ZTNA vs VPN

What are the differences between VPN and ZTNA?

The VPN (Virtual Private Network) and ZTNA (Zero Trust Network Access) are two technologies used to secure access to IT resources. The VPN, combined with a firewall, is still considered state of the art in some companies. However, ZTNA is gaining ground thanks to a different approach that is better adapted to current threats.

“In 2024, ANSSI has also observed the amplified exploitation of vulnerabilities affecting devices exposed on the Internet – including security devices implemented by countless entities as a means to secure remote access to the IS (e.g. firewalls or VPN gateways). Over the past year, ANSSI was notified of the compromise of thousands of edge devices across France and processed dozens of security incidents linked to the exploitation of software vulnerabilities on these devices, which represent prime targets for attackers”

French Cybersecurity Agency (ANSSI)

Operation

  • The VPN establishes a secure connection between a user and a private network, usually a company's network.
  • The ZTNA, on the other hand, creates logical access boundaries around specific applications rather than granting full access to the network. It applies security policies based on the user's identity and context rather than their location or network membership.

Scope

  • The VPN allows the user to securely access an organization's entire network, as if they were physically connected to the local network.
  • The ZTNA restricts access to specific applications based on the user's needs and defined security policies, without giving general access to the network. It natively enforces a least-privilege access policy.

Security Model

  • The VPN often relies on a "trust but verify" security model, where once the user is authenticated, they are generally allowed to access all network resources.
  • The ZTNA follows the "never trust, always verify" security model, where access is granted based on granular policies that continuously verify the user's identity, context, and compliance before allowing access to a specific application.
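As an added illustration of the two models described under Scope and Security Model (example code written for this page, not Chimere's product or code), a minimal policy check: the ZTNA side re-evaluates identity, device compliance and authentication freshness per application on every request, while the VPN side grants network-level reachability after a single authentication at the gateway. The applications, groups, hosts and thresholds are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    """One access attempt; every field is re-evaluated on every request (constructed)."""
    user: str
    groups: frozenset          # identity: group memberships from the identity provider
    device_compliant: bool     # compliance: posture reported by the endpoint agent
    mfa_age_min: int           # context: minutes since the last strong authentication
    app: str                   # the single application being requested


# Constructed ZTNA policy: one rule set per application; anything absent is unreachable.
ZTNA_POLICY = {
    "hr-portal": {"groups": {"hr"}, "require_compliant": True, "max_mfa_age_min": 60},
    "git": {"groups": {"dev", "ops"}, "require_compliant": True, "max_mfa_age_min": 480},
    "wiki": {"groups": {"dev", "ops", "hr"}, "require_compliant": False, "max_mfa_age_min": 1440},
}

# Constructed private network: what a VPN tunnel makes reachable at the network layer.
PRIVATE_NETWORK_HOSTS = {"hr-portal", "git", "wiki", "legacy-db", "printer"}


def ztna_decide(req: Request) -> tuple[bool, str]:
    """Never trust, always verify: identity, compliance and context are checked
    per application on every request; an application without a policy is not reachable."""
    rule = ZTNA_POLICY.get(req.app)
    if rule is None:
        return False, "no policy: application not reachable"
    if not req.groups & rule["groups"]:
        return False, "identity not authorized for this application"
    if rule["require_compliant"] and not req.device_compliant:
        return False, "device posture non-compliant"
    if req.mfa_age_min > rule["max_mfa_age_min"]:
        return False, "re-authentication required"
    return True, "allowed"


def reachable_apps_ztna(req: Request) -> set:
    """Least privilege: the applications this user, device and context can reach."""
    return {app for app in ZTNA_POLICY if ztna_decide(replace(req, app=app))[0]}


def vpn_reachable(authenticated: bool) -> set:
    """Trust but verify: one successful authentication at the gateway yields
    network-level reachability, so every host on the private network is in scope."""
    return set(PRIVATE_NETWORK_HOSTS) if authenticated else set()
```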

Visibility and Control

  • With the VPN, once a user is connected, they can potentially access all network resources, which can make it difficult to monitor and precisely control access.
  • The ZTNA offers more granular visibility and control, as it allows restricting access to specific applications based on defined security rules, enabling better risk management and reducing the attack surface.

Exposure

  • The VPN exposes a gateway on the internet which can itself be vulnerable (See Additional Resources). The VPN gateway is software or hardware and requires maintenance at the company's expense.
  • The ZTNA does not expose any company resources. The ZTNA infrastructure is exposed but is entirely managed and maintained by the provider. In the case of Chimere, this ZTNA infrastructure can be resilient to compromise.

In conclusion, ZTNA limits access to specific applications based on the user's identity and context, while the VPN creates a secure connection giving access to the entire private network of the organization.