Security

VPN vs zero trust network access (ZTNA): what changed, and what to do

Priya Nandakumar · Network Solutions Lead · 9 min read

For twenty years, giving staff remote access meant one thing: a VPN. It still works, millions of businesses still rely on it, and there is nothing inherently broken about the idea of an encrypted tunnel. What has changed is the threat - and the realisation that the VPN's core assumption, 'once you are in, you are trusted', is exactly what attackers exploit. Zero trust network access is the answer to that flaw. Here is the difference, in business terms.

VPN vs ZTNA compared

                  | Traditional VPN | ZTNA          | What it means
Grants access to  | The network     | One app       | Smaller blast radius
Trust model       | Once at login   | Every time    | Continuous
Checks device     | Rarely          | Yes           | Health-aware
Network visible   | Yes             | Hidden        | Less to attack
If login stolen   | Roam widely     | One app only  | Contained

How a VPN works, and its one big assumption

A VPN - virtual private network - builds an encrypted tunnel from a remote device back to your office network, so a laptop at home behaves as if it were plugged in at the office. If you want the basics first, our plain-English guide to business VPNs covers them.

The catch is what happens after connection. A traditional VPN drops the user onto the network and, by default, trusts them broadly - they can often reach far more than the one app they actually needed. The model is 'authenticate once at the door, then roam the building'. That was fine when threats were outside the walls. It is dangerous now, because a single phished password or one compromised laptop hands an attacker that same broad, trusted access.

What zero trust network access does differently

ZTNA flips the assumption. Instead of 'connect to the network, then you are trusted', it is 'never trust by default, verify every time, and grant access only to the specific application you are entitled to - nothing more'. The guiding idea behind it is covered in zero trust, simply explained.

In practice, a user is connected to one application at a time, after their identity and often the health of their device are checked - and they never see the wider network at all. The other apps, servers and shares are invisible to them, which means invisible to an attacker who steals their login too. Access is continuously evaluated, not granted once and forgotten.

  • VPN: connects you to the network, then largely trusts you to roam it.
  • ZTNA: connects you to one named application, after verifying who and what you are, every time.
  • VPN exposes the network's existence; ZTNA hides everything you are not explicitly allowed to use.

Why this matters for an ordinary UK business

The shift is not academic - it maps directly onto how breaches actually happen. Most start with stolen credentials or a compromised device. With a VPN, that foothold often means lateral movement: the attacker spreads sideways across a flat, trusted network towards your servers and data.

With ZTNA, the same stolen login reaches only the single app that user was permitted, and even that is gated by device checks and continuous verification. The blast radius shrinks from 'the whole network' to 'one application'. For a firm that has rolled out multi-factor authentication and is thinking seriously about securing remote and hybrid workers, ZTNA is the logical next layer.
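To make the difference between 'authenticate once, then roam' and 'verify every request, per app' concrete, here is a small policy engine written for this article as an added illustration; it is not code from Servnet or from any ZTNA product. The users, devices, applications and entitlements are constructed sample data. It shows what a stolen session can reach under each model, that a VPN rarely looks at device health while ZTNA refuses an unhealthy device, and that because ZTNA evaluates each request, a device that drifts out of compliance mid-session loses access on its next request.

```python
"""Added example: a toy access-policy engine contrasting VPN-style and
ZTNA-style trust. All names and data below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Device:
    """Constructed device-posture signals a ZTNA broker might check."""
    managed: bool
    disk_encrypted: bool
    patched: bool

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.patched


@dataclass
class Session:
    """A logged-in session: who, from what device, and whether MFA succeeded."""
    user: str
    device: Device
    mfa_passed: bool


# Constructed sample: three internal applications behind the perimeter.
APPS = {"payroll", "crm", "file-share"}

# Constructed entitlements: which named application(s) each user may use.
ENTITLEMENTS = {
    "alice": {"crm"},
    "bob": {"payroll", "crm"},
}


def vpn_reachable(session: Session) -> set[str]:
    """Traditional VPN model: the login is the only gate.

    Once authenticated, the user is on the network and every application
    is reachable, regardless of entitlement or device health."""
    if not session.mfa_passed:
        return set()
    return set(APPS)


def ztna_decide(session: Session, app: str) -> bool:
    """ZTNA model: decided per request and per application.

    Requires a verified identity (MFA), a healthy device and an explicit
    entitlement to this specific app. Nothing else is visible."""
    if not session.mfa_passed:
        return False
    if not session.device.healthy():
        return False
    return app in ENTITLEMENTS.get(session.user, set())


def ztna_reachable(session: Session) -> set[str]:
    """Everything the user can reach under ZTNA: only their entitled apps."""
    return {app for app in APPS if ztna_decide(session, app)}


def blast_radius(session: Session) -> dict[str, set[str]]:
    """What the same session (stolen or not) reaches under each model."""
    return {"vpn": vpn_reachable(session), "ztna": ztna_reachable(session)}


if __name__ == "__main__":
    healthy = Device(managed=True, disk_encrypted=True, patched=True)
    alice = Session("alice", healthy, mfa_passed=True)
    print("Stolen session, healthy laptop:", blast_radius(alice))

    # Continuous evaluation: the device falls out of compliance mid-session.
    alice.device = Device(managed=True, disk_encrypted=True, patched=False)
    print("Same session after patch lapse:", blast_radius(alice))
```

Running it prints that the VPN model hands the session all three applications in both cases, while the ZTNA model grants only `crm` on a healthy device and nothing once the device is unpatched. The point the table above makes in words, 'roam widely' versus 'one app only' and 'rarely' versus 'health-aware', is exactly the difference between `vpn_reachable` and `ztna_decide`.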

VPN or ZTNA for this access? (decision guide)
Start with: how sensitive is the app, and how many remote users?
  • Low-risk, few users → a hardened VPN is fine
  • Sensitive systems → move to ZTNA
  • Identity already sorted → ZTNA: per-app, verify every time

The honest trade-offs

ZTNA is not automatically better for everyone on day one, and pretending otherwise leads to disappointment. A VPN you already own and understand is cheap, familiar and good enough for low-risk, occasional access by a handful of trusted staff.

ZTNA usually means a new service to adopt and configure, often delivered from the cloud, and it leans heavily on having your identity and device management in order first - it is far less useful if you do not know who your users are or what state their devices are in. It also shines brightest where you have many remote users, sensitive systems, or compliance pressure. The pay-off is real, but it is a project, not a switch you flip.

What to actually do

You do not have to rip out your VPN this quarter. The sensible path for most UK businesses is staged: tighten the VPN you have now, then move application by application to zero trust where the risk justifies it.

Start by switching on MFA for VPN access and narrowing what each user can reach once connected. Then identify the handful of sensitive apps that most deserve per-app, verify-every-time access, and pilot ZTNA there. Our VPN-to-ZTNA migration guide walks through the technical move; ZTNA usually arrives bundled with cloud-delivered security in the platforms we compare in our SASE platform guide; and our zero trust service can help you sequence it without breaking how people work.

Key takeaways
  • A VPN connects you to the network and then largely trusts you; ZTNA connects you to one app after verifying you every time.
  • The VPN's 'trusted once inside' model is what lets a stolen password or compromised laptop spread across your network.
  • ZTNA shrinks the damage of a breach from 'the whole network' to 'one application', and hides everything else.
  • ZTNA depends on having identity and device management in order first - it is a project, not a quick switch.
  • Do not rush: harden your existing VPN with MFA, then move sensitive apps to zero trust where the risk justifies it.

FAQs — VPN vs zero trust network access (ZTNA)

Understanding the difference

Does ZTNA replace a VPN completely?

It can, eventually, but most businesses move gradually rather than all at once. ZTNA covers the same remote-access need while removing the VPN's broad network trust. A common path is to keep the VPN for low-risk access while shifting your sensitive applications to ZTNA first, then retiring the VPN once everything has moved.

Is ZTNA just a VPN with extra steps?

No - the difference is fundamental. A VPN puts you on the network and trusts you to roam; ZTNA connects you only to a specific application after verifying your identity and device, and keeps the rest of the network invisible. The result is a far smaller blast radius if a login or device is ever compromised.

Adopting it

Do we need ZTNA if we already have MFA on our VPN?

MFA on your VPN is a strong and necessary step, but it still grants broad network access once you are in. ZTNA adds per-application control and continuous verification on top, so a compromised session reaches one app rather than everything. They complement each other; ZTNA is the next layer, not a replacement for MFA.

What do we need in place before adopting ZTNA?

Chiefly, sorted identity and device management - knowing who your users are, ideally with single sign-on and MFA, and having some control over the devices connecting. ZTNA makes its decisions based on identity and device health, so the more reliable those are, the better it works. Getting that foundation right first is most of the battle.
