From VPN to Zero Trust: What Does “Good” Look Like?

Posted: Wednesday April 22, 2026
Author: Numberline Marketing

Zero Trust is now the default language of modern security, but that doesn’t make it easy to implement. Its core ideas are easy to state: reduce implicit trust, tighten access, and continuously evaluate risk. Yet many organizations stall when they try to move from big-picture vision to concrete steps that actually improve security and user experience.

One of the most effective ways to break that logjam is to start with a focused, high-impact use case: replacing your VPN with a Zero Trust Network Access (ZTNA) model. This isn’t just a tactical swap of one remote access tool for another; it’s a way to materially reduce risk, improve resilience, and demonstrate visible progress to the business. Done right, it becomes the practical backbone of your Zero Trust program and a proving ground for better identity, governance, and operations.

Why VPN Replacement Is Such a Strong First Move

Traditional VPNs were built for a world with a clear perimeter and a small number of remote users. That world is gone. Today enterprises are supporting distributed workforces, hybrid and multi-cloud environments, third-party access, and increasingly sophisticated attackers. The legacy VPN model struggles under that weight.

In a VPN-centric environment, several issues show up again and again:

  • Overly broad network access once a user connects
  • Limited, often static device posture checks
  • VPN concentrators exposed directly to the internet, where they are a standing target for exploitation and credential attacks
  • Disconnected identity lifecycle and inconsistent MFA
  • Fragmented experiences between remote and on-prem users
  • A perimeter-centric security model that doesn’t reflect how work actually happens
  • Degraded performance and user experience due to forced WAN traversal

These aren’t edge cases; they’re structural characteristics of the VPN model. Trying to “tighten” a VPN architecture with incremental controls can buy you some time, but it rarely changes the fundamentals. Taken together, these issues translate into elevated breach impact, inconsistent controls across user populations, and mounting pressure from both compliance and the business to modernize the remote access model.

A Zero Trust approach to remote access, anchored in ZTNA, directly addresses these weaknesses. Instead of extending the network, you grant access to specific resources based on identity, device posture, and context. You reduce exposed attack surface, simplify the path users take to applications, and bring remote access into alignment with how you want the rest of your environment to work.

Crucially, VPN replacement doesn’t require you to re-architect everything at once. It lets you deliver immediate, measurable security gains while laying the foundation for a broader Zero Trust program.

A Phased Journey: From Traditional to Optimal Zero Trust

Zero Trust is often described as a “journey,” but that only helps if the journey is clearly mapped. For VPN replacement, it’s useful to think in terms of four distinct maturity phases:

  • Traditional (the typical starting point)
  • Initial Zero Trust
  • Advanced Zero Trust
  • Optimal Zero Trust

Each phase has its own implications, advancement criteria, and concrete steps. That’s what turns an abstract destination into a practical roadmap.

Traditional: The VPN-Centric Baseline

Most organizations begin in a traditional state: remote users connect via VPN, land on a network segment, and from there can reach all the systems they need, and often many they don’t. Access is fundamentally network-based rather than identity-centric.

The implications of this model are familiar:

  • Broad lateral access once connected, which attackers can exploit
  • Limited visibility into specific user and device activity
  • Security that depends heavily on being “inside” the network
  • A user experience that often suffers from slow, hair-pinned traffic

This phase isn’t a failure; it’s simply the baseline that modern enterprises have inherited. The key is to recognize it clearly and treat it as a starting point instead of an acceptable end state.

Initial Zero Trust: Introducing ZTNA and Gaining Visibility

The shift begins with the introduction of ZTNA for remote access. Rather than placing users on the network, you start brokering access to individual applications and resources based on who they are, what they’re using, and the context of the request.

In an initial Zero Trust phase, you typically see:

  • Remote user access moving to ZTNA, from pilot to early production
  • Enforced device posture checks instead of implicit assumptions
  • Clearer visibility into user and device network activity
  • Uniform authentication via your enterprise identity provider
  • Contextual MFA, stepped up on risk signals and resource sensitivity rather than prompted uniformly (or not at all)
  • Access policies that rely on identity attributes, roles, and groups
  • A shift toward resource-centric access policies instead of subnet-centric ones
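
As an added illustration (not code from the post or from Numberline), the following Python sketch contrasts a subnet-centric check with a resource-centric decision that combines identity groups, device posture, and request context, with step-up MFA triggered by the request rather than prompted uniformly. The resource names, policy fields, posture attributes and thresholds are assumptions chosen for the example.

```python
"""Minimal ZTNA-style policy decision point (added illustration, not any vendor's engine).

Assumptions (not from the page): resources are keyed by application name, each policy
lists authorized groups, sensitivity and an MFA freshness limit, and the posture/context
fields on Request are the ones a broker would supply.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP_MFA = "step_up_mfa"   # allow only after a fresh, stronger factor


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # identity attributes from the IdP
    resource: str              # an application, not a subnet
    device_managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    mfa_age_minutes: int       # minutes since the last successful MFA
    known_device: bool
    country: str


# Resource-centric policies (assumed): who may reach what, under which posture and MFA freshness.
POLICIES = {
    "hr-portal": {"groups": {"hr", "managers"}, "sensitivity": "high", "mfa_max_age": 15},
    "wiki": {"groups": {"employees"}, "sensitivity": "low", "mfa_max_age": 720},
    "prod-db-admin": {"groups": {"dba"}, "sensitivity": "critical", "mfa_max_age": 5,
                      "allowed_countries": {"US", "DE"}},
}


def legacy_subnet_decision(src_ip: str) -> Decision:
    """The 'traditional' model for contrast: landing on the VPN pool means everything is reachable."""
    vpn_pool = ip_network("10.8.0.0/16")   # assumed VPN address pool
    return Decision.ALLOW if ip_address(src_ip) in vpn_pool else Decision.DENY


def decide(req: Request):
    """Return (Decision, reasons). Deny is the default; network location implies nothing."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return Decision.DENY, ["no policy for resource"]
    if not (req.groups & policy["groups"]):
        return Decision.DENY, ["user not in an authorized group"]
    # Device posture is enforced on every request, not assumed from a one-time connect.
    if not (req.device_managed and req.disk_encrypted and req.edr_healthy):
        return Decision.DENY, ["device posture failed"]
    if "allowed_countries" in policy and req.country not in policy["allowed_countries"]:
        return Decision.DENY, ["country not allowed for this resource"]
    # Contextual MFA: step up when the factor is stale or the device is new for a sensitive resource.
    reasons = []
    if req.mfa_age_minutes > policy["mfa_max_age"]:
        reasons.append("mfa too old for resource")
    if not req.known_device and policy["sensitivity"] != "low":
        reasons.append("unrecognised device for sensitive resource")
    if reasons:
        return Decision.STEP_UP_MFA, reasons
    return Decision.ALLOW, ["identity, posture and context satisfied"]


if __name__ == "__main__":
    alice = Request("alice", frozenset({"employees", "hr"}), "hr-portal",
                    True, True, True, 60, True, "US")
    print(legacy_subnet_decision("10.8.3.4"), decide(alice))
```

The step-up outcome is the point: the broker neither waves a stale session through nor prompts for MFA on every low-sensitivity page, and each deny carries a reason that can be logged and explained.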

This is where many organizations get their first taste of tangible Zero Trust benefits. Visibility improves, policies become more precise, and it becomes easier to explain who can access what and why. It’s the first phase where enterprises can credibly show reduced exposure from remote access while improving the employee experience instead of degrading it.

To reach this phase, you typically must:

  • Define requirements and priorities for ZTNA vendors.
  • Evaluate architectures, functional fit, and cost.
  • Pilot a ZTNA platform with early adopters.
  • Assess the health and reliability of your identity group and attribute data.
  • Begin improving user and device lifecycle processes to support the new model.

The result is not yet a fully transformed environment, but a meaningful shift: you’ve created a viable alternative to the VPN and started to align remote access with your identity strategy. For leadership, the key outcome is a validated pattern you can scale with acceptable risk and clear success criteria.

Advanced Zero Trust: Reducing VPN Dependency and Simplifying the Network

As ZTNA matures and proves itself, more remote access use cases migrate onto it. The VPN becomes less central to operations, and its risks and complexity can be systematically reduced.

In an advanced Zero Trust phase, your environment typically looks like this:

  • Remote user access is provided via ZTNA rather than VPN, with any remaining VPN use limited to documented exceptions.
  • Internet-exposed VPN entry points are eliminated.
  • WAN traversal requirements are reduced, improving performance and lowering cost.
  • Remote and on-prem access policies begin to unify, so location no longer dictates control strength.
  • Dynamic and contextual access decisions become the default.
  • Service access via VPN is removed, shrinking the attack surface.
  • Firewall and network rule sets are simplified because fewer paths need to be maintained.

At this point, Zero Trust is no longer a pilot; it’s the standard for remote access. The technical plumbing has shifted, but just as importantly, your teams have started to operate differently. Identity, posture, and context are first-class citizens in policy decisions, not afterthoughts. This gives leaders a much stronger story for auditors, boards, and regulators about how remote access risk is being managed.

Advancing to this phase usually involves:

  • Refining user groups and attributes so they can drive more nuanced policies
  • Improving visibility into resource access patterns and lifecycle management
  • Decommissioning VPN access for most users, moving them fully onto ZTNA
  • Strengthening and enforcing governance and lifecycle processes
  • Eliminating higher-risk gaps in user access requirements
  • Beginning to onboard service accounts into ZTNA

The payoff is a significant reduction in exposed attack surface and operational complexity, alongside a more consistent experience for users and a clearer link between security investments and business outcomes.

Optimal Zero Trust: Fully Operationalized Remote Access

The optimal phase is where Zero Trust becomes fully embedded in how your organization handles remote and on-prem access: VPN decommissioned, governance in place, and access decisions continuously informed by real-time signals.

In an optimal Zero Trust state for VPN replacement, you see:

  • Unified remote and on-prem access policies that are mature and consistently enforced.
  • Fine-grained access policies for all resources, not just a subset of applications.
  • Governance and lifecycle processes enforced from day one for users and service accounts.
  • No significant gaps in visibility or access control coverage.
  • Ephemeral, just-in-time and just-enough access patterns in regular use.
  • Real-time device, network, and identity risk feeding into access decisions and detection.
  • Accurate detection and response to anomalous activity tied directly to your access controls.

By this point, all users and systems have been onboarded and transitioned to ZTNA, VPN infrastructure has been decommissioned, and exceptions are explicitly documented, risk-accepted, and managed with mitigations. Zero Trust is not a “project” anymore; it’s the default operational model for access, one that supports growth, M&A, and regulatory demands without constant one-off exceptions.

Getting here involves steps such as:

  • Onboarding all remaining users and service accounts into ZTNA
  • Eliminating remaining gaps in user and service access
  • Fully decommissioning VPN infrastructure
  • Measuring and continuously improving governance and lifecycle processes
  • Validating that logging, detection, and response cover all access activity
  • Defining change control processes to support new business needs without eroding control
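
As an added illustration (not from the post or any vendor's product), this Python example runs two checks the final steps call for over constructed logs: a coverage reconciliation (resources with no ZTNA policy, principals still reaching resources outside the broker, service accounts never seen on ZTNA) and a simple detection over broker decisions (a burst of denials from one principal to one resource, and allows that carried a high risk score). The log fields, inventory, thresholds and time window are assumptions.

```python
"""Coverage and anomaly checks over ZTNA broker logs (added example, not from the page or any vendor).

Assumptions (not from the page): each log record is a dict with the fields shown in the constructed
samples below; a record in LEGACY_LOGS means the connection reached the resource without traversing
the ZTNA broker (for example via a surviving VPN path).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory for illustration.
RESOURCES = {"hr-portal", "wiki", "prod-db-admin", "build-agent"}
POLICY_RESOURCES = {"hr-portal", "wiki", "prod-db-admin"}   # resources that have a ZTNA policy
SERVICE_ACCOUNTS = {"svc-backup", "svc-ci"}

# Constructed broker decisions: 'risk' is an assumed 0-100 score supplied by identity/device signals.
ZTNA_LOGS = [
    {"ts": "2026-04-22T08:00:00Z", "principal": "alice", "resource": "hr-portal", "decision": "allow", "risk": 10},
    {"ts": "2026-04-22T08:05:00Z", "principal": "bob", "resource": "wiki", "decision": "allow", "risk": 5},
    {"ts": "2026-04-22T08:06:00Z", "principal": "bob", "resource": "prod-db-admin", "decision": "deny", "risk": 70},
    {"ts": "2026-04-22T08:06:30Z", "principal": "bob", "resource": "prod-db-admin", "decision": "deny", "risk": 75},
    {"ts": "2026-04-22T08:07:00Z", "principal": "bob", "resource": "prod-db-admin", "decision": "deny", "risk": 80},
    {"ts": "2026-04-22T09:00:00Z", "principal": "svc-ci", "resource": "wiki", "decision": "allow", "risk": 0},
    {"ts": "2026-04-22T09:30:00Z", "principal": "alice", "resource": "hr-portal", "decision": "allow", "risk": 65},
]
# Constructed data-centre firewall records for connections that did NOT go through the broker.
LEGACY_LOGS = [
    {"ts": "2026-04-22T08:10:00Z", "principal": "svc-backup", "resource": "build-agent"},
    {"ts": "2026-04-22T08:12:00Z", "principal": "dave", "resource": "wiki"},
]


def coverage_gaps(resources, policy_resources, service_accounts, ztna_logs, legacy_logs):
    """Reconcile inventory against broker coverage: what still sits outside the ZTNA model."""
    ztna_principals = {r["principal"] for r in ztna_logs}
    return {
        "resources_without_policy": sorted(resources - policy_resources),
        "legacy_path_access": sorted({(r["principal"], r["resource"]) for r in legacy_logs}),
        "service_accounts_not_on_ztna": sorted(service_accounts - ztna_principals),
    }


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_anomalies(ztna_logs, deny_threshold=3, window=timedelta(minutes=5), risk_threshold=50):
    """Flag a burst of denials to one resource, and allows granted despite a high risk score."""
    findings = []
    denies = defaultdict(list)
    for r in ztna_logs:
        if r["decision"] == "deny":
            denies[(r["principal"], r["resource"])].append(_ts(r["ts"]))
    for (principal, resource), times in denies.items():
        times.sort()
        # Sliding window: deny_threshold denials whose first and last fall within `window`.
        for i in range(len(times) - deny_threshold + 1):
            if times[i + deny_threshold - 1] - times[i] <= window:
                findings.append(f"repeated denials: {principal} -> {resource} "
                                f"({deny_threshold} within {window})")
                break
    findings += [f"high-risk allow: {r['principal']} -> {r['resource']} (risk {r['risk']})"
                 for r in ztna_logs if r["decision"] == "allow" and r["risk"] >= risk_threshold]
    return findings


if __name__ == "__main__":
    print(coverage_gaps(RESOURCES, POLICY_RESOURCES, SERVICE_ACCOUNTS, ZTNA_LOGS, LEGACY_LOGS))
    print(detect_anomalies(ZTNA_LOGS))
```

The coverage output is what the "no significant gaps" criterion looks like when it is measured rather than asserted: every resource either has a policy or is a documented exception, and any principal appearing only in the legacy path is an onboarding item. The detection output ties response directly to the access controls, since each finding names the principal and resource the policy already knows about.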

This is where the promise of Zero Trust, including reduced risk, improved resilience, and better alignment with how modern enterprises work, becomes a lived reality.

From One Use Case to a Holistic Strategy

Treating VPN replacement as a focused project is useful for scoping and execution. But it’s important to remember that Zero Trust itself is a holistic strategy. The same principles you apply here (identity-centric controls, continuous evaluation, fine-grained access, strong governance) apply far beyond remote access.

The maturity progression you follow for VPN replacement becomes a template for other scenarios: privileged access, third-party connectivity, contractor environments, OT/industrial systems, and more. Each will have its own specifics, but the pattern is the same: understand your traditional model, define what “good” looks like, and move through clearly articulated stages of maturity.

That’s exactly the mindset Numberline brings to its Zero Trust advisory work. By aligning strategy, architecture, and execution around concrete use cases like VPN replacement, you can make Zero Trust real in your environment and demonstrate value at every step along the way. For CISOs and security leaders, it provides a roadmap you can defend to the board: clear phases, measurable milestones, and a direct line from investment to risk reduction and resilience.

If VPN replacement is on your roadmap, explore what ‘good’ looks like at each stage of the journey in our comprehensive infographic.
