Zero Trust Network Access
Zero Trust Network Access (ZTNA) is a security framework and product category that grants access to private applications and resources based on identity, device posture, and context, rather than network location. ZTNA replaces the implicit trust of legacy VPNs with explicit per-request verification, creating one-to-one encrypted tunnels between authenticated users and the specific applications they are authorized to use. This topic collects the leading ZTNA vendors, the standards bodies that govern the underlying primitives, and the data schemas used to describe access policies, identities, devices, and resources.
Features
Identity-Centric Access: Access decisions are based on user and workload identity rather than network location.
Application-Level Tunnels: One-to-one encrypted connections between authenticated users and specific applications.
Device Posture Checks: Continuous evaluation of device health, OS patch level, EDR status, and certificate state.
Context-Aware Policy: Policies factor in time, location, risk score, and behavior in addition to identity.
Application Cloaking: Private applications are dark to the public internet and not advertised by IP or DNS.
SSO and MFA Integration: Native integration with SAML, OIDC, and modern MFA providers.
Microsegmentation: Lateral movement is prevented by issuing scoped, per-application access.
Continuous Authorization: Sessions are reauthenticated and reauthorized as conditions change.

Use Cases
VPN Replacement: Replacing legacy site-to-site and remote-access VPNs with identity-aware brokered access.
Third-Party Contractor Access: Granting time-bounded, application-scoped access to vendors and contractors.
M&A Network Integration: Enabling acquired companies to reach internal applications without merging networks.
BYOD Access: Allowing personal and unmanaged devices to access selected applications under posture rules.
Privileged Access: Brokering jump-host and bastion access to sensitive infrastructure.
Multi-Cloud Application Access: Providing consistent ZTNA across applications hosted in AWS, Azure, GCP, and on-premises.

Integrations
Okta: Enterprise identity provider used by virtually all ZTNA platforms.
Microsoft Entra ID: Cloud identity platform integrated as IdP for ZTNA brokers.
CrowdStrike Falcon: EDR signals fed into ZTNA device-posture rules.
SentinelOne: EDR signals fed into ZTNA device-posture rules.
Jamf: macOS / iOS MDM signals integrated into device posture for ZTNA.
Intune: Microsoft Endpoint Manager signals integrated into device posture for ZTNA.
Splunk: SIEM destination for ZTNA access and audit logs.
ServiceNow: ITSM workflow integration for granting and revoking ZTNA access.
aid: zero-trust-network-access
name: Zero Trust Network Access
description: >-
  Zero Trust Network Access (ZTNA) is a security framework and product
  category that grants access to private applications and resources based on
  identity, device posture, and context, rather than network location. ZTNA
  replaces the implicit trust of legacy VPNs with explicit per-request
  verification, creating one-to-one encrypted tunnels between authenticated
  users and the specific applications they are authorized to use. This topic
  collects the leading ZTNA vendors, the standards bodies that govern the
  underlying primitives, and the data schemas used to describe access
  policies, identities, devices, and resources.
type: Index
url: https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
tags:
  - Access Control
  - Cloud Security
  - Cybersecurity
  - Identity Management
  - Network Access
  - Network Security
  - Security
  - VPN Replacement
  - Zero Trust
  - ZTNA
created: '2025'
modified: '2026-05-03'
specificationVersion: '0.19'
apis:
  - aid: zero-trust-network-access:cloudflare-zero-trust
    name: Cloudflare Zero Trust API
    description: >-
      Cloudflare Zero Trust (formerly Cloudflare for Teams / Cloudflare
      Access) provides ZTNA, secure web gateway, browser isolation, CASB,
      and DLP through a single global edge platform. The Cloudflare API
      exposes endpoints for managing Access applications, policies, identity
      providers, device posture, tunnels, and gateway rules.
