Financial services organizations are modernizing at unprecedented speed. Cloud adoption, digital banking platforms, remote work, third-party integrations, and regional expansion are now business imperatives, not future plans. But this transformation has also placed extraordinary pressure on access control, auditability, and operational resilience.
For banks, capital markets, and specialty lenders alike, access is no longer just a security concern. It is a regulatory requirement, operational dependency, and business enabler. Legacy VPNs and perimeter-based controls, once sufficient for static networks, are increasingly misaligned with today’s distributed, highly regulated environments.
This blog examines how modern financial institutions are addressing these challenges using Zero Trust Network Access (ZTNA), drawing on real-world deployments of AppGate ZTNA across banking and capital markets environments to highlight what works, what changes, and what measurable outcomes organizations are achieving.
The Financial Services Security Imperative Has Changed
Financial institutions operate under constant scrutiny. Regulatory mandates such as PCI-DSS, SOX, GLBA, and regional cybersecurity regulations require provable enforcement of access controls, not just policy documentation. At the same time, institutions must support hybrid workforces, external partners, and fast-moving business initiatives without introducing unacceptable risk.
Several pressures converge in this environment:
- Expanding attack surface driven by remote access, cloud services, and third-party users
- Sophisticated threats targeting identity, credentials, and exposed infrastructure
- Operational complexity caused by overlapping VPNs, manual access changes, and fragmented visibility
- Regulatory expectations that demand continuous, auditable enforcement of least-privilege access
Traditional VPNs struggle under these conditions. Once connected, users often gain broad network visibility, increasing lateral movement risk and audit exposure. Manual client management, static rules, and public-facing infrastructure further compound security and operational challenges.
Zero Trust Access: From Concept to Practical Control
Zero Trust reframes access around a simple principle: never trust, always verify. Rather than extending the network perimeter to users, Zero Trust enforces access based on identity, device posture, and contextual risk, granting users access only to the specific resources they are authorized to use.
AppGate ZTNA operationalizes this model through:
- Direct, point-to-point connections between verified users and authorized resources
- Dynamic, least-privilege policies that adapt in real time
- Resource cloaking, making systems invisible until access is explicitly granted
- Continuous logging and auditability to support regulatory compliance
To understand how this translates into real financial environments, spanning consumer finance and capital markets, consider how two very different institutions applied these principles.
Case Study: Tarjeta Amiga – Eliminating VPN Exposure for a Growing Credit Provider
Tarjeta Amiga is a Mexican financial institution with more than 20 years of experience providing secure and flexible credit card services. The organization supports purchases across physical and online retailers, ATM withdrawals, and biweekly payment plans, while also offering digital services such as 24/7 virtual assistance and interest-free shopping at major partners like H-E-B.
As Tarjeta Amiga’s digital footprint expanded and remote work became essential, the organization faced growing security and operational challenges tied to its legacy VPN-based access model.
The Challenge
Tarjeta Amiga relied first on IPsec VPNs and later on SSL VPNs to support employees and administrators. Over time, this approach introduced significant risk and inefficiency:
- Public-facing VPN infrastructure increased exposure to external attacks
- Manual VPN client updates were time-consuming and error-prone
- Limited role-based segmentation forced overly broad access permissions
- High volumes of false positives overwhelmed IT and security teams
- Troubleshooting access issues was slow and resource-intensive
The organization needed a modern access solution that could support remote operations, reduce the attack surface, and provide more precise control, without disrupting business continuity.
The Zero Trust Approach
Tarjeta Amiga implemented AppGate ZTNA to replace its VPN-centric access model with an identity-driven Zero Trust architecture. Access policies were defined and enforced based on user role, device posture, and contextual conditions, allowing the organization to differentiate access for IT administrators versus general users while eliminating unnecessary network exposure.
