By Koobasen Moodley, Cybersecurity: Principal Security Architect at NEC XON

Hybrid work is a given these days, as are cloud-first strategies - which means cybersecurity teams face an urgent reality: traditional network architectures are no longer enough. Perimeter-based models — especially those relying on VPNs — are increasingly ineffective against modern threat actors who thrive on lateral movement and credential theft.

The old VPN model, often likened to a castle-and-moat design, trusts users implicitly once they’re inside the network. But that trust is easily abused. Once attackers gain initial access — whether through stolen credentials, phishing, or malware — they can move freely, escalate privileges, and compromise critical systems from the inside. It’s a weakness that ransomware gangs and nation-state actors have repeatedly exploited.
Enter Zero Trust and ZTNA 2.0

Rather than assuming trust based on location or initial login, Zero Trust operates on a radically different premise: never trust, always verify. But modern threats have required an evolution of that concept — one that goes beyond static access checks to something far more dynamic.

Continuous Verification, Not Just at the Gate

Zero Trust Network Access (ZTNA) 2.0 represents the next phase of Zero Trust. It doesn’t just check credentials at login and open the gates. It continuously evaluates context — the user’s identity, device health, location, behavior, and the sensitivity of the application being accessed. If anything changes — such as a device becoming non-compliant, or a user suddenly accessing unfamiliar resources — access can be limited or revoked in real time.

This granular, adaptive control is what makes ZTNA 2.0 such a powerful deterrent against lateral movement, insider threats, and credential misuse. Whereas ZTNA 1.0 implementations typically relied on basic identity checks and provided broad access after authentication, ZTNA 2.0 inspects all traffic — not just initial access — and enforces least-privilege access continuously.

Breaking the Attacker’s Playbook

Attackers think in terms of paths: gain access, escalate privileges, move laterally, execute objectives. Defenders must adopt the same mindset — and then design infrastructure to block each of those steps.

ZTNA 2.0 directly addresses this by denying implicit trust and constantly evaluating behavior and risk signals. Unlike traditional security tools that alert after the damage has begun, this model acts proactively — isolating and shutting down abnormal sessions in real time.

This is especially crucial in remote and hybrid environments where users may connect from personal devices, unsecured networks, or unfamiliar geographies. In such scenarios, ZTNA 2.0 limits access to only what is necessary, and only for as long as necessary.
From Risk Mitigation to Business Enablement

The strategic advantage of ZTNA 2.0 lies not only in reducing risk but in enabling secure digital transformation. By removing the dependency on VPNs, organisations can:
Reduce the operational overhead of legacy security tools.

It’s a model that doesn’t just protect — it empowers. When security is built into every layer of access and application use, innovation can thrive without fear of compromise.

Toward a Unified Security Fabric

For Zero Trust to work at scale, it needs to be part of a broader architecture — one that integrates networking and security in a seamless way. This is where Secure Access Service Edge (SASE) platforms like Palo Alto Networks’ Prisma Access come in.

By combining firewall, threat prevention, CASB, SWG, and DNS security into a single, cloud-delivered solution, Prisma Access operationalises Zero Trust at the edge — where users connect. With built-in support for ZTNA 2.0, Prisma Access ensures that every connection is inspected, every user is verified, and every risk signal is acted upon — all without slowing down performance or compromising experience.

Security That Thinks Like an Attacker

The real test of a security architecture is not just whether it blocks known threats, but whether it can disrupt the attacker’s entire kill chain. Zero Trust and ZTNA 2.0 are designed to do exactly that — making it harder to move inside the network, harder to hide malicious activity, and easier for defenders to contain threats before they spread.

It’s a shift from reactive defense to preemptive resilience — and in today’s threat landscape, that shift is no longer optional. NEC XON has been at the forefront of this evolution, leading some of the largest Prisma Access and SASE deployments across South Africa.

About NEC XON

NEC XON is a leading African integrator of ICT solutions and part of NEC, a Japanese global company. The holding company has operated in Africa since 1963 and delivers communications, energy, safety, security, and digital solutions. It co-creates social value through innovation to help overcome serious societal challenges. The organisation operates in 54 African countries and has a footprint in 16 of them.
Regional headquarters are located in South, East, and West Africa. NEC XON is a level 1-certified broad-based black economic empowerment (B-BBEE) business. Discover more at www.nec.africa.

Issued by: Michelle Oelschig, Scarlet Letter
Contact details: 083-636-1766, [email protected]
13/8/2025