
What Is Zero Trust Network Access (ZTNA)?

Traditional network security models, such as perimeter-based security, rely on the assumption that everything inside a network can be trusted. However, this approach is no longer sufficient to protect today’s dynamic and distributed IT ecosystems, where private applications can be hosted anywhere, from the data center to multicloud environments, and employees require secure application access from everywhere, using managed and unmanaged user devices.

Zero Trust Network Access (ZTNA) is an approach to providing secure user access to resources (such as private applications, internal systems, and software as a service (SaaS) applications) that is built on strict access controls and continuous verification. ZTNA operates under the principle of “never trust, always verify,” which means that no user or device, whether inside or outside the network perimeter, is automatically trusted. Instead, ZTNA authenticates every user and device and authorizes each request before granting access to an application or resource, regardless of where the user or the application is located.

ZTNA is considered a core pillar of modern cloud security strategies and is frequently cited by Gartner as a foundational component of Secure Access Service Edge (SASE) architectures.


The Shift from VPNs and Perimeter Security to Zero Trust

In the past, organizations have relied on technology such as firewalls that built strong walls around their networks. Access to private applications was largely decided by where an employee was located. Employees in the office and connected to the corporate network were “trusted” and given access to applications and resources. Remote employees who needed the same applications and workloads typically connected through a virtual private network (VPN), which placed their device on the corporate network as well.

Businesses will likely apply different access permissions and access policies based on where the employee is located. If they are on-premises, they may have access to more resources. If they are remote, they may only have access to specific applications.

However, with the move to multicloud and work-from-anywhere models, enterprises have now realized that this method of managing access needs a new approach. VPN-based access expands the attack surface and can increase exposure to threats such as malware and ransomware by granting overly broad network access. As a result, organizations began shifting toward software-defined perimeter (SDP) architectures that restrict access at the application layer rather than the network layer — an approach that underpins ZTNA.

The Zero Trust security model

The concept of Zero Trust security offers far greater protection for enterprises than traditional perimeter defenses. Zero Trust security operates under an ‘assume breach’ mindset, meaning systems are designed with the expectation that attackers may already have gained access to parts of the environment. ZTNA is a critical security solution for any enterprise that wants to transition to a Zero Trust security model.

How does ZTNA work?

ZTNA is an architecture that grants secure access to applications and resources based on strong authentication, authorization, and context.

A ZTNA architecture provides access only to the applications and workloads that employees need to do their jobs, and not the entire network. Where an application is hosted is irrelevant — on-premises, public, or private cloud — authenticated users only get granular access to applications that they have been authorized to use. And with a ZTNA architecture, the employee’s location is irrelevant — the same access policies are applied when they are working from the office on the corporate network, at home, or at their favorite coffee shop. This ensures consistent protection for remote users and hybrid workforces.

Many ZTNA solutions use a broker or proxy service, often implemented as an identity-aware proxy (IAP), that evaluates user identity and contextual signals before connecting users to applications. The second component is an access connector, most typically a virtual machine, deployed wherever the private applications run, on-premises or in cloud environments. The access connector links to the private application and makes an outbound connection to the IAP, so no inbound port has to be opened toward the application. When a user requests an application, the IAP authenticates the user, validates the device, and authorizes access to that specific application. The user is only granted access to the applications required for their job role, and that access is continuously reassessed. If the device posture changes, access can be revoked in near-real time.

How does ZTNA increase security posture?

ZTNA strengthens cybersecurity posture in several important ways:

  • Applications are hidden from the public internet, reducing exposure to scanning and discovery by cybercriminals.
  • Outbound-only connections eliminate the need for exposed inbound firewall ports.
  • Replacing or reducing VPN usage shrinks the attack surface.
  • Application-level segmentation constrains lateral movement, because a session is bound to one application rather than to a network.
  • Granular access policies enforce least-privilege principles, limiting user access to only what is required.
  • Continuous verification of identity and device posture means a stolen credential on its own is not enough to reach an application, which limits how far malware or ransomware can spread through compromised accounts.

Because users never receive full network-level access, the risk of lateral movement from compromised devices is limited — significantly reducing breach impact.
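The broker flow described under “How does ZTNA work?” and the least-privilege and continuous-verification points in the list above, as an added illustrative example that is not Akamai’s code or any product’s policy language. It is a toy identity-aware proxy policy engine: the HMAC token scheme, the application names, the group directory and the posture fields are all assumptions constructed for the example. Note that there is no grant for “the network”; every policy entry names one application, the engine is default-deny, and an existing session is re-evaluated when device posture changes.

```python
"""Toy identity-aware proxy (IAP) policy engine, added to illustrate the ZTNA
broker flow on this page. Not Akamai's code; every name here is an assumption."""
from dataclasses import dataclass, replace
import hashlib
import hmac

# Constructed signing key standing in for tokens issued by an identity provider.
SECRET = b"demo-idp-signing-key"


@dataclass
class Device:
    managed: bool        # enrolled in device management
    os_patched: bool
    disk_encrypted: bool


@dataclass
class Request:
    user: str
    token: str           # constructed format: "user|expiry|hmac-tag"
    app: str             # the single application being requested
    device: Device
    mfa_passed: bool
    now: float


# Per-application policy: who may reach it and what posture it demands.
# There is deliberately no entry that grants a subnet or "the network".
POLICY = {
    "payroll": {"groups": {"finance"}, "require_managed": True, "require_mfa": True},
    "wiki": {"groups": {"finance", "eng"}, "require_managed": False, "require_mfa": False},
    "git": {"groups": {"eng"}, "require_managed": True, "require_mfa": True},
}
GROUPS = {"alice": {"finance"}, "bob": {"eng"}}   # constructed directory data


def mint_token(user: str, expires_at: float) -> str:
    """Issue a signed, expiring token (stands in for an IdP-issued assertion)."""
    tag = hmac.new(SECRET, f"{user}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{expires_at}|{tag}"


def verify_token(token: str, now: float):
    """Return the user the token names, or None if it is forged or expired."""
    try:
        user, exp, tag = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or float(exp) <= now:
        return None
    return user


def posture_ok(device: Device, rule: dict) -> bool:
    """Device checks: always require patched + encrypted; managed only if the app says so."""
    if rule["require_managed"] and not device.managed:
        return False
    return device.os_patched and device.disk_encrypted


def authorize(req: Request):
    """Default-deny decision for one user, one device, one application.

    Order matters: authenticate first, so an unauthenticated caller learns
    nothing about which applications exist behind the proxy."""
    user = verify_token(req.token, req.now)
    if user is None or user != req.user:
        return False, "invalid or expired token"
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "unknown app"
    if not (GROUPS.get(user, set()) & rule["groups"]):
        return False, "not entitled to app"
    if rule["require_mfa"] and not req.mfa_passed:
        return False, "mfa required"
    if not posture_ok(req.device, rule):
        return False, "device posture"
    return True, "ok"


def reevaluate(session: Request, new_device: Device):
    """Continuous verification: rerun policy with fresh posture and revoke on failure."""
    allowed, reason = authorize(replace(session, device=new_device))
    return ("active" if allowed else "revoked"), reason


if __name__ == "__main__":
    now = 1_700_000_000.0
    laptop = Device(managed=True, os_patched=True, disk_encrypted=True)
    session = Request("alice", mint_token("alice", now + 3600), "payroll", laptop, True, now)
    print("initial:", authorize(session))
    print("after encryption is turned off:", reevaluate(session, replace(laptop, disk_encrypted=False)))
```

The point the example makes is structural: the decision is per application and per request, it depends on identity, entitlement, MFA and posture together, and a session does not stay valid just because it was valid a moment ago. A real IAP would validate tokens from an identity provider rather than a shared secret, and posture would come from an endpoint agent rather than a dataclass.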

What are common ZTNA use cases?

ZTNA is especially valuable for organizations implementing Zero Trust frameworks or transitioning toward a broader SASE architecture. Typical use cases of ZTNA include:

  • Providing secure access for remote users without traditional VPNs
  • Enabling secure BYOD access for contractors and third parties
  • Protecting applications hosted in multicloud or SaaS environments
  • Modernizing legacy data center access controls
  • Supporting digital transformation and cloud security initiatives

What is Akamai’s Zero Trust Network Access solution?

Enterprise Application Access: Give your workforce fast, secure remote access with Zero Trust Network Access from endpoint devices, with no more slow, clunky VPNs.

Secure Internet Access: Explore Secure Internet Access, a cloud-based secure web gateway.

Akamai MFA (Multi-Factor Authentication): Prevent employee account takeover and data breaches with phish-proof MFA.

Frequently Asked Questions

What is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) is a security framework that provides identity-based, application-level access instead of granting broad network access. Unlike traditional perimeter security, ZTNA follows the principle of “never trust, always verify,” requiring continuous authentication and authorization of every user, device, and session.

Rather than placing trust in a network location, ZTNA creates secure micro-perimeters around individual applications. This approach limits lateral movement and reduces the impact of malware or ransomware attacks inside an IT environment.

While ZTNA strengthens cybersecurity posture, implementing it requires careful policy design to balance security, usability, and operational efficiency.

What is the principle of Zero Trust?

The principle of Zero Trust is “never trust, always verify.” First introduced by Forrester Research in 2010, the Zero Trust model eliminates implicit trust based on network location.

Instead of assuming users or devices inside a network are safe, Zero Trust requires continuous verification of identity, device posture, and access context before granting access to applications or data. This approach reduces the risk of unauthorized access and limits the spread of cyberattacks within modern IT environments.


What are the main challenges of implementing ZTNA?

The main challenges of Zero Trust Network Access (ZTNA) involve policy complexity, integration, and user experience. ZTNA relies on detailed access policies that define which users and devices can access specific applications.

If policies are too restrictive, productivity and user experience suffer. If they are too permissive, the organization gives back the attack-surface reduction it adopted ZTNA for. Successful ZTNA implementation requires integration with identity providers, device posture checks, and cloud or Secure Access Service Edge (SASE) architectures to ensure scalable and consistent security enforcement.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Related Blog Posts

What Is DNSSEC, and How Does It Work?
Read how DNSSEC adds cryptographic signatures to DNS records so that resolvers can verify that the answers they receive are authentic and unmodified.
Anatomy of a SYN-ACK Attack
Learn how TCP SYN-ACK reflection attacks work, why they are uncommon, and the concerns they raise for security.
Why (and How) APIs and Web Applications Are Under Siege
Read a summary of the latest SOTI report, which tackles the security risks in web applications and APIs, and the infrastructure that powers them.

