Zero Trust Network Access (ZTNA)

Venu Shastri - June 28, 2023

What is Zero Trust Network Access?

Zero Trust network access (ZTNA) is an IT technology solution that requires all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.

Sometimes referred to as a software-defined perimeter (SDP), ZTNA is an adaptive model wherein access to applications and services is granted on a least-privileged basis as dictated by the organization’s access control policies.

ZTNA is often used as an alternative to the virtual private network (VPN) model, which grants total network access to verified users. Given the shift to remote work, the use of VPN is increasingly seen as a cybersecurity risk, as organizations find it more difficult to monitor and analyze network traffic and application use across a wide variety of locations and devices.

How Does Zero Trust Network Access Work?

ZTNA separates application access from network access. This means that users must be authenticated to use each application individually as opposed to the network as a whole.

Once the user is authenticated, the ZTNA tool establishes a secure, encrypted tunnel to grant access to a resource. Like software-defined perimeters (SDPs), ZTNA tools use “dark cloud” principles to shield the user’s IP address and limit the user’s visibility into other applications and services that they do not have access to.

By authenticating each user and isolating access in this way, the organization can reduce the risk of infection from a compromised device as well as prevent lateral movement in the event of a breach.

ZTNA vs VPN vs Traditional Network Access

ZTNA is a significant departure from traditional network security which follows the “trust but verify” method. In the traditional model, users and endpoints within the organization’s network perimeter were assumed to be trustworthy. This put the organization at risk from malicious internal actors and rogue credentials; it also inadvertently granted wide-reaching access to unauthorized users once inside the network.

ZTNA differs from the traditional network access model in three main ways:

1. Access control

In a ZTNA model, authentication and access are based on advanced identification techniques rather than on the user’s IP address, which is typically the basis of identification in most VPN models.

By structuring network access in this manner, the organization has far more flexibility in creating customized secure access policies which can automatically reject any access requests based on user location or device type. For example, an organization can implement a policy designed to prevent an old or otherwise vulnerable device from connecting to the network; it can also ensure devices are properly patched before granting network access.

2. Application discovery

In a ZTNA framework, private applications and services are not placed on the network or internet, making them more difficult to discover or access by unauthorized users. This serves to greatly reduce the organization’s attack surface.

Instead, network access is managed by a designated trust broker that confirms the user’s access rights before granting the request.

3. Access privileges

As noted above, in a ZTNA model, access is determined on a case-by-case basis. This means that access is not granted to the user across all devices; nor is a device approved for use by any user. Rather, access requests are evaluated and granted as they are made, even for familiar or frequent users or devices.

This level of security is becoming increasingly important as organizations allow employees to use personal devices at work. In many traditional security models, access is based on the user regardless of the device being used, which can open the network to any number of threats.
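To make the per-request, per-application evaluation described under “Access control” and “Access privileges” concrete, here is an added Python example of a minimal trust broker; it is not code from this page or from any ZTNA product, and the applications, group names, device attributes and country codes are constructed for illustration. Each decision is made for a specific user on a specific device, is based on identity and posture rather than an IP address, and is scoped to one application rather than the network.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed example: a minimal trust broker deciding per app, per user AND per device.

@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    authenticated: bool          # identity verified (e.g. SSO + MFA), not an IP

@dataclass(frozen=True)
class Device:
    managed: bool
    patched: bool
    os_version: Tuple[int, int]  # hypothetical (major, minor) version tuple

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    min_os: Tuple[int, int]
    require_managed: bool = True
    allowed_countries: FrozenSet[str] = frozenset()   # empty = any location

# Hypothetical per-application policies; note there is no "whole network" entry.
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(frozenset({"finance"}), (14, 0), True, frozenset({"US"})),
    "wiki": AppPolicy(frozenset({"staff", "finance"}), (12, 0), require_managed=False),
}

def evaluate(app: str, user: User, device: Device, country: str) -> Tuple[bool, str]:
    """Decide one access request; evaluated on every request, never cached."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "unknown application"
    if not user.authenticated:
        return False, "authentication required"
    if not (user.groups & policy.allowed_groups):
        return False, "user not entitled to this application"
    if policy.require_managed and not device.managed:
        return False, "unmanaged device"
    if not device.patched or device.os_version < policy.min_os:
        return False, "device posture below policy minimum"
    if policy.allowed_countries and country not in policy.allowed_countries:
        return False, "location not permitted"
    return True, "granted"

def visible_apps(user: User, device: Device, country: str) -> List[str]:
    """Dark-cloud behaviour: the user only sees apps this user+device may reach."""
    return sorted(a for a in POLICIES if evaluate(a, user, device, country)[0])
```

The same user is granted on a patched managed device and refused on an unpatched one, and a user entitled to one application learns nothing about the others.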

Use Cases for Zero Trust Network Access

ZTNA provides several valuable use cases for organizations. The most common ZTNA use cases include:

  1. VPN alternative: ZTNA provides the same basic remote access functionalities as a VPN system, but does so with greater security, less management, and improved network speed.
  2. Multi-cloud access: A Zero Trust architecture is ideal for organizations that have a multi-cloud environment and want to have more flexibility with respect to individual cloud access, as well as cloud-based services and applications.
  3. M&A integration: ZTNA accelerates the standard M&A integration timeline by simplifying network convergence.

ZTNA Limitations

ZTNA functions as a next-gen VPN replacement in that it ensures only approved, authenticated users are granted access to an IT environment or resource. At the same time, it does not actively monitor or mitigate threats once a user has been granted access to a trusted zone.

Further, while secure access via ZTNA is a critical component of a comprehensive cybersecurity strategy, it is not effective at stopping modern cyberattacks such as ransomware or supply chain attacks. ZTNA must be combined with a secure access service edge (SASE) solution and other security tools and solutions to ensure complete protection.

In addition, ZTNA does not provide underlying identity protection capabilities, such as gathering activity data or endpoint details. As a result, the ZTNA solution cannot determine a baseline of standard user behavior, making it impossible to detect anomalies or deviations.

Finally, most ZTNA solutions require a gateway, similar to what is used by a VPN. This requires careful planning to ensure the strongest possible protection without introducing significant friction within the user experience that could prevent valid users from accessing the tools and resources they need to perform their jobs.

Learn More

Learn about the differences between Zero Trust and secure access service edge (SASE) as we answer common questions that organizations have when incorporating these into their overarching cybersecurity framework. Read: Zero Trust Vs SASE

How to Choose the Right Identity Security Approach for Your Enterprise

Given some of the limitations of existing ZTNA tools, organizations may wish to consider a broader identity protection solution to achieve stronger security and access control. Key advantages of an identity protection solution:

  1. An identity protection solution provides comprehensive protection, including: identity behavioral and risk-based analysis (covering both human and programmatic accounts); identity store attack detection and prevention; and real-time analysis of threats against on-prem Active Directory (AD) and Entra ID (formerly Azure AD) platforms. Protecting AD is important, as AD is the weakest link in your cyber defense.
  2. An identity protection solution considers all accounts, including regular human accounts, service accounts and privileged accounts, and assesses both user risk and the risks associated with their endpoints. This enables identity segmentation and security automation tied to context, instead of just granting users access to specific applications as defined in the ZTNA policies.
  3. While ZTNA provides lateral movement protection, an identity protection solution also includes mechanisms to detect evolving adversarial tactics that leverage privilege escalation, service account misuse, interactive logins, RDP attacks, and NTLM- and LDAP/S-based attacks.

Jumpstarting Your Journey with CrowdStrike Identity Protection

CrowdStrike Identity Protection secures your modern enterprise with its cloud-delivered solution to either find identity store weaknesses and issues, or stop attacks against your identity store in real-time, wherever they are.

The Falcon Identity Protection solution consists of two products:

  1. Falcon Identity Threat Detection: Serves as the first level of detection for AD security, providing identity risk analysis and detecting threats to the authentication system and credentials as they happen
  2. Falcon Identity Threat Protection: Enables frictionless security with real-time threat prevention and IT policy enforcement using identity, behavioral, and risk analytics that combine with nearly any MFA/SSO provider to challenge threats in real time

To learn more about how your organization can leverage CrowdStrike Identity Protection to strengthen and enhance your cybersecurity posture against the full landscape of modern threats, please download our data sheet and schedule a demo today.

GET TO KNOW THE AUTHOR

Venu Shastri, a seasoned identity and cybersecurity product marketer, serves as Director, Product Marketing at CrowdStrike for Unified Endpoint & Identity Protection. With over a decade of experience in identity, driving product marketing and management functions at Okta and Oracle, Venu holds a US patent on passwordless authentication. Prior to his identity experience, Venu co-founded and drove product management for an enterprise social software start-up. Based out of Raleigh, NC, Venu holds an MBA from the University of Santa Clara and an Executive Certification from MIT Sloan.