Zero Trust Network Access vs Traditional VPN — The Replacement Pattern That Is Now Default

Manish Garg · Associate of (ISC)² · RingSafe
Apr 27, 2026
10 min read

Last updated: May 1, 2026

Traditional VPN puts users on the corporate network — once authenticated, broad reachability. ZTNA does the opposite — explicit per-application authorisation, no network-level access, continuous verification. ZTNA is the modern remote-access pattern; VPN remains for site-to-site. This module covers the architecture, the policy model, the major products (Cloudflare Access, Tailscale, Twingate, Zscaler ZPA, Netskope, Microsoft Entra Private Access), and the migration path from VPN.

Traditional VPN gave users full network reach; the implicit assumption was that the corporate network is a “trust zone”. That assumption was wrong by 2010 and indefensible by 2020. ZTNA inverts the model: identity-aware proxy in front of every application, explicit authorisation per-request, no broad network access ever granted. This module is the working introduction to ZTNA, comparison with VPN, and the migration path — relevant in 2026 to almost every Indian enterprise rolling out hybrid work.

The two trust models — and why VPN's broke

VPN model: authenticate once, get network access, and let applications enforce their own auth. The implicit trust: “if you are on the corporate network, you are an employee with reasonable intentions”. This worked acceptably when “the network” was a single office building with controlled physical access. It broke when remote work, contractors, BYOD, and supply-chain compromise meant any device on the VPN might be a hostile beachhead. Lateral movement became trivial — once on the VPN, you could ping every internal host.

ZTNA model: no network-level access at all. Instead, an identity-aware proxy fronts each application; every request is authorised on user identity, device posture and request context; only authorised connections pass through.

Result: a compromised endpoint sees only the apps that user is allowed to use, and only when the device passes posture checks. Lateral movement is meaningfully harder.
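To make the ZTNA decision concrete, here is an added example (not code from this module or from any of the products named above) of the policy check an identity-aware proxy applies to every request: identity, device posture and request context, evaluated per application with default deny. The policy table, group names, device fields and sample requests are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Device:
    managed: bool        # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool
@dataclass
class Request:
    groups: set          # identity: the user's group memberships
    app: str             # the application being reached; no network is ever reachable
    device: Device       # posture of the device making the request
    auth_time: datetime  # when the user last authenticated
    now: datetime        # time of this request (context)
# Hypothetical per-application policy (constructed): who may reach each app,
# what device posture it demands, and how old an authentication it will accept.
POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True, "max_auth_age": timedelta(hours=8)},
    "wiki": {"groups": {"staff", "contractors"}, "managed_only": False, "max_auth_age": timedelta(hours=24)},
}

def decide(req):
    # Evaluate one request for one application. Default deny: no rule or any failed
    # check means no access, and an allow is scoped to this app only, never to a network.
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "unknown app: default deny"
    if not (req.groups & rule["groups"]):
        return False, "identity not authorised for app"
    if (rule["managed_only"] and not req.device.managed) or not (req.device.disk_encrypted and req.device.os_patched):
        return False, "device posture failed"
    if req.now - req.auth_time > rule["max_auth_age"]:
        return False, "authentication stale: re-verify"
    return True, "allow"

# Constructed samples: the same user and device get different answers per app and over time.
T0 = datetime(2026, 4, 27, 9, 0, tzinfo=timezone.utc)
MANAGED = Device(managed=True, disk_encrypted=True, os_patched=True)
BYOD = Device(managed=False, disk_encrypted=True, os_patched=True)

def evaluate_samples():
    fin = {"finance", "staff"}
    return {
        "finance_payroll_managed": decide(Request(fin, "payroll", MANAGED, T0, T0 + timedelta(hours=1))),
        "finance_payroll_byod": decide(Request(fin, "payroll", BYOD, T0, T0 + timedelta(hours=1))),
        "finance_payroll_stale": decide(Request(fin, "payroll", MANAGED, T0, T0 + timedelta(hours=9))),
        "contractor_payroll": decide(Request({"contractors"}, "payroll", MANAGED, T0, T0)),
        "contractor_wiki_byod": decide(Request({"contractors"}, "wiki", BYOD, T0, T0)),
        "contractor_unknown_app": decide(Request({"contractors"}, "git", MANAGED, T0, T0)),
    }
```

Contrast this with the VPN model above, where the only check is the initial authentication and everything reachable on the network is then in scope; here a finance user on an unmanaged laptop, or with a day-old login, is refused payroll while still being allowed the wiki.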