    humanURL: https://developers.cloudflare.com/cloudflare-one/
    tags:
      - Cloudflare
      - SASE
      - ZTNA
    properties:
      - type: Documentation
        url: https://developers.cloudflare.com/cloudflare-one/
      - type: APIReference
        url: https://developers.cloudflare.com/api/
      - type: Authentication
        url: https://developers.cloudflare.com/fundamentals/api/get-started/keys/
  - aid: zero-trust-network-access:zscaler-zpa
    name: Zscaler Private Access (ZPA) API
    description: >-
      Zscaler Private Access is a cloud-native ZTNA service that connects
      authenticated users to private applications without exposing them to
      the internet or placing them on the corporate network. The ZPA Public
      API supports application segments, server groups, policies, posture
      profiles, and connector groups.
    humanURL: https://help.zscaler.com/zpa/api-reference
    tags:
      - SASE
      - Zscaler
      - ZTNA
    properties:
      - type: Documentation
        url: https://help.zscaler.com/zpa
      - type: APIReference
        url: https://help.zscaler.com/zpa/api-reference
  - aid: zero-trust-network-access:netskope-private-access
    name: Netskope Private Access API
    description: >-
      Netskope Private Access provides ZTNA as part of the Netskope SASE
      platform, brokering authenticated access to private applications across
      cloud and on-premises. The Netskope REST API surfaces operations on
      private apps, publishers, policies, and risk events.
    humanURL: https://docs.netskope.com/en/netskope-help/admin-console/rest-api/
    tags:
      - Netskope
      - SASE
      - ZTNA
    properties:
      - type: Documentation
        url: https://docs.netskope.com/en/netskope-help/admin-console/rest-api/
  - aid: zero-trust-network-access:palo-alto-prisma-access
    name: Palo Alto Prisma Access (Prisma SASE) API
    description: >-
      Palo Alto Networks Prisma Access offers cloud-delivered ZTNA, SWG, and
      FWaaS as part of the Prisma SASE platform. The Prisma Access REST API
      exposes operations on remote networks, mobile users, security policies,
      and decryption rules.
    humanURL: https://docs.paloaltonetworks.com/prisma/prisma-access
    tags:
      - Palo Alto
      - SASE
      - ZTNA
    properties:
      - type: Documentation
        url: https://docs.paloaltonetworks.com/prisma/prisma-access
  - aid: zero-trust-network-access:tailscale-api
    name: Tailscale API
    description: >-
      Tailscale is a WireGuard-based mesh-VPN ZTNA platform that exposes a
      REST API for managing devices, ACL policies, tailnet keys, DNS, and
      audit logs. It implements identity-based device-to-device tunnels
      brokered by an identity-aware control plane.
    humanURL: https://tailscale.com/api
    tags:
      - Mesh VPN
      - Tailscale
      - WireGuard
      - ZTNA
    properties:
      - type: Documentation
        url: https://tailscale.com/api
      - type: APIReference
        url: https://tailscale.com/api
      - type: GitHubOrganization
        url: https://github.com/tailscale
  - aid: zero-trust-network-access:twingate-api
    name: Twingate API
    description: >-
      Twingate is a software-defined ZTNA platform that exposes a GraphQL
      Admin API for managing remote networks, resources, groups, users,
      service accounts, and connectors.
    humanURL: https://www.twingate.com/docs/api
    tags:
      - Twingate
      - ZTNA
    properties:
      - type: Documentation
        url: https://www.twingate.com/docs/api
      - type: APIReference
        url: https://www.twingate.com/docs/api
common:
  - type: Documentation
    title: Cloudflare - What Is Zero Trust
    url: https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
    description: Cloudflare's reference explainer on Zero Trust security and ZTNA.
  - type: Documentation
    title: Gartner Definition of ZTNA
    url: https://www.gartner.com/en/information-technology/glossary/zero-trust-network-access-ztna-
    description: Gartner glossary entry defining ZTNA as a market category.
  - type: Documentation
    title: NIST SP 800-207 (ZTA underpinnings of ZTNA)
    url: https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf
    description: NIST Special Publication 800-207 - the architectural foundation behind ZTNA.
  - type: Compliance
    title: CISA Zero Trust Maturity Model
    url: https://www.cisa.gov/zero-trust-maturity-model
    description: CISA Zero Trust Maturity Model that ZTNA deployments are commonly aligned to.
