
Zero Trust rollout: from VPN replacement to mature program

By Deepak Gupta · Updated 2026-01-15 · 18 min

What Zero Trust actually is

Zero Trust is a model, not a product. NIST SP 800-207 describes it as continuous verification of identity, device, and context for every access decision. ZTNA (Zero Trust Network Access) is the product category that delivers most of it.
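As an added illustration (not code from the original guide or from any vendor named in it), the following policy decision function has the shape SP 800-207 describes: one allow/deny answer is recomputed per request from identity, device posture and context signals, so a posture change mid-session changes the outcome without a new login. The field names, the 30-day patch threshold and the sample requests are constructed for this example.

```python
from dataclasses import dataclass

# Constructed example of a per-request policy decision point. Unlike a VPN,
# which trusts the network once a tunnel is up, every request is evaluated
# against current identity, device and context signals.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    app_sensitivity: str            # "low" or "high" (assumed app labelling)
    sso_authenticated: bool         # identity provider asserted the session
    mfa_satisfied: bool             # MFA completed for this session
    device_managed: bool            # enrolled device with a posture agent reporting
    disk_encrypted: bool            # posture signal
    patch_age_days: int             # days since last OS patch, posture signal
    country: str                    # sign-in location, context signal
    expected_countries: frozenset   # where this user normally signs in from

MAX_PATCH_AGE_DAYS = 30   # constructed threshold, not a vendor default

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("allow" | "deny", [failed controls]) for a single request."""
    failed: list[str] = []
    # Identity controls apply to every app (the Q1 foundation: SSO plus MFA).
    if not req.sso_authenticated:
        failed.append("identity:sso")
    if not req.mfa_satisfied:
        failed.append("identity:mfa")
    # Device posture is required only for high-sensitivity apps, so an unmanaged
    # device can still reach low-sensitivity apps with a verified identity.
    if req.app_sensitivity == "high":
        if not req.device_managed:
            failed.append("device:unmanaged")
        if not req.disk_encrypted:
            failed.append("device:disk_unencrypted")
        if req.patch_age_days > MAX_PATCH_AGE_DAYS:
            failed.append("device:patch_age")
        # Context: an unexpected sign-in country is denied for high-sensitivity apps.
        if req.country not in req.expected_countries:
            failed.append("context:unexpected_country")
    return ("deny" if failed else "allow", failed)

if __name__ == "__main__":
    healthy = AccessRequest("alice", "payroll", "high", True, True, True, True, 10,
                            "DE", frozenset({"DE", "AT"}))
    stale = AccessRequest("alice", "payroll", "high", True, True, True, True, 45,
                          "DE", frozenset({"DE", "AT"}))
    print(evaluate(healthy))   # same user, fresh posture
    print(evaluate(stale))     # same user, stale patch level: denied on this request
```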

The honest sequence

Quarter 1: Foundation. Modernize identity. SSO covering 90% of apps. MFA enforced for all users. Conditional Access policies tested.

Quarter 2: ZTNA pilot. Pick one critical internal app. Replace VPN access to it with a ZTNA gateway. Verify the user experience and audit visibility.

Quarters 3-4: ZTNA expansion. Onboard the next 20 apps. Sunset the corresponding VPN tunnels. Establish device posture signals.

Year 2: Microsegmentation and continuous monitoring. East-west controls (Illumio-style) to limit blast radius after compromise. SOC integration for real-time policy decisions.

Year 2 ongoing: SaaS data controls. CASB / SSE for SaaS app traffic. Inline DLP. Browser isolation for risky URLs.

Vendor decisions

The ZTNA layer is the high-leverage decision. Cloudflare, Zscaler, Netskope, Palo Alto Prisma, and Tailscale represent different price-performance points. Microsegmentation is a separate purchase (Illumio, Akamai Guardicore, native cloud).

Common pitfalls

  • Buying ZTNA before identity hygiene is complete — garbage in, garbage out
  • Treating Zero Trust as a single project instead of a multi-year program
  • Skipping the VPN sunset — running both indefinitely is the worst of both worlds
  • Underestimating change management for users moving from VPN to ZTNA
  • Buying microsegmentation before basic posture signals are flowing