Out with the old, in with the new: From VPNs to ZTNA

The VPN held an important role in the evolution of the internet, and for decades it has helped businesses secure their networks. VPNs have been used by businesses and individuals across the globe, but now the tide is turning. As technology advances, attackers follow closely behind, seeking out weak points and exploiting any vulnerability they find. Over time, criminals have learned to identify and exploit security flaws in every kind of technology, and VPNs are no exception.


Security flaws have been found in several areas of VPNs. A VPN gateway must expose listening ports to the internet so that remote clients can reach it, and that exposed service is a standing target for anyone who finds a flaw in it. Further, network admins are often forced to choose between broad network access policies (once a user is connected, the whole network is reachable) and more restrictive per-user rules that are rigid and laborious to maintain. Neither option is satisfactory, and both can leave the network open to attack.

New tech is entering the ring

Recent years have witnessed huge advancements in network technologies, with new challengers to the well-established VPNs. The biggest contender in the opposing corner is zero trust network access (ZTNA). ZTNA takes an "authenticate, then trust" approach: it verifies the user and device before granting access, and grants that access to individual applications rather than to the network. A VPN, by contrast, trusts any traffic that arrives from a connected client's IP address. ZTNA is becoming an increasingly mainstream choice among businesses.

With a traditional VPN, a stolen credential is often enough to land an attacker on the internal network, so the high rate of account takeover and credential theft leaves these systems exposed and is pushing businesses toward alternative approaches. On top of this, most VPNs still depend on on-premises hardware appliances, which are costly and slow to scale as the business grows.

ZTNA is designed to close the gaps left by outdated technology that no longer protects businesses from the evolving tools and techniques used by modern cybercriminals. It is founded on the principle that no user or device is trusted by default: every access request must be verified before it is granted.

The shift from VPN to ZTNA does not have to be a complicated one. Businesses can achieve this in a small number of steps. The hardest part of the journey is making the first move, and kickstarting the transition; after that, it should be smooth sailing.

1. Look at what you have now

Step one: refamiliarize yourself with your current VPN landscape. It will be harder to implement replacement technology if you don't fully understand what it is you're replacing. A comprehensive VPN baseline assessment will do the job: which users connect, which applications and hosts they reach, which access rules exist, and how the VPN fits into the wider technology stack. This step is crucial to understanding how future changes will impact the business, both short and long term. Some companies choose to run smaller pilot rollouts of the new technology to see the impact first-hand before going business wide.

2. Building a step-by-step plan

Now that you have mapped out your current system, it's time to plan your journey forward. Organizations often make cloud access the priority, because ZTNA can enforce access policy per application across several cloud environments from a single point of control. This matters most for remote teams that need data from different cloud locations, and for third-party businesses that require remote access. Because ZTNA grants access to a specific application rather than to the network, a remote user or third party never receives a network-level foothold, so this access can be granted without endangering the business network.

3. Taking the first step

Armed with a comprehensive plan and an overview of the current systems, it's time to take that all-important first step. Implementing ZTNA is not a quick process, so to avoid feeling overwhelmed it's important to focus on each individual stage and on what you want to achieve at each milestone. Good starting points include risk mitigation (for example, the highest-risk access path such as third-party remote access) and productivity (the applications remote staff use most, where the benefit is most visible).

Whatever that first step is, it is highly recommended to tie the ZTNA approach to the entire business. This will make it easier in the long run, as it will avoid having to get teams on board later – instead, it will be business-wide from the start.

4. Choosing your partner against crime

You’re making excellent progress and are nearing the end of the ZTNA journey. Choosing your ZTNA provider is the next step, and it’s a crucial one. This provider will be working with you to deliver the required level of flexibility and agility as per your plan, so it’s important to put in the time and effort to find the perfect match.

This stage of the process has several different elements to consider, including policy creation and infrastructure set-up. The policies that matter most cover the fundamentals: who the user is, when and from where they are connecting, and whether multi-factor authentication has been satisfied. For user onboarding, companies can use either an installed client or browser-based (clientless) access, depending on the use case and the total number of users. This is also the point at which to identify where automation, for example of onboarding and policy deployment, can ease the load on staff.
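To make the "authenticate, then trust" policy model concrete, here is an added example (written for this page; it is not code from the article or from any ZTNA vendor) of a minimal policy decision point in Python. The applications, groups, device posture fields, source ranges and permitted hours are all constructed assumptions; a real deployment would take them from the identity provider, the device-management platform and the gateway. The last sample request is the important one: an application with no policy is denied, whereas a VPN would have let the connected user reach it.

```python
"""Added example, not from the article or any product: a minimal ZTNA-style
policy decision point.  Each request is evaluated for ONE application and
denied unless every check passes; nothing grants access to "the network".
All users, devices, addresses and policies below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in device management (assumed posture signal)
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset    # group memberships asserted by the identity provider
    mfa_satisfied: bool  # did the user complete MFA in this session?
    device: Device
    source_ip: str
    app: str
    when: datetime       # local time of the request


@dataclass(frozen=True)
class Policy:
    app: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_networks: tuple = ()                   # empty = any location
    hours: tuple = (time(0, 0), time(23, 59, 59))  # permitted time window


def evaluate(req, policies):
    """Return (allowed, reason) for a single application request."""
    policy = next((p for p in policies if p.app == req.app), None)
    if policy is None:
        return False, "no policy for application"   # default deny
    if not req.groups & policy.allowed_groups:
        return False, "user not in an allowed group"
    if policy.require_mfa and not req.mfa_satisfied:
        return False, "MFA required"
    d = req.device
    if policy.require_managed_device and not (
        d.managed and d.disk_encrypted and d.os_patched
    ):
        return False, "device posture check failed"
    if policy.allowed_networks:
        src = ip_address(req.source_ip)
        if not any(src in ip_network(n) for n in policy.allowed_networks):
            return False, "source location not permitted"
    start, end = policy.hours
    if not start <= req.when.time() <= end:
        return False, "outside permitted hours"
    return True, "all checks passed"


def decide_all(requests, policies):
    """Evaluate a batch; return (decisions, log) so decisions can be analysed."""
    decisions, log = [], []
    for r in requests:
        allowed, reason = evaluate(r, policies)
        decisions.append(allowed)
        log.append({"user": r.user, "app": r.app, "allowed": allowed,
                    "reason": reason, "at": r.when.isoformat()})
    return decisions, log


def denials_by_user(log):
    """Count denied requests per user: the simplest signal a UEBA tool consumes."""
    counts = {}
    for entry in log:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


# --- constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)
SAMPLE_POLICIES = [
    Policy("payroll", frozenset({"finance"}),
           allowed_networks=("203.0.113.0/24",),   # assumed office egress range
           hours=(time(7, 0), time(19, 0))),
    Policy("wiki", frozenset({"staff", "contractors"}),
           require_managed_device=False),          # browser-based, unmanaged devices allowed
]
GOOD = Device(managed=True, disk_encrypted=True, os_patched=True)
BYOD = Device(managed=False, disk_encrypted=False, os_patched=True)
T = datetime(2024, 3, 4, 9, 30)

SAMPLE_REQUESTS = [
    Request("alice", frozenset({"finance", "staff"}), True, GOOD, "203.0.113.10", "payroll", T),
    Request("alice", frozenset({"finance", "staff"}), False, GOOD, "203.0.113.10", "wiki", T),
    Request("bob", frozenset({"staff"}), True, GOOD, "203.0.113.10", "payroll", T),
    Request("bob", frozenset({"staff"}), True, BYOD, "198.51.100.7", "wiki", T),
    Request("carol", frozenset({"finance"}), True, BYOD, "203.0.113.10", "payroll", T),
    Request("carol", frozenset({"finance"}), True, GOOD, "198.51.100.7", "payroll", T),
    Request("carol", frozenset({"finance"}), True, GOOD, "203.0.113.10", "payroll", datetime(2024, 3, 4, 22, 0)),
    Request("dave", frozenset({"staff"}), True, GOOD, "203.0.113.10", "file-server", T),  # no policy -> deny
]


def run_demo():
    """Evaluate the sample requests; returns (decisions, log)."""
    return decide_all(SAMPLE_REQUESTS, SAMPLE_POLICIES)
```

Calling `run_demo()` evaluates the eight sample requests and returns both the decisions and a decision log; `denials_by_user` is the simplest aggregation of that log, of the kind that feeds the UEBA tooling mentioned in step 5. The order of checks is deliberate: identity and group membership are decided first, so that posture, location and time conditions are only ever applied to users who could legitimately reach the application at all.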

Finally, it's time to establish the metrics on which success will be measured. These will be determined by the company's priorities, and will often include adoption rates, end-user satisfaction and improved productivity.

5. Apply across the business

Assuming the business is satisfied with the results of the transition so far, the ZTNA roadmap can now be applied to the rest of the company. The technology is designed with agility in mind, so its software-defined model is easy to extend to a wider scope by defining new policies, adding further gateways, and onboarding more users.

As well as expanding wider, ZTNA can also go deeper by enabling more advanced capabilities. These include orchestrating workflows, automating policies and infrastructure, and analyzing access log data. That data can be fed into tools such as user and entity behavior analytics (UEBA) to deliver valuable insights.

It's clear from the above what the result would be when VPN and ZTNA step into the ring together. The tired, outdated VPN has certainly contributed enormously to the evolution of the internet, but now it's time for it to take a step back.

Swapping it out for a solution that doesn't let users within a mile of the network without sufficient authentication first is how businesses will future-proof their operations and stand strong against the army of attackers heading their way. It's not a complicated process, but it does require business-wide understanding and the confidence to take the first step.

Looking ahead to the long-term benefits will surely encourage more organizations to make the leap.
