The Hidden Cost of Traditional ZTNA: Latency

Zero Trust Network Access (ZTNA) has become the poster child of modern remote access security, championed by vendors like Zscaler, Netskope, Palo Alto Networks (Prisma), and others. But while the security model is powerful—granting application access based on identity and device posture rather than network location—there’s a nagging issue many organizations don’t anticipate until it’s too late: latency.

If users are throwing their laptops out the window or cursing your IT department during a Zoom call, there’s a good chance ZTNA latency is playing a role.

Let’s unpack what causes these delays, how they hurt, and what to watch for before signing a contract with a ZTNA provider.

What Causes Traditional ZTNA Latency?

Traditional ZTNA isn’t just a simple on/off switch for app access. It’s a complex orchestration of security checks, tunneling, policy enforcement, and traffic routing. When done poorly—or even just at scale—performance suffers. Here’s why:

1. Backhauling and Traffic Hairpinning

Many ZTNA providers route all user traffic through their cloud points of presence (PoPs) for inspection and enforcement. This means that if your user is in Boston accessing an internal app hosted in New York, but your ZTNA PoP is in Virginia, that traffic might detour hundreds of miles before reaching its destination.

In technical terms, this is called “hairpinning”—and it’s a recipe for slowdowns. Real-time applications like VoIP, Zoom, or even shared document editing tools start to stutter, buffer, or time out.

2. Inline Inspection Bottlenecks

Traditional ZTNA providers often do more than just grant or deny access. They perform deep packet inspection, threat scanning, and DLP (data loss prevention) in-line. Each of these adds processing time. While this is a great security feature on paper, it means your packets are standing in line like weary travelers at TSA.

3. Limited Global PoP Distribution

Not all vendors have equally distributed global infrastructure. A user in Southeast Asia might be stuck connecting to a PoP in Tokyo or Sydney, causing regional latency spikes. This can be especially brutal for global organizations with remote branches and mobile workers.

4. Authentication and Device Posture Checks

Traditional ZTNA solutions often rely on frequent re-authentication and device posture assessments. These checks (Is the device compliant? Is the antivirus up to date? Is the user on a trusted network?) can cause delays, especially if the device or identity provider responds slowly.

5. Tunnel Establishment Overhead

Some traditional ZTNA vendors still use per-session or per-application tunnels, which must be negotiated and re-established frequently. These secure tunnels can introduce startup latency with each new session or app access request.

The Business Impact of Traditional ZTNA Latency

Latency isn’t just a user inconvenience—it’s a business risk. Here’s how it manifests:

• Reduced Productivity: Every second lost to slow logins, delayed app loading, or poor video quality adds up. Multiply that by hundreds or thousands of employees, and the cost becomes staggering.

• Shadow IT Workarounds: When official access routes are too slow, users will find workarounds. That could mean bypassing traditional ZTNA entirely, using personal devices or unsecured Wi-Fi, or storing data in unsanctioned apps—creating new security holes.

• Increased Support Tickets: Slow access means more complaints. Your help desk becomes a complaint box for problems they can’t fix, dragging down IT morale and performance.

• Abandonment of Critical Security Features: Some orgs turn off features like SSL inspection or posture enforcement just to speed things up. This neuters the value of ZTNA entirely and reopens the door to lateral movement and breach risks.

What to Consider Before Investing in ZTNA

To avoid turning your Zero Trust dream into a lag-filled nightmare, ask these questions during your vendor evaluation:

1. Where Are Their PoPs Located?

Demand a map. Your ZTNA provider’s PoPs should be as close to your users as possible—especially if you have a globally distributed workforce. Local presence equals lower latency.

2. Do They Support Split Tunneling or Selective Routing?

Not all traffic needs to go through your ZTNA provider. Look for vendors who can intelligently route traffic—sending Microsoft Teams or Zoom calls directly to the internet while securing access to internal apps.

3. What Are the Measured Latency Metrics in Practice?

Ask for benchmarks or, better yet, demand a live demo from multiple user geographies. Test worst-case scenarios, not just ideal conditions.

4. Can Security Be Applied Without Being Inline?

Some vendors offer “out-of-band” posture and risk checks, which don’t insert themselves directly into the traffic flow. These approaches can reduce inspection-induced bottlenecks.

5. What’s the Device Experience Like?

Look into the ZTNA agent footprint (if any). Does it slow down machines? Is it compatible with all operating systems used across your org? What happens on patch day?

Speed Is a Security Feature

Zero Trust shouldn’t mean zero patience. If users rebel against slowdowns, they’ll sidestep your controls, and your ZTNA investment will backfire. Build performance SLAs into contracts, pilot test across remote regions, and always remember: a secure connection that users refuse to use is not secure at all.