TTechclick ⚡ XP 0% All lessons
Zero Trust · ZTNA · ZTNA 2.0Interactive · L1 / L2 / L3

ZTNA Explained: — Zero Trust Network Access That Finally Kills the VPN

Your VPN drops a remote user straight onto the office LAN — and one stolen password lets an attacker roam the whole flat network. ZTNA flips that: it checks identity AND device on every request, then grants access to one app, not the network, over an outbound-only tunnel so your apps are invisible to the internet. This lesson builds the mental model behind 'never trust, always verify'.

📅 2026-06-11 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

ZTNA explained for L1/L2 engineers and Security+: why VPNs enable lateral movement, how Zero Trust Network Access grants per-app least-privilege access, ZTNA 1.0 vs 2.0, and how to roll it out inside SSE/SASE.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why the VPN died

Flat access + one stolen password = whole-LAN breach.

 2

How ZTNA works

Verify identity + device, grant one app, keep it dark.

 3

ZTNA 1.0 vs 2.0

Allow-and-forget vs continuous trust + inspection.

 4

Rolling it out

Connectors, app mapping, phasing out the VPN, SSE/SASE.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A remote user's VPN password is phished. Once the attacker connects, what does a classic VPN let them reach?

Answered in Why the VPN died.

2. In a service-initiated ZTNA design, which way does the connector next to your app open its tunnel?

Answered in ZTNA 1.0 vs 2.0.

3. ZTNA 1.0 allows a session, then trusts it forever. What is the gap ZTNA 2.0 closes?

Answered in How ZTNA works.

Most engineers think…

Most engineers hear "Zero Trust" and picture it as just "a better VPN with MFA bolted on" — same tunnel onto the network, you just log in harder.

Wrong — and it's the misread that sinks interviews. A VPN's whole job is to put you on the network; ZTNA never puts you on the network at all. It brokers a connection to one specific application after checking identity and device posture on every request (NIST SP 800-207: never trust, always verify, least privilege, assume breach). The app sits behind an outbound-only connector, so it has no public listener for an attacker to even find. MFA is a feature; per-app least-privilege access to a dark app is the architecture.

① Why the VPN had to die — flat access is one stolen password from disaster

Picture Sneha, an L1 engineer at Infosys. A sales colleague works from home, fires up the corporate VPN, types a password (plus an OTP), and is in. Convenient. But notice what the VPN actually did: it dropped that laptop onto the office LAN. From that moment the laptop can reach the file server, the HR portal, the finance app, the lab switches — the whole flat internal network — because the VPN's job was to put the user on the network, not in front of one app.

Now phish that one password. The attacker connects over the same VPN and inherits the same broad reach. This is lateral movement: from one foothold they scan the subnet, harvest more credentials, and pivot toward the crown-jewel servers. The VPN never re-asks "should this session reach finance?" — it already said yes to the whole LAN at login. One stolen credential = the whole network.

This is not theoretical. Through 2025 attackers hammered internet-facing VPN appliances as their front door: Ivanti Connect Secure CVE-2025-0282 (unauthenticated RCE) and CVE-2025-22457, plus an actively-exploited FortiOS SSL-VPN 2FA-bypass flaw disclosed in December 2025. Once in, crews like the Akira ransomware group used the VPN foothold to move laterally with freerdp, ssh and nmap and detonate ransomware. The VPN was both the exposed door and the flat hallway behind it.

👉 So far: a VPN grants broad, flat access, so one stolen credential (or one appliance CVE) opens the whole LAN. Next: the principle that replaces that trust model.

The fix is a mindset, written down as NIST SP 800-207: Zero Trust. Its slogan is never trust, always verify, and it rests on a few tenets you must be able to recite. Access is granted per-request (every request is evaluated, not just the first). It follows least privilege (only the access the task needs, and access to one resource never auto-grants another). No network location is inherently trusted — being "inside" means nothing. And you assume breach: design as if an attacker is already in, so you shrink the blast radius rather than trusting a perimeter.

