Fast track bck post

Chris ScheelsJanuary 13, 2021

Developing Your VPN Replacement Roadmap

Step 2 of 4 in your Fast Track to Superior Secure Remote Access


The time has come to phase out your VPN and adopt a Zero Trust approach to remote enterprise network access. We know it can be easier said than done. Many before you have been daunted by the scope of the transition and fear of operational disruption. It doesn’t have to be this way. Many of our customers start small, prove value, then scale quickly as part of a crawl, walk, run approach.

Our Software-Defined Perimeter (SDP), designed and built with Zero Trust principles in mind, can work with your VPN and other legacy technology as you work to phase it out. There are a multitude of ways to approach a VPN replacement. Our diverse customers have found viable paths to move their Zero Trust journey forward in safe, non-disruptive ways, including:

  • Define Your VPN Baseline
  • Uncover Impending Budget Triggers
  • Assess Highest Risk Users and/or Apps
  • Factor in the Business Value

A Less Painful Path to Zero Trust

First of all, a full-scale rip-and-replace of all your VPNs is unrealistic. Many of our customers who adopt SDP over a VPN approach did it strategically and incrementally, phasing out VPNs as part of their greater Zero Trust journey. The most pain-free way to shift from a VPN to an SDP is to identify initial areas where the change can be made with the least amount of friction or disruption to business workflows with the highest risk reduction.

With this in mind, we lay out the following considerations when starting your VPN replacement journey:

1. Define Your VPN Baseline

If you are like most mid- to large-sized organizations, you have acquired multiple VPN solutions to control access to different resources in different locations. Identify what and where those are, who is using them, and for what purpose. This should include the identification of vendor names, user numbers, contract expirations and any upcoming hardware refreshes. Also important is the assessment of the nature of the network, data and people each VPN bucket is providing access to, and the cost of each platform— both in terms of hardware maintenance and software licensing.

2. Uncover Impending Budget Triggers

Search for VPN replacement points that would cause the least amount of friction and disruption to business workflows. Using your list of VPN vendor buckets, sort by the nearest renewal date, and estimate the annual renewal cost for hardware maintenance, support and any licensing costs. This becomes your initial budget for killing your VPN over time and truly securing your remote access. A hardware refresh or license renewal trigger date can serve as the entry point for your first Software-Defined Perimeter use case.

3. Assess High-Risk Users and/or Applications

Identify the most pressing risks of the continued use of VPNs present. What would cause the most damage to your organization if the vulnerability inherent in all VPNs was exploited by attackers tomorrow? Would it be the compromise of a financial app, a database containing IP or PII, a code repository, or often just plain old third-party vendor access? Maybe all of the above? While your organization may have robust security standards and practices in place, third-party partners that are allowed to connect to your network might not. VPN access points used by third-parties are often the weakest security link and have become the attack vector of choice by cybercriminals and hackers.

4. Factor in the Business Value of Improving Operations

Client VPNs all have the limitation of only being able to connect to one location at a time. Maintaining site-to-site VPNs to connect to different site infrastructures is not only costly, it’s complex and brings its own set of vulnerabilities. This exposes more of the network to attack via inside lateral movement should one entry point be compromised. Users from different teams must connect to multiple locations throughout the day to do their jobs. This leads to excessive VPN switching, which lowers workflow efficiency and creates further security vulnerabilities. Moving to an SDP with multi-tunnel capability eliminates the need for VPN switching, and reduces the overhead cost and complexity of maintaining many site-to-site VPNs or MPLS traffic flows.

These are just a few preliminary considerations for undergoing a VPN replacement. But in reality, there is no single right way to go about it. Every organization is different, with different complexities, teams, risks and needs—these will need to be factored in as you embark on your journey from VPN-based security to an SDP.

We have partnered with hundreds of enterprises on their journeys to replace VPN. We first seek to understand their unique situation and challenges, then we work together to build a plan to start small, demonstrate value and scale quickly on a path to full Zero Trust secure access and café style networks.

Explore Appgate SDP