As enterprises move away from VPNs and perimeter-based access models, Zero Trust Network Access (ZTNA) is quickly becoming the gold standard for secure, scalable remote access. But not all ZTNA solutions are created equal. Some require agents. Others only focus on identity without device context. Many promise “zero trust” while offering little more than access brokers.
Starting Your ZTNA Checklist
If you’re evaluating ZTNA solutions in 2025, this ZTNA checklist will walk you through the key questions and features to assess — so you can avoid complexity, future-proof your investment, and align your access control strategy with true zero trust principles.
Do you need an agent for enforcement?
✅ Must-have on your ZTNA checklist: Agentless or lightweight deployment
🚩 Watch out for: Mandatory endpoint agents that slow adoption
Agents increase friction for end-users, add IT overhead, and often require complex compatibility testing. A modern ZTNA platform should offer agentless enforcement wherever possible — especially for SaaS access and BYOD scenarios.
➡️ Portnox Insight: Portnox ZTNA uses agentless enforcement with optional lightweight posture tools — zero-touch for end-users.
Does the platform enforce device posture checks?
✅ Must-have on your ZTNA checklist: Real-time device health, OS status, disk encryption, antivirus, patching, etc.
🚩 Watch out for: ZTNA tools that verify identity only
Identity is only half the zero trust equation. Device risk is just as critical — especially in hybrid workforces where unmanaged devices are common. A ZTNA solution must be able to block or limit access based on device posture.
➡️ Portnox Insight: Device posture enforcement is native to Portnox Cloud, with customizable compliance policies.
Can it cover both on-prem and cloud apps?
✅ Must-have on your ZTNA checklist: Application-agnostic ZTNA that supports SaaS, IaaS, and legacy apps
🚩 Watch out for: ZTNA tools that only proxy web-based SaaS
You shouldn’t have to run two systems to cover your internal tools and your cloud stack. Unified access across all application types ensures consistent policies, better visibility, and smoother compliance.
➡️ Portnox Insight: Portnox ZTNA can secure both SaaS and private/internal apps without a VPN.
How is access granted — per network or per resource?
✅ Must-have on your ZTNA checklist: Per-resource, least-privilege access based on policy
🚩 Watch out for: Tools that drop users onto a flat network (like a glorified VPN)
ZTNA isn’t about “network access”—it’s about application and resource access based on trust level. A true ZTNA platform should never give broad network access just to reach a single app.
➡️ Portnox Insight: ZTNA policies in Portnox are app- and context-aware, never exposing the underlying network.
Does it integrate with your identity provider and MDM/EDR tools?
✅ Must-have on your ZTNA checklist: Native support for Entra ID (Azure AD), Okta, Google Workspace, Intune, Jamf, CrowdStrike, etc.
🚩 Watch out for: Rigid integration requirements or limited third-party support
ZTNA platforms need to work within your broader identity and endpoint ecosystem. The more seamless the integration, the better the access decisions.
➡️ Portnox Insight: Portnox integrates directly with Entra ID, Intune, CrowdStrike, and more — no middleware required.
Is it scalable and cloud-native?
✅ Must-have on your ZTNA checklist: SaaS-based delivery with elastic performance and multi-tenant support
🚩 Watch out for: ZTNA tools that require deploying gateways, connectors, or self-hosted brokers
If your ZTNA solution feels like you’re building another VPN — you’re doing it wrong. You shouldn’t be racking servers to enable zero trust.
➡️ Portnox Insight: 100% cloud-native with multi-tenant architecture — no connectors, tunnels, or infrastructure required.
How does it handle enforcement for remote and hybrid users?
✅ Must-have on your ZTNA checklist: Remote-first enforcement that doesn’t rely on corporate network presence
🚩 Watch out for: Solutions that assume users are “in the office” or require VPN fallback
ZTNA should work from anywhere, on any device, without routing traffic back to a data center. The ideal platform provides the same enforcement posture regardless of location.
➡️ Portnox Insight: Portnox Cloud enforces policies wherever the user is — remote, roaming, or on-prem.
What kind of visibility and reporting is provided?
✅ Must-have on your ZTNA checklist: Real-time dashboards, historical logs, audit-friendly event tracking
🚩 Watch out for: Black-box systems with minimal access transparency
To meet compliance standards and reduce incident response times, your ZTNA platform should give you clear, auditable records of every access decision — who, when, from where, on what device, and why.
➡️ Portnox Insight: Granular logs and exportable reports make compliance easy.
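The checklist items on device posture, per-resource access and auditable decisions can be combined in one policy decision function that evaluates every request and returns the record of who, when, from where, on what device, and why. The sketch below is an added example, not Portnox code or part of the original page; the policy table, resource names, posture attribute names and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: each resource lists entitled groups and required posture checks.
POLICY = {
    "payroll-app": {"groups": {"finance"},
                    "require": {"disk_encrypted", "av_running", "os_patched"}},
    "wiki": {"groups": {"finance", "engineering"}, "require": {"os_patched"}},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_id: str
    posture: frozenset  # posture checks the device passes right now
    source_ip: str
    resource: str

def decide(req, now=None):
    """Evaluate one request (default deny) and return its audit record."""
    now = now or datetime.now(timezone.utc)
    rule = POLICY.get(req.resource)
    if rule is None:
        allow, why = False, "no policy for resource"
    elif not (req.groups & rule["groups"]):
        allow, why = False, "identity not entitled to resource"
    else:
        missing = sorted(rule["require"] - req.posture)
        allow = not missing
        why = ("identity and posture satisfied" if allow
               else "posture failed: " + ", ".join(missing))
    # The audit fields: who, when, from where, on what device, and why.
    return {"who": req.user, "when": now.isoformat(), "from": req.source_ip,
            "device": req.device_id, "resource": req.resource,
            "decision": "allow" if allow else "deny", "why": why}

if __name__ == "__main__":
    # Constructed requests: same user on a managed laptop vs. an unencrypted BYOD phone.
    laptop = frozenset({"disk_encrypted", "av_running", "os_patched"})
    phone = frozenset({"os_patched"})
    for posture, res in [(laptop, "payroll-app"), (phone, "payroll-app"), (phone, "wiki")]:
        req = Request("alice", frozenset({"finance"}), "dev-01", posture,
                      "203.0.113.7", res)
        print(decide(req))
```

Because the decision is computed per request and per resource, the same identity is allowed to the wiki and denied payroll from the weaker device, and a posture change takes effect on the next request.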
How fast is deployment — and how disruptive is it?
✅ Must-have on your ZTNA checklist: Fast rollout (days to weeks), minimal user training required
🚩 Watch out for: Long onboarding timelines, network changes, or complex policy engines
ZTNA shouldn’t take 6 months to implement. Look for solutions that offer day-one value, especially in proof-of-concept deployments.
➡️ Portnox Insight: Most Portnox customers go live in under 30 days — some in under a week.
Does the vendor support a true zero trust strategy — or just rebranded VPN access?
✅ Must-have on your ZTNA checklist: Continuous verification, dynamic access control, granular segmentation
🚩 Watch out for: VPNs with a zero trust marketing coat of paint
ZTNA is not just a VPN replacement — it’s a shift in philosophy. Choose a vendor that doesn’t just block IPs but understands trust is dynamic, and access should always be earned.
➡️ Portnox Insight: Purpose-built for zero trust — with access control that extends from the network to the app layer.