Figure 1 — A VPN drops you onto the flat LAN; ZTNA puts you in front of one app
A stolen VPN password reaches the whole flat LAN; a stolen ZTNA session reaches only the one app it was scoped to A two-column comparison for the same stolen credential. On the left, traditional VPN: a remote user is dropped onto a flat internal LAN, so an attacker with the password can move laterally across file, HR, finance and lab servers. On the right, ZTNA: a broker verifies identity and device and connects the user to only one application; the other apps sit behind outbound-only connectors and stay dark and unreachable, so the blast radius is a single app. Red marks the untrusted attacker and broad reach; green marks the contained, allowed app access. Same stolen credential — VPN flat LAN vs ZTNA per-app access VPN — user onboarded to the flat LAN attacker VPN tunnel → onto LANone login = whole network File server HR portal Finance app Lab switches lateral movement: every host reachable blast radius = the whole LAN ZTNA — brokered to ONE app only attacker Broker / PDPverify identity + device, per request HR portal ✓ (granted) Finance app · dark File server · dark other apps never reachable from this session blast radius = one app untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed app
Read both halves for the same stolen credential. Left (red) = VPN onboards the user to the whole LAN, so the attacker pivots host-to-host. Right (green) = ZTNA brokers access to exactly one app; the rest stay dark and unreachable.

The four Zero Trust tenets, in one tap each

Tap each card — these are straight out of NIST SP 800-207 and they are exactly what an interviewer probes when they say 'define Zero Trust'.

🔁
Never trust, always verify
tap to flip

Every request is checked on identity, device and context — the first packet and the thousandth. So: a valid login is the start of verification, not the end.

🔑
Least privilege
tap to flip

Grant only what the task needs, time-bound; access to one app never implies another. So: a stolen session can't roam.

📍
Location ≠ trust
tap to flip

Being 'inside the network' earns no trust. So: the VPN's 'you're in, you're trusted' assumption is exactly what Zero Trust deletes.

💥
Assume breach
tap to flip

Design as if the attacker is already in: segment, scope, verify continuously. So: you minimise blast radius instead of betting on a wall.

Daily-life analogy — the society gate-pass vs the master key

A VPN is handing a visitor the master key to your whole apartment society after one check at the gate — once inside, they can try every flat. ZTNA is the modern society gate-pass register: the guard verifies who you are and which flat you're visiting, escorts you to that one flat, and the other flats' doors never even appear to you. Lose the gate-pass and an intruder reaches one flat, not the building. Same visitor, very different blast radius.

Quick check · Q1 of 10

Aditya at TCS argues: "We added MFA to the VPN, so we're basically Zero Trust now." What's the flaw in that claim?

Correct: b. MFA strengthens authentication, but the VPN's architecture is unchanged: it still grants broad, flat network access, so anything that compromises the session after login (malware, a stolen token) inherits lateral reach. Zero Trust changes the architecture to per-app least-privilege access, not just the login. MFA is a useful Zero Trust ingredient, so 'not part of it' is wrong; and VPN+MFA is far short of the full definition.

Pause & Predict

Predict: if 'no network location is inherently trusted', what does that imply for traffic between two servers sitting in the SAME data centre, behind the same firewall? Type your guess.

Answer: It implies they shouldn't trust each other just because they share a subnet. Under Zero Trust, east-west (server-to-server) traffic inside the perimeter must also be verified and least-privileged — which is microsegmentation, the very next lesson. The flat 'inside = safe' assumption is what lets an attacker who lands on one internal host fan out to the rest, so Zero Trust removes implicit trust on the inside too, not just for remote users.

② How ZTNA actually works — verify, grant one app, keep it dark

So what does ZTNA do differently, mechanically? Three moves. First, before any access, it evaluates identity (who you are, via your IdP) and device posture (is this laptop healthy — disk encrypted, patched, EDR running?). Second, on success it grants access to one specific application, not the network. Third, the application sits behind a connector that only ever makes outbound connections to the broker — so the app has no inbound listening port exposed to the internet.

That last point is the quiet superpower. Because the connector dials out, your app is dark to the internet: a port scan of your public range finds nothing to attack. Compare that to a VPN concentrator or a reverse proxy, which must expose a public port — exactly the port the 2025 Ivanti and FortiOS bugs were hit on. You cannot exploit a door that never opens from the outside.

The piece in the middle is the broker. In NIST language this is the Policy Decision Point (PDP) plus policy administrator; it decides allow/deny and then tells the Policy Enforcement Point (PEP) — the agent or connector — to stitch the user to the app. That split (PDP decides, PEP enforces) is the Zero Trust control plane vs data plane, and it's prime Security+ exam vocabulary.

