The VPN That Let Attackers Walk Right In

In January 2024, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that Chinese state-sponsored threat actors had exploited Ivanti Connect Secure VPN vulnerabilities to breach multiple U.S. federal agencies. The attackers didn't kick down the door. They walked through it — using the very tool those agencies trusted to keep them safe.

That breach crystallized something I've been telling organizations for years: perimeter-based security is a liability. And it's exactly why zero trust network access has moved from buzzword to boardroom priority in 2025.

This guide breaks down what zero trust network access actually means in practice, why your legacy VPN is probably your biggest vulnerability, and the specific steps to implement ZTNA without blowing your budget or your team's patience. If you're responsible for protecting an organization's data and users, this is the playbook.

What Is Zero Trust Network Access, Exactly?

Zero trust network access (ZTNA) is a security framework that eliminates implicit trust for any user, device, or application — regardless of whether they're inside or outside the network perimeter. Every access request is verified continuously based on identity, device posture, context, and policy.

Unlike traditional VPNs that grant broad network access once authenticated, ZTNA provides granular, application-level access. A user gets access only to the specific resources they need. Nothing more.

The National Institute of Standards and Technology (NIST) formalized this in Special Publication 800-207, which defines zero trust architecture principles. If you haven't read it, you should. It's the foundation everything else builds on.

Why Legacy VPNs Are a Threat Actor's Best Friend

I've done incident response work where the root cause was a compromised VPN credential. Not a sophisticated zero-day. Not a custom exploit. Just a stolen username and password, reused from a credential theft dump, plugged into a VPN concentrator that granted full network access.

Here's the fundamental problem: VPNs authenticate once and then trust. A user logs in, and suddenly they can see file servers, databases, internal applications — everything on the network segment. Lateral movement becomes trivial.

The Numbers Tell the Story

The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in 77% of attacks against web applications. VPN portals are web applications. When your VPN is the front door and credentials are the only lock, you've made the attacker's job embarrassingly easy.

Remote and hybrid work hasn't slowed down. Your attack surface hasn't shrunk. And VPN vulnerabilities — Ivanti, Fortinet, Cisco — have been on CISA's Known Exploited Vulnerabilities catalog repeatedly throughout 2024 and into 2025.

The Core Principles of Zero Trust Network Access

ZTNA isn't a product you buy. It's an architecture you build. Here are the principles that actually matter when you're implementing it.

1. Never Trust, Always Verify

Every access request is treated as potentially hostile. User identity is verified through strong multi-factor authentication. Device health is checked — is the OS patched? Is endpoint protection running? Is the device managed or personal?

This happens continuously, not just at the initial login. If a device's posture changes mid-session — say, endpoint protection gets disabled — access gets revoked immediately.

2. Least Privilege Access

Users get access to specific applications, not network segments. A marketing analyst doesn't need access to the production database server. A contractor doesn't need to see your HR system.

In my experience, over-provisioned access is one of the top three findings in every security assessment I've done. ZTNA forces you to fix this because you have to define policies application by application.

3. Assume Breach

Zero trust architecture assumes attackers are already inside. Every internal connection is treated with the same suspicion as an external one. Microsegmentation limits blast radius. Logging captures everything for detection and response.

This mindset shift is the hardest part for legacy IT teams. They've spent decades building castle-and-moat architectures. Zero trust says the moat is irrelevant.

4. Continuous Monitoring and Validation

Access decisions aren't static. Context matters — where is the user connecting from? What time is it? Is this behavior consistent with their normal pattern? Anomalies trigger step-up authentication or access revocation.
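To make the four principles concrete, here is a small policy decision point written as an added illustration for this guide (it is not code from any ZTNA vendor or from NIST 800-207). The application names, roles, policy fields and request attributes are all assumed; a real broker would take them from its identity provider and endpoint agent.

```python
from dataclasses import dataclass, field

# Constructed per-application policies (app and role names are made up):
# who may reach each app, and the device posture it demands.
POLICIES = {
    "payroll": {"roles": {"hr"}, "managed": True, "edr": True},
    "wiki": {"roles": {"hr", "marketing", "contractor"}, "managed": False, "edr": False},
    "prod-db": {"roles": {"dba"}, "managed": True, "edr": True},
}

@dataclass
class Request:
    """One access request: identity, device posture and context, as the broker sees it."""
    user: str
    role: str
    app: str
    phishing_resistant_mfa: bool
    device_managed: bool
    edr_running: bool
    os_patched: bool
    country: str
    usual_countries: set = field(default_factory=set)

def decide(req: Request) -> str:
    """Return 'allow', 'step-up' or 'deny'; nothing is inherited from earlier decisions."""
    policy = POLICIES.get(req.app)
    if policy is None or req.role not in policy["roles"]:
        return "deny"  # least privilege: the app is not in this role's entitlement
    if policy["managed"] and not req.device_managed:
        return "deny"  # sensitive apps require a managed device
    if policy["edr"] and not req.edr_running:
        return "deny"  # posture check: endpoint protection must be running
    if not req.os_patched:
        return "deny"  # posture check: unpatched OS
    if not req.phishing_resistant_mfa:
        return "step-up"  # weak factor: demand a FIDO2/passkey assertion
    if req.usual_countries and req.country not in req.usual_countries:
        return "step-up"  # context anomaly: unfamiliar location
    return "allow"

class Session:
    """A granted session is re-evaluated whenever device posture or context changes."""
    def __init__(self, req: Request):
        self.req = req
        self.active = decide(req) == "allow"
    def update(self, **changes) -> bool:
        # Apply the posture/context change and revoke the session if policy no longer allows.
        for name, value in changes.items():
            setattr(self.req, name, value)
        self.active = decide(self.req) == "allow"
        return self.active
```

Note that `Session.update` is what "continuous" means in practice: the same decision function runs again on every posture signal, so disabling endpoint protection mid-session revokes access rather than surviving until the next login.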

ZTNA vs. VPN: The Practical Differences

Let me be specific about what changes when you move from VPN to zero trust network access.

  • Visibility: VPN gives you a tunnel. ZTNA gives you a policy engine. You see exactly who accessed what, when, and from which device.
  • Attack surface: VPN concentrators are publicly exposed and discoverable. ZTNA brokers can be invisible — applications aren't exposed to the internet at all.
  • Lateral movement: VPN puts users on the network. ZTNA connects users to applications without network access. An attacker who compromises a ZTNA session can't pivot to other resources.
  • User experience: Surprisingly, ZTNA is often faster. No full tunnel backhaul to a data center. Users connect directly to the application through the nearest broker.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million — the highest ever recorded. Organizations with mature zero trust deployments saved an average of $1.76 million per breach compared to those without.

That's not theoretical savings. That's the difference between a contained incident and a catastrophic one. Zero trust network access is the single most impactful architectural decision you can make to reduce breach costs.

But architecture alone isn't enough. The humans clicking links, reusing passwords, and falling for social engineering attacks are still your biggest variable. That's why pairing ZTNA with ongoing cybersecurity awareness training isn't optional — it's essential.

How to Implement Zero Trust Network Access: A Step-by-Step Approach

Here's the practical roadmap I walk organizations through. No vendor pitches. Just the work.

Step 1: Map Your Protect Surface

Forget the attack surface for a moment. Identify what you're actually protecting: critical data, applications, assets, and services (DAAS). You can't build access policies if you don't know what needs protecting.

This sounds obvious. In practice, most organizations can't produce a complete inventory. Start here and be thorough.

Step 2: Map Transaction Flows

Understand how traffic moves across your network. Who talks to what? Which applications depend on which databases? Where do users connect from?

You'll uncover shadow IT. You'll find forgotten servers. You'll discover that one contractor account with admin access to everything. Good. That's the point.

Step 3: Architect Your ZTNA Policies

Define access policies based on identity, device posture, and context. Be granular. Each application should have its own access policy. Use role-based access control and enforce least privilege ruthlessly.

Multi-factor authentication is non-negotiable at this stage. Phishing-resistant MFA — FIDO2 keys or passkeys — is the standard in 2025. SMS-based MFA is better than nothing, but threat actors routinely bypass it through SIM swapping and social engineering.

Step 4: Deploy in Phases

Don't try to boil the ocean. Start with your highest-risk applications — the ones that hold sensitive data or face the internet. Migrate users in groups. Monitor aggressively for policy gaps and access failures.

I've seen organizations try to flip the switch overnight. It fails every time. Phased rollout with continuous feedback is the only approach that works.

Step 5: Monitor, Log, and Iterate

ZTNA generates rich telemetry. Use it. Feed access logs into your SIEM. Build detection rules for anomalous access patterns. Review policies quarterly — business needs change, and access policies must change with them.
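As an added example for Step 5 (not code from the article or from any SIEM product), here are three detection rules run over a constructed ZTNA broker access log: repeated denials against one application, an allowed session from a second country inside a short window, and an allowed session from a device the user has never used. The log format and field names are assumptions; map them to whatever your broker actually emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ZTNA broker access log (one JSON object per line); field names are assumed.
LOG = """\
{"ts":"2025-03-04T09:00:00Z","user":"ana","app":"wiki","decision":"allow","country":"US","device":"mgd-01"}
{"ts":"2025-03-04T09:05:00Z","user":"ana","app":"payroll","decision":"allow","country":"US","device":"mgd-01"}
{"ts":"2025-03-04T09:20:00Z","user":"ana","app":"prod-db","decision":"deny","country":"US","device":"mgd-01"}
{"ts":"2025-03-04T09:21:00Z","user":"ana","app":"prod-db","decision":"deny","country":"US","device":"mgd-01"}
{"ts":"2025-03-04T09:22:00Z","user":"ana","app":"prod-db","decision":"deny","country":"US","device":"mgd-01"}
{"ts":"2025-03-04T09:40:00Z","user":"ana","app":"wiki","decision":"allow","country":"BR","device":"unk-77"}
{"ts":"2025-03-04T10:00:00Z","user":"bob","app":"wiki","decision":"allow","country":"US","device":"mgd-02"}
"""

def parse(text):
    """Parse JSON lines into events with timezone-aware timestamps."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events

def detect(events, deny_threshold=3, deny_window=timedelta(minutes=10),
           travel_window=timedelta(hours=2)):
    """Return (rule, user, detail) alerts, in log order, from three simple rules."""
    alerts, denies, last_allow, devices = [], defaultdict(list), {}, defaultdict(set)
    for e in sorted(events, key=lambda x: x["ts"]):
        u = e["user"]
        if e["decision"] == "deny":
            # Rule 1: repeated denials to one app inside the window = probing or a policy gap.
            key = (u, e["app"])
            denies[key] = [t for t in denies[key] if e["ts"] - t <= deny_window] + [e["ts"]]
            if len(denies[key]) >= deny_threshold:
                alerts.append(("repeated-deny", u, e["app"]))
                denies[key].clear()
            continue
        # Rule 2: the same user allowed from two countries inside the travel window.
        prev = last_allow.get(u)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            alerts.append(("country-change", u, prev["country"] + "->" + e["country"]))
        # Rule 3: allowed access from a device this user has no prior baseline for.
        if devices[u] and e["device"] not in devices[u]:
            alerts.append(("new-device", u, e["device"]))
        devices[u].add(e["device"])
        last_allow[u] = e
    return alerts
```

The thresholds and windows are deliberately parameters: the quarterly policy review the step calls for is also where you tune them against what the last quarter's telemetry actually looked like.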

The Human Layer Zero Trust Can't Fix

Here's something the ZTNA vendors won't tell you: zero trust network access doesn't stop a user from entering their credentials into a phishing page. It doesn't prevent an employee from sending sensitive data to the wrong person. It doesn't block social engineering over the phone.

Architecture reduces risk. Training reduces the likelihood of the human mistakes that create risk in the first place.

I consistently recommend that organizations run regular phishing simulations alongside ZTNA deployment. Simulated attacks — done correctly — build muscle memory. They teach employees to pause, verify, and report. Our phishing awareness training for organizations is specifically designed for this: realistic scenarios that map to the actual tactics threat actors use in 2025.

Ransomware Loves Flat Networks

Ransomware operators like the groups behind LockBit, BlackCat, and Cl0p thrive in environments with broad network access. Once they get initial access — usually through phishing or credential theft — they move laterally, escalate privileges, and deploy encryption across everything they can reach.

ZTNA with microsegmentation starves ransomware of the lateral movement it depends on. An attacker who compromises one application session can't reach the file server, the domain controller, or the backup infrastructure. You've turned a potential catastrophe into a contained incident.

What CISA and Federal Agencies Are Doing

The federal government has been moving toward zero trust since Executive Order 14028 in May 2021. By 2025, agencies are required to meet specific zero trust maturity benchmarks under the Office of Management and Budget's M-22-09 memorandum.

CISA's Zero Trust Maturity Model provides a framework that any organization — not just federal agencies — can use to assess their progress. It covers five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar has maturity levels from Traditional to Optimal.

If you're wondering where to start, CISA's model is the best framework available. It's vendor-neutral and pragmatic.

Common Mistakes That Derail ZTNA Projects

I've watched organizations stumble on the same issues repeatedly. Avoid these.

  • Treating ZTNA as a product swap: Replacing your VPN appliance with a ZTNA product without rearchitecting policies gives you an expensive VPN. You've changed nothing meaningful.
  • Ignoring unmanaged devices: BYOD and contractor devices need a strategy. If your ZTNA doesn't assess device posture for unmanaged endpoints, you've got a gap.
  • Skipping security awareness training: Technology controls fail when humans fail. Invest in both. They're complementary, not interchangeable.
  • Forgetting legacy applications: That on-premises ERP system from 2011 doesn't speak SAML or OIDC. Plan for application-level proxying or agent-based access for legacy systems.
  • No executive sponsorship: ZTNA changes how people work. Without leadership backing, pushback from business units will kill your project in quarter two.

The Bottom Line for 2025

Zero trust network access isn't a trend. It's the architectural response to a threat landscape where perimeters don't exist, credentials are constantly compromised, and attackers operate inside networks for weeks before detection.

The organizations that survive breaches in 2025 will be the ones that verified every access request, limited blast radius through microsegmentation, and invested in their people through consistent security awareness training.

Start with CISA's maturity model. Map your protect surface. Deploy MFA that resists phishing. Roll out ZTNA in phases. And train your people — because the best architecture in the world can't compensate for an employee who doesn't recognize a spear-phishing email.

Your network doesn't need a bigger moat. It needs to stop trusting everyone who's already inside.