When organizations begin evaluating Zero Trust Network Access (ZTNA), the conversation often starts—and ends—with web applications. Browser-based access to SaaS and internal web apps is frequently presented as the primary ZTNA use case, leaving a critical question unanswered: What about SSH, RDP, and other forms of console access? For most enterprises, administrative access to servers, infrastructure, and legacy systems remains one of the highest-risk access paths in the environment, yet many ZTNA discussions implicitly assume that this type of access will continue to rely on traditional VPNs. This gap is not just an oversight—it represents one of the biggest missed opportunities in modern access security.
The Hidden Risk of Console Access
Remote access to infrastructure via protocols like SSH and RDP is essential for IT operations, DevOps, and support teams. Unfortunately, it is also a favorite target for attackers. VPNs were designed to extend the network to a remote user, not to authorize individual sessions; once connected, users typically gain broad network-level reach even if they only need access to a single system. This creates an unnecessarily large attack surface and enables lateral movement if credentials are compromised. High-profile breaches have repeatedly demonstrated the risk of over-permissive remote access. In many cases, attackers did not exploit exotic vulnerabilities; they simply logged in using stolen credentials and moved freely across the network. If zero trust is about never trusting and always verifying, then console access cannot be exempt.
Why ZTNA Is Often Deployed First for Web Applications
Early ZTNA solutions focused heavily on web applications for a practical reason: HTTP-based traffic is easier to broker and control. A reverse proxy can terminate TLS, inspect each request, and apply policy per application or URL, whereas SSH and RDP are opaque TCP streams that a broker must handle at the connection level. From a product design perspective, securing browser access was a logical first step. However, this narrow focus has created a misconception that ZTNA is inherently limited to web apps. As a result, many organizations are left with a split access model:
- ZTNA for web applications
- VPNs for SSH, RDP, and infrastructure access
This hybrid approach undermines the core goals of zero trust. It preserves the most dangerous access paths while modernizing only the least risky ones.
Applying Zero Trust Principles to SSH and RDP
Securing console access using zero trust principles requires a shift in how access is granted and enforced. Rather than providing network-level connectivity, a zero trust approach enforces access at the application or service boundary. This means:
- Users are granted access only to the specific system and protocol they are authorized to use
- Access is evaluated based on identity, device posture, and contextual risk
- Trust is continuously re-evaluated throughout the session
- No implicit trust is granted to the surrounding network
In practice, this allows organizations to secure SSH, RDP, and similar protocols without exposing internal networks or relying on broad VPN tunnels.
Eliminating VPNs for Administrative Access
Replacing VPN-based console access with ZTNA provides several tangible benefits:
- Reduced Attack Surface: By eliminating network-level access, ZTNA dramatically limits lateral movement. Even if credentials are compromised, the attacker reaches only the specific systems and protocols that identity was granted, not the network behind them.
- Improved Visibility: ZTNA enables organizations to see who is accessing what, from where, and under what conditions. This level of visibility is often lacking in traditional VPN deployments, where the log typically records a tunnel, not the sessions inside it.
- Stronger Access Controls: Access decisions can incorporate device security posture, compliance status, and contextual risk, ensuring that only trusted devices can initiate sensitive console sessions.
- Simplified Operations: ZTNA reduces reliance on complex VPN configurations, firewall rules, and split-tunnel policies, making access easier to manage at scale.
Beyond Identity-Only Access
One of the most important lessons learned from early ZTNA deployments is that identity alone is not enough—especially for infrastructure access. Administrators frequently connect from:
- Personal devices
- Temporary or contractor-managed systems
- Shared jump hosts
A zero trust approach to console access must account for device posture and risk, not just who the user is. Continuous evaluation ensures that if a device becomes non-compliant during a session—such as losing endpoint protection—access can be restricted or terminated in real time.
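The access model described in the two sections above (a grant scoped to one system and one protocol, evaluated against identity, device posture and risk, and re-checked for the life of the session) can be made concrete with a small policy decision point. The following is an added example written for this page, not code from the original article or from any ZTNA product; the rule format, the posture attributes (`managed`, `edr_running`, `disk_encrypted`), the risk score, and the hostnames and groups are all illustrative assumptions.

```python
"""Toy zero trust policy decision point for SSH/RDP console access.

Added example; not from the original article or any product. The policy
language, posture fields, risk score, hosts and groups are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Device posture as reported by an endpoint agent (hypothetical attribute names).
Posture = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """One grant: a group may reach exactly one target over exactly one protocol."""
    group: str
    target: str                 # the single system, by hostname
    protocol: str               # "ssh" or "rdp"
    requires: Dict[str, object] # posture attributes that must match exactly
    max_risk: int = 50          # contextual risk above this is refused


@dataclass
class Request:
    user: str
    groups: List[str]
    target: str
    protocol: str
    posture: Posture
    risk: int = 0               # from a risk engine: new location, odd hour, etc.


@dataclass
class Session:
    user: str
    target: str
    protocol: str
    rule: Rule                  # the rule that granted it, re-checked later
    active: bool = True
    reason: str = "granted"


def posture_satisfies(posture: Posture, requires: Dict[str, object]) -> bool:
    """Every required attribute must be present with the required value."""
    return all(posture.get(k) == v for k, v in requires.items())


def decide(policy: List[Rule], req: Request) -> Optional[Session]:
    """Return a Session scoped to one target and protocol, or None if denied.

    There is no "connected to the network" state: a denied request gets
    nothing, and a granted one gets only the named service on the named host.
    """
    for rule in policy:
        if rule.group not in req.groups:
            continue
        if (rule.target, rule.protocol) != (req.target, req.protocol):
            continue
        if not posture_satisfies(req.posture, rule.requires):
            continue
        if req.risk > rule.max_risk:
            continue
        return Session(req.user, req.target, req.protocol, rule)
    return None


def reevaluate(session: Session, posture: Posture, risk: int) -> Session:
    """Continuous evaluation: re-run the granting rule against current state."""
    if not session.active:
        return session
    if not posture_satisfies(posture, session.rule.requires):
        session.active = False
        session.reason = "terminated: device posture no longer compliant"
    elif risk > session.rule.max_risk:
        session.active = False
        session.reason = "terminated: risk above policy threshold"
    return session


# Constructed sample policy with hypothetical hosts and groups.
POLICY = [
    Rule("linux-admins", "db01.corp.example", "ssh",
         {"managed": True, "edr_running": True}),
    Rule("windows-admins", "app02.corp.example", "rdp",
         {"managed": True, "edr_running": True, "disk_encrypted": True}),
]


def demo():
    """Grant SSH to one host, show no implicit reach elsewhere, then lose EDR."""
    healthy = {"managed": True, "edr_running": True, "disk_encrypted": True}
    session = decide(POLICY, Request("alice", ["linux-admins"],
                                     "db01.corp.example", "ssh", healthy))
    # Same identity and device, different host or protocol: nothing is granted.
    other_host = decide(POLICY, Request("alice", ["linux-admins"],
                                        "app02.corp.example", "ssh", healthy))
    other_proto = decide(POLICY, Request("alice", ["linux-admins"],
                                         "db01.corp.example", "rdp", healthy))
    # Mid-session the endpoint agent reports EDR stopped: session is torn down.
    degraded = dict(healthy, edr_running=False)
    session = reevaluate(session, degraded, risk=0)
    return session, other_host, other_proto


if __name__ == "__main__":
    s, h, p = demo()
    print(s.reason, h, p)
```

The point of `decide` returning a per-target, per-protocol `Session` rather than a network route is that a stolen credential buys exactly one rule's worth of reach. The `reevaluate` call is what a real broker would run on every posture heartbeat or risk-engine update; here it terminates the session as soon as the device stops meeting the rule that granted it, which is the "losing endpoint protection" case from the text. A personal or unmanaged device (`managed: False`) never gets a session in the first place.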
A Unified Access Model for Applications and Infrastructure
Enterprises should not have to maintain separate access strategies for different types of resources. A mature ZTNA solution extends zero trust controls consistently across:
- SaaS and cloud applications
- Hosted and on-premises web apps
- Infrastructure and administrative services (SSH, RDP, and more)
By enforcing policy centrally and applying it at the application and service level, organizations can replace VPNs entirely—without disrupting workflows or introducing unnecessary complexity.
Rethinking What ZTNA Is For
ZTNA was never meant to be a browser-only solution. At its core, zero trust is about reducing risk by tightly controlling access to all resources, especially the most sensitive ones. If VPNs remain the default method for SSH and RDP, organizations are leaving a critical gap in their zero trust strategy. Extending ZTNA to console access closes that gap and brings administrative access into the same security model as the rest of the environment. As enterprises continue to modernize their access strategies, the question is no longer whether ZTNA can replace VPNs for web applications—but whether it can replace them everywhere they matter most.