ZTNA comes in two flavours that hinge on who owns the device. Endpoint-initiated puts a lightweight agent on a managed laptop and feeds the broker rich posture signals. Service-initiated is clientless — a connector dials out from inside the network and the user reaches the app from a browser, so it fits BYOD and third parties you can't put software on. Most real deployments run both (a hybrid): agent for staff, clientless for everyone else.

Figure 2 — How a ZTNA request is verified and brokered to one dark app
A ZTNA request flow: identity verified at the IdP, device posture and policy checked at the broker, then a session stitched to one dark app over an outbound connector A five-step ZTNA access flow. Step 1 the user with an agent requests an app. Step 2 the broker redirects to the identity provider to verify identity. Step 3 the broker checks device posture and runs the policy engine to decide allow or deny. Step 4 on allow, the broker signals the connector that sits beside the application inside the private network. Step 5 the connector, which only ever dials outbound, stitches the user to that one application; the other applications stay dark with no inbound port. Orange marks the policy decision point, blue the trusted brokered path, green the allowed app. ZTNA request — verify, decide, stitch to one app User + agentremote laptop · Mumbai Identity ProviderEntra ID / Okta · who are you? Broker (PDP)policy engine + administratoridentity + posture + context Connector (PEP)outbound-only · beside appno inbound port HR app ✓ (one app) finance · dark files · dark 1· request app 2· verify identity 3· broker checks device posture + runs policy → allow/deny 4· allow → signal PEP connector dialed OUT earlier (inside-out) 5· stitch to one app user never touches the network — only this one app untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed app
Follow the numbered arrows: the agent/connector authenticates the user at the IdP (1–2), the broker checks device posture and policy (3), then stitches a session to ONE app via its outbound connector (4–5). Notice the app never exposes an inbound port.

▶ Watch one ZTNA request get verified and brokered

Karthik at Wipro, working from a café, opens the internal HR portal through ZTNA. Follow the request from his laptop to the one app it's allowed to reach. Press Play for the healthy path, then Break it to see the failure.

① Requestkarthik@wipro agent asks broker for hr.internal; no network route given yet
② Verifybroker checks IdP identity + device posture (disk-encrypted, EDR on, patched)
③ Decidepolicy engine: allow karthik → hr.internal only; finance + files stay dark
④ Stitchbroker joins user to the outbound connector beside HR; session scoped to one app
Press Play to step through the healthy path. Then press Break it.
ZTNA access policy (JSON) — allow only compliant managed devices in the HR group to reach ONE app
{
  "application": "hr.internal.wipro",
  "session_duration": "30m",
  "policies": [
    {
      "name": "hr-team-compliant-only",
      "action": "allow",
      "include": [ { "group": ["hr-team@wipro.com"] } ],
      "require": [
        { "device_posture": ["disk_encrypted", "edr_running", "os_patched"] },
        { "auth_method": "mfa" }
      ]
    }
  ],
  "default_action": "deny"
}
Expected output
POST /access/apps/hr.internal.wipro/policies  201 Created
policy "hr-team-compliant-only" attached (precedence 1)
default_action = deny  (all non-matching requests blocked)
note: app reachable only via outbound connector wpr-conn-01 (no public ingress)
🖥️ This is the screen you'll use to publish one private app behind ZTNA — Cloudflare One → Zero Trust → Access controls → Applications → Add an application → Self-hosted. Policies are deny-by-default. (Recreated for clarity — your console matches this.)
one.dash.cloudflare.com · Zero Trust · Access controls · Applications
1
Application type
Self-hosted (private)
2
Application name
HR Portal — Wipro
3
Public hostname / domain
hr.internal.wipro.example
Identity provider
Microsoft Entra ID
4
Policy · Action
Allow
Policy · Require
Group = hr-team · Device posture = compliant
Default
Deny (no matching Allow = blocked)
Add application
Common mistake — "I published the app but ZTNA gave me the WHOLE subnet"

Symptom: you onboard hr.internal but users can suddenly also ping the database and the file server next to it. Cause: you defined the app as a network range / CIDR (e.g. 10.20.0.0/16) instead of a single hostname or host — that's a VPN habit, and it re-creates flat access. Fix: scope each ZTNA app to a specific hostname or /32 (or a precise port on one host) so a session reaches exactly that app and nothing else. ZTNA's whole point is per-app, not per-subnet — if you map subnets you've built a fancier VPN.

