Home » Blog » Zero Trust Network Access vs. VPN for Branch and Edge Networking
When comparing zero trust network access vs. VPN, they both have benefits for security, speed, and scalability

Organizations are starting to recognize the benefits of edge computing, which moves data processing resources closer to the sources of data generation and away from the central data center. In addition, businesses are becoming more geographically dispersed, with branch offices, manufacturing facilities, and other remote sites around the world.

While larger remote sites are typically connected to the enterprise network via WAN or SD-WAN, this may not be feasible for smaller branches with fewer staff. Traditionally, VPNs (virtual private networks) are used to create a private connection for remote systems and users. However, a new technology called Zero Trust Network Access improves upon VPNs by providing faster and more secure remote connections.

What is a VPN?

A VPN, or virtual private network, is a service that creates an encrypted connection between a device and a network. In this particular use case, VPNs are used to extend the enterprise network to branch and edge locations. Often, organizations use VPNs as an alternative to installing expensive WAN solutions in very small remote sites. They’re also used to connect sites that are unreachable by traditional network infrastructure, such as offshore oil rigs.

Though VPN traffic is encrypted, there are still security risks. Many VPNs still use single-factor authentication, meaning all you need is a username and password to connect. If a remote user’s account information is stolen, a hacker could easily gain access because they don’t need to provide a second form of identity verification.

In addition, VPNs grant complete access to the enterprise network, trusting remote users and devices just like they were in the main office. That means a malicious actor could use a compromised account or stolen laptop to move laterally around your enterprise network, stealing whatever data they can find.

What is Zero Trust Network Access (ZTNA)?

Zero trust network access, or ZTNA, is another product or service that connects remote users and devices to enterprise network resources. However, instead of creating a tunnel to the enterprise network itself, ZTNA directly connects users to the applications and services they need. Users then need to re-verify their identity and re-establish trust before they access another application.

ZTNA follows the “dark cloud” concept, which prevents remote users from seeing or interacting with any of the data, systems, or applications they aren’t explicitly authenticated to. Microsegmentation is used to create perimeters around each resource with granular, context-based access control policies.

For example, if a branch office employee uses ZTNA to access the shipping system, they can’t see or touch the payroll application unless they authenticate to that specific resource. If the account is behaving suspiciously (logging in at unusual times, accessing resources it doesn’t typically need, etc.) then the account is locked until trust can be re-established. The dark cloud principle prevents malicious actors from discovering valuable resources and moving laterally on the enterprise network.

Comparing zero trust network access vs. VPN for branch and edge networking


Zero trust network access is more secure than VPNs because it follows the zero trust security model of “never trust, always verify.” Branch and edge accounts are assumed to be untrustworthy until they prove otherwise through repeated identity verification and trustworthy behavior. Remote accounts never have full access to the enterprise network and can only see and interact with the specific resources they’re presently authenticated to.


While newer VPNs may allow integrations with third-party MFA (multi-factor authentication) providers like Okta, many organizations are still using single-factor authentication for VPN clients. That makes it much easier for a hacker to use a single set of stolen credentials to gain unrestricted access to the enterprise network. In addition, if a branch employee leaves their VPN session active and their laptop is stolen (for example, because it was in an unsecured building that’s open to the public), the thief can use that session to jump around the network without ever needing to re-verify or re-authenticate.


VPN connections are notoriously slow. All VPN traffic needs to be backhauled through a centralized concentrator, which creates massive bottlenecks and network latency. ZTNA, on the other hand, connects branch and edge devices directly to the resources they need. If that resource lives on the web or in the cloud, the traffic bypasses the enterprise network entirely, reducing the load and improving performance for everyone.


Finally, VPNs are meant to be deployed to individual users on a case-by-case basis. Scaling up is difficult and expensive because you need to purchase licenses and install software for each machine that connects. Also, the more VPN connections, the greater the impact on network performance, and the more VPN concentrator solutions you’ll need to deploy to distribute the load. Gartner predicts that by 2025, 75% of enterprise-generated data will be processed at the edge, so individual VPN solutions won’t be able to keep up.

ZTNA is often delivered on the “as-a-service” model, which means it’s hosted in the cloud and doesn’t require any customer premises equipment (CPE). Licenses are scaled up or down at the click of a button, and there’s no software to install on remote machines. This makes ZTNA the ideal choice for enterprises hoping to expand their global reach or scale up their edge computing capabilities.

Deploying ZTNA for branch and edge networks

Zero trust network access is available as a standalone service, but you can also find it among the cloud-oriented security stack in a Security Service Edge (SSE) solution. SSE combines ZTNA with security technology such as Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Firewall-as-a-Service (FWaaS). This suite of cloud security features delivers comprehensive protection for branch and edge networks while reducing the need for remote traffic to pass through the central data center.

Learn more about branch and edge networking:

Need more help on branch and edge networking?

Need more help comparing zero trust network access vs. VPN for branch and edge use cases?

Contact ZPE Systems