How do we transition from a traditional VPN to a Zero Trust Network Access (ZTNA) model safely?

All answers to this question.

The most successful migrations I’ve seen follow a "coexistence" phase rather than a hard cutover. You should start by identifying your most sensitive cloud-native applications and putting them behind a ZTNA gateway while keeping your general file shares on the VPN. This allows you to test your identity provider (IdP) integration and conditional access policies without a total blackout. In 2024, the "identity is the new perimeter" mantra is key—ensure your MFA is robust before you even touch the network layer. We found that migrating the IT and Finance departments first provided a great baseline for troubleshooting before a full global rollout.

   Answered 2024-02-17 by Jennifer Thompson

Are you planning to use an agent-based ZTNA approach, or are you looking for a clientless web-portal solution to support your BYOD users?

   Answered 2024-02-19 by Mark Davis

• We are leaning toward an agent-based approach for our corporate laptops to ensure continuous posture checking, but we definitely need clientless access for our third-party contractors. Does running both simultaneously complicate the policy engine management, or can most modern ZTNA vendors handle those as two distinct workflows within the same dashboard?

     Commented 2024-02-21 by Richard Wilson

Start by mapping your user groups. Zero Trust is only as good as your "Least Privilege" definitions, so cleaning up your Active Directory groups is the real first step.

   Answered 2024-02-23 by Charles Scott

• Great point, Charles. If your AD is messy, your Zero Trust policies will be just as broad and insecure as your old VPN tunnels.

     Commented 2024-02-24 by Sarah Miller