Quick check · Q2 of 10

Meera at HCL asks: "With service-initiated ZTNA, how does the app stay invisible to internet attackers even though remote users reach it?"

Correct: c. In service-initiated ZTNA the connector makes an outbound (inside-out) connection to the broker; the app never opens an inbound public port, so a port scan finds nothing to attack while verified users are stitched in via the broker. A hidden-but-open port is still scannable; users never hit the app's public IP directly; and a block-everything rule would also block the legitimate users.

Pause & Predict

Predict: a contractor on their own unmanaged laptop needs browser access to one internal tool. Which ZTNA flavour fits, and what signal do you LOSE compared with a managed laptop? Type your guess.

Answer: Service-initiated (clientless) ZTNA fits — you can't install a corporate agent on a device you don't own, and a connector lets them reach just that tool from a browser. What you lose is rich device posture: without an agent you can't deeply attest disk encryption, patch level or EDR, so you lean harder on identity, MFA and tighter app scoping (and maybe browser-isolation) to compensate. That trade-off is exactly why most shops run a hybrid: agent for staff, clientless for outsiders.

③ ZTNA 1.0 vs 2.0 — 'allow and forget' is the gap attackers use

Early ZTNA products (call them ZTNA 1.0) fixed the biggest VPN sin — they stopped dumping users onto the network. But they kept a dangerous habit: allow once, then trust forever. Once a session was permitted, the allowed traffic was waved through with no further inspection, and access was often coarse — a whole app or a port range rather than a precise function. Palo Alto bluntly calls this allow and ignore.

Why does that matter? Because, as the data goes, roughly 100% of breaches occur on allowed activity. Stolen-but-valid credentials, a compromised but "approved" laptop, malware riding a permitted session — all of it looks allowed. If you stop inspecting the moment you say yes, you're blind to exactly the attacks that matter most. "Allow and forget" is the seam attackers slip through.

👉 So far: ZTNA 1.0 verifies once then trusts the session and rarely inspects it. Next: what ZTNA 2.0 adds to close that seam.

ZTNA 2.0 closes it with three changes. Continuous trust verification: after access is granted, the broker keeps watching device posture, user behaviour and app behaviour, and can revoke access in real time if something turns suspicious — trust is a dial, not a one-time gate. Continuous security inspection: all allowed traffic is inspected deeply and continuously to catch threats (even zero-days) and data leakage, not just at connection time. And true least privilege: access is granted at the app and sub-app level by identifying the application at Layer 7 (App-ID), independent of IP and port — so you can allow "read the wiki" without allowing "admin the wiki."

Figure 3 — ZTNA 1.0 trusts the session forever; ZTNA 2.0 keeps verifying and inspecting
ZTNA 1.0 allows once then trusts the session with no inspection; ZTNA 2.0 continuously verifies trust and inspects the allowed traffic, revoking access when posture or behaviour changes A two-timeline comparison. The top timeline is ZTNA 1.0: a single check at connection time, then a long allowed session with no inspection, during which malware on the allowed activity reaches the app unnoticed. The bottom timeline is ZTNA 2.0: an initial check followed by repeated continuous trust verification and continuous inspection checkpoints along the session, so when device posture drops or behaviour looks malicious, access is revoked in real time. Red marks the uninspected risk window, amber the policy checkpoints, green the inspected and allowed state. Allow-and-forget vs continuous verification + inspection ZTNA 1.0 — allow once, then trust forever (no inspection) check at login allowed session — uninspected risk window malware rides allowed session app 🔓 ZTNA 2.0 — continuous trust verification + continuous inspection re-verifyinspectre-verify posture + behaviour + traffic checked the whole time posture drops /bad behaviour accessREVOKED untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed app
Compare the two timelines. Top (red→grey) = ZTNA 1.0 checks once, then the allowed session runs uninspected — malware rides it. Bottom (blue/green) = ZTNA 2.0 re-checks trust and inspects continuously, so posture drop or bad behaviour pulls access mid-session.

ZTNA 1.0 → 2.0, the three upgrades

Tap each card. These are the exact three gaps ZTNA 2.0 was built to close — and the lines that win the interview question 'what's wrong with first-gen ZTNA?'.

🔍
Continuous inspection
tap to flip

1.0 stops inspecting once allowed; 2.0 inspects allowed traffic deeply, the whole session. So: malware on a permitted session gets caught, not waved through.

