The “Lateral Movement” Problem
Traditional VPNs are a security relic. They operate on a “castle and moat” model: once a user authenticates, they are inside the network and often have broad access to scan and move laterally. In an era of ransomware, this is a critical vulnerability.
Zero Trust Network Access (ZTNA) flips this model. It grants access to specific applications, not the network. Users are never “on the network”; they are merely authorized to see specific apps based on identity and context.
Technical Deep Dive
1. Clientless vs. Agent-based ZTNA
- Clientless (Browser-based): Great for contractors or unmanaged devices. Users access a portal and launch web apps. No software to install.
- Limitation: Only works for web apps (HTTP/HTTPS), RDP, and SSH.
- Agent-based (Tunnel): A lightweight agent on the device intercepts traffic and routes it to the ZTNA broker.
- Advantage: Supports all ports/protocols and provides device posture checks (e.g., “Is the OS patched?”).
2. Identity is the New Firewall
In ZTNA, your Identity Provider (IdP) like Okta or Entra ID becomes the control plane.
- Policy: “Marketing Group” can access “Salesforce” and “Intranet”, but not “Production DB”.
- Context: Access is denied if the user is logging in from an unknown country or a jailbroken device.
3. Microsegmentation: The “Kill the VPN” Strategy
You can’t just turn off the VPN on Monday. You need to map applications to users.
- Discovery: Use the ZTNA agent in “monitor mode” to see what apps users are actually accessing.
- Policy Creation: Build granular policies based on observed traffic.
- Enforcement: Switch to “block mode” one department at a time.
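A minimal policy engine that puts sections 2 and 3 into code, added here as an example rather than anything from the article or a particular ZTNA vendor: the group names, application names, trusted countries and per-department rollout modes are constructed for illustration.

```python
"""Added example (not from the article): a minimal ZTNA policy engine.

Models the points above: the IdP group is the control plane, requests are
denied by default, context (country, device posture) can veto an allowed
app, and enforcement runs per department in "monitor" or "block" mode.
All group, app and country values below are constructed.
"""
from dataclasses import dataclass, field

# Identity-based policy: which IdP groups may reach which applications.
# Anything not listed is denied (default deny). Constructed values.
GROUP_TO_APPS = {
    "marketing": {"salesforce", "intranet"},
    "dba": {"intranet", "production-db"},
}
TRUSTED_COUNTRIES = {"US", "DE"}

# Per-department rollout state for the "one department at a time" cutover:
# "monitor" only records what would be blocked, "block" enforces.
DEPARTMENT_MODE = {"marketing": "block", "dba": "monitor"}


@dataclass
class Request:
    user: str
    groups: set          # groups asserted in the IdP token
    department: str
    app: str             # a named application, never a network or CIDR
    country: str
    jailbroken: bool = False
    audit: list = field(default_factory=list)


def evaluate(req: Request) -> str:
    """Return 'allow', 'deny', or 'monitor' (would deny; logged only)."""
    allowed_apps = set().union(*(GROUP_TO_APPS.get(g, set()) for g in req.groups))
    reasons = []
    if req.app not in allowed_apps:
        reasons.append(f"no group grants {req.app}")
    # Context checks veto even a group-granted application.
    if req.country not in TRUSTED_COUNTRIES:
        reasons.append(f"unknown country {req.country}")
    if req.jailbroken:
        reasons.append("device posture: jailbroken")
    if not reasons:
        return "allow"
    req.audit.append(f"{req.user} -> {req.app}: " + "; ".join(reasons))
    if DEPARTMENT_MODE.get(req.department, "block") == "monitor":
        return "monitor"  # discovery phase: record it, do not break the user
    return "deny"
```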
Cost Comparison: VPN vs. ZTNA
| Feature | Legacy VPN | ZTNA |
|---|---|---|
| Licensing | Concurrent user licenses + Hardware maintenance | Per-user/month subscription |
| Hardware | Expensive Concentrators (CapEx) | Cloud-delivered (OpEx) |
| Bandwidth | Hairpinning traffic costs bandwidth | Direct-to-app (Internet offload) |
| Security Ops | High (Patching appliances) | Low (SaaS model) |
Hidden Cost: The cost of a breach. VPNs are the #1 entry point for ransomware. ZTNA drastically reduces the blast radius.
Typical VPN to ZTNA Migration Roadmap
Phase 1: Discovery & Identity Prep (Months 1-2)
Activities:
- Integrate IdP (Entra ID/Okta) with ZTNA provider.
- Deploy ZTNA connectors in data centers/cloud VPCs.
- Run agents in “Discovery Mode” to map traffic.
Deliverables:
- Application Inventory.
- Identity-based Access Policies.
Phase 2: The “Low Hanging Fruit” (Months 3-4)
Activities:
- Migrate Contractors and Third Parties to Clientless ZTNA.
- Migrate Developers to Agent-based ZTNA for SSH/RDP access.
- Why? These are high-risk groups. Securing them first adds immediate value.
Deliverables:
- VPN access revoked for contractors.
- Secure remote access for devs.
Phase 3: General Workforce & SaaS (Months 5-6)
Activities:
- Route private web apps through ZTNA.
- Enable device posture checks (e.g., block access if antivirus is off).
- Begin phasing out VPN client for general staff.
Deliverables:
- 90% of workforce off VPN.
Phase 4: Legacy & Decommission (Months 7+)
Activities:
- Address “thick client” legacy apps requiring specific protocols.
- Keep a minimal VPN for “break glass” scenarios (if needed).
- Decommission VPN concentrators.
Deliverables:
- Hardware retired.
- Zero Trust architecture fully operational.
Architecture Transformation
```mermaid
graph TD
    subgraph "Legacy VPN Model"
        A[User] -->|Tunnel| B[VPN Concentrator]
        B -->|Network Access| C[App 1]
        B -->|Network Access| D[App 2]
        B -->|Lateral Move| E[Database]
    end
    subgraph "Zero Trust Model"
        F[User] -->|Auth + Context| G[Identity Provider]
        G -->|Token| H[ZTNA Cloud Broker]
        H -->|Micro-tunnel| I[App Connector 1]
        H -->|Micro-tunnel| J[App Connector 2]
        I --> C_New[App 1]
        J --> D_New[App 2]
    end
    style B fill:#f9f,stroke:#333,stroke-width:2px
    style H fill:#bbf,stroke:#333,stroke-width:2px
```
Top VPN to ZTNA Migration Services Companies
We analyzed 20+ VPN to ZTNA migration services companies based on:
- ZTNA broker expertise: Zscaler, Cloudflare, Palo Alto, Netskope specializations
- Phased migration methodology: Discovery → Pilot → Rollout (not “Big Bang”)
- Pricing transparency: Per-user costs, PoC pricing, enterprise vs. mid-market
How to Choose a VPN to ZTNA Migration Partner
If you need a full SASE transformation: Accenture or Wipro. They can overhaul your entire network (SD-WAN + ZTNA + SWG).
If you are Microsoft-centric: Avanade (via Accenture) or HCLTech. They have deep expertise in Entra Private Access and the Microsoft security stack.
If you need rapid user adoption: Slalom. Their change management focus ensures users don’t revolt against the new access methods.
Red flags:
- Vendors who suggest “Network Extension” mode for everything (recreating the VPN).
- Ignoring the “Unmanaged Device” use case.
- Lack of integration with your existing EDR/MDM tools (CrowdStrike, Intune).
Top 3 Reasons VPN to ZTNA Migrations Fail
35% of migrations fail.
1. The “Network Extension” Trap (45% of failures)
The Problem: Vendors configure ZTNA in “Network Extension” mode, which replicates VPN behavior (full network access via ZTNA).
The Reality: This defeats the purpose. You’ve just moved your VPN to the cloud without gaining Zero Trust benefits.
Prevention: Insist on application-level segmentation from Day 1.
2. Ignoring Unmanaged Devices (30% of failures)
The Problem: Contractors, partners, and BYOD users can’t install agents.
The Reality: They keep using the old VPN, which you can’t sunset.
Prevention: Deploy clientless ZTNA (browser-based) for unmanaged devices in Phase 1.
3. Legacy App Protocol Incompatibility (25% of failures)
The Problem: Apps using custom protocols (VOIP, active FTP, SAP GUI) break.
The Reality: ZTNA works great for HTTP/HTTPS but struggles with legacy protocols.
Prevention: Test legacy apps in a PoC environment BEFORE production cutover.
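A pre-cutover linter that catches the “Network Extension” trap and the clientless protocol limit (HTTP/HTTPS, RDP, SSH) from the sections above, added here as an example and not taken from the article or any vendor product; the policy fields, destinations and sample policies are constructed.

```python
"""Added example (not from the article): a linter for ZTNA access policies.

Flags, before production cutover, the failure modes described above:
  - "Network Extension" rules granting a subnet or all ports (a VPN in
    disguise) instead of a named application on a specific port;
  - clientless (browser) policies for protocols the portal cannot carry,
    which the article limits to HTTP/HTTPS, RDP and SSH;
  - rules with no identity scoping at all.
Policy fields and sample values are constructed for illustration.
"""
import ipaddress

CLIENTLESS_PROTOCOLS = {"http", "https", "rdp", "ssh"}


def lint_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy is clean."""
    findings = []
    dest = policy.get("destination", "")
    # A destination written as a CIDR is network access, not app access.
    try:
        net = ipaddress.ip_network(dest, strict=False)
        if net.num_addresses > 1:
            findings.append(f"network-extension: grants subnet {net}")
    except ValueError:
        pass  # not a CIDR: a hostname/FQDN is the expected shape
    ports = policy.get("ports", [])
    if not ports or ports == ["*"]:
        findings.append("network-extension: all ports allowed")
    proto = policy.get("protocol")
    if policy.get("access") == "clientless" and proto not in CLIENTLESS_PROTOCOLS:
        findings.append(f"clientless cannot carry {proto}; use agent or test in PoC")
    if policy.get("groups") in (None, [], ["*"]):
        findings.append("no identity scoping: policy applies to everyone")
    return findings


# Constructed sample policies: one clean, one VPN-in-disguise, one legacy app.
POLICIES = [
    {"name": "sales-crm", "destination": "crm.corp.internal", "ports": [443],
     "protocol": "https", "access": "clientless", "groups": ["marketing"]},
    {"name": "legacy-net", "destination": "10.0.0.0/8", "ports": ["*"],
     "protocol": "any", "access": "agent", "groups": ["*"]},
    {"name": "sap-gui", "destination": "sap.corp.internal", "ports": [3200],
     "protocol": "sap-gui", "access": "clientless", "groups": ["finance"]},
]


def lint_all(policies: list) -> dict:
    """Map each policy name to its findings."""
    return {p["name"]: lint_policy(p) for p in policies}
```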
When NOT to Migrate to ZTNA
Zero Trust isn’t always the answer. Keep your VPN if:
- Ultra-secure government networks: Air-gapped systems with no internet access require on-prem VPN.
- Short-term projects (<6 months): Migration ROI requires 12-18 months to break even.
- No modern Identity Provider: ZTNA requires Okta/Entra ID. If you’re still on pure on-prem Active Directory, modernize identity first.
- Mainframe-only environments: Legacy mainframes with 3270 emulation don’t benefit from ZTNA.
When to Hire VPN to ZTNA Migration Services
1. The Hardware Refresh
Your VPN concentrators are EOL. Buying new hardware feels like investing in fax machines. Trigger: “Budget approval needed for new Cisco ASAs.”
2. The Merger & Acquisition
You need to give a new subsidiary access to apps without merging networks (which takes years). ZTNA provides instant, granular access. Trigger: “How do we onboard the acquired team next week?”
3. The Compliance Audit
Auditors are flagging “excessive access” or lack of MFA on legacy apps. ZTNA wraps legacy apps in modern auth. Trigger: “We failed the SOC2 access control criteria.”
Total Cost of Ownership: VPN vs ZTNA
| Line Item | VPN (3 Years) | ZTNA (3 Years) |
|---|---|---|
| Hardware/Licensing | $500k (Upfront) | $360k (Subscription) |
| Bandwidth/MPLS | $200k | $50k (Internet) |
| Ops/Patching | $150k | $30k |
| Total | $850k | $440k |
Break-Even: Usually within 12-18 months, faster if avoiding a hardware refresh.