Contact Us
ZTNA

Replace VPN with ZTNA: the safer approach for hybrid working

VPN was the right answer twenty years ago. A handful of remote workers needed access to corporate applications, and a tunnel into the corporate network gave them that. Everyone on the network was trusted because everyone on the network was supposed to be there.

That world no longer exists. Hybrid work is the norm. Personal devices connect to corporate resources. Contractors and partners need scoped access for time-bound projects. Cloud applications live outside the corporate network entirely. The "trust the tunnel" model has become a security liability instead of a security control.

ZTNA (Zero Trust Network Access) is the modern replacement: identity-driven, least-privilege, continuously verified access to specific applications, not the network as a whole. This article explains why VPN has become a risk, how ZTNA works, how Cato Universal ZTNA implements it and how to migrate without disrupting your operations. For broader context, see our SASE guide for international organisations.

Plan an assessment See a demo
Cato Networks expertise
Momentum EMEA implementation
What you will learn

What you will learn in this article

  • Why VPN has become a security risk, the concrete failure modes.
  • How ZTNA works, least privilege, continuous verification and device posture.
  • Universal ZTNA from Cato, one policy for everyone, everywhere.
  • BYOD and contractors, the forgotten attack vector that ZTNA closes.
  • ZTNA and NIS2, demonstrable access control for auditors.

This article covers the case for replacing VPN, the technical workings of ZTNA and the specific Cato implementation:

  1. Why VPN has become a security risk
  2. How ZTNA works: least privilege, continuous verification and device posture
  3. Universal ZTNA from Cato: one policy for everyone, everywhere
  4. BYOD and contractors: the forgotten attack vector
  5. ZTNA and NIS2: demonstrable access control for auditors
  6. Frequently asked questions about ZTNA versus VPN

Why VPN has become a security risk

VPN architectures rest on a simple assumption: anyone who can establish a tunnel into the corporate network is trusted to operate inside it. That assumption fails in four concrete ways in modern environments.

Lateral movement. Once an attacker compromises a VPN credential (phishing, credential stuffing, malware on the endpoint), they have network-level access. From that foothold, lateral movement to sensitive systems is largely unimpeded because the perimeter trusted them in.

Over-broad access. VPNs grant access to network segments, not to specific applications. A user who needs one application gets visibility into everything in their subnet. The minimum privilege principle is structurally absent.

Performance and scale. VPN concentrators are physical or virtual bottlenecks. As the hybrid workforce grew, organisations stacked appliances and added complexity to scale. Performance degrades, support load increases.

Audit invisibility. VPN logs typically show successful connections, not what was done within the session. An auditor asking "what applications did contractor X access yesterday?" gets imprecise answers at best.

How ZTNA works: least privilege, continuous verification and device posture

ZTNA inverts the VPN model. Instead of granting network access, ZTNA grants application access. The user authenticates, the platform evaluates context, the platform creates a scoped, time-bound, application-specific connection. Everything else stays invisible.

The technical building blocks are identity, context and posture. Identity means strong authentication, typically including MFA and integration with the corporate identity provider. Context includes location, time of day, request pattern and behaviour baseline. Posture means real-time verification of the device: OS version, patch level, endpoint protection status, certificate validity.

If any factor changes mid-session (device posture degrades, behaviour deviates from baseline, location shifts unexpectedly), the access decision is re-evaluated. Sessions that started valid can be revoked dynamically.

Expert insight

"The CISOs who get the most pushback on replacing VPN are not getting it from IT. They are getting it from the contractors and the partners who like the VPN exactly because it gives them more access than they should have. That is the political reality of ZTNA migration: you are also tightening access controls that some external parties prefer to remain loose."

Momentum EMEA, EMEA's leading Cato Networks implementation partner

Universal ZTNA from Cato: one policy for everyone, everywhere

Most ZTNA products are bolted onto an existing infrastructure: a separate gateway, a separate policy engine, a separate client. Universal ZTNA on the Cato SASE platform is different. It runs as a native capability on the same cloud-native platform that delivers SD-WAN, SSE and AI Security.

