UK’s trusted IT infrastructure partner since 2003
sales@servnetuk.com
0800 987 4111
Network migration: from VPN (flat-tunnel) to Zero-Trust Network Access (ZTNA)

VPN to ZTNA migration — UK Zero-Trust programme

Traditional VPN gives every authenticated user a flat tunnel into the corporate network — a known cause of lateral movement during ransomware incidents and a poor fit for modern hybrid working. ZTNA (Zero-Trust Network Access) gives per-app authenticated + posture-checked access without exposing the network. Servnet runs end-to-end VPN → ZTNA migrations including app discovery, ZTNA platform selection, pilot user wave and final VPN decommission.

[Figure: From → To, VPN (flat-tunnel) vs Zero-Trust Network Access (ZTNA). Vendor migration programme with the VPN (flat-tunnel) source on the left and the Zero-Trust Network Access (ZTNA) target on the right, parallel-running data streams converging through a central Servnet cutover hub. Current state: VPN (flat-tunnel), production workloads, legacy management plane, renewal due / EoS. Target state: Zero-Trust Network Access (ZTNA), production workloads, modern management plane, strategic 5-yr position.]
Typical outcomes

What good looks like after a VPN (flat-tunnel) → Zero-Trust Network Access (ZTNA) migration

  • Lateral-movement risk: ↓ significant. Per-app access removes the "flat tunnel = network access" pattern that enables lateral movement.
  • Migration window: 12-20 wk. End-to-end including app discovery, pilot user wave, mass rollout, VPN decommission.
  • User experience: ↑ better. No VPN client logon delays; transparent per-app access; faster overall.
  • Cyber-insurance posture: ↑ material. Most UK cyber-insurers now ask about ZTNA in renewal questionnaires; ZTNA materially affects premium.

The why

Why UK organisations migrate from VPN (flat-tunnel) to Zero-Trust Network Access (ZTNA)

  • Eliminate lateral movement risk from flat VPN tunnels — a top ransomware enabler
  • Per-app authentication + device posture checks (vs once-authenticated flat tunnel)
  • Better user experience — no client logon delays, no MFA prompts per session
  • Conditional Access integration with Entra ID + Defender for Endpoint posture
  • Material reduction in cyber-insurance premium (most insurers now require ZTNA or similar)
  • Strategic alignment with SASE direction (ZTNA is the access pillar of SASE)

How we run it

Migration phasing — typical VPN (flat-tunnel) → Zero-Trust Network Access (ZTNA) programme

VPN (flat-tunnel) → Zero-Trust Network Access (ZTNA) — programme timeline (W0 to W20): Discovery + app inventory (4w), ZTNA platform deployment (4w), Pilot user wave (20-50 users, 3w), Mass rollout (7w), VPN decommission (2w). Total programme: 20 weeks · parallel running throughout.
  1. Discovery + app inventory (Weeks 1-4)

     Application inventory — every internal app users access via VPN; usage pattern fingerprint; ZTNA platform selection (Zscaler Private Access, Cisco Duo Network Gateway, Cloudflare Access, Fortinet ZTNA, others); architecture design.

  2. ZTNA platform deployment (Weeks 5-8)

     Connector deployment in each network segment hosting target apps; user identity federation with Entra ID; device posture policies; app-by-app access policies; SIEM forwarding.

  3. Pilot user wave, 20-50 users (Weeks 9-11)

     Pilot users access apps via ZTNA in parallel with VPN; performance + functional validation; helpdesk training; runbook refined.

  4. Mass rollout (Weeks 12-18)

     User waves migrated per department; VPN access removed per wave after ZTNA validated; daily review of access tickets.

  5. VPN decommission (Weeks 19-20)

     Legacy VPN infrastructure decommissioned; firewall rules tightened; remaining VPN exceptions documented (rare).
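The discovery phase above turns flat-tunnel VPN session logs into a per-app inventory, and the "apps we didn't discover" risk further down is exactly what falls out of that exercise. The script below is an added illustration of that step, not Servnet's tooling: it parses constructed VPN-concentrator-style log lines, aggregates users and sessions per destination endpoint, names the endpoints that are already in a known-app list, flags the rest as discovery gaps, and marks multicast/broadcast destinations that cannot be brokered per-app and so will need a documented VPN exception. The log format, IP addresses, users and app names are all constructed.

```python
"""Build a per-app access inventory from flat-tunnel VPN session logs.

Added example for the Discovery + app inventory phase; this is not Servnet's
tooling. The log format, IPs, users and app names are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed VPN-concentrator / NetFlow-style records: which authenticated
# user reached which internal endpoint over the flat tunnel.
SAMPLE_VPN_LOG = """\
2025-03-03T08:02:11Z user=alice src=10.8.0.12 dst=10.20.1.15:443 proto=tcp bytes=84210
2025-03-03T08:03:40Z user=bob src=10.8.0.19 dst=10.20.1.15:443 proto=tcp bytes=12034
2025-03-03T08:05:02Z user=alice src=10.8.0.12 dst=10.20.4.7:1433 proto=tcp bytes=990211
2025-03-03T08:07:55Z user=carol src=10.8.0.31 dst=10.20.9.50:3389 proto=tcp bytes=4412000
2025-03-03T08:09:13Z user=bob src=10.8.0.19 dst=10.20.1.15:443 proto=tcp bytes=8821
2025-03-03T08:11:27Z user=dave src=10.8.0.44 dst=10.20.7.3:5900 proto=tcp bytes=301200
2025-03-03T08:12:00Z user=erin src=10.8.0.50 dst=224.0.0.251:5353 proto=udp bytes=312
malformed line that the parser must skip
"""

# Constructed: endpoints the business already has an owner and a name for.
# Anything carrying traffic that is NOT in here is a discovery gap.
Endpoint = Tuple[str, int]
KNOWN_APPS: Dict[Endpoint, str] = {
    ("10.20.1.15", 443): "intranet-portal",
    ("10.20.4.7", 1433): "finance-sql",
    ("10.20.9.50", 3389): "jump-host-rdp",
}

LINE_RE = re.compile(
    r"user=(?P<user>\S+) src=\S+ dst=(?P<host>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)"
)


@dataclass
class AppUsage:
    app: Optional[str]                  # None: no known app behind this endpoint
    users: Set[str] = field(default_factory=set)
    sessions: int = 0
    needs_exception: bool = False       # multicast/broadcast cannot be brokered per-app


def is_multicast_or_broadcast(host: str) -> bool:
    """224.0.0.0/4 is multicast; x.x.x.255 is treated as a broadcast address."""
    first_octet = int(host.split(".")[0])
    return 224 <= first_octet <= 239 or host.endswith(".255")


def build_inventory(log_text: str) -> Dict[Endpoint, AppUsage]:
    """Aggregate sessions per destination endpoint, attributing users and flagging gaps."""
    inventory: Dict[Endpoint, AppUsage] = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue                     # skip lines that don't match the expected format
        endpoint: Endpoint = (match["host"], int(match["port"]))
        usage = inventory.setdefault(endpoint, AppUsage(app=KNOWN_APPS.get(endpoint)))
        usage.users.add(match["user"])
        usage.sessions += 1
        usage.needs_exception = is_multicast_or_broadcast(match["host"])
    return inventory


def undiscovered(inventory: Dict[Endpoint, AppUsage]) -> List[Endpoint]:
    """Endpoints with real traffic but no named app: each needs an owner before cutover."""
    return sorted(ep for ep, usage in inventory.items() if usage.app is None)


def report(inventory: Dict[Endpoint, AppUsage]) -> List[str]:
    """Human-readable rows, endpoints with the most users first, for the policy workshop."""
    rows = []
    for (host, port), usage in sorted(inventory.items(), key=lambda kv: -len(kv[1].users)):
        name = usage.app or "UNKNOWN (discovery gap)"
        flag = " [needs VPN exception]" if usage.needs_exception else ""
        rows.append(f"{host}:{port:<5} {name:<24} users={len(usage.users)} sessions={usage.sessions}{flag}")
    return rows


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_VPN_LOG)
    print("\n".join(report(inv)))
    print("Undiscovered endpoints:", undiscovered(inv))
```

In a real engagement the known-app list is seeded from the CMDB and service owners, and the log source is the VPN concentrator export or NetFlow rather than an inline string; the shape of the output (endpoint, owner, user population, exception flag) is what the pilot wave and the per-app policy workshop consume.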

Included in scope

What Servnet delivers in a VPN (flat-tunnel) → Zero-Trust Network Access (ZTNA) migration

App inventory + ZTNA platform selection

Honest evaluation of ZTNA platforms against your environment; selection documented with rationale.

ZTNA platform deployment

Connectors deployed; user federation; device posture; app-by-app policies — full architecture implemented.

Entra ID Conditional Access integration

Conditional Access policies enforce identity + device + risk posture per access.

Per-app access policies

Every app discovered during inventory gets a documented access policy (who, what device posture, when).
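The "who, what device posture, when" policy shape described above is what separates ZTNA from the flat tunnel: a VPN logon grants network reach to everything, while a ZTNA broker makes a default-deny decision per app on every request. The snippet below is an added example of that decision logic, not Servnet's or any ZTNA vendor's code; the apps, groups, posture signals, thresholds and sample requests are constructed.

```python
"""Per-app ZTNA access decision versus the flat-tunnel VPN model.

Added example illustrating the "who, what device posture, when" policy shape;
it is not Servnet's or any ZTNA vendor's code. Apps, groups, posture signals
and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    managed: bool            # enrolled in MDM
    compliant: bool          # passes the compliance policy (disk encryption, PIN, ...)
    edr_healthy: bool        # endpoint sensor present and reporting
    patch_age_days: int      # days since the last OS patch


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    device: DevicePosture
    app: str
    hour_utc: int


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_managed: bool = True
    require_compliant: bool = True
    require_edr: bool = True
    max_patch_age_days: int = 30
    allowed_hours: Tuple[int, int] = (0, 24)   # [start, end) in UTC


# Constructed per-app policies, one per app found during discovery.
POLICIES: Dict[str, AppPolicy] = {
    "intranet-portal": AppPolicy(allowed_groups=frozenset({"all-staff"}), require_edr=False),
    "finance-sql": AppPolicy(allowed_groups=frozenset({"finance"}), allowed_hours=(7, 20)),
    "jump-host-rdp": AppPolicy(allowed_groups=frozenset({"it-ops"}), max_patch_age_days=14),
}


def flat_vpn_allows(authenticated: bool, app: str) -> bool:
    """The legacy model: one successful logon grants network reach to every app,
    so the app argument never influences the answer."""
    return authenticated


def ztna_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Default-deny, per-app check of identity, device posture and time window."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, f"no policy for app '{req.app}' (undiscovered app, default deny)"
    if not req.groups & policy.allowed_groups:
        return False, f"user '{req.user}' not in an allowed group for {req.app}"
    d = req.device
    if policy.require_managed and not d.managed:
        return False, "device is not MDM-managed"
    if policy.require_compliant and not d.compliant:
        return False, "device is non-compliant"
    if policy.require_edr and not d.edr_healthy:
        return False, "endpoint sensor not healthy"
    if d.patch_age_days > policy.max_patch_age_days:
        return False, f"OS patch age {d.patch_age_days}d exceeds {policy.max_patch_age_days}d"
    start, end = policy.allowed_hours
    if not (start <= req.hour_utc < end):
        return False, f"outside allowed hours {start:02d}:00-{end:02d}:00 UTC"
    return True, f"allow {req.user} -> {req.app}"


# Constructed sample requests covering the allow path and each denial reason.
HEALTHY = DevicePosture(managed=True, compliant=True, edr_healthy=True, patch_age_days=5)
BYOD = DevicePosture(managed=False, compliant=False, edr_healthy=False, patch_age_days=90)

SAMPLE_REQUESTS: List[AccessRequest] = [
    AccessRequest("alice", frozenset({"all-staff", "finance"}), HEALTHY, "finance-sql", 9),
    AccessRequest("bob", frozenset({"all-staff", "finance"}), BYOD, "finance-sql", 9),
    AccessRequest("carol", frozenset({"all-staff", "sales"}), HEALTHY, "finance-sql", 9),
    AccessRequest("alice", frozenset({"all-staff", "finance"}), HEALTHY, "finance-sql", 23),
    AccessRequest("dave", frozenset({"all-staff"}), HEALTHY, "legacy-vnc", 10),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        allowed, reason = ztna_decision(r)
        vpn = "allow" if flat_vpn_allows(True, r.app) else "deny"
        print(f"VPN: {vpn:5}  ZTNA: {'allow' if allowed else 'deny':5}  {reason}")
```

Every denial carries a reason string; forwarding those to the SIEM (the "SIEM forwarding" item in the deployment phase) is what makes the post-cutover "I can't access X" tickets quick to triage, because the helpdesk can see whether the block was a missing policy, a group membership gap or a device posture failure.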

User wave plan + helpdesk runbooks

Detailed wave plan + helpdesk scripts for access escalations + edge cases.

Post-migration support

90-day hypercare; optional ongoing managed ZTNA service.

De-risking the cutover

Top risks + how we mitigate them

⚠️ Users access apps we didn't discover
Discovery phase combines tooling (VPN logs, NetFlow, EDR) + user surveys. Pilot wave catches anything missed. Post-cutover any "I can't access X" ticket gets fast-tracked into the access policy.
⚠️ Apps with complex network requirements (multicast, broadcast)
Most modern apps work fine over ZTNA; edge cases (multicast, broadcast, certain SCADA / OT protocols) may genuinely need VPN or other connectivity. Discovery phase identifies these honestly.
⚠️ User experience worse than VPN initially
Modern ZTNA platforms generally improve UX vs VPN (no logon delay, transparent access). Where there's regression we tune the platform + connector placement before mass rollout.
⚠️ Cyber-insurance still wants VPN-style access reports
ZTNA platforms provide more detailed access logs than VPN — easier reporting, not harder. We provide the report template insurers typically ask for.
Pricing guide rail

Indicative: VPN → ZTNA migrations for a 500-3,000 user estate typically run £25k-£60k professional services (excluding ZTNA platform licensing). ZTNA licensing typically £8-£25 per user per month depending on platform + tier. The total programme is often cost-neutral once the VPN is eliminated, with a substantial security uplift. Talk to us for a sized commercial proposal.

Frequently asked

FAQs — VPN (flat-tunnel) → Zero-Trust Network Access (ZTNA)

Which ZTNA platform should we pick?

Depends on your existing stack. M365 / Defender-heavy = Cisco Duo or Cloudflare. Existing Zscaler customers = ZPA. Fortinet FortiGate shops = Fortinet ZTNA. Genuinely vendor-neutral evaluation happens during discovery; we recommend platforms based on your environment, not commission.

Can we keep VPN for specific use cases?

Yes — many enterprises keep a slim VPN for very specific use cases (third-party contractor access, legacy device support, OT protocols). The goal is "VPN as exception, ZTNA as default" not "delete all VPN".

What about Conditional Access — isn't that already ZTNA?

Conditional Access enforces identity + device posture per app — it's a foundational component of ZTNA. But ZTNA platforms add the per-app network access tunnelling that lets you decommission the VPN entirely.

How does this fit with broader SASE strategy?

ZTNA is the access pillar of SASE; combined with SWG, CASB, DLP and SD-WAN you have the full SASE stack. Our 2026 SASE buyer's guide covers the strategy.

Go deeper

Ready to scope your VPN (flat-tunnel) → Zero-Trust Network Access (ZTNA) migration?

30-minute discovery call with an engineer who's run this migration before. Honest scoping, no sales script.

Book a scoping call →