Chris Scheels, July 17, 2021
How to Plan for VPN to ZTNA Migration: Know Your Landscape and Create a Roadmap
This blog is the second of our three-part series on migrating from VPN to ZTNA. Part 1 explains why it’s time to move away from VPNs and provides a quick overview of the steps for success. This part discusses how to prepare for migration and part 3 covers the how-tos of scaling up ZTNA across the organization.
IT and security teams realize it’s time to evolve network security architecture and remote access strategies by augmenting or replacing their legacy virtual private network (VPN). This strategy shift is a response to the surge in remote workforces, accelerated digital transformation initiatives and the rise in cyberthreats we’ve all witnessed since early 2020.
VPNs are increasingly deficient and unwieldy, resulting in increased risk and complexity for today’s hybrid enterprises. Zero Trust Network Access (ZTNA) combats these inherent flaws, but some organizations might balk at modernizing their network security architecture because historical investments have ingrained VPNs into the security stack.
Here's how to get started building your plan to move from VPN to ZTNA.
Establish a Baseline: Understand Your VPN Landscape and Existing Network Security Architecture
Your organization has its own unique VPN setup and deployment. As you build your ZTNA implementation plan, it’s important to have a clear sense of your existing network security architecture and VPN landscape. If a map of your VPN framework doesn’t exist, create one to show where your VPNs are used—by application, network segment and user group.
This baseline assessment should detail how VPNs are integrated into your tech stack; which digital assets need to be secured and how; and should take into account existing technical, organizational and financial requirements.
You also should determine which user groups access the most sensitive data or pose the greatest risk if compromised. For example, rather than rolling out full ZTNA implementation for all remote workers at once, it may be wiser to pilot ZTNA with a smaller user group posing a higher risk. After achieving a win for that group and delivering immediate security posture advancements, you can scale to the broader user population.
Your VPN baseline provides a complete picture of how VPNs work within your organization while also considering all technical, organizational and financial influences.
Develop Your ZTNA Roadmap
Next, you should build a ZTNA roadmap for your network security architecture. It’s critical to consider your desired Zero Trust security end state and long-term strategy. With a robust ZTNA solution, your roadmap can extend beyond solving for remote access to include broader network security and access requirements. ZTNA is far more extensible than VPN, allowing you to deliver secure access for all users, devices and workloads, regardless of where they reside.
ZTNA supports many other use cases beyond remote access, so prioritization is entirely dependent on the objectives, risks and desired security posture of your organization.
Consider Use Cases Beyond Secure Remote Access:
- Cloud migration: Moving applications and data to the cloud — or multiple clouds — effectively turns all users into remote users but with some stark differences. ZTNA automatically scales with the IPs associated with cloud workloads, resulting in dynamic entitlements across multi-cloud environments without manual intervention.
- Secure DevOps access: DevOps teams require remote access to sensitive digital assets hosted in multi-cloud environments and on-premises, which causes friction and risk under the limited capabilities of VPN. ZTNA gives DevOps concurrent access to multiple cloud environments plus the bandwidth and performance they need. This use case is also a good place to explore automation capabilities using metadata and integration capabilities (e.g., with IT service management).
- Third-party access: Third parties such as vendors, contractors and business partners are invariably remote in nature, so many organizations rely on VPNs to manage their access. ZTNA grants trusted access to third-party users without risking overprivileged access exposure to unauthorized resources.
- Machine-to-machine (M2M): More robust ZTNA solutions apply the same Zero Trust user principles to M2M connections (i.e., East/West network traffic). This is another way ZTNA reduces your attack surface, because it thwarts lateral movement if a machine is compromised.
- Café-style networking: This is the ultimate value of ZTNA—secure access for an amalgamation of all use cases into a single unified policy model across all users, networks, workloads and devices. This removes the need for varying access models when working remotely or in an office, whether connecting to the cloud or running on-premises workloads … or a hybrid combination of it all.
Using rich APIs, ZTNA can integrate and automate with existing IT, security and business systems, making it an ideal solution for all of your network access use cases. Make sure you account for all your use cases in the roadmap because automation and operational efficiencies likely will become strategic business demands.
After building your VPN to ZTNA migration plan, it’s time to execute that plan by:
- Selecting a ZTNA provider
- Completing infrastructure setup, policy creation, onboarding and automation
- Implementing your first use case
- Scaling up across your organization
Taking a step-by-step approach to ZTNA migration minimizes business disruption and sets up your overall network security architecture for success.