VPN vs ZTNA: what’s better for an organization’s security?

Perhaps the most important job of any IT systems department is ensuring the security of the organization’s network. That means keeping it safe from external threats like malware and ensuring there is no possibility of unauthorized access. That’s no easy task in a world where many companies have employees working in several different offices and from home or other remote locations. Add into that mix the fact that lots of organizations allow staff to bring their own devices to work and connect them to the network, and it becomes even more difficult. There are two tools that most organizations use to maximize security: virtual private networks (VPN) and zero-trust network access (ZTNA). But what are they? And what’s the difference between them? Which is better for an organization’s security? We’ll answer all of those questions here.

What is VPN?

Let’s start by defining what we mean by VPN and ZTNA. VPN has three tools to ensure security: encryption, authorization, and tunneling. When a device logs into an organization’s VPN using a VPN client, it has access to the organization’s network. All traffic between the device and the network is encrypted, and the device’s IP address is hidden. Traffic between the device and the network travels in a ‘tunnel’ directly between the device and the network. The principle behind VPN is that once a device has been authorized, usually with multifactor authorization involving a second device, it has access to the whole network.

What is ZTNA?

ZTNA is different from VPN in that access to the network can be restricted depending on the device and the context of its use. So, for example, a specific device could be limited to access certain servers but not others or a single content management system. Or that access could be different depending on whether the device is connected from the user’s normal location — say, their home — or another remote location. The ‘zero-trust’ aspect of ZTNA means that no device is trusted until it’s verified and, even then, is allocated the fewest privileges possible. Access to further resources requires new verification.



In some ways, ZTNA can be viewed as an evolution of VPN. Where VPN verifies a user’s identity once and then ‘trusts’ them with access to the whole network, ZTNA never trusts, even after verification, and so only grants access to a device after verification in accordance with the organization’s policies for that device and the context in which it’s connecting. In terms of security, this means that on a network using a VPN, an attacker would only need to pass the first authentication and would have access to the whole network, whereas on a network using ZTNA, even successfully verifying a device would only give the attacker access to a small part of the network. If the attacker tries to access a different part of the network, they would have to re-verify. That makes it much more difficult for an attacker and limits the damage they can do. It will also slow down an attack.


When a user logs into a VPN, the IT admin can only see that they’ve logged in, when they logged in, and when they logged out again. When they log in using ZTNA, the IT admin can see exactly what services or apps they are accessing and how long they spend using them because they need to verify each request to use an app or service. This allows the admin to look out for patterns of behavior that might indicate a misuse of company resources or a malicious attack. It also allows them to monitor inventory and see, for example, which apps are used heavily and which are not, and by whom. That can help plan licenses and future resource allocation.


Speed is another important consideration when trying to decide between ZTNA vs VPN. VPNs route data through multiple servers and then through a central point in a data center. That can cause latency and slow down access. ZTNA works differently, connecting the user directly to the application or service they request without the need to route data through a central point.

Ease of use

There are two aspects to consider with regard to the ease of use: initial deployment and the user experience. In terms of user deployment, VPN is straightforward. IT admin installs and configures a VPN client on each device and then, probably, sets up a single-sign-on system so that users can use the same username and password for everything in the network. The user then has to sign onto the VPN when they want to access the network, probably at the start of each day, and then sign off again in the evening.

ZTNA is more complicated to deploy, but not greatly so. And while it does require the user to authenticate every app or service they access, it’s not a huge inconvenience. There’s little to separate VPN and ZTNA in terms of ease of use.


As you can see, VPN and ZTNA do a very similar job, but with some crucial differences. They are both designed to protect networks from ‘end-point’ attacks where a malicious user can enter a network and steal data or cause damage. VPNs do it by authenticating access to the network, encrypting data, and sending traffic through a secure tunnel to a central point in a data center. ZTNA is more sophisticated and, once verified, provides access only to the parts of the network that the user and their current context have privileges for. They must request access to anything else and authenticate again. ZTNA also routes traffic directly from the user to the app or service. Each has their place, with the relative simplicity of VPN more suited to smaller organizations with fewer systems and resources and ZTNA suited to larger organizations.