📉
Continuous trust
tap to flip

1.0 trusts the session forever; 2.0 re-checks posture/behaviour and can revoke mid-session. So: trust is a dial that drops, not a one-time gate.

🎯
Sub-app least privilege
tap to flip

1.0 grants a whole app/port; 2.0 uses L7 App-ID to allow a function, not the box. So: 'read the wiki' without 'admin the wiki'.

📊
Why it matters
tap to flip

~100% of breaches ride allowed activity. So: stopping at 'allow' is being blind to the attacks that actually land.

Arjun at ICICI faces this

Arjun, an L2 analyst, sees an alert: a developer's laptop — already granted ZTNA access to an internal Git app this morning — is now exfiltrating large volumes from it at 2 a.m., long after the dev went home.

Likely cause

The session was legitimately allowed at login (valid identity, MFA), but the laptop was compromised afterward. Under a ZTNA 1.0 'allow and forget' model, the allowed session keeps flowing uninspected — exactly the 'breach on allowed activity' pattern.

Diagnosis

Arjun checks whether continuous trust verification and inspection are even on. He looks at the session's posture/behaviour signals and the data-volume anomaly the broker should be flagging in real time.

Broker console → Zero Trust → Access controls → Sessions → (this user/app) → Trust signals & inspection logs
Fix

Enable ZTNA 2.0 controls on the app: continuous trust verification (posture + behaviour re-checked) plus continuous inspection/DLP on allowed traffic, with an auto-revoke rule when behaviour deviates. Tighten the app scope to least privilege at the function level.

Verify

Re-test: simulate an off-hours bulk pull → the broker's behaviour engine flags the anomaly, revokes the session in real time, and the inspection/DLP log shows the blocked transfer instead of a silent success.

ZTNA 2.0 continuous policy (YAML) — re-verify posture + inspect allowed traffic, auto-revoke on drift
app: git.internal.icici
continuous_access:
  reevaluate_every: 60s
  device_posture:
    require: [ disk_encrypted, edr_running ]
    on_fail: revoke_session
  inspection:
    threat_prevention: true
    dlp: true            # inspect ALLOWED traffic, not just at login
  behaviour:
    anomaly: high
    on_trigger: revoke_session
least_privilege:
  app_function: read       # L7 App-ID: allow read, deny admin/push
Expected output
policy applied to git.internal.icici (ZTNA 2.0)
continuous trust verification: ENABLED (60s re-eval)
continuous inspection: threat-prevention + DLP ON for allowed traffic
sub-app least privilege: function=read (admin/push denied)
test event: off-hours bulk read -> anomaly high -> session REVOKED
Quick check · Q3 of 10

An interviewer asks Neha: "Give the single biggest reason ZTNA 1.0 still gets breached even though it doesn't put users on the network." Best answer?

Correct: b. ZTNA 1.0's 'allow and forget' is the core flaw: once a session is permitted it's trusted indefinitely and the allowed traffic isn't inspected, so stolen-credential and malware-on-allowed-session attacks slip through — and almost all breaches occur on allowed activity. Using a connector and hiding apps are strengths of ZTNA, not weaknesses; MFA being mildly annoying isn't a breach cause.

Pause & Predict

Predict: ZTNA 2.0 inspects even the ALLOWED traffic continuously. Name one threat that catches which 'verify identity once at login' would completely miss. Type your guess.

Answer: Stolen-but-valid credentials (or a session-token theft). At login the attacker passes identity cleanly — the password and MFA are real — so an identity-only, login-time check says 'allowed' and stops watching. Continuous inspection of the allowed traffic then catches the malicious behaviour that follows: data exfiltration, lateral probing, malware command-and-control, or a posture drop. The same logic catches a laptop that was healthy at login but gets infected mid-session.

④ Rolling out ZTNA — connectors, app mapping, and retiring the VPN

You won't rip the VPN out on a Friday. A real rollout is a ladder. Step 1 — place connectors. Put a connector beside each pool of apps — one (ideally two for HA) per data centre, per cloud VPC, per branch with private apps. They dial out, so you open no inbound firewall ports. Step 2 — map your apps. Inventory every private app and define each as a specific hostname or host, never a subnet (that subnet habit is what re-creates flat VPN access).

