterally across the network. With ZTNA, access is contained to the specific resource the identity is authorized to use, and resources stay invisible until access is granted.
What is the difference between ZTNA and ZTA?
Zero trust architecture (ZTA) is the overall strategy and set of principles for zero trust, defined in standards like NIST SP 800-207. ZTNA is one enforcement technology within that architecture, the part that brokers identity-based access to resources. ZTA is the blueprint, and ZTNA is a tool that implements it.
Is ZTNA part of SASE?
Yes. Secure access service edge (SASE) is a cloud-delivered framework that bundles networking and security functions, and ZTNA is one of its core components. ZTNA can be delivered as part of SASE or on its own.
What is the difference between ZTNA and ZTAA?
ZTNA secures identity-based access to the network and its resources, while zero trust application access (ZTAA) applies the same principles specifically to applications, notably web apps. ZTAA effectively takes place within a ZTNA setup.
What is a software-defined perimeter (SDP)?
A software-defined perimeter is closely related to ZTNA. It creates a logical, identity-based perimeter instead of a network-defined one, cloaking applications and systems from anyone outside it. ZTNA is the modern, productized evolution of the SDP concept.
What are the two main types of ZTNA?
Endpoint-initiated ZTNA relies on an agent installed on the user's device, while service-initiated ZTNA requires no agent on the device, which can be more appealing for BYOD organizations.
How do you implement ZTNA?
Place an identity-aware proxy in front of your resources, authenticate every user and workload with strong, ideally certificate-based credentials, evaluate device and context, and grant least-privilege access per resource with continuous verification. Teleport Zero Trust Access implements this with short-lived certificates, a proxy, and per-session audit.
How does Device Trust work in ZTNA?
Device Trust is verified through a device challenge tied to a private key in the device's secure enclave, giving the device a verifiable identity that can be checked continuously. Maintaining a list of trusted devices also lets you quickly offboard an employee or restrict a device.
What is just-in-time, least-privilege access?
Least-privilege access gives a user only the access needed for their daily tasks and nothing more, while just-in-time access grants any additional privilege temporarily and on demand rather than permanently. Teleport delivers this with short-lived certificates that expire automatically.