Resources > Security Terms Glossary > What is a Zero Trust Network Architecture

What Is a Zero Trust Network Architecture?

What is a zero trust network architecture?

Fundamentally, a zero trust network architecture is a security architecture built to reduce a network's attack surface and prevent lateral movement of threats based on the core tenets of the zero trust approach first outlined by John Kindervag at Forrester Research.

In the zero trust security model, the notion of the "network perimeter"—inside of which all devices and users are presumed trustworthy and given broad access permissions—is put aside. Instead, your sensitive data is secured behind least-privilege access controls, granular microsegmentation, and multifactor authentication (MFA) that give no user or device implicit trust. This far tighter access management strategy significantly lowers an organization's risk of a data breach.

Before looking at different zero trust architectures in more detail, let's summarize the background of zero trust network access (ZTNA) as a network security framework. Called software-defined perimeter (SDP) in its early iteration, ZTNA has become popular because organizations need to offer users secure access to applications and data when the users and/or what they want to access may not be inside a traditional security perimeter (something legacy firewalls can't do). With more remote workers today than ever, this has become especially critical. To enable this secure access, organizations need to make their systems, services, APIs, data, and processes accessible anywhere and at any time, from any device over the internet.

A zero trust network architecture provides the precise, contextual user access necessary for this while shielding services from hackers and malware. All in all, it offers an improved user experience, greater agility and adaptability, and simplified policy management. Cloud-based ZTNA offers even more, including massive scalability and ease of adoption.

Gartner defined ZTNA to provide a model for eliminating the excessive trust extended to employees and partners as they connect to apps and data using traditional technologies like VPNs. Within ZTNA, nothing is trusted until it proves itself trustworthy—and even then, trust validation is reassessed in real time as the context (the user’s location, device, application, etc.) changes.


Two approaches to implementing zero trust network architecture

There are two distinct architectures when delivering ZTNA: endpoint-initiated and service-initiated.

Endpoint-initiated ZTNA, where the endpoint or end user is initiating access to an application, is closest to the original SDP specification. An agent (a lightweight software application) installed on end user devices communicates with a controller, which authenticates the user's identity and provisions connectivity to a specific application the user is authorized to access. Endpoint-initiated ZTNA can be difficult or even impossible to implement on unmanaged devices (especially IoT devices) because of the need to install some form of agent or local software.

In service-initiated ZTNA, a ZTNA broker initiates connections between users and applications. In this instance, a lightweight connector sits in front of business applications located in a customer’s data center or cloud, and establishes an outbound connection from the requested application to the broker. Once the user is authenticated by the provider, the traffic will pass through the ZTNA service provider, which isolates applications from direct access via proxy. This approach doesn't require an agent on the end user’s device, making it useful for securing unmanaged (BYOD) devices as well as granting access for partners and customers. Some service-initiated ZTNA services can use browser-based access for web apps.

The two delivery models for zero trust network access

Beyond the differences between endpoint-initiated and service-initiated architectures, you can adopt ZTNA as a standalone product or as a service. Gartner recommends service-based models, but each approach has unique characteristics. Ultimately, your organization's specific needs, security strategy, and ecosystem determine the best choice.

ZTNA as a standalone product

Standalone ZTNA offerings require you to deploy and manage all elements of the product. The infrastructure sits at the edge of your environment, whether that’s in your data center or a cloud, and brokers secure connections between users and applications. Some cloud infrastructure-as-a-service providers offer ZTNA capabilities as well.


  • You're 100% responsible for deploying, managing, and maintaining ZTNA infrastructure.
  • Some vendors support both standalone and cloud-service ZTNA offerings.
  • Standalone deployment is a good fit for cloud-averse enterprises.
Conceptual Model of Endpoint-Initiated ZTNA

ZTNA as a cloud service

With ZTNA as a cloud-hosted service, you use a vendor’s cloud infrastructure for policy enforcement. You buy user licenses and deploy lightweight connectors that sit in front of your applications in all environments, and the vendor delivers the connectivity, capacity, and infrastructure. Access is established through brokered, inside-out connections between users and applications, effectively decoupling application access from network access and never exposing IPs to the internet.


  • Deployment is easier since you don't need infrastructure.
  • Management is simpler, with one admin portal for global enforcement via the cloud service.
  • Automation selects optimal traffic pathways for the fastest access to all users globally.
Conceptual Model of Endpoint-Initiated ZTNA


Some cloud-delivered services allow for a software package to be deployed on-premises. The software runs on your infrastructure but is still delivered as part of the service and managed by the vendor.

Learn more about on-premises ZTNA.

Apparent in client interaction, the as-a-service flavor is rapidly outpacing the stand-alone flavor. Gartner estimates that more than 90% of clients are implementing the as-a-service flavor.

Gartner Market Guide for Zero Trust Network Access, 8 June 2020

Gartner recommendations when deploying a zero trust network architecture 

Gartner’s 2020 Market Guide for Zero Trust Network Access outlined numerous factors you should consider when choosing a ZTNA solution for your organization. We'll summarize the most relevant ones here:

  1. Does the vendor require installation of an endpoint agent? If so, how does the agent behave in the presence of other agents? What OS and mobile devices are supported?
  2. Does the offering support only web apps, or does it also support legacy (data center) applications?
  3. Does the service delivery method meet your security and residency requirements?
  4. To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part of the isolated app’s security requirements?
  5. What authentication standards does the trust broker support? Can it integrate with an on-premises directory or cloud-based identity services? Does it integrate with your existing identity provider?
  6. How geographically diverse are the vendor’s points of presence worldwide?
  7. After the user and device pass authentication, does the trust broker stay in the data path?
  8. Does the offering integrate with unified endpoint management providers, or can the local agent factor device health and security posture into access decisions? What UEM vendors has the ZTNA vendor partnered with?

    Video: Understanding the Gartner-recommended zero trust network architecture