  - type: Portal
    title: Cloudflare Zero Trust
    url: https://www.cloudflare.com/zero-trust/
  - type: Portal
    title: Zscaler Zero Trust Exchange
    url: https://www.zscaler.com/products-and-solutions/zero-trust-exchange
  - type: Portal
    title: Netskope SASE
    url: https://www.netskope.com/platform/sase
  - type: Portal
    title: Palo Alto Networks Prisma Access
    url: https://www.paloaltonetworks.com/sase/access
  - type: Portal
    title: Tailscale
    url: https://tailscale.com/
  - type: Portal
    title: Twingate
    url: https://www.twingate.com/
  - type: GitHubOrganization
    title: Tailscale on GitHub
    url: https://github.com/tailscale
  - type: GitHubOrganization
    title: WireGuard
    url: https://github.com/WireGuard
  - type: JSONSchema
    title: ZTNA Access Policy Schema
    url: json-schema/zero-trust-network-access-policy-schema.json
  - type: JSONSchema
    title: ZTNA Application Schema
    url: json-schema/zero-trust-network-access-application-schema.json
  - type: JSONSchema
    title: ZTNA Device Posture Schema
    url: json-schema/zero-trust-network-access-device-posture-schema.json
  - type: JSONStructure
    title: ZTNA Access Policy Structure
    url: json-structure/zero-trust-network-access-policy-structure.json
  - type: JSONLD
    title: ZTNA JSON-LD Context
    url: json-ld/zero-trust-network-access-context.jsonld
  - type: CodeExamples
    title: ZTNA Access Policy Example
    url: examples/zero-trust-network-access-policy-example.json
  - type: CodeExamples
    title: ZTNA Device Posture Example
    url: examples/zero-trust-network-access-device-posture-example.json
  - type: Resources
    title: ZTNA Vocabulary
    url: vocabulary/zero-trust-network-access-vocabulary.yaml
  - type: Features
    data:
      - name: Identity-Centric Access
        description: Access decisions are based on user and workload identity rather than network location.
      - name: Application-Level Tunnels
        description: One-to-one encrypted connections between authenticated users and specific applications.
      - name: Device Posture Checks
        description: Continuous evaluation of device health, OS patch level, EDR status, and certificate state.
      - name: Context-Aware Policy
        description: Policies factor in time, location, risk score, and behavior in addition to identity.
      - name: Application Cloaking
        description: Private applications are dark to the public internet and not advertised by IP or DNS.
      - name: SSO and MFA Integration
        description: Native integration with SAML, OIDC, and modern MFA providers.
      - name: Microsegmentation
        description: Lateral movement is prevented by issuing scoped, per-application access.
      - name: Continuous Authorization
        description: Sessions are reauthenticated and reauthorized as conditions change.
  - type: UseCases
    data:
      - name: VPN Replacement
        description: Replacing legacy site-to-site and remote-access VPNs with identity-aware brokered access.
      - name: Third-Party Contractor Access
        description: Granting time-bounded, application-scoped access to vendors and contractors.
      - name: M&A Network Integration
        description: Enabling acquired companies to reach internal applications without merging networks.
      - name: BYOD Access
        description: Allowing personal and unmanaged devices to access selected applications under posture rules.
      - name: Privileged Access
        description: Brokering jump-host and bastion access to sensitive infrastructure.
      - name: Multi-Cloud Application Access
        description: Providing consistent ZTNA across applications hosted in AWS, Azure, GCP, and on-premises.
  - type: Integrations
    data:
      - name: Okta
        description: Enterprise identity provider used by virtually all ZTNA platforms.
      - name: Microsoft Entra ID
        description: Cloud identity platform integrated as IdP for ZTNA brokers.
      - name: CrowdStrike Falcon
        description: EDR signals fed into ZTNA device-posture rules.
      - name: SentinelOne
        description: EDR signals fed into ZTNA device-posture rules.
      - name: Jamf
        description: macOS / iOS MDM signals integrated into device posture for ZTNA.
      - name: Intune
        description: Microsoft Endpoint Manager signals integrated into device posture for ZTNA.
      - name: Splunk
        description: SIEM destination for ZTNA access and audit logs.
      - name: ServiceNow
        description: ITSM workflow integration for granting and revoking ZTNA access.
maintainers:
  - FN: Kin Lane
    email: [email protected]