According to the 2026 Kaseya State of the MSP Report, 55% of MSPs offer identity and access management as a service, making ZTNA and its alternative to VPN-based remote access increasingly central to the MSP service portfolio. Download the full report.
VPN has been the standard remote access technology for over two decades. It creates an encrypted tunnel between a remote device and the corporate network, placing the remote user logically “inside” the perimeter. In the network model of the 1990s and 2000s, this was a reasonable way to extend trusted access to remote users.
The problem is that the model has not aged well. VPN grants network-level access, not application-level access. A user connected via VPN has, in principle, the same network reach as someone physically sitting in the office, which means a compromised device with an active VPN session gives an attacker network-level entry to the corporate environment. Lateral movement from that point is straightforward. The blast radius of a single stolen credential becomes the entire network.
Zero Trust Network Access (ZTNA) addresses this directly by replacing network-level access with application-level access, applied continuously based on verified identity and device health. If you want the broader framework this sits within, see our guide to [zero trust security as an architecture](/blog/zero-trust-security). This post focuses on the network access layer: how ZTNA works, how it compares to VPN, how it relates to SASE, and how MSPs can deploy it.
Replace VPN with zero trust network access
Datto Secure Edge delivers application-level access control with continuous identity verification and SafeCheck device posture enforcement, eliminating the lateral movement risk that VPN creates in client environments.
What ZTNA is
ZTNA is a security framework that grants users access to specific applications and services, not to the network, based on continuous verification of identity, device health, and context. The user never “joins the network” in the traditional VPN sense. They authenticate to the ZTNA system, which verifies their identity and the compliance status of their device, then proxies their connection to the specific application they need and nothing more.
This application-level model implements the zero trust principle of least privilege at the network access layer: users can only reach the applications they are authorized for, and that authorization is re-evaluated continuously based on context.
The concept of ZTNA has existed since around 2010, but early implementations were complex and expensive. Modern cloud-based ZTNA platforms have made the model accessible to SMB and mid-market organizations, not just enterprises with large security teams.
How ZTNA works
A typical ZTNA architecture operates through three components working in sequence.
Identity verification. The user authenticates, typically with MFA, to the ZTNA service, which verifies their identity against the corporate identity provider. This step establishes who is requesting access.
Device posture assessment. The ZTNA agent on the device checks that the endpoint meets the security policy: OS patched within a defined window, EDR agent running, disk encrypted, screen lock active. Devices that fail the posture check are denied access or granted reduced access depending on policy configuration. Datto Secure Edge implements this via SafeCheck, a continuous device posture check integrated with Datto RMM. When Datto RMM and Secure Edge are both deployed, SafeCheck verifies that endpoints meet patch status and antivirus requirements before allowing them to connect. Devices failing the check are denied access until they meet the policy, with a configurable grace period for patch status to cover scenarios like a device that was offline over a weekend.
Application proxy. Once identity and device posture are verified, the ZTNA service proxies the user’s connection to the specific application they are authorized to access. The user never has a direct network path to applications they are not authorized for, and never has network-level access to the broader environment.
This architecture limits lateral movement in a concrete way. An attacker who compromises a device with an active ZTNA session can only reach the specific applications that user was authorized to access, not the entire network behind the VPN tunnel.
ZTNA vs VPN: the key differences
The table below captures the operational differences that matter for MSPs evaluating the transition.
| | VPN | ZTNA |
|---|---|---|
| Access model | Network-level | Application-level |
| Trust assumption | Trusted once connected | Continuously re-verified |
| Lateral movement risk | High; network access is broad | Minimal; access is per application |
| Device posture enforcement | Typically limited or manual | Continuous and policy-based |
| User experience | Often slow, requires manual connection | Fast, can be always-on and transparent |
| Cloud and SaaS support | Poor; routes traffic through corporate network | Native; can direct cloud traffic optimally |
| Scalability | Complex and hardware-dependent | Cloud-native models scale easily |
The user experience improvement deserves more attention than it typically gets. VPN is a persistent source of end-user complaints: slow connections, dropped sessions, the requirement to manually connect before accessing applications. ZTNA architectures configured as always-on provide better performance and eliminate the connection friction that drives users toward shadow IT workarounds.
An MSP who has fielded repeated help desk tickets about VPN performance recognizes this immediately as a service quality argument, not just a security argument. Replacing VPN with Datto Secure Edge removes a recurring ticket category while improving the client’s security posture simultaneously.
SASE and ZTNA: how they relate
SASE (Secure Access Service Edge) is a broader architecture that consolidates network security functions into a single, cloud-delivered service. A full SASE stack includes ZTNA, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall-as-a-Service (FWaaS), and SD-WAN.
ZTNA is a component of SASE, not a synonym for it. An organization can implement ZTNA as a VPN replacement while keeping existing network security controls in place. A full SASE implementation consolidates all of these functions into one cloud service, eliminating the multi-vendor complexity that comes from stitching together separate point solutions.
Datto Secure Edge is a full SASE solution purpose-built for MSP deployment. Its security stack includes ZTNA, SWG for web filtering and threat inspection, FWaaS for cloud-delivered firewall policy enforcement, and SD-WAN for traffic optimization. Integrations with Datto RMM and Autotask PSA allow Secure Edge alerts to automatically generate service tickets, and software updates for Secure Edge are distributed through the VSA 10 and Datto RMM catalogs so endpoints stay current without manual intervention.
For most SMBs and mid-market clients, ZTNA as a VPN replacement is the practical starting point. Full SASE is the natural evolution for organizations with more complex multi-site, multi-cloud connectivity requirements and for MSPs building out a complete managed network security practice.
Implementing ZTNA: a phased approach
ZTNA implementation is incremental. Moving all users and all access on day one is rarely practical. A phased approach manages complexity and demonstrates value at each stage.
Phase 1: VPN replacement for remote access. Deploy ZTNA for remote users, replacing or supplementing existing VPN. Focus on the highest-risk access patterns first: privileged user access to administrative systems, access to sensitive data repositories, and access from unmanaged or BYOD devices. These are the scenarios where VPN’s lateral movement risk is most consequential.
Phase 2: Extend to all application access. Expand ZTNA coverage beyond remote users to cover all application access, including on-premises users connecting to internal applications through the same verified-access model. At this stage, the access model is consistent regardless of where the user is physically located.
Phase 3: Tighten device posture policies. Integrate device compliance more tightly, using EDR status as a real-time posture signal. Implement adaptive policies that reduce access scope or terminate sessions when device posture degrades during an active session, not just at connection time. SafeCheck in Datto Secure Edge provides this continuous enforcement via the Datto RMM integration.
Phase 4: Behavioral monitoring and adaptive access. Implement monitoring that can reduce or terminate access in real time when anomalous behavior is detected during an authenticated session: bulk file downloads, access to unusual applications, authentication anomalies, or lateral movement attempts.
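The three-step sequence from "How ZTNA works" (identity, device posture with a patch grace period, proxy only to entitled applications), plus the mid-session re-check that Phase 3 calls for, as an added Python model. This is illustrative code written for this post, not Datto Secure Edge or SafeCheck code; the policy values, user and application names, and the reference time are constructed assumptions.

```python
# Hypothetical model of a ZTNA access decision: identity, then device posture, then
# proxy only to entitled apps, re-evaluated during the session. Not vendor code.
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2025, 6, 16, 9, 0)  # constructed reference time (a Monday morning)

@dataclass
class Device:
    last_patched: datetime
    edr_running: bool = True
    disk_encrypted: bool = True
    screen_lock: bool = True

@dataclass
class Policy:
    entitlements: dict                          # user -> set of application names
    patch_window: timedelta = timedelta(days=14)
    patch_grace: timedelta = timedelta(days=3)   # covers a laptop that sat offline over a weekend

def make_device(patch_age_days: int, **flags) -> Device:
    return Device(last_patched=NOW - timedelta(days=patch_age_days), **flags)  # constructed

def posture_failures(dev: Device, policy: Policy, now: datetime) -> list:
    """Names of failed posture checks; patch staleness inside the grace period is tolerated."""
    failures = []
    if now - dev.last_patched > policy.patch_window + policy.patch_grace:
        failures.append("patch")
    if not dev.edr_running:
        failures.append("edr")
    if not dev.disk_encrypted:
        failures.append("disk_encryption")
    if not dev.screen_lock:
        failures.append("screen_lock")
    return failures

def decide(user: str, mfa_verified: bool, dev: Device, app: str, policy: Policy, now: datetime) -> str:
    """Connect-time decision for one (user, app) pair: 'allow' or 'deny'."""
    if not mfa_verified:                                 # 1. identity verification
        return "deny"
    if posture_failures(dev, policy, now):               # 2. device posture assessment
        return "deny"
    if app not in policy.entitlements.get(user, set()):  # 3. proxy only to entitled apps
        return "deny"
    return "allow"

def recheck_session(session: dict, dev: Device, policy: Policy, now: datetime) -> dict:
    """Mid-session re-check (identity proven at connect): a degraded device closes the session."""
    if decide(session["user"], True, dev, session["app"], policy, now) == "allow":
        return session
    return {**session, "active": False, "reason": posture_failures(dev, policy, now)}
```

A device patched 15 days ago passes because it is inside the 14-day window plus 3-day grace, while one patched 18 days ago fails; a session whose EDR agent stops is closed with the failed check recorded.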
A useful benchmark: one MSP in the Datto partner panel program noted that Datto Secure Edge helped their clients meet more than 10 distinct control requirements under NIST 800-171, even though zero trust is not explicitly named in the framework. The access controls, audit logging, and device posture verification map naturally to multiple control families.
ZTNA for MSPs
MSPs have two distinct reasons to invest in ZTNA: protecting their own access to client environments and delivering ZTNA as a managed service.
Internally, MSP credentials are among the highest-value targets in the SMB supply chain. An attacker who compromises an RMM credential or a PSA admin account gains access to every client environment that MSP manages. ZTNA-based access control, with per-session identity verification and continuous device posture enforcement, limits what any single compromised credential can reach. One MSP using Datto Secure Edge put it plainly: their technicians cannot authenticate to KaseyaOne without being connected through Secure Edge first. The session verification is not an optional additional step; it is the precondition for access.
For clients, the commercial conversation has become easier as cyber insurance requirements have tightened. Many insurers now require MFA and application-level access controls as a condition of coverage. An MSP that can deliver ZTNA as a managed network security service, with centralized policy management across all client tenants and automated alerting through the PSA, is addressing a client requirement that previously required enterprise-grade resources to fulfill.
The operational case is also strong. Replacing VPN with Datto Secure Edge reduces recurring help desk volume from VPN performance complaints, improves the user experience for remote workers, and eliminates the hardware refresh cycles that on-premises VPN appliances require. For clients, that translates to a better IT experience. For MSPs, it translates to a cleaner service delivery model.
Datto Secure Edge is available for Windows, macOS, iOS, and Android, with the mobile client released in June 2025, giving MSPs a single ZTNA deployment that covers the full range of devices their clients use.
Key Takeaways
- ZTNA replaces VPN’s network-level access with application-level access, continuously verified against identity and device posture. A compromised credential with ZTNA access can reach only authorized applications, not the entire network.
- The device posture dimension is where ZTNA and RMM integration matter most. SafeCheck in Datto Secure Edge uses Datto RMM to continuously verify endpoint compliance before and during access sessions.
- ZTNA is a component of SASE. For most SMB clients, ZTNA as a VPN replacement is the starting point. Full SASE consolidates ZTNA, web gateway, cloud firewall, and SD-WAN into one cloud-delivered service.
- Implementation is incremental: start with privileged and remote access, extend to all application access, then tighten posture policies and add behavioral monitoring.
- MSPs have both internal and commercial incentives: protecting high-privilege MSP-to-client access, and delivering ZTNA as a managed service that addresses compliance requirements and eliminates VPN-related help desk volume.