Five Reasons to Embrace ZTNA

Stanislav Elenkrich
Director of Product Management, ESG, Broadcom

Stephen Hearty
Head of Symantec Product Marketing EMEA

October 13, 2025


We don’t need to look far to see why Zero Trust Network Access (ZTNA) is a good idea; it’s right there in the numbers. Third-party breaches jumped to 35.5% of all security incidents in 2024. These numbers highlight the need for strong authentication – not just at the edge, but throughout the organization. That’s what ZTNA provides.

Many IT teams still cling to their VPNs, convinced they’re good enough for today’s hybrid workforce. In reality, your VPN is operating on an outdated model that’s putting your organization at risk. That’s why Gartner predicted that ZTNA would serve at least 70% of new remote access deployments by the end of 2025, as opposed to VPN services. ZTNA is a proven path for maximizing access security while keeping disruption to a minimum. Here are five reasons to embrace this security approach.

1. VPNs are outdated

Your contractors and remote employees need access to specific applications, not your entire network. Unfortunately, VPNs don’t work that way. They hand over broad network access after a single authentication check. Once inside, attackers can move laterally through your systems, which is exactly what happens in ransomware attacks that exploit VPN vulnerabilities.

Traditional VPNs lack just-in-time privileged access, granting full access to unneeded resources and making end-to-end activity tracing difficult. ZTNA changes the game by providing application-level connectivity between authenticated users and only specific applications, eliminating network-wide exposure. Resources stay cloaked and invisible to unauthorized users.
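The contrast above, as an added illustration rather than Symantec code: a flat VPN grant that exposes every host once a single authentication passes, beside a ZTNA-style broker that evaluates each request against a per-application policy, defaults to deny, and re-checks device posture every time the session is used. The policy table, application inventory, group names and IP addresses are all constructed for the example.

```python
"""Added example (not from the original post or from Symantec): flat VPN
network grant versus per-application, default-deny ZTNA decisions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    device_managed: bool   # posture signal from the endpoint agent
    mfa_passed: bool       # result of the authentication step
    app: str               # application the user is asking for


# Hypothetical application inventory: app name -> the single host serving it.
APP_HOSTS = {
    "payroll": "10.0.5.10",
    "wiki": "10.0.7.20",
    "jenkins": "10.0.9.30",
}

# Hypothetical ZTNA policy: who may reach each app and the posture they need.
ZTNA_POLICY = {
    "payroll": {"groups": {"finance"}, "require_managed": True},
    "wiki": {"groups": {"employees", "contractors"}, "require_managed": False},
    "jenkins": {"groups": {"engineering", "contractors"}, "require_managed": True},
}


def vpn_reachable(req: Request) -> set[str]:
    """VPN model: one authentication check, then the whole network is reachable.

    The requested app is irrelevant; every host becomes a lateral-movement target.
    """
    if not req.mfa_passed:
        return set()
    return set(APP_HOSTS.values())


def ztna_reachable(req: Request) -> set[str]:
    """ZTNA model: the broker answers only for the requested application.

    Default deny: an unknown app, wrong group or failed posture check yields
    nothing, so the other hosts stay invisible to the caller.
    """
    rule = ZTNA_POLICY.get(req.app)
    if rule is None or not req.mfa_passed:
        return set()
    if req.group not in rule["groups"]:
        return set()
    if rule["require_managed"] and not req.device_managed:
        return set()
    return {APP_HOSTS[req.app]}


class ZtnaSession:
    """Continuous verification: policy is re-run on every use with the
    current posture, so a device that drops out of compliance loses access
    mid-session instead of keeping a tunnel open."""

    def __init__(self, initial: Request) -> None:
        self.request = initial

    def access(self, device_managed_now: bool) -> set[str]:
        current = replace(self.request, device_managed=device_managed_now)
        return ztna_reachable(current)


if __name__ == "__main__":
    # Constructed scenario: a contractor on an unmanaged laptop asks for the wiki.
    contractor = Request("alice", "contractors", False, True, "wiki")
    print("VPN exposes :", sorted(vpn_reachable(contractor)))
    print("ZTNA exposes:", sorted(ztna_reachable(contractor)))
    # Same contractor now probing payroll, as an attacker with her credentials would.
    probe = replace(contractor, app="payroll")
    print("ZTNA on payroll probe:", ztna_reachable(probe))
```

The two functions take the same request, which makes the difference in blast radius explicit: the VPN answer is the full inventory regardless of what was asked for, while the ZTNA answer is at most one host and collapses to nothing when group, posture or application do not line up. `ZtnaSession.access` is where "continuous verification" lives: the decision is recomputed from live posture on each call rather than cached at login.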

2. ZTNA elevates the user experience

Nobody loves VPNs, especially not your users. Routing all traffic through central data centers creates the dreaded ‘hairpinning’ effect, in which user traffic takes the long way round.

Someone in the UK wanting to connect to a server in London shouldn’t need to go via a data center in Munich to get there. It causes latency that makes cloud apps crawl.

Third-party contractors struggle even more when their own devices can’t support clunky VPN clients. It stops them from getting their basic tasks done.

This is where existing Symantec Cloud SWG customers win big. ZTNA integrates seamlessly with that infrastructure, creating a unified Secure Service Edge platform. Symantec SSE delivers Cloud SWG, CASB, DLP, Web Isolation, ZTNA and so much more. This consolidates your security stack while delivering location-agnostic access. That means fewer vendors, simpler management, better integration and reduced costs.

3. ZTNA enhances data protection and provides defence in depth

VPNs give you network connectivity but zero visibility into what users do with your applications and data. Logs are typically scattered across multiple servers and locations, making compliance audits difficult.

Plus, Web Isolation keeps risky content in secure containers, preventing malware from ever touching user devices. This builds enhanced threat prevention directly into the platform.

ZTNA with integrated DLP changes everything. The cloud detector inspects data in motion while maintaining on-premises policy control, ensuring your DLP rules follow users wherever they connect.

You can use DLP to identify sensitive data at risk, then apply granular protection policies. Symantec ZTNA is even integrated with Symantec’s trusted Threat Intelligence Service to inspect all traffic for malicious threats and can block malware uploads from infected devices.

4. ZTNA offers better scalability and performance than VPNs

Traditional VPNs were built for a time when applications lived in data centers and remote work was a rarity. Today, applications are scattered across multiple clouds. Employees and third-party partners alike expect seamless and immediate access from anywhere.

VPNs need expensive DMZ and firewall setups that are complicated to scale. Conversely, Symantec ZTNA runs on Google Cloud’s backbone, delivering rock-solid performance and scale to support organizations of all sizes.

Symantec’s SaaS model means no hardware to manage, no capacity-planning headaches and automatic updates that keep you protected. You can deploy in minutes, not months. And when your Minneapolis team needs to access a London-hosted app, they connect directly with no detours through distant data centers.

5. A phased approach makes it easy to start

Nothing unnerves an IT team like ripping out infrastructure that technically still works. A phased approach to ZTNA deployment lets you keep the VPN running while you transition. Focusing on third-party, contractor and remote worker access first enables you to address your biggest risk at the beginning, creating a quick win that immediately shrinks your attack surface.

Adding threat intelligence to inspect all traffic and DLP to identify and protect sensitive data at risk enables you to flesh out your security, driving it deeper into your data landscape before gradually extending ZTNA across your organization. You can deploy on a per-department or per-location basis, or by user groups.

The proof is in the numbers: we find that roughly 80% of customers who run a proof-of-concept ZTNA project end up purchasing. That’s because starting small proves the value without the risk. You can even position it as a “gradual, phased deployment” to VPN holdouts who insist they’re happy with the status quo or have yet to see the full value of ZTNA.

Lean in to future-proof security

Upgrading from a VPN infrastructure to ZTNA is about fixing fundamental security flaws before they become material issues. We live in a new environment of remote and hybrid work, and of partnerships underpinned by digital access. It’s time to rethink the way we handle access to our computing resources and data by embracing application-level security with continuous verification.