The practical implications matter. One policy engine means a single policy framework for office workers, remote workers, contractors, suppliers and machine identities. One client (or clientless via browser for unmanaged devices) means lower endpoint complexity. One audit trail means all access decisions, regardless of user category, land in the same data store.

For organisations that have been managing three separate access regimes (VPN for employees, separate portal for contractors, federated access for partners), Universal ZTNA collapses that into one operational model.

BYOD and contractors: the forgotten attack vector

Most VPN architectures handle managed devices reasonably well. Where they fail is BYOD and contractors: personal phones, contractor laptops, supplier engineer workstations. Either they get the same network access as managed devices (a real risk) or they get a clunky separate portal that pushes users to workarounds.

ZTNA handles this gracefully. Posture checks differentiate managed from unmanaged devices in real time; policies adjust access scope accordingly. A contractor on an unmanaged laptop can access the project file share read-only without VPN; the corporate engineer on a managed laptop gets full access plus other resources. Same policy framework, different evaluation outcomes.

This is also where NIS2's supply chain security obligation becomes concrete. ZTNA produces the evidence supervisors expect: which supplier, accessing what, when, with what device posture.

ZTNA and NIS2: demonstrable access control for auditors

NIS2 Article 21 requires access control and identity management. The supervisor expects evidence, not policies on paper. ZTNA generates that evidence as a byproduct of normal operations: every access decision logged with identity, device, context and policy reference.

For compliance reporting, this is the difference between a multi-week evidence-gathering exercise across twelve tools and a console export. We unpack the broader NIS2 compliance story in our article on NIS2 and SASE.

Migration: parallel operation, then VPN retirement

A pragmatic ZTNA migration runs VPN and ZTNA in parallel for three to six months. High-value applications move to ZTNA first; the support team monitors user experience and refines policies. Once the first set of applications is stable on ZTNA, the next set follows. VPN retirement comes when application coverage is complete.

The Cato implementation pattern reflects this: Universal ZTNA activates without immediately disabling the legacy VPN. Customers control the migration timeline based on their operational readiness, not on a vendor cutover schedule.

Further reading

In-depth guides in this cluster

SASE guide

SASE guide

Read the article →

What is SASE

What is SASE

Read the article →

Cato platform

Cato platform

Read the article →

Ready to replace your VPN with ZTNA?

Our Cato specialists are happy to assess your current VPN architecture, map your users and access patterns and produce a concrete ZTNA migration plan. In 30 minutes you get a realistic picture of the migration timeline and the first quick wins.

Plan an assessment See a demo

Or call directly: +31 20 226 1500. Momentum EMEA, Ede

Frequently asked questions

Frequently asked questions about ZTNA versus VPN

What is the core difference between ZTNA and VPN?

VPN grants network-level access (everything inside the perimeter); ZTNA grants application-level access (only the specific applications policy permits). VPN trusts the tunnel; ZTNA continuously verifies identity, device and context for every request.

Can we run VPN and ZTNA in parallel during migration?

Yes, and that is the recommended pattern. High-value applications move to ZTNA first while the rest stays on VPN. Once all applications have a ZTNA path, the VPN is retired. The parallel period is typically three to six months.

Does ZTNA work for unmanaged BYOD devices?

Yes. ZTNA posture checks differentiate managed from unmanaged devices in real time. Unmanaged devices can be granted scoped access (e.g. specific applications, read-only, clientless via browser) without compromising the security posture for managed devices.

What about contractor and supplier access?

Universal ZTNA handles contractors and suppliers in the same policy framework as employees, with separate identity context and scoped access. Revoking access when a contract ends is a console operation, not a firewall rule update.

Does ZTNA meet NIS2 access control requirements?

Yes. ZTNA generates the demonstrable access control evidence NIS2 Article 21 requires: identity-bound logs, posture-verified sessions, least-privilege enforcement. This is significantly easier to audit than VPN logs.

How does Cato Universal ZTNA differ from standalone ZTNA products?

Universal ZTNA is native to the Cato SASE platform: one policy engine, one client, one audit trail with the rest of the security stack. Standalone ZTNA products run as separate systems that integrate (with friction) into existing infrastructure.