Step 3 — write posture policies. For each app, decide who (IdP group) plus device requirements (encryption, EDR, patch level) plus auth (MFA), all deny-by-default. Step 4 — pilot and phase. Move one low-risk app and a friendly user group onto ZTNA, prove it, then peel apps off the VPN one cohort at a time. Step 5 — shrink, then retire the VPN. As apps move, the VPN's scope collapses to a small, monitored island; when the last app is mapped, you switch it off. Running both during the migration is normal and expected.

Where does this sit in the bigger stack? ZTNA is the private-app access engine inside SSE (ZTNA + SWG + CASB). Add the networking side — SD-WAN — and SSE becomes SASE. So ZTNA handles your private apps, SWG handles the open internet, CASB handles sanctioned SaaS — three lanes of one cloud edge.

On the Security+ SY0-701 blueprint, this is Domain 3 territory. Map the words: the broker = Policy Decision Point + policy administrator (the control plane), the agent/connector = Policy Enforcement Point (the data plane), and the policy engine makes the allow/deny call using adaptive identity and least privilege. Get that mapping cold and you've nailed both the exam language and the wiring you'll touch on the job.

Figure 4 — ZTNA rollout cheat-sheet — tenets, the VPN→ZTNA ladder, and where it sits in SSE/SASE
ZTNA on one card: the four tenets, the five-step VPN-to-ZTNA migration ladder, ZTNA inside SSE and SASE, and the PDP/PEP control-vs-data-plane vocabulary A six-tile cheat sheet. Tile one lists the four Zero Trust tenets. Tile two is the VPN to ZTNA migration ladder: place connectors, map apps as hosts not subnets, write deny-by-default posture policies, pilot and phase, then shrink and retire the VPN. Tile three maps ZTNA inside SSE (ZTNA plus SWG plus CASB) and SASE (SSE plus SD-WAN). Tile four is the connector rule: outbound only, two per site for high availability, no inbound port. Tile five is the per-app least-privilege rule: one hostname or host, never a subnet. Tile six is the Security+ and NIST vocabulary: broker equals PDP plus policy administrator (control plane), agent or connector equals PEP (data plane). ZTNA — your one-glance card 4 Zero Trust tenetsnever trust, always verifyleast privilege · per-requestlocation ≠ trust · assume breachNIST SP 800-207 VPN → ZTNA ladder1 place connectors (HA pairs)2 map apps as hosts, not subnets3 deny-by-default posture policies4 pilot + phase · 5 shrink, retire VPN ZTNA in SSE / SASESSE = ZTNA + SWG + CASBSASE = SSE + SD-WANZTNA = private-app access laneone cloud edge, three lanes Connector ruleoutbound-only (inside-out)two per site for HAno inbound port → app is dark Per-app least privilegemap ONE hostname / hostnever a subnet / CIDRZTNA 2.0: L7 App-ID, sub-app Security+ / NIST wordsbroker = PDP + policy adminagent/connector = PEPcontrol plane vs data plane Key insight: ZTNA grants ONE app after verifying identity + device, keeps it dark, and (2.0) keeps inspecting —so a stolen credential can't roam the LAN. That blast-radius cut is why the VPN finally retires. untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed app
Your one-card revision sheet: the four Zero Trust tenets, the five-rung migration ladder, the ZTNA-in-SSE/SASE map, and the NIST/Security+ vocabulary (PDP/PEP). Keep it open before any Zero Trust interview.
Daily-life analogy — Swiggy delivery to your door, not a key to the kitchen

Old VPN thinking is giving a delivery rider a key to the restaurant kitchen so they can grab your order themselves — now they can wander anywhere inside. ZTNA is how Swiggy actually works: the rider is verified, handed one specific order at the counter, and never sees the kitchen, the till or other customers' food. The restaurant's back door stays shut (outbound-only). Scale that to apps and you've got per-app least-privilege access with the building kept dark.

Prove you own ZTNA

Cold, in 30 seconds: (1) why a stolen VPN password beats a stolen ZTNA session — flat LAN vs one app; (2) the three ZTNA moves — verify identity + device, grant one app, outbound connector keeps it dark; (3) ZTNA 1.0 vs 2.0 — allow-and-forget vs continuous trust + inspection + sub-app least privilege; (4) where ZTNA sits — the private-app lane of SSE; SSE + SD-WAN = SASE. If you can say those without notes, you're ready for the Security+ Zero Trust objective and your first SASE rollout.