Key outcomes included:
- Elimination of public internet exposure for critical internal systems through infrastructure cloaking
- Granular role-based access controls aligned with least-privilege principles
- Automated client updates, reducing administrative overhead
- Improved alert quality, significantly reducing false positives
- Enhanced visibility and audit logging, accelerating troubleshooting and access reviews
As Hugo Perez, Chief Information Officer at Tarjeta Amiga, noted:
“With AppGate ZTNA, we’ve enabled our teams to work securely from anywhere, with the same confidence and control as if they were in the office. It’s strengthened our security, simplified access management, and helped us reduce exposure without compromising usability.”
This deployment demonstrates how consumer-facing financial institutions can modernize access controls while strengthening security and operational efficiency.
Case Study: BYMA – Securing Capital Markets Infrastructure at Scale
Bolsas y Mercados Argentinos (BYMA) is the primary capital markets operator in Argentina, responsible for providing secure, transparent access to investment systems that support institutions, companies, and the public. Through its group company Caja de Valores, BYMA manages critical custody systems that underpin the country’s financial markets.
Rapid growth placed increasing pressure on BYMA’s access controls. By mid-2024, Caja de Valores managed more than 13 million accounts, representing an 87% year-over-year increase. Securing access to sensitive market infrastructure, while maintaining regulatory compliance and performance, became a top priority.
The Challenge
As usage scaled, BYMA needed to:
- Secure access to highly sensitive custody and capital markets systems
- Support both internal staff and external market participants
- Prevent unauthorized access from public and private networks
- Improve visibility and reporting for regulatory compliance
- Maintain performance for mission-critical financial operations
Legacy access controls struggled to keep pace with growth, increasing operational risk and complexity for both IT teams and end users.
The Zero Trust Approach
BYMA implemented AppGate ZTNA to enforce Zero Trust access across its capital markets infrastructure. The solution provided context-aware access controls that ensured only authorized users and devices could reach sensitive systems, while integrating seamlessly with existing tools and technologies in under a month.
Key outcomes included:
- Secure, scalable access for both internal and external users
- Isolation of critical custody systems from public and unauthorized access
- Improved visibility and reporting, supporting compliance and audit requirements
- Reduced fraud risk associated with identity theft and credential abuse
- Streamlined user experience, minimizing friction for business users
According to Maximiliano Ignaciuk, CIO of BYMA and Director of TECVAL:
“BYMA works with a constant focus: the evolution of the Argentine Capital Market, and technology is a central driver in this challenge. We celebrate the development carried out in conjunction with AppGate, as it favors the incorporation of leading technology to the local market to enhance the activity of all participants.”
This case highlights how Zero Trust access can support growth, compliance, and resilience in capital markets environments where security and performance are equally non-negotiable.
What These Real-World Deployments Prove About Secure Access in Financial Services
Despite differences in size, geography, and business model, these organizations reached similar conclusions:
- Access must be intentionally designed, not inherited from network topology
- Least privilege must be enforced dynamically, not approximated through static rules
- Auditability must be continuous, not assembled retroactively
- Performance and resilience matter, especially for financial transactions and market operations
AppGate’s direct-routed ZTNA architecture played a critical role by eliminating cloud bottlenecks, reducing latency, and giving organizations full control over policy enforcement, without introducing new dependencies or single points of failure.
Key Considerations for Financial Services Leaders
For financial institutions evaluating access modernization, these lessons stand out:
- Start with access risk, not infrastructure: Identify where over-permissioning, public exposure, and audit gaps exist today.
- Prioritize least privilege and segmentation: Ensure access policies are granular, role-based, and continuously evaluated.
- Design for compliance from the start: Embed auditability and policy enforcement directly into access architecture.
- Avoid architectures that trade security for latency: Preserve performance with direct access paths while maintaining strong controls.
- Adopt incrementally but intentionally: Deliver immediate value with high-impact use cases, i.e., remote workforce access, administrators, third parties.
Moving Forward with Zero Trust
The financial services sector can no longer afford access models that slow the business or expose critical systems. As these real-world deployments show, ZTNA is not theoretical; it is already delivering measurable security, compliance, and operational benefits.
By replacing VPN-centric access with identity-driven, least-privilege controls, financial institutions can reduce risk, simplify audits, and move at the speed modern markets demand.