Zero Trust Network Access (ZTNA) enforces granular, adaptive, and context-aware policies to provide secure, seamless Zero Trust access to private applications hosted across clouds and corporate data centers, from any remote location and device. That context can be a combination of user identity, user or service location, time of day, type of service, and the security posture of the device.

After assessing user identity, device identity, and other contextual factors, ZTNA grants "least privilege" access to specific applications rather than to the entire underlying network, which any user with valid login credentials would otherwise reach. This reduces the attack surface and prevents lateral movement of threats from compromised accounts or devices.

ZTNA builds upon the concept of "Zero Trust", which asserts that organizations shouldn't trust any entity, whether inside or outside the security perimeter, and instead must verify every user or device before granting access to sensitive resources, ensuring data safety and integrity.

ZTNA acts as a key enabler for Secure Access Service Edge (SASE), transforming the concept of a security perimeter from static, enterprise data centers to a more dynamic, policy-based, cloud-delivered edge, to support the access requirements of the distributed workforce.

3 common ZTNA use cases

  1. Securing remote access to private applications
    As organizations move their business-critical applications across multiple cloud environments for seamless collaboration, they are specifically challenged to monitor each connecting device in order to secure application access and prevent data exfiltration. ZTNA enables adaptive, context-aware access to private applications from any location and device. Access to applications is denied by default unless explicitly allowed. The context for application access may include user identity, device type, user location, device security posture, etc.


  2. Replacing VPN and MPLS connections
    VPN architectures are slow and counter-productive in cloud-first deployments. Securing every remote user's access through software- and hardware-intensive VPNs can increase capital expenditure and bandwidth costs. Zero Trust Network Access provides fast, direct-to-cloud access to corporate resources, reducing network complexity, cost, and latency, while significantly improving performance to support remote workforce deployments.


  3. Limiting user access
    The broad, perimeter-based security approach of traditional security solutions permits full network access to any user with valid login credentials, over-exposing sensitive corporate resources to compromised accounts and insider threats. Attackers who gain access to the entire underlying network can move freely through internal systems undetected. ZTNA implements least-privilege, controlled access, restricting users to specific applications strictly on a "need to know" basis. All connection requests are verified before access to internal resources is granted.
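The first and third use cases above both come down to one mechanism: a per-application policy that is deny-by-default and evaluated against request context (identity, location, device posture, time of day). The following is an added example written for this page, not code from the original page or from any vendor product; the policy format, attribute names (`posture_score`, `device_type`, `country`), the 0-100 posture scale and the sample requests are all constructed assumptions.

```python
"""Context-aware, deny-by-default access evaluation for ZTNA-style policies.

Added example; the rule format and all attribute names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Tuple


@dataclass
class AccessRequest:
    user: str
    groups: frozenset          # group membership asserted by the identity provider
    app: str                   # the single application being requested, never "the network"
    country: str               # user location
    device_type: str           # "managed" (agent installed) or "unmanaged" (clientless)
    posture_score: int         # hypothetical 0-100 score reported by the endpoint agent
    local_time: time           # time of day at the request


@dataclass
class Rule:
    app: str
    allow_groups: frozenset
    allowed_countries: frozenset = field(default_factory=frozenset)  # empty = any location
    min_posture: int = 0
    managed_only: bool = False
    window: Optional[Tuple[time, time]] = None  # permitted time-of-day window, None = always


# Constructed sample policy: there is deliberately no rule for most applications,
# so requests for them fall through to the default deny at the end of evaluate().
POLICY = [
    Rule("hr-portal", frozenset({"hr"}), frozenset({"US", "CA"}),
         min_posture=70, managed_only=True, window=(time(7, 0), time(20, 0))),
    Rule("wiki", frozenset({"employees", "contractors"}), min_posture=40),
]


def _check(rule: Rule, req: AccessRequest) -> Optional[str]:
    """Return None if the request satisfies every condition of the rule, else the failing reason."""
    if not (req.groups & rule.allow_groups):
        return "user not in an allowed group"
    if rule.allowed_countries and req.country not in rule.allowed_countries:
        return f"location {req.country} not permitted"
    if rule.managed_only and req.device_type != "managed":
        return "managed device required"
    if req.posture_score < rule.min_posture:
        return f"device posture {req.posture_score} below required {rule.min_posture}"
    if rule.window and not (rule.window[0] <= req.local_time <= rule.window[1]):
        return "outside permitted hours"
    return None


def evaluate(req: AccessRequest, policy=POLICY) -> Tuple[str, str]:
    """Return ("allow", reason) only if some rule for the requested app fully matches.

    Every other outcome, including an application no rule mentions, is a deny:
    access is granted per application, never to the surrounding network.
    """
    reasons = []
    for rule in policy:
        if rule.app != req.app:
            continue
        failure = _check(rule, req)
        if failure is None:
            return ("allow", f"matched rule for {rule.app}")
        reasons.append(failure)
    if not reasons:
        return ("deny", "no rule for application")  # default deny
    return ("deny", "; ".join(reasons))


if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"hr", "employees"}), "hr-portal",
                          "US", "managed", 85, time(9, 30))
    print(evaluate(alice))
```

Each deny carries the reason that blocked it, which is what a defender wants in the access log: a spike of "device posture below required" or "outside permitted hours" denials for one account is a signal worth alerting on, while a bare "denied" is not.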

Benefits of ZTNA

Micro-segmenting the networks

ZTNA allows organizations to create software-defined perimeters and divide the corporate network into multiple micro-segments, preventing lateral movement of threats and reducing the attack surface in case of a breach.

Making applications invisible on the internet

ZTNA creates a virtual darknet and prevents application discovery on the public internet, protecting organizations from internet-based data exposure, malware, and DDoS attacks.

Securing access to legacy applications

ZTNA can extend its benefits to legacy applications hosted in private data centers, facilitating secure connectivity and offering the same security advantages as for web applications.

Elevating the user experience

ZTNA enables secure, fast, uninterrupted, direct-to-cloud access to private applications, providing a consistent experience to remote users accessing both SaaS and private applications.

How does Zero Trust Network Access work?

Connector software installed in the same customer network as the private application establishes an outbound connection, through a secure, encrypted tunnel, to the Zero Trust Network Access service (or broker) hosted in the cloud. The service is the egress point for private traffic into the customer network and is primarily responsible for:

  • Verifying connecting users and authenticating their identity through an identity provider.
  • Validating the security posture of the user devices.
  • Provisioning access to specific applications through the secure tunnel.

Because the connections to the ZTNA service are outbound, or "inside out", organizations don't need to open any inbound firewall ports for application access. The applications are shielded from direct exposure on the public internet, protecting them from DDoS, malware, and other online attacks.

ZTNA can cater to both managed and unmanaged devices. Managed devices follow a client-based approach, in which a company-owned client or agent is installed on the device. The client is responsible for collecting device information and sharing the details with the ZTNA service. A connection to the application is established once the user identity and device security posture have been validated.

Unmanaged devices follow a clientless, reverse-proxy-based approach. The devices connect to the ZTNA service through browser-initiated sessions for authentication and application access. While this makes it an attractive option for third-party users, partners, and employees connecting through personal or BYO devices, clientless ZTNA deployments are limited to application protocols supported by web browsers, such as RDP, SSH, VNC, and HTTP.
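The broker flow described in this section (connector registers outbound, broker verifies identity against the identity provider, validates device posture, then provisions a session to one named application) is simulated below. This is an added example written for this page, not code from the original page or from any vendor product. The identity-provider token (an HMAC-signed assertion with a shared key), the posture report fields (`disk_encrypted`, `edr_running`), the entitlement table and the in-memory connector registry are all constructed assumptions; a production deployment would use the identity provider's real signed tokens and a richer posture schema.

```python
"""Simulated ZTNA broker: outbound connector registration, identity and posture
verification, and per-application session brokering.

Added example; the token format, posture fields and registries are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared by the simulated identity provider and the broker.
IDP_KEY = b"constructed-idp-signing-key-for-illustration"


def idp_issue_token(user, groups, ttl=300):
    """Simulated identity provider: returns an HMAC-signed assertion 'body.signature'."""
    claims = {"sub": user, "groups": sorted(groups), "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token):
    """Return the claims if the signature is valid and the assertion is unexpired, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        return None
    return claims


def posture_ok(posture):
    """Minimal posture check; fields are assumptions standing in for an agent's report."""
    return bool(posture.get("disk_encrypted")) and bool(posture.get("edr_running"))


class Broker:
    def __init__(self, grants):
        # app name -> connector id. Entries exist ONLY because a connector dialed out
        # and announced the app; the broker never scans or dials into the customer network.
        self.connectors = {}
        self.grants = grants   # user group -> set of app names the group may reach

    def register_connector(self, connector_id, apps):
        """Called over the connector's outbound tunnel; no inbound firewall port is needed."""
        for app in apps:
            self.connectors[app] = connector_id

    def request_session(self, token, app, posture):
        """Broker a session to exactly one application, or return the reason for denial."""
        claims = verify_token(token)
        if claims is None:
            return {"ok": False, "reason": "identity assertion invalid or expired"}
        if not posture_ok(posture):
            return {"ok": False, "reason": "device posture check failed"}
        entitled = set().union(*(self.grants.get(g, set()) for g in claims["groups"]))
        if app not in entitled:
            return {"ok": False, "reason": f"{claims['sub']} not entitled to {app}"}
        if app not in self.connectors:
            # Unannounced apps are not discoverable through the broker at all.
            return {"ok": False, "reason": "no connector serving application"}
        return {"ok": True, "user": claims["sub"], "app": app, "via": self.connectors[app]}


if __name__ == "__main__":
    broker = Broker({"engineering": {"git", "ci"}, "hr": {"hr-portal"}})
    broker.register_connector("dc1-conn-01", ["git", "hr-portal"])
    token = idp_issue_token("alice", {"engineering"})
    print(broker.request_session(token, "git", {"disk_encrypted": True, "edr_running": True}))
```

The order of checks matters for what an attacker learns: identity is verified before any entitlement or connector lookup, so an unauthenticated request cannot discover whether an application name exists, which is the "virtual darknet" property described earlier.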

ZTNA Architecture

Introducing MVISION Private Access

MVISION Private Access is the industry’s first data-aware Zero Trust Network Access solution that enables granular "Zero Trust" access to private applications, from any location and device, and offers integrated data loss prevention (DLP) capabilities for securing data collaboration over ZTNA. MVISION Private Access performs continuous risk assessment of the connecting devices by deriving enhanced posture information through McAfee’s endpoint security technology and provides blazing fast, “least privileged” access to private applications through a cloud-native hyperscale service edge. Private Access converges with MVISION Unified Cloud Edge to uniquely position McAfee with the best-in-class, integrated and cloud-delivered security solution for accelerated Secure Access Service Edge (SASE) deployments.