Next: Microsegmentation — stop lateral movement insideRelated: SSE vs SASE
Quick check · Q4 of 10

Sneha is planning ICICI's VPN-to-ZTNA migration. Which ordering and choice is the SAFE rollout?

Correct: c. The safe ladder is connectors → per-app (host-level, deny-by-default) mapping → pilot → phased cutover → retire the VPN once the last app moves; running both during migration is expected. Deleting the VPN first strands users; mapping apps as subnets re-creates flat VPN access; and exposing public IPs throws away ZTNA's dark-app property and reintroduces the exact attack surface you're trying to remove.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Zero Trust docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

According to NIST SP 800-207, on what basis is access to an individual resource granted in a Zero Trust architecture?

Correct: d. NIST SP 800-207's core tenet is per-request (per-session) access evaluated on identity, device posture and context, granting least privilege — and access to one resource never implies access to another. Trusting a session forever is exactly the ZTNA 1.0 gap; network location and IP range are the implicit-trust assumptions Zero Trust rejects.
Q6 · Apply

Priya at Flipkart must give a third-party auditor (on the auditor's own unmanaged laptop) browser access to one internal dashboard — and nothing else. Which ZTNA model fits, and why?

Correct: a. Service-initiated ZTNA is clientless — perfect for an unmanaged third-party device: a connector inside Flipkart's network makes the app reachable from a browser, scoped to that one dashboard. You can't force a corporate agent onto an auditor's own laptop (rules out endpoint-initiated here); a VPN grants far too much; and publishing the app to the internet is the exposure ZTNA exists to remove.
Q7 · Apply

Rahul wants to confirm an attacker who steals a ZTNA session token for the HR app can't also reach the finance app. Which property guarantees this?

Correct: b. ZTNA grants access to a specific application, not the network, so a session authorised for HR carries no implicit authorisation to finance (a separate policy and broker decision). Split-tunnel is a VPN concept and still puts you on a network; MFA speed and the connector's port don't bound which apps a session can reach.
Q8 · Analyze

A team migrates to ZTNA 1.0. A user logs in clean, but an hour later malware on their laptop rides the already-allowed session to the app. Why did ZTNA 1.0 miss it, and what closes the gap?

Correct: c. ZTNA 1.0 is 'allow and forget': once the session is permitted it's trusted indefinitely with no ongoing inspection, so malware on allowed activity slips through — and most breaches occur on allowed activity. ZTNA 2.0 keeps inspecting the allowed traffic and re-checks trust continuously, revoking access when posture or behaviour shifts. A stronger login (MFA) still wouldn't inspect post-allow traffic; the connector direction and IP aren't the cause.
Q9 · Analyze

On the CISA Zero Trust Maturity Model, a shop still relies on a flat VPN that drops users onto the LAN with broad access and manual rules. For the Networks pillar, which stage best describes them, and what's the next move?

Correct: a. Broad VPN access with manual rules is the Traditional baseline of the Networks pillar; maturing means replacing flat access with per-app, micro-segmented, increasingly automated access (Initial, then Advanced, toward Optimal's dynamic just-in-time access). Optimal and Advanced overstate where a flat-VPN shop is; 'Initial = fully automated' misreads the stage order (Traditional → Initial → Advanced → Optimal).
Q10 · Evaluate

Two pitches for replacing the VPN: (A) "Keep the VPN but add MFA and call it Zero Trust." (B) "Deploy ZTNA: per-app least-privilege access, identity + device checked per request, apps dark behind outbound connectors, continuous inspection, phased VPN cutover." Which is the stronger Zero Trust answer and why?

Correct: b. B addresses the real problem: the VPN's flat-network access and exposed inbound appliance. ZTNA grants one app at a time, keeps apps dark behind outbound connectors, and verifies identity + device continuously, so a stolen credential can't roam laterally and there's no inbound port to exploit. A only hardens the login while leaving the flat-access blast radius and exposed appliance intact — MFA alone isn't Zero Trust, and 'cheaper' isn't a security argument.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why does a stolen VPN password expose far more than a stolen ZTNA session? Then compare to the expert version.

