I have seen many PowerPoint slides from Zscaler that show ZPA can prevent the risk of lateral threat movement and is more secure than VPN by mapping users to applications, but they do not explain the details. What technique does Zscaler use to be more secure than VPN, and how does Zscaler prevent the risk of lateral movement from end-user devices to other end-user devices, or from end-user devices to servers?
In simplest terms, a properly architected and implemented ZPA (and zero trust in general) prevents lateral movement because every connection is one-to-one. Meaning, every connection attempt to a configured application or service by a user is checked against the access policies in ZPA, and only if it passes the required criteria for access will the connection actually be brokered by an App Connector and the micro tunnel opened between the user and the application/server. When the transaction is complete, the tunnel is closed, and a new connection (such as a page refresh) will go through the whole process again. Further, unless an application or service is configured to be served by ZPA to that specific user, it is invisible to that user. No amount of port scans or packet captures will give any intel on the rest of the network, as ZPA CGNATs all connections to applications and the NAT assignment is relevant only to that user and that specific session.
With a traditional VPN, once the tunnel is open, the user is "on the network", and unless the security team has really put in the work on network segmentation (ACLs, interior firewalling, VRF policies, etc.), a user has a lot more freedom to move around, because they only needed to open the one inbound hole through the network perimeter.
Hope that helps!
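To make the "application access vs. network access" distinction concrete, here is a small model of the two approaches described in the answer. This is an added illustration, not Zscaler code or the ZPA policy engine: the app-segment, policy, DNS and user data are all constructed for the example, and the class and function names (`AppSegment`, `AccessPolicy`, `ZtnaBroker`, `FlatVpn`, `compare`) are hypothetical. It models only the policy decision (user group to published application on a specific port), not device posture, per-session tunnel teardown or the CGNAT mapping.

```python
"""Toy comparison of a network-level VPN with a policy-brokered ZTNA model.

Hypothetical model for illustration only; not Zscaler's API or engine.
All data below is constructed for the example.
"""
from dataclasses import dataclass
import fnmatch
import ipaddress


@dataclass
class AppSegment:
    """A published application: FQDN patterns and/or CIDRs, plus TCP ports."""
    name: str
    fqdn_patterns: list
    cidrs: list
    tcp_ports: set

    def matches(self, host: str, port: int) -> bool:
        # An unpublished port on a published host is still "not an app".
        if port not in self.tcp_ports:
            return False
        if any(fnmatch.fnmatch(host.lower(), p.lower()) for p in self.fqdn_patterns):
            return True
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # not an IP and no FQDN pattern matched
        return any(addr in ipaddress.ip_network(c) for c in self.cidrs)


@dataclass
class AccessPolicy:
    """Members of `group` may have tunnels brokered to these segments."""
    group: str
    segments: set


class ZtnaBroker:
    """Brokers one tunnel per (user, application) only when a policy allows it."""

    def __init__(self, segments, policies):
        self.segments = {s.name: s for s in segments}
        self.policies = policies

    def broker(self, user_groups, host, port):
        """Return the matched segment name if a tunnel would be brokered, else None.

        A destination that matches no published segment, or a segment that no
        policy grants to this user, is simply not reachable (and not visible).
        """
        for seg in self.segments.values():
            if not seg.matches(host, port):
                continue
            for pol in self.policies:
                if pol.group in user_groups and seg.name in pol.segments:
                    return seg.name
        return None


class FlatVpn:
    """Network-level VPN: routes pushed to the client; any host on a routed
    subnet is reachable on any port unless segmentation behind the VPN blocks it."""

    def __init__(self, routes):
        self.routes = [ipaddress.ip_network(r) for r in routes]

    def reachable(self, host_ip, port):
        # `port` is deliberately ignored: the VPN grants the network, not the app.
        addr = ipaddress.ip_address(host_ip)
        return any(addr in r for r in self.routes)


# Constructed sample environment (hypothetical hosts and addresses).
SEGMENTS = [
    AppSegment("erp-web", ["erp.corp.example"], ["10.10.5.20/32"], {443}),
    AppSegment("git-ssh", ["git.corp.example"], [], {22}),
]
POLICIES = [
    AccessPolicy("finance", {"erp-web"}),
    AccessPolicy("developers", {"erp-web", "git-ssh"}),
]
DNS = {"erp.corp.example": "10.10.5.20", "git.corp.example": "10.10.5.30"}
VPN = FlatVpn(["10.10.0.0/16"])          # one route covers servers and laptops
BROKER = ZtnaBroker(SEGMENTS, POLICIES)

# Constructed connection attempts: (user groups, destination, port, label).
ATTEMPTS = [
    ({"finance"}, "erp.corp.example", 443, "finance user -> ERP over HTTPS"),
    ({"finance"}, "git.corp.example", 22, "finance user -> git over SSH"),
    ({"finance"}, "10.10.5.20", 22, "finance user -> ERP host over SSH"),
    ({"finance"}, "10.10.77.15", 445, "finance user -> another laptop over SMB"),
]


def compare(attempts=ATTEMPTS):
    """Return (label, brokered_by_ztna, reachable_over_vpn) for each attempt."""
    rows = []
    for groups, host, port, label in attempts:
        ip = DNS.get(host, host)  # the VPN client would resolve the name first
        rows.append((label, BROKER.broker(groups, host, port) is not None,
                     VPN.reachable(ip, port)))
    return rows


if __name__ == "__main__":
    for label, ztna, vpn in compare():
        print(f"{label:45s} ZTNA={'allow' if ztna else 'no app'}  VPN={'routed' if vpn else 'no route'}")
```

The last three attempts are the lateral-movement cases: the same user who legitimately reaches the ERP front end cannot SSH to the ERP host, reach a server their group was never granted, or touch another laptop on the same subnet, because none of those is a published application for that user. Over the flat VPN all four destinations are simply routed, and stopping them depends on the internal segmentation the answer mentions.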