
Zero trust network access

As businesses continue to shift towards hybrid working models, more employees than ever before are looking to get their jobs done from anywhere, with the flexibility to use any device. In fact, by the end of 2023, more than 90 percent of infrastructure and operations (I&O) organizations will have the majority of their staff working remotely.

Consequently, IT departments are looking to provide a secure work experience for their in-office and remote employees—especially as corporate applications and sensitive data are accessed from remote locations and unmanaged/BYO devices.

While businesses typically deploy multiple security solutions from different vendors to protect access to SaaS, web, legacy, virtual, and desktop application access, relying on isolated or disjointed strategies can leave your attack surface vulnerable.

Some of the pitfalls of siloed or traditional security solutions include:

  • VPNs require backhauling of all traffic, thereby congesting the datacenter network. This gives end users poor performance and introduces privacy concerns, as users’ personal traffic now travels via the corporate network.
  • VPNs, application gateways, or access management solutions cannot detect any malware coming from the internet or protect against any browser-based threats.
  • These traditional solutions do not provide organizations with the flexibility to allow BYO devices, as they lack security controls to protect access from these personal or unmanaged devices.
  • The addition of cloud applications, combined with applications hosted in centralized private datacenters, makes traditional perimeter-based security measures obsolete.
  • Limited integration or compatibility between vendors providing access solutions makes it difficult to create a risk profile of a user that is consistent across all apps, as well as take preventive actions. In addition, limited event correlation between multiple disparate systems makes it difficult to establish appropriate risk scores.

To implement a robust security strategy for your modern workforce, it’s important to consider ways in which you can reduce your attack surface—and one of the most efficient ways to do this is to consolidate your security solutions.

With a unified security strategy deployed, you can easily establish universal security standards and provide secure application access, regardless of where your end users are located. Fortunately, integrating a zero trust network access (ZTNA) architecture is a great way to centralize your security solutions.

If you’re new to the concept of ZTNA, this guide is here to help you fill in the gaps. Below, we will cover why a zero trust security framework is important, how it compares to VPNs, and its benefits as workforces continue to go remote.

Importance of a ZTNA security model

With an increase in user endpoints, applications moving to the cloud, and users working from home, traditional cybersecurity measures are no longer reliable, as they work on the assumption that an authorized user can always be trusted. The assessment of risk and enforcement of security controls happens only at the time of login. There are no controls to continuously assess risk throughout the user session or to monitor end-user devices for compromise. With a zero trust security framework, however, you can easily provide secure application access across locations and devices.

Illustration of a statistic showing that 60% of enterprises will phase out most of their VPNs by 2023.

ZTNA solutions expand the traditional perimeter from the datacenter to be closer to the users and closer to the apps. This allows for continuous verification of adaptive access in real time, including user, device, and location credentials, making it the most secure cybersecurity framework for a hybrid or pure cloud environment. By 2023, 60 percent of enterprises will phase out most of their VPNs in favor of a ZTNA solution—and it’s no surprise why. A ZTNA architecture uses an outbound connection from the app to establish a secure connection between the user and the app. This ensures end users only have access to the applications they need to do their jobs by constantly evaluating adaptive, real-time activity and never assuming an identity is trustworthy.

ZTNA security vs. VPNs

VPNs provide encrypted connections for IT-managed devices, which works to protect both sensitive business data and personal information. But once access to your network has been granted, assumed trust is given to users—even on unmanaged or BYO devices.

As today’s remote employees commonly use personal or unmanaged devices to connect to IT-sanctioned apps deployed on-premises or in the cloud, VPNs are unable to account for the ever-expanding attack surface, as they only help with securing the connection between users and internal corporate applications. Additionally, they create a backhauling issue that introduces performance as well as privacy concerns, as both corporate and personal user data flows through the corporate network.

Along with over-simplifying user authentication, VPNs are restricted to remote access. This means you must configure and deploy VPNs individually across locations to secure users when they are on-premises, which makes it difficult to scale your corporate network while onboarding new users. This process is time consuming for system administrators, and it can require significant resources to manage. For example, adding emergency capacity requires a forklift hardware upgrade or a lengthy licensing procurement process.

With a zero trust architecture, you can provide VPN-less access to apps and resources without connecting devices to the network, based on what your end users need access to when completing their jobs. Not only does this ensure your network remains secure with remote users and personal devices, but it also provides a seamless user experience (UX).

What are the benefits of ZTNA security?

Transitioning from a traditional VPN framework to a zero trust architecture provides your business and your employees with many benefits, including:

Better end-user experience

With an ever-increasing hybrid workforce accessing apps that are hosted in the cloud or delivered as SaaS, traffic does not require backhauling, and security controls can be enforced in line with applications.

Continuous verification and validation

ZTNA ensures that users are continuously verified and validated in real time, rather than receiving a one-time validation at the time of login that allows for unchecked anomalies during the user session. This continuous assessment can be related to anomalies in user behavior like unusual location of access, unusual number of downloads, or concurrent logins from different locations.
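The three anomalies named above can be checked by replaying session events in time order. The following is an added example, not Citrix code; the event fields, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for this example; tune them against your own baseline.
DOWNLOAD_LIMIT = 20
DOWNLOAD_WINDOW = timedelta(minutes=10)

def evaluate_events(events, usual_countries):
    """Replay session events in time order; return (time, user, anomaly) findings."""
    findings = []
    active = defaultdict(dict)      # user -> {session_id: country} for live sessions
    downloads = defaultdict(deque)  # user -> timestamps of downloads inside the window
    bursting = set()                # users currently over the download limit
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, sid, ts = ev["user"], ev["session"], ev["ts"]
        if ev["type"] == "login":
            if ev["country"] not in usual_countries.get(user, set()):
                findings.append((ts, user, "unusual_location"))
            # Another live session for the same user from a different country.
            if any(c != ev["country"] for c in active[user].values()):
                findings.append((ts, user, "concurrent_login_different_location"))
            active[user][sid] = ev["country"]
        elif ev["type"] == "logout":
            active[user].pop(sid, None)
        elif ev["type"] == "download":
            window = downloads[user]
            window.append(ts)
            while window and ts - window[0] > DOWNLOAD_WINDOW:
                window.popleft()
            over = len(window) > DOWNLOAD_LIMIT
            if over and user not in bursting:   # report once per burst
                findings.append((ts, user, "unusual_download_volume"))
                bursting.add(user)
            elif not over:
                bursting.discard(user)
    return findings

def at(minute, second=0):
    return datetime(2023, 1, 9, 9, minute, second)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    [{"ts": at(0), "user": "alice", "session": "s1", "type": "login", "country": "DE"},
     {"ts": at(5), "user": "alice", "session": "s2", "type": "login", "country": "BR"},
     {"ts": at(1), "user": "bob", "session": "s3", "type": "login", "country": "US"}]
    + [{"ts": at(2, i), "user": "bob", "session": "s3", "type": "download"} for i in range(25)]
)
USUAL = {"alice": {"DE"}, "bob": {"US"}}
```

Each finding is a candidate trigger for a mid-session response such as re-authentication or session recording.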

Adaptive access

Adaptive access is the foundation of a zero trust network architecture. Rather than placing assumed trust in users, ZTNA establishes the principle of least privilege (PoLP) and defaults to the lowest level of access for all users. This ensures all applications and resources provide adaptive access based on identity, time, and continuous device posture assessments.
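A minimal sketch of such a decision, starting from the lowest level and raising it only as identity, time, and device posture checks pass. This is an added example, not Citrix's policy engine; the access levels, app names, groups, and posture attributes are hypothetical.

```python
from datetime import time

# Access levels, lowest first. The names are assumptions for this example.
DENY, ISOLATED, RESTRICTED, FULL = range(4)

# Hypothetical entitlements: which groups may reach which app, and during what hours.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "hours": (time(7, 0), time(19, 0))},
    "wiki": {"groups": {"finance", "engineering"}, "hours": (time(0, 0), time(23, 59, 59))},
}

def decide_access(user_groups, app, now, device):
    """Return the access level for one request; anything unknown fails closed."""
    policy = APP_POLICY.get(app)
    if policy is None or not (set(user_groups) & policy["groups"]):
        return DENY          # identity: no entitlement, no access
    start, end = policy["hours"]
    if not (start <= now <= end):
        return DENY          # time: outside the allowed window
    if device.get("compromised"):
        return DENY          # posture: device known to be compromised
    if not device.get("managed"):
        return ISOLATED      # personal/BYO device: remote browser isolation only
    if not (device.get("disk_encrypted") and device.get("os_patched")):
        return RESTRICTED    # managed but weak posture: no copy, print, or download
    return FULL
```

Missing posture attributes are treated as failed checks, so a device that reports nothing is handled as unmanaged rather than trusted.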

Reduced attack surface

With more remote employees, cloud-based applications and resources, and unprotected personal devices than ever before, your attack surface is constantly expanding. Unlike VPNs, a zero trust architecture ensures your attack surface is actively protected from threats, breaches, or vulnerabilities. This is especially important with the average cost of a data breach sitting at $4.24 million.

How to establish ZTNA security

Establishing ZTNA requires a holistic approach rather than implementing one single tool or service. At its core, a zero trust architecture incorporates a comprehensive framework of products and strategies that are built upon the core principles of ZTNA, such as adaptive access and continuous real-time user authentication.

Integrate a zero trust architecture with one solution

Illustration of the statistic that 78% of organizations use more than 50 different cybersecurity tools.

Citrix makes incorporating a unified ZTNA security solution simple and intuitive, even if you already have security investments or third-party products in place. With Citrix Workspace and Citrix Secure Private Access, you gain access to end-to-end attack surface protection without implementing countless cybersecurity solutions or overhauling your current infrastructure—including identity platforms, security information and event management (SIEM) software, security operation center (SOC), or web proxies. Considering 78 percent of organizations use more than 50 different cybersecurity tools, this can equate to massive time and cost savings.

ZTNA with Citrix Secure Private Access

Citrix Secure Private Access goes beyond MFA and SSO service to deliver adaptive access to sanctioned intranet web apps and external SaaS apps. As a cloud-delivered, VPN-less access management solution, you can provide protection from browser-based threats and implement granular application security controls for all your end users and their devices. Benefits of this platform include:

  • VPN-less access: Because Citrix Secure Private Access is built upon a VPN-less platform, you can easily ensure adaptive access and PoLP are established for every user no matter what device they are using.
  • Single sign-on: Provide secure access and a unified UX for corporate applications with seamless SSO policies.
  • Cloud app control: Implement granular application security controls—such as restricting copying, pasting, printing, downloads, or enabling watermarking—to protect sensitive business data and personal data from unauthorized usage or breaches.
  • App protection policies: Protect user sessions and sensitive information from being hijacked by keyloggers or screen capturing malware.
  • Integrated remote browser isolation: Using Citrix Remote Browser Isolation (formerly Citrix Secure Browser), you can allow users on personal devices to access sanctioned applications securely while safeguarding corporate information against browser-based threats.
  • Citrix Analytics for Security integration: Provide continuous monitoring and assessment of all user sessions by integrating Citrix Analytics for Security. This tool automates security policies such as re-authentication or session recording when anomalies are detected.

Secure your modern workforce with ZTNA

If your business is shifting to a hybrid work environment and utilizing more cloud-based applications than ever before, traditional cybersecurity tools like VPNs will leave your attack surface exposed. With a unified, single-vendor, VPN-less security strategy from Citrix, you can establish secure remote access with a zero trust architecture—ensuring your sensitive data or information is protected no matter where an end user is located or what device they are using.


What is zero trust network access?

A zero trust network access (ZTNA) solution establishes a digital identity-based perimeter that continuously verifies user and device credentials in real time. ZTNA also enforces the principle of least privilege (PoLP) and defaults to the lowest level of access for all users.

How do you implement a zero trust network?

Implementing a zero trust network requires a holistic approach rather than implementing one single tool or service. At its core, a zero trust architecture incorporates a comprehensive framework of products and strategies that are built upon the core principles of ZTNA security, such as adaptive access management and continuous real-time user authentication.

What is adaptive access?

Adaptive access is the foundation of a zero trust network architecture (ZTNA). Rather than placing assumed trust in users, ZTNA establishes the principle of least privilege (PoLP) and defaults to the lowest level of access for all users.

How does an adaptive access system work?

An adaptive access system works by granting access to authorized users using patterns based on identity, time, and device posture. This allows you to provide comprehensive access management security while giving users the ability to use any device.