Resources > Security Terms Glossary > What Is a Zero Trust Architecture

What Is Zero Trust Architecture?

Zero Trust Architecture Definition

Zero trust architecture is a security architecture built to reduce a network's attack surface, prevent lateral movement of threats, and lower the risk of a data breach based on the core tenets of the zero trust approach, by which implicit trust is never granted to any user or device.

The zero trust security model puts aside the traditional "network perimeter"—inside of which all devices and users are trusted and given broad permissions—in favor of least-privilege access controls, granular microsegmentation, and multifactor authentication (MFA).

Zero Trust Architecture and Zero Trust Network Access

Before we examine different zero trust architectures in more detail, let's distinguish between these two interrelated terms:

  • A zero trust architecture (ZTA) is a design that supports zero trust principles, such as airtight access management, strict device and user authentication, and strong segmentation. It’s distinct from, and in many ways designed to replace, a “castle and moat” architecture, which trusts anything inside by default.
  • Zero trust network access (ZTNA) is a zero trust use case that offers users secure access to applications and data when the users, apps, or data may not be inside a traditional security perimeter, which has become increasingly common in the age of the cloud and hybrid work.

To put the two together, zero trust architecture provides the foundation organizations need to deliver ZTNA and make their systems, services, APIs, data, and processes accessible from anywhere, at any time, and from any device.

Benefits of Zero Trust Architecture

A zero trust architecture provides the precise, contextual user access you need to run at the speed of modern business while protecting your users and data from malware and other cyberattacks. As the bedrock of ZTNA, an effective zero trust architecture helps you:

  • Grant safe, fast access to data and applications for remote workers, including employees and partners, wherever they are, improving the user experience
  • Provide reliable remote access as well as manage and enforce security policy more easily and consistently than with legacy technology like VPNs
  • Protect sensitive data and apps on-premises or in a cloud environment, in transit or at rest, with tight security controls, including encryption, authentication, and more
  • Stop insider threats by no longer granting default, implicit trust to any user or device inside your network perimeter
  • Restrict lateral movement with granular access policies down to the resource level, reducing the likelihood of a breach
  • Detect, respond to, and recover from successful breaches more quickly and effectively to mitigate their impact
  • Gain deeper visibility into the what, when, how, and where of users’ and entities’ activities with detailed monitoring and logging of sessions and actions taken
  • Assess your risk in real time with detailed authentication logs, device and resource health checks, user and entity behavior analytics, and more

(Adapted in part from “Implementing a Zero Trust Architecture,” a NIST Special Publication)

How Does Zero Trust Architecture Work?

Before we go on, let’s back up and summarize how a traditional network architecture works.

Legacy wide area networks (WANs) were built using a hub-and-spoke design, connecting remote offices to applications in a data center. To access applications on the trusted network, a user only needs to be inside its perimeter, which is secured with perimeter firewalls, hence the term “castle and moat.”

Today’s workers are everywhere, and applications have moved to SaaS and public clouds, but legacy architectures still require users to be on the corporate network—locally or via VPN—to access apps, even in the cloud. Meanwhile, using public clouds expands your attack surface and risk, and backhauling all traffic through perimeter firewalls creates a network security bottleneck that slows you down at best and provides inadequate protection at worst.

That’s why modern organizations need a zero trust architecture. Watch our short video for a simple rundown.

Zero trust architecture delivers ZTNA, providing user-to-app segmentation that secures access in a fundamentally different way from network segmentation and other traditional models. Next, let’s look at how ZTNA is implemented and delivered.

Two Approaches to Implementing Zero Trust Network Access

Providers of zero trust solutions can help you deliver ZTNA in two distinct ways.

Endpoint-initiated ZTNA

Here, an endpoint or end user initiates access to an application. A lightweight agent installed on an endpoint communicates with a controller, which authenticates the user's identity and provisions connectivity to a specific application the user is authorized to access. The need to install an agent or other local software on mobile devices and unmanaged BYOD/IoT devices can make endpoint-initiated ZTNA difficult or even impossible to implement.

Service-initiated ZTNA

Here, a broker initiates connections between users and applications. A connector residing in your data center or cloud establishes connections from your business apps to the broker. After user authentication, the traffic passes through the ZTNA service and directly to the user's endpoint. This doesn't require an endpoint agent, making it useful for securing unmanaged devices and granting access for partners and customers. Some service-initiated ZTNA can use browser-based access for web apps.

Two Delivery Models for Zero Trust Network Access

Beyond your implementation model, you can adopt ZTNA as a standalone product or as a service. Each approach has unique characteristics, and your organization's specific needs, security strategy, and ecosystem ultimately determine the best choice.

ZTNA as a Standalone Product

Standalone ZTNA offerings require you to deploy and manage all elements of the product. The infrastructure sits at the edge of your environment, whether that’s in your data center or a cloud, and brokers secure connections between users and applications. Some cloud infrastructure as a service providers offer ZTNA capabilities as well.


  • Your organization is 100% responsible for deploying, managing, and maintaining ZTNA infrastructure
  • Some vendors support both standalone and cloud-service ZTNA offerings
  • Standalone deployment is a good fit for cloud-averse enterprises
Conceptual Model of Endpoint-Initiated ZTNA

ZTNA as a Cloud Service

With ZTNA as a cloud-hosted service, you use a vendor’s infrastructure for security policy enforcement. You buy user licenses and deploy lightweight connectors that sit in front of your applications in all environments, and the vendor delivers the connectivity, capacity, and infrastructure. Access is established through brokered connections between users and applications, effectively decoupling application access from network access and never exposing IPs to the internet.


  • Deployment is easier since you don't need infrastructure
  • Management is simpler, with one admin portal for global enforcement
  • Automation selects optimal traffic pathways for the fastest access to all users globally
Conceptual Model of Endpoint-Initiated ZTNA


Some cloud-delivered services allow for a software package to be deployed on-premises. The software runs on your infrastructure but is still delivered as part of the service and managed by the vendor.

Learn more about on-premises ZTNA.

Video: Understanding Zero Trust Architecture

Zscaler Zero Trust Network Access

We’re proud to offer Zscaler Private Access™, the world’s most deployed ZTNA platform, built on the unique Zscaler zero trust architecture. ZPA applies the principles of least privilege to give users secure, direct connections to private applications while eliminating unauthorized access and lateral movement. As a cloud native service, ZPA can be deployed in hours to replace legacy VPNs and remote access tools with a holistic zero trust platform.

Zscaler Private Access delivers:

Peerless security, beyond legacy VPNs and firewalls
Users connect directly to apps, not the network, minimizing the attack surface and eliminating lateral movement.

The end of private app compromise
First-of-its-kind app protection, with inline prevention, deception, and threat isolation, minimizes the risk of compromised users.

Superior productivity for today's hybrid workforce
Lightning-fast access to private apps extends seamlessly across remote users, HQ, branch offices, and third-party partners.

Unified ZTNA for users, workloads, and devices
Employees and partners can securely connect to private apps, services, and OT/IoT devices with the most comprehensive ZTNA platform.

Ready to find out more, or see Zscaler Private Access in action? Request a custom demo now.


Learn more about ZTNA

Check out these additional resources: