How to Plan for VPN to ZTNA Migration: Know Your Landscape and Create a Roadmap

IT and security teams realize it’s time to evolve network security architecture and remote access strategies by augmenting or replacing their legacy virtual private network (VPN). This strategy shift is a response to the surge in remote workforces, accelerated digital transformation initiatives and the rise in cyberthreats we’ve all witnessed since early 2020.

VPNs are increasingly deficient and unwieldy, resulting in increased risk and complexity for today’s hybrid enterprises. Zero Trust Network Access (ZTNA) combats these inherent flaws, but some organizations might balk at modernizing their network security architecture because historical investments have ingrained VPNs into the security stack.

Here's how to get started building your plan to move from VPN to ZTNA.

Establish a Baseline: Understand Your VPN Landscape and Existing Network Security Architecture

Your organization has its own unique VPN setup and deployment. As you build your ZTNA implementation plan, it’s important to have a clear sense of your existing network security architecture and VPN landscape. If a map of your VPN framework doesn’t exist, create one to show where your VPNs are used—by application, network segment and user group.

This baseline assessment should detail how VPNs are integrated into your tech stack; what and how digital assets need to be secured; and should take into account existing technical, organizational and financial requirements.

You also should determine which user groups access the most sensitive data or pose the greatest risk if compromised. For example, rather than rolling out full ZTNA implementation for all remote workers at once, it may be wiser to pilot ZTNA with a smaller user group posing a higher risk. After achieving a win for that group and delivering immediate security posture advancements, you can scale to the broader user population.

Your VPN baseline provides a complete picture of how VPNs work within your organization while also considering all technical, organizational and financial influences.

Develop Your ZTNA Roadmap

Next, you should build a ZTNA roadmap for your network security architecture. It’s critical to consider your desired Zero Trust security end state and long-term strategy. With a robust ZTNA solution, your roadmap can extend beyond solving for remote access to include broader network security and access requirements. ZTNA is far more extensible than VPN, allowing you to deliver secure access for all users, devices and workloads, regardless of where they reside.

ZTNA supports many other use cases beyond remote access, so prioritization is entirely dependent on the objectives, risks and desired security posture of your organization.

Consider Use Cases Beyond Secure Remote Access:

• Cloud migration: Moving applications and data to the cloud — or multiple clouds — effectively turns all users into remote users but with some stark differences. ZTNA automatically scales with the IPs associated with cloud workloads, resulting in dynamic entitlements across multi-cloud environments without manual intervention.
• Secure DevOps access: DevOps teams require remote access to sensitive digital assets hosted in multi-cloud environments and on-premises, which causes friction and risk under the limited capabilities of VPN. ZTNA unleashes DevOps with concurrent access to multiple cloud environments plus the bandwidth and performance they need. This use case also is optimal to explore automation capabilities using metadata and integration capabilities (e.g., with IT service management).
• Third-party access: Third parties such as vendors, contractors and business partners are invariably remote in nature, so many organizations rely on VPNs to manage their access. ZTNA grants trusted access to third-party users without risking overprivileged access exposure to unauthorized resources.
• Machine-to-machine (M2M): More robust ZTNA solutions apply the same Zero Trust user principles to M2M connections (i.e., East/West network traffic). This is another way ZTNA reduces your attack surface, because it thwarts lateral movement if a machine is compromised.
• Café-style networking: This is the ultimate value of ZTNA—secure access for an amalgamation of all use cases into a single unified policy model across all users, networks, workloads and devices. This removes the need for varying access models when working remotely or in an office, whether connecting to the cloud or running on-premises workloads … or a hybrid combination of it all.

Using rich APIs, ZTNA can integrate and automate with existing IT, security and business systems, making it an ideal solution for all of your network access use cases. Make sure you account for all your use cases in the roadmap because automation and operational efficiencies likely will become strategic business demands.

What’s Next?

After building your VPN to ZTNA migration plan, then it’s time to execute that plan by:

• Selecting a ZTNA provider
• Completing infrastructure setup, policy creation, onboarding and automation
• Implementing your first use case
• Scaling up across your organization

Taking a step-by-step approach to ZTNA migration ensures minimal business disruptions and your overall network security architecture success.