/ What Is Universal ZTNA?

What Is Universal ZTNA?

Universal zero trust network access (UZTNA) is the use of ZTNA for on-premises and remote users, with no distinction made as to the user’s location. With universal ZTNA users are granted secure access based on the principle of least privilege whether they’re working in the office, at home, or on the road. UZTNA can serve as a conduit for digital transformation, giving organizations the best possible framework for zero trust initiatives.

Top Reasons to Consider Universal ZTNA

Now more than ever, organizations are discovering the benefits a universal ZTNA model can provide. Here are some of the biggest reasons why companies are making the switch:

  • No need for legacy appliances: UZTNA allows organizations to rid themselves of legacy remote access appliances, such as VPNs, and leverage a 100% software-based access control solution. 
  • Seamless user experiences: With UZTNA, user traffic isn’t backhauled through the data center. Instead, users get fast, direct access to the desired application. 
  • Consistent security: UZTNA ensures that the same zero trust security policies are applied to employees whether they’re working in or out of the office.
  • Effortless scale: A cloud UZTNA service makes scaling capacity easy. An organization just leverages additional licenses.
  • Fast deployment: Unlike other solutions that can take weeks to months to deploy, UZTNA can be deployed from anywhere in a matter of days.

ZTNA vs. Universal ZTNA

In today’s IT and security vernacular, many vendors claim to offer “zero trust network access,” but this typically ends up being a rigid, on-premises network security deployment with legacy network microsegmentation. While this technology may be able to protect in-office users based on a handful of loosely integrated zero trust network access controls, a proper universal ZTNA solution is more akin to a security fabric, delivering zero trust security to all users wherever they’re working. 

This is because a universal ZTNA solution is born in the cloud, typically built on a secure access service edge (SASE) or security service edge (SSE) framework. With universal ZTNA, users are granted access based on the principle of least privilege wherever they work; whether it be in an office, at home, in a coffee shop, or anywhere else with an internet connection.

Secure connectivity to networks, SaaS, and applications from any location is simply not attainable with an on-premises, non-universal framework. Moreover, if a solution claims to deliver zero trust security through on-premises appliances such as firewalls, then it’s not really a zero trust solution, and it’s certainly not a universal ZTNA solution. This is because many of these legacy technologies will grant access based solely on authentication rather than context, device posture, and/or location. 

What’s more, many of these technologies use a passthrough architecture, which allows traffic into the network before it’s inspected—this inherently goes against zero trust principles. Universal ZTNA grants secure network, SaaS, and application access, regardless of where users work from without granting implicit trust, and this unique capability comes from a ZTNA that’s cloud native.


Universal ZTNA vs. VPN

Among the most popular legacy security solutions in use today, VPNs are meant to simplify access management by allowing end users to securely access a network, and therefore corporate resources, by way of a designated tunnel, usually through single sign-on (SSO).

For many years, VPNs worked well for users who needed to work remotely for a day or two. However, as the world saw more and more long-term remote workers—leading, eventually, to work-from-anywhere—a lack of scalability alongside high costs and maintenance requirements made VPNs ineffective. What’s more, rapid adoption of the public cloud meant that it not only became more difficult to apply security policies to these remote workers, but also hurt the user experience.

The main problem with VPNs, however, is the attack surface they create. Any user or entity with the right SSO credentials can log on to a VPN and move laterally throughout the network, giving them access to all the network, endpoints, and data the VPN was meant to protect.

Universal ZTNA secures user access by granting it on the principle of least privilege. Rather than trusting on the basis of correct credentials, zero trust only grants authentication only under the correct context—that is, when the user, identity, device, and location all match up.

Furthermore, universal ZTNA provides granular access to resources rather than network access. Users are connected directly and securely to the applications and data they need, removing the possibility of lateral movement by malicious users. Plus, because user connections are direct, experiences are vastly improved when leveraging a UZTNA framework.


Universal ZTNA: Implementing Zero Trust Principles

Universal ZTNA is about more than user identity, segmentation, and secure access. It's a strategy upon which to build a cybersecurity ecosystem. At its core are three tenets:

  1. Terminate every connection: Technologies like firewalls use a “passthrough” approach, inspecting files as they are delivered. If a malicious file is detected, alerts are often too late. An effective UZTNA solution terminates every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real time—before it reaches its destination—to prevent ransomware, malware, and more.
  2. Protect data using granular context-based policies: Zero trust policies verify access requests and rights based on context, including user identity, device, location, type of content, and the application being requested. Policies are adaptive, so user access privileges are continually reassessed as context changes.
  3. Reduce risk by eliminating the attack surface: With UZTNA, users connect directly to the apps and resources they need, never to networks. Direct user-to-app and app-to-app connections eliminate the risk of lateral movement and prevent compromised devices from infecting other resources. Plus, users and apps are invisible to the internet, so they can’t be discovered or attacked.

Universal ZTNA with Zscaler

We’re proud to offer Zscaler Private Access™, the world’s most deployed ZTNA platform, built on the unique Zscaler zero trust architecture (ZTA). Cloud-based ZPA applies the principles of least privilege to give users secure, direct connections to private applications while eliminating unauthorized access and lateral movement. As a cloud native service, ZPA can be deployed in hours to replace legacy VPNs and remote access tools with a holistic zero trust platform.

Secure private access solution diagram

Zscaler Private Access delivers:

  • Peerless security, beyond legacy VPNs and firewalls: Users connect directly to apps, not the network, minimizing the attack surface and eliminating lateral movement.
  • The end of private app compromise: First-of-its-kind app protection, with inline traffic inspection and threat prevention, integrated deception, and threat isolation minimizes the risk of compromised users.
  • Superior productivity for today's hybrid workforce: Lightning-fast secure access to private apps extends seamlessly across remote users, HQ, branch offices, and third-party partners.
  • Unified, universal ZTNA for users, workloads, and devices: Employees and partners can securely connect to private apps, services, and OT/IoT devices with the most comprehensive ZTNA platform.

Suggested Resources

What Is Zero Trust?
Read the article
What Is Zero Trust Network Access (ZTNA)?
Read the article
What Is the Zero Trust Exchange?
Read the article
Discover the Power of the Zscaler Zero Trust Exchange
Explore our platform
01 / 02
Frequently Asked Questions