Zero Trust Network vs. VPN
Traditionally, organizations have relied on VPNs to give remote workers access so they can operate securely, as though they were sitting at their desk in the office. Increasingly, this is considered insufficient from a security perspective, and the move is towards zero-trust network access (ZTNA) solutions, even for local access at the corporate office.
No One Is Trusted

According to the Government of Canada GCWiki, a Zero Trust Network is a holistic approach to network security that assumes no one is trusted by default. This added layer of security requires strict identity verification of every person and device, whether inside or outside the network perimeter, before access to vulnerable resources is granted.
How It Works
Because access is denied by default, even if someone gets into your network, the ZTN design will prevent or limit exfiltration of sensitive data and greatly improve your ability to defend against modern cyber threats.
The set-up is much more complex than for a conventional network. The ZTN grants each user access only to those applications, data, services and systems that have been predefined as needed for that user's job.
This means that someone needs to go through the security exercise of identifying these specific, limited authorizations.
There are two approaches:
- The first involves deploying software on each network endpoint. For each access request, if policy permits, a user or device is allowed access via a gateway that initiates a session.
- With the second approach, a connector appliance on the network initiates connections to the ZTNA provider's cloud. If policy permits, a ZTNA controller initiates a session.
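To make the deny-by-default decision concrete, here is an added example (not from the article or from any ZTNA product) that contrasts a perimeter-style decision, where being on the internal network is enough, with a zero-trust one that checks identity, authorization and device posture for a predefined application and ignores location. The policy table, the request fields and the posture checks are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    """One access request as the gateway/controller would see it (assumed fields)."""
    user: str
    groups: frozenset            # directory groups the verified identity belongs to
    device_managed: bool         # enrolled in enterprise device management
    device_compliant: bool       # e.g. disk encrypted, patches current (assumed posture signals)
    mfa_verified: bool           # identity strictly verified for this session
    inside_network: bool         # on the corporate LAN or VPN
    application: str             # the specific application being requested

# Constructed policy: the predefined, limited authorizations the article describes.
# Anything not listed here is denied, regardless of where the request comes from.
POLICY = {
    "payroll": {"group": "finance", "require_compliant_device": True},
    "wiki":    {"group": "staff",   "require_compliant_device": False},
}

def perimeter_decision(req: AccessRequest) -> bool:
    """Classic perimeter/VPN model: anyone on the inside is trusted for everything."""
    return req.inside_network

def zero_trust_decision(req: AccessRequest) -> tuple:
    """ZTNA model: deny by default, verify identity and device, authorize per application."""
    rule = POLICY.get(req.application)
    if rule is None:
        return False, "no policy for application"          # not predefined -> denied
    if not req.mfa_verified:
        return False, "identity not verified"              # location never substitutes for identity
    if rule["group"] not in req.groups:
        return False, "user not authorized for application"
    if rule["require_compliant_device"] and not (req.device_managed and req.device_compliant):
        return False, "device posture insufficient"
    return True, "allowed"                                 # session may now be brokered by the gateway

if __name__ == "__main__":
    # Constructed sample: an unverified host that has reached the internal network.
    inside = AccessRequest("guest", frozenset(), False, False, False, True, "payroll")
    print("perimeter:", perimeter_decision(inside), "zero trust:", zero_trust_decision(inside))
```

The same request that the perimeter model waves through is refused under zero trust, and a remote finance user on a compliant managed device is allowed, which is the reversal the article describes.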
It’s Not Trivial
Forrester suggests looking at it as 3 pillars to simplify adoption:
Control People
This pillar focuses on making sure users and their devices can be trusted as they access systems, regardless of location. This pillar is the one that we tend to think of when discussing Zero Trust.
Control Applications
This pillar focuses on preventing unauthorized access within application environments irrespective
Control Devices
This pillar focuses on securing access to the network and for any and all devices (including IoT) that connect to enterprise networks.
The US CISA (Cybersecurity and Infrastructure Security Agency) suggests 5 pillars: Identity, Device, Network, Application Workload, and Data.
Moving Forward
As it's a philosophy/strategy rather than an architecture, technology or product, implementing zero trust can be challenging and complex. Some legacy applications don't work well with Zero Trust, and it's easy to miss things.
Experts suggest conducting a pilot or single-use-case project that can be completed reasonably quickly and whose scope is manageable. The most important goal is a successful outcome. The process will also let you identify which planning and implementation processes work and which don't.
If you’d like to comment on this article or explore these ideas further, contact me at ellen.
This article was published in the November 2022 edition of The TMC Advisor - ISSN 2369-663X Volume:9 Issue:6
©2022 TMC Consulting