Expert version: Because a VPN drops the user onto the whole flat network, so the stolen credential inherits broad lateral reach across every host on that LAN; a ZTNA session only ever granted access to one specific app after verifying identity and device, so the blast radius is that single app — and continuous trust checks can pull even that the moment posture or behaviour looks wrong.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Zero Trust
Security model with no implicit trust by network location: verify identity, device and context on every request (NIST SP 800-207).
ZTNA
Zero Trust Network Access — brokers per-app access after verifying identity + device, instead of putting a user on the network like a VPN.
Lateral movement
An attacker hopping from a first foothold to other hosts across a flat network; the damage a VPN's broad access enables.
Least privilege
Granting only the access needed for the task, time-bound; access to one resource never implies access to another.
Assume breach
Design as if attackers are already inside: minimise blast radius, segment access, verify continuously rather than trusting a perimeter.
Connector
A lightweight component beside the app that makes an outbound-only connection to the ZTNA broker, so the app has no inbound public port.
Broker / trust broker
The ZTNA control point that evaluates policy and stitches a verified user to one app; in NIST terms the Policy Decision Point.
Device posture
The health of the connecting device — disk encryption, patch level, EDR running, OS version — checked before and during access.
Service-initiated ZTNA
Clientless model: a connector dials out from inside the network; no agent on the user. Good for BYOD, contractors, third parties.
Endpoint-initiated ZTNA
Agent-based model: software on a managed device gives rich posture signals. Good for corporate laptops.
PDP / PEP
Policy Decision Point (decides allow/deny) and Policy Enforcement Point (enforces it at the connection); the control vs data plane of Zero Trust.
SSE / SASE
SSE = cloud security bundle (ZTNA + SWG + CASB). SASE = SSE + SD-WAN networking, converged at one cloud edge.

📚 Sources

  1. NIST SP 800-207 — Zero Trust Architecture (the seven tenets: per-request access, least privilege, no implicit trust by location, dynamic policy, continuous monitoring; control/data plane, PDP/PEP, policy engine + administrator). csrc.nist.gov/pubs/sp/800/207/final · nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
  2. Palo Alto Networks — "What is ZTNA 2.0" + ZTNA 2.0 launch (allow-and-ignore gap of ZTNA 1.0; ZTNA 2.0 = least-privilege via App-ID at L7 to sub-app level, continuous trust verification, continuous security inspection of allowed traffic; '100% of breaches occur on allowed activity'). paloaltonetworks.com/cyberpedia/what-is-zero-trust-network-access-2-0 · paloaltonetworks.com/sase/ztna
  3. CISA Zero Trust Maturity Model v2.0 — five pillars (Identity, Devices, Networks, Applications & Workloads, Data) across four stages (Traditional, Initial, Advanced, Optimal); the Networks pillar is where VPN-style broad access matures toward per-app micro-segmented access. cisa.gov/zero-trust-maturity-model · cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
  4. Cloudflare One docs — "Add a self-hosted application" + Access policies (Zero Trust → Access controls → Applications → Add an application → Self-hosted; deny-by-default; policies under Access controls → Policies). Real console path used for the recreated screenshot. developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/ · developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/
  5. Mandiant / Google Cloud + CISA + The Hacker News — active exploitation of VPN appliances feeding lateral movement: Ivanti Connect Secure CVE-2025-0282 (unauth RCE, zero-day from Dec 2024) and CVE-2025-22457 (UNC5221), and FortiOS SSL VPN 2FA-bypass exploitation (Dec 2025); attackers used VPN footholds to pivot with freerdp/ssh/nmap and deploy ransomware (e.g. Akira). cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day · cisa.gov/news-events/cybersecurity-advisories/aa24-060b
  6. CompTIA Security+ SY0-701 exam objectives — Domain 3 Security Architecture: Zero Trust control plane vs data plane, Policy Decision Point / Policy Enforcement Point, policy engine + policy administrator, implicit trust zones, adaptive identity, least privilege. comptia.org/certifications/security · comptia.org/landing/security-plus/exam-objectives
  7. TechTarget + Gartner Market Guide for ZTNA (described) — service-initiated (clientless, connector dials out, good for BYOD/third parties) vs endpoint-initiated (agent, rich posture, managed devices); outbound-only connections make apps a 'darknet'. Gartner recommends hybrid support. techtarget.com/searchnetworking/feature/Choosing-ZTNA-vendors-amid-zero-trust-confusion

What's next?

ZTNA contains user-to-app access, but what about attackers and workloads already inside your data centre talking east-west? Next we segment the inside itself — so a foothold on one server can't fan out to the rest.

Next · Microsegmentation: Stopping Lateral Movement Inside the Network → Practice on exam.techclick.in →