Why replace your corporate VPN with Zero Trust Network Access (ZTNA)
The classic corporate VPN is a 25-year-old design that no longer fits. ZTNA (Cloudflare Access, Tailscale, Zscaler) offers a finer, safer, better-UX model.
Corporate VPN is 1990s technology. The principle — open an encrypted tunnel between the user’s machine and the company’s internal network, then grant access to “everything” — fit a world where the IT estate lived behind the headquarters’ walls. Today the IT estate is fragmented across M365, Google Workspace, business SaaS, residual on-premise servers and cloud (Azure, AWS). Stacking more VPN rules on top of that landscape becomes unmanageable. Zero Trust Network Access (ZTNA) proposes a different contract.
The traditional VPN problem
A corporate VPN does two things: it encrypts traffic between the user and the internal network, and it authorizes the user to reach that internal network. The second point is the structural weakness. Once the VPN is open, the user can usually scan and try to reach any internal resource — including ones they don’t need. If the endpoint is compromised, the attacker has the same latitude.
Practical issues pile on: uneven performance (mobile users disconnect “just for the call”), heavy maintenance (cert renewals, concentrator updates, firewall rules), low granularity (often no difference between a managed-and-up-to-date Mac and a jailbroken one).
What Zero Trust Network Access changes
ZTNA flips the model. Rather than opening a network tunnel, ZTNA exposes each application individually and checks three things on every access attempt: who (identity, MFA, group, role), from what (device compliance: encrypted, up to date, EDR active), to do what (the requested app and its risk profile).
Concretely, the internal application (a GitLab, an on-premise Jira, a SharePoint, a file share) is no longer exposed to a private network any VPN-connected user can reach — it sits behind a ZTNA proxy that only lets validated requests through. The user no longer needs to “connect to the VPN”: they open the app’s URL, get redirected to their IdP (Entra ID, Okta), prove identity, and access either passes or doesn’t, based on policy.
The three ZTNA platforms we deploy most
Three solutions cover 90% of our client situations:
- Cloudflare Access — excellent simplicity-to-security ratio, per-user pricing, native integration with Cloudflare Tunnel for exposing internal apps with no open port. Our default for SMBs up to 200 staff.
- Zscaler Private Access (ZPA) — the enterprise reference, full ecosystem (with ZIA for outbound web proxy), ideal for globally distributed multi-site organizations. More complex to operate, more structured.
- Tailscale — a peer-to-peer approach over WireGuard, very simple to deploy for technical teams, with fine-grained Tailscale ACLs. Our pick for startups and tech-savvy agencies.
Identity at the core
ZTNA only makes sense with a robust corporate identity layer in front. Concretely: a single IdP (Entra ID, Okta, Google Workspace), mandatory MFA with at least one strong method (FIDO2 passkey or Authenticator with biometric phone lock), and SSO federation to all business apps via SAML or OIDC.
This is also the moment to introduce passkeys: a phishing-resistant authentication factor, supported by all major vendors since 2023, gradually replacing password + SMS code. On recent ZTNA deployments we enable passkeys by default on admin accounts.
Device compliance, the second pillar
ZTNA’s other strength is conditioning access on the device’s compliance posture: an encrypted, up-to-date, EDR-active, MDM-managed Mac can reach the finance app; an unmanaged personal Mac cannot. This logic requires coupling ZTNA with the MDM (Kandji, Jamf, Intune) and EDR (Defender, CrowdStrike) so that “device posture” is surfaced to the ZTNA policy engine.
It is the marriage of MDM + EDR + IdP + ZTNA that earns the Zero Trust label: trust nothing by default, verify on every access.
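The who / from what / to do what check described above, and the managed-versus-personal Mac case in the device compliance section, written out as a small default-deny policy evaluator. This is an added illustration, not code from any of the ZTNA vendors named in the post; the attribute names, risk tiers and sample users are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical policy model, constructed for this example. It mirrors the three
# questions a ZTNA proxy asks on every request: who, from what device, to do what.
STRONG_MFA = {"fido2", "passkey", "authenticator_biometric"}

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_method: str       # "" if the IdP session carried no MFA

@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in MDM (Kandji, Jamf, Intune)
    encrypted: bool       # full-disk encryption on
    up_to_date: bool      # OS patch level within policy
    edr_active: bool      # EDR agent running and reporting

@dataclass(frozen=True)
class App:
    name: str
    risk: str             # "low", "medium" or "high" (constructed tiers)
    allowed_groups: frozenset

# Device signals required per app risk tier; higher tiers demand more posture.
POSTURE_REQUIRED = {
    "low": (),
    "medium": ("managed", "encrypted"),
    "high": ("managed", "encrypted", "up_to_date", "edr_active"),
}

def evaluate(user: User, device: Device, app: App) -> tuple:
    """Default deny: access passes only if no check fails; reasons say why not."""
    reasons = []
    if user.mfa_method not in STRONG_MFA:
        reasons.append("mfa: strong method required")
    if not (user.groups & app.allowed_groups):
        reasons.append(f"identity: not in an allowed group for {app.name}")
    for signal in POSTURE_REQUIRED[app.risk]:
        if not getattr(device, signal):
            reasons.append(f"device: {signal} check failed")
    return (not reasons, reasons)

# Constructed sample: the finance app from the post, reached from a compliant
# managed Mac and from an unmanaged personal Mac by the same user.
FINANCE = App("finance", "high", frozenset({"finance"}))
ALICE = User("alice", frozenset({"finance"}), "passkey")
MANAGED_MAC = Device(managed=True, encrypted=True, up_to_date=True, edr_active=True)
PERSONAL_MAC = Device(managed=False, encrypted=True, up_to_date=False, edr_active=False)

if __name__ == "__main__":
    for dev in (MANAGED_MAC, PERSONAL_MAC):
        ok, why = evaluate(ALICE, dev, FINANCE)
        print("allow" if ok else "deny", why)
```

The same identity passes from the managed Mac and is refused from the personal one, with each failed posture signal listed, which is what makes the decision auditable.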
How long it takes
For a 50-staff SMB, a typical ZTNA deployment runs 6 to 10 weeks: 2-3 weeks of scoping and design (app inventory, identifying network dependencies, identity model and policy design), 2-3 weeks of technical setup (Cloudflare Tunnel or equivalent, IdP integration, first tests), 2-4 weeks of progressive migration with VPN/ZTNA coexistence, then final VPN decommission.
If you still operate a corporate VPN and feel the operational weight rising, the form at the bottom of the home page is built to start the conversation.