My team is evaluating moving away from our corporate VPN in favor of a ZTNA model like Cloudflare One or Zscaler. I’m worried about the impact on our "legacy" on-prem apps that don't support modern identity protocols. Have you successfully made the switch? How do you handle the "blast radius" if an identity provider like Okta gets compromised while you’re in a Zero Trust setup?
3 answers
We finished our VPN retirement project last summer. For the legacy apps, we used a "ZTNA Connector" that acts as a proxy. The user authenticates with their modern IDP, and the connector handles the legacy handshake behind the scenes. Regarding the "Okta compromise" fear—that's why we implemented "Device Posture" checks. Even if an attacker has a valid session token, if they aren't on a company-managed laptop with the latest patches and an active EDR, they get blocked. You have to move the trust from the "network" to a combination of "identity" and "device health."
Sharon, did your remote employees complain about the "always-on" monitoring of their devices? Some of our staff are very sensitive about privacy when working from home.
We use a "Continuous Authentication" model where the session is re-evaluated every 15 minutes based on behavior. If the user's location jumps from NYC to London, it triggers an MFA prompt.
Behavioral triggers are essential for Zero Trust. It turns security into a moving target for hackers, which is exactly where we need to be in 2025.
Philip, we were very transparent. We told them the tool only checks for "Security Vitals" (Is the disk encrypted? Is the firewall on?) and doesn't log their browsing history. We also created a "Privacy Dashboard" where they can see exactly what the security team sees. Once they realized it meant they no longer had to deal with the slow, clunky VPN, most of the complaints disappeared.