Hybrid work is a given these days, as are cloud-first strategies – which means cyber security teams face an urgent reality: traditional network architectures are no longer enough. Perimeter-based models – especially those relying on VPNs – are increasingly ineffective against modern threat actors who thrive on lateral movement and credential theft.
The old VPN model, often likened to a castle-and-moat design, trusts users implicitly once they’re inside the network. But that trust is easily abused. Once attackers gain initial access – whether through stolen credentials, phishing or malware – they can move freely, escalate privileges and compromise critical systems from the inside. It’s a weakness that ransomware gangs and nation-state actors have repeatedly exploited.
Enter zero trust and ZTNA 2.0
Rather than assuming trust based on location or initial login, zero trust operates on a radically different premise: never trust, always verify. But modern threats have required an evolution of that concept – one that goes beyond static access checks to something far more dynamic.
Continuous verification, not just at the gate
Zero trust network access (ZTNA) 2.0 represents the next phase of zero trust. It doesn’t just check credentials at login and open the gates. It continuously evaluates context – the user’s identity, device health, location, behaviour and the sensitivity of the application being accessed.
If anything changes – such as a device becoming non-compliant or a user suddenly accessing unfamiliar resources – access can be limited or revoked in real-time. This granular, adaptive control is what makes ZTNA 2.0 such a powerful deterrent against lateral movement, insider threats and credential misuse.
Whereas ZTNA 1.0 implementations typically relied on basic identity checks and provided broad access after authentication, ZTNA 2.0 inspects all traffic – not just initial access – and enforces least-privilege access continuously.
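The contrast between a login-time check and per-request evaluation, as an added sketch that is not from the article or from any vendor's product. The field names, risk thresholds, entitlements and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy: maximum tolerated behaviour-risk score per app sensitivity tier.
MAX_RISK = {"low": 70, "high": 30}

@dataclass
class Context:               # signals gathered for one request (constructed model)
    user: str
    authenticated: bool
    device_compliant: bool
    country: str
    risk_score: int          # 0 = normal behaviour, 100 = highly anomalous

@dataclass
class Session:
    user: str
    entitlements: dict       # app name -> sensitivity tier
    usual_countries: set
    revoked: bool = False

def login_only_check(session, ctx, app):
    """Login-time model: trust is decided once, at authentication."""
    return "allow" if ctx.authenticated else "deny"

def continuous_check(session, ctx, app):
    """Per-request model: identity, posture, location, behaviour, app sensitivity."""
    if session.revoked or not ctx.authenticated or ctx.user != session.user:
        return "deny"
    tier = session.entitlements.get(app)
    if tier is None:                        # least privilege: no entitlement, no access
        return "deny"
    if not ctx.device_compliant or ctx.risk_score > MAX_RISK["low"]:
        session.revoked = True              # end the whole session, not just this request
        return "revoke"
    unusual_place = ctx.country not in session.usual_countries
    if tier == "high" and (unusual_place or ctx.risk_score > MAX_RISK["high"]):
        return "step_up"                    # limit access until the user re-verifies
    return "allow"

def replay(check):
    """Run one constructed session through a policy and return its decisions."""
    session = Session("alice", {"wiki": "low", "payroll": "high"}, {"ZA"})
    requests = [                                             # constructed sample traffic
        (Context("alice", True, True, "ZA", 5), "wiki"),     # normal use
        (Context("alice", True, True, "ZA", 5), "hr-db"),    # app outside entitlements
        (Context("alice", True, True, "DE", 10), "payroll"), # sensitive app, new location
        (Context("alice", True, False, "ZA", 10), "wiki"),   # device fell out of compliance
        (Context("alice", True, True, "ZA", 5), "wiki"),     # same session, after revocation
    ]
    return [check(session, ctx, app) for ctx, app in requests]
```

The login-only policy allows all five requests, while the per-request policy denies the unentitled application, asks for re-verification from the unfamiliar location, and revokes the session once the device fails posture.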
Breaking the attacker’s playbook
Attackers think in terms of paths: gain access, escalate privileges, move laterally, execute objectives. Defenders must adopt the same mindset – and then design infrastructure to block each of those steps.
ZTNA 2.0 directly addresses this by denying implicit trust and constantly evaluating behaviour and risk signals. Unlike traditional security tools that alert after the damage has begun, this model acts proactively – isolating and shutting down abnormal sessions in real-time.
This is especially crucial in remote and hybrid environments where users may connect from personal devices, unsecured networks or unfamiliar geographies. In such scenarios, ZTNA 2.0 limits access to only what is necessary, and only for as long as necessary.
From risk mitigation to business enablement
The strategic advantage of ZTNA 2.0 lies not only in reducing risk but in enabling secure digital transformation. By removing the dependency on VPNs, organisations can:
- Eliminate expensive MPLS circuits and complex backhauling.
- Improve user experience with local breakout and faster application access.
- Support cloud adoption and remote work securely.
- Reduce the operational overhead of legacy security tools.
It’s a model that doesn’t just protect – it empowers. When security is built into every layer of access and application use, innovation can thrive without fear of compromise.
Towards a unified security fabric
For zero trust to work at scale, it needs to be part of a broader architecture – one that integrates networking and security in a seamless way. This is where secure access service edge (SASE) platforms, like Palo Alto Networks’ Prisma Access, come in. By combining firewall, threat prevention, CASB, SWG and DNS security into a single, cloud-delivered solution, Prisma Access operationalises zero trust at the edge – where users connect. With built-in support for ZTNA 2.0, Prisma Access ensures that every connection is inspected, every user is verified and every risk signal is acted on – all without slowing down performance or compromising experience.
Security that thinks like an attacker
The real test of a security architecture is not just whether it blocks known threats, but whether it can disrupt the attacker’s entire kill chain. Zero trust and ZTNA 2.0 are designed to do exactly that – making it harder to move inside the network, harder to hide malicious activity and easier for defenders to contain threats before they spread.
It’s a shift from reactive defence to pre-emptive resilience – and in today’s threat landscape, that shift is no longer optional. NEC XON has been at the forefront of this evolution, leading some of the largest Prisma Access and SASE deployments across South Africa.
NEC XON
NEC XON is a leading African integrator of ICT solutions and part of NEC, a Japanese global company. The holding company has operated in Africa since 1963 and delivers communications, energy, safety, security, and digital solutions. It co-creates social value through innovation to help overcome serious societal challenges. The organisation operates in 54 African countries and has a footprint in 16 of them. Regional headquarters are located in South, East, and West Africa. NEC XON is a level 1-certified broad-based black economic empowerment (B-BBEE) business. Discover more at www.nec.africa.