Understanding ZTNA’s Relationship to Zero Trust and SASE


Zero Trust Network Access (ZTNA) and Zero Trust (ZT) are related security models that are often wrongly conflated. In this article, we explore the definitions of ZTNA and ZT, showing how they overlap and enable each other—while also underscoring essential differences between the two. ZTNA is about securing IT environments at the network level, making it a core element of broader ZT and Secure Access Service Edge (SASE) security models. As such, it’s a practical component, becoming more critical in securing today’s distributed environments.

What is ZTNA?

ZTNA is a solution for securing remote access to an organization’s networks, data, and applications based on the principle of Zero Trust. Using ZT principles, a ZTNA solution takes a “deny all by default” approach to any network access request. No person or device is trusted when access is requested. Only after the ZTNA solution has authenticated the user based on a range of criteria will the user/device be granted limited access privileges.

ZTNA: How it works

The connection occurs through a secure, encrypted tunnel. This approach provides additional security by blocking the user from seeing the IP addresses of applications and services they are not entitled to see. In this way, ZTNA is similar to a Software-Defined Perimeter (SDP), which hides data, apps, and services from everyone without proper privileges. ZTNA then continues to re-verify the user throughout the session.

ZTNA versus VPN: Why companies are moving away from VPN

ZTNA performs a comparable role to the virtual private network (VPN), but with some notable differences. Most VPNs use a “trust by default” policy, the opposite of ZTNA’s “deny by default” stance. Also, VPNs tend to grant flat access—once they give permission, the user can access everything on the network. The problem with this approach is that it enables a malicious user to move laterally across the network and potentially attack all of an organization’s digital assets. For this reason, many corporations are moving away from VPN in favor of ZTNA.

ZTNA advantages

ZTNA offers several advantages over other solutions. It’s more granular and context-aware than a VPN, with tighter control over access. It reduces the chance of lateral movement. ZTNA is also better than a VPN for managing access to digital assets outside an organization’s core network. This scenario is becoming common today, which also explains the rising popularity of ZTNA.

ZTNA vs. ZT: Differences and how the two get mixed up

ZTNA is an implementation of ZT, a broad, foundational cybersecurity model IT teams can apply to various real-life scenarios. ZT is a concept and security model—not a defined solution. The fundamental law of ZT is always to deny access by default. Users who want to access a database are inherently prohibited without verification of identity. The request is similarly rejected by default if a user wants to store a file. A ZT-based system grants access and usage privileges in the smallest possible increments and the privileges are repeatedly rechecked as the usage session proceeds. ZT can work at any level of granularity.

ZTNA and ZT get mixed up for several reasons. First, they are connected ideas. You cannot have ZTNA without ZT. However, it’s possible to have ZT without ZTNA. Also, ZTNA is a practical solution that is now on the market in various forms. It’s easy to think, “I’m doing ZT if I buy a ZTNA solution.” However, you’d only be partly correct. You can implement ZTNA and still grant unfettered flat access to all sorts of digital assets for users who have cleared the ZTNA access rules or policies.

ZTNA as a critical component of SASE

ZTNA is one of five core elements of SASE, according to Gartner’s early definition of the model. It is essential for SASE because it addresses one of the primary purposes of SASE—securing distributed digital assets for remote users.

ZTNA helps with this by controlling access policies between users and digital assets, regardless of where they are located. It can handle any user and any device, and from any location. It also offers dynamic security, adapting to users who are on the move.

ZTNA as a smart path to ZT

Some view ZTNA as a crucial first step toward implementing ZT. One reason concerns the administrative challenges inherent in the ZT model. ZT is easy to understand in theory. In practice, it can be unwieldy to implement. Consider this: Let’s say you have 1,000 users and 10 applications. If you want to grant individual privileges to users based on their right to access a resource, that means setting up personal trust profiles comprising up to 10,000 variations.

The only way to deal with this operational challenge is to manage access policies by user role and network sub-segment. Users with finance roles can access digital finance assets on the finance sub-segment, and so forth. ZTNA enables this process with relative ease compared to setting up individual trust profiles. It makes the concept of ZT easier to operationalize.


ZTNA and ZT overlap, but they are two distinctly different animals. ZTNA is an incarnation of the ZT security model and an essential requirement for SASE models and solutions, because it helps turn these conceptual ideals into more practical realities. While the concept of ZT has been around for more than 20 years, operationalizing individual access policies by user role can be challenging without the help of ZTNA technologies and SASE solutions. This symbiosis helps explain why some view ZTNA as a critical first step toward implementing ZT.

To learn more about Comcast Business global secure networking solutions, including solutions that meet the key tenets of the SASE model, please visit: https://business.comcast.com/enterprise/products-services/secure-network-solutions

Dive into related security models while learning the key differences.

Locked Content

Click on the button below to get access

Unlock Now

Or sign in to access all content on Comcast Business Community

Learn how Comcast Business can help
keep you ready for what's next.