VPN & Zero Trust Network Access

  • May 9, 2025
Sherlocked Security – VPN & Zero Trust Network Access (ZTNA) Assessment & Implementation

Modernize Access Control for the Hybrid Workforce


1. Statement of Work (SOW)

Service Name: VPN & Zero Trust Network Access Assessment and Implementation
Client Type: Enterprises, Remote Workforces, Financial Institutions, Cloud-First Organizations
Service Model: Assessment, Design & Deployment, or Full Replacement Project
Compliance Alignment: NIST 800-207, Zero Trust Architecture (ZTA), CIS Controls, ISO/IEC 27001, HIPAA

VPN / ZTNA Service Covers:

  • Current VPN infrastructure assessment
  • Evaluation of user/device trust posture
  • Risk-based access segmentation
  • ZTNA platform selection and integration
  • Transition roadmap from VPN to ZTNA
  • Policy enforcement and identity integration
  • Visibility and access auditing enhancements

2. Our Approach

[Discovery] → [Trust Boundary Definition] → [Access Risk Mapping] → [VPN Gap Analysis] → [ZTNA Design] → [Pilot Deployment] → [Full Rollout & Monitoring]


3. Methodology

  • VPN Assessment: Audit existing VPN usage, access controls, and segmentation strategies.
  • User & Device Trust Analysis: Evaluate authentication, endpoint posture, and identity verification mechanisms.
  • Access Mapping: Identify application dependencies, network paths, and user roles.
  • Risk-Based Segmentation: Propose fine-grained access control policies to minimize lateral movement.
  • ZTNA Platform Evaluation: Compare options like Zscaler, Netskope, Cloudflare Access, Tailscale, Banyan, or self-hosted solutions.
  • Policy Design: Define access policies using identity, device context, geolocation, and time-based constraints.
  • SSO & IAM Integration: Integrate ZTNA with Identity Providers (Okta, Azure AD, Google Workspace, etc.).
  • Pilot & Rollout Plan: Deploy ZTNA solution in parallel with VPN and gradually transition users.
  • Monitoring & Logging: Configure visibility, audit trails, and alerting for all access attempts.
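To make the Policy Design and Risk-Based Segmentation bullets concrete, here is a small default-deny access decision that combines identity, device posture, geolocation and a time window, and records every failed check for the audit trail. This is an added illustration, not Sherlocked Security's tooling or any ZTNA vendor's API; the attribute names, the finance policy and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import time

# Added example: a default-deny, context-aware access decision of the kind a
# ZTNA policy encodes. Attribute names and sample data are constructed.

@dataclass
class AccessRequest:
    user: str
    groups: set
    device_managed: bool      # enrolled in MDM/EDR
    device_patched: bool      # endpoint posture signal
    av_running: bool          # endpoint posture signal
    country: str              # geolocation of the connecting client
    local_time: time          # time of the request

@dataclass
class AppPolicy:
    app: str
    allowed_groups: set
    require_managed: bool = True
    allowed_countries: set = field(default_factory=set)  # empty means any
    window: tuple = None      # (start, end) as datetime.time, None means any

def evaluate(req: AccessRequest, policy: AppPolicy):
    """Return ("allow" | "deny", reasons). Every failed check is recorded so
    the decision can be written to the audit trail, not just enforced."""
    reasons = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("identity: user not in an allowed group")
    if policy.require_managed and not req.device_managed:
        reasons.append("device: unmanaged endpoint")
    if not (req.device_patched and req.av_running):
        reasons.append("device: posture check failed (patch/AV)")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        reasons.append(f"geo: access from {req.country} not permitted")
    if policy.window and not (policy.window[0] <= req.local_time <= policy.window[1]):
        reasons.append("time: outside approved access window")
    return ("deny" if reasons else "allow"), reasons

# Constructed policy: finance app reachable only by finance staff on managed,
# healthy devices, from two countries, during business hours.
FINANCE_POLICY = AppPolicy("erp-finance", {"finance"}, True, {"IN", "US"},
                           (time(8, 0), time(20, 0)))

def decide(user, groups, managed, patched, av, country, hh, mm):
    req = AccessRequest(user, set(groups), managed, patched, av, country, time(hh, mm))
    return evaluate(req, FINANCE_POLICY)
```

The reasons list is what separates a ZTNA decision from a flat VPN allow rule: each denial names the failed trust attribute, which is what the Monitoring & Logging step feeds into the SIEM.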

4. Deliverables to the Client

  1. VPN Security Assessment Report: Findings related to VPN exposure, segmentation, and user/device security.
  2. Zero Trust Readiness Scorecard: Maturity assessment based on NIST 800-207 and industry benchmarks.
  3. Access Risk Map: Visualization of user roles, access paths, and trust boundaries.
  4. ZTNA Architecture Design: Logical and technical design of proposed ZTNA solution.
  5. Pilot Rollout Plan: Staged migration approach with rollback scenarios.
  6. Policy Templates: Example identity-based access control policies.
  7. Implementation Runbook: Steps for ZTNA platform deployment and validation.
  8. Visibility & Auditing Enhancements: Logging, monitoring, and access visibility dashboards.
  9. Governance SOP: Access review cadence, exception handling, and change control workflow.

5. What We Need from You (Client Requirements)

  • VPN Configuration Data: Export of current VPN settings, policies, and usage logs.
  • User Directory Access: Details on identity provider(s), groups, and authentication flows.
  • Application Inventory: Systems and applications accessed over VPN.
  • Network Diagrams: Topology for remote access zones, gateways, and protected services.
  • Security Policies: Existing access control, segmentation, and user access governance policies.
  • Compliance Requirements: Frameworks applicable to remote access (e.g., HIPAA, PCI-DSS, NIST).

6. Tools & Technology Stack

  • VPN Platforms Supported:
    • Cisco AnyConnect, Fortinet VPN, Palo Alto GlobalProtect, OpenVPN, WireGuard, Pulse Secure
  • ZTNA Providers:
    • Zscaler ZPA, Cloudflare Access, Tailscale, Netskope Private Access, Banyan Security, Akamai EAA, Appgate, Perimeter 81
  • Directory/SSO:
    • Okta, Azure AD, Google Workspace, Ping Identity, Keycloak
  • Monitoring & Logging:
    • SIEM integration (e.g., Splunk, Sentinel)
    • ZTNA dashboards & analytics
  • Compliance Frameworks Referenced:
    • NIST 800-207, CISA ZT Maturity Model, CIS Controls v8, ISO/IEC 27001

7. Engagement Lifecycle

  1. Kickoff & Scoping
    • Identify VPN usage, endpoints, applications, and current pain points
  2. VPN Architecture Review
    • Assess segmentation, authentication, and traffic routing
  3. Access Mapping & Trust Assessment
    • Map user groups, roles, device types, and access dependencies
  4. ZTNA Readiness Assessment
    • Evaluate current capabilities, risks, and transition feasibility
  5. ZTNA Design
    • Propose architecture, policies, and integration strategy
  6. Pilot Rollout & Validation
    • Deploy for a subset of users and validate experience and security
  7. Full Implementation
    • Gradual migration and VPN deprecation
  8. Governance & Audit Integration
    • Integrate access logs with the SIEM, set up a review cadence, and establish policy governance

8. Why Sherlocked Security?

Feature | Sherlocked Advantage
Hybrid Access Expertise | Experience in both traditional VPN and modern ZTNA deployments
Vendor-Neutral Guidance | We help you choose based on use case, not vendor partnership
Compliance-Aware Design | Aligns Zero Trust design with your regulatory needs
Cloud-First Implementation | Support for remote work, BYOD, and SaaS access controls
Real-World Experience | Trusted by financial and healthcare clients for secure access rollouts

9. Real-World Case Studies

Global SaaS Provider – ZTNA Migration

Client: Distributed SaaS company with 100% remote staff.
Problem: Legacy VPN created latency, lacked device context, and was hard to scale.
Solution: Migrated to Cloudflare Access with Okta integration.
Outcome: Improved user experience, reduced attack surface, and implemented device-based conditional access.

Healthcare Network – VPN Hardening + ZTNA Transition

Client: Regional hospital system using Fortinet VPNs.
Problem: VPN rules were flat, allowing lateral movement; no visibility into user devices.
Solution: Hardened VPN configs, designed phased ZTNA rollout with strict access boundaries.
Outcome: Reduced insider risk, achieved HIPAA compliance goals, and introduced access analytics.


10. SOP – Standard Operating Procedure

  1. Pre-Assessment
    • Gather current VPN architecture, logs, and access control info
    • Identify key applications accessed remotely
  2. VPN Security Review
    • Evaluate VPN segmentation, authentication, and encryption
    • Analyze logs for risky patterns or policy violations
  3. ZTNA Readiness Check
    • Assess identity provider, endpoint management, and cloud maturity
    • Define user/device/app trust attributes
  4. Access Mapping
    • Diagram who accesses what, from where, using what devices
    • Highlight high-risk access paths or privileged flows
  5. Design & Recommendation
    • Recommend appropriate ZTNA platform and architecture
    • Propose access policies with dynamic context controls
  6. Pilot & Rollout
    • Execute phased deployment and validate user experience
    • Tune policies based on usage and feedback
  7. Governance & Monitoring
    • Implement audit logging, policy review cadence, and alerting
    • Provide ongoing tuning recommendations

11. ZTNA Readiness Checklist

1. Before Engagement

  • [ ] Identify current VPN users and usage volume
  • [ ] Export VPN configurations and logs
  • [ ] Provide identity provider and SSO setup info
  • [ ] List critical applications accessed remotely
  • [ ] Define compliance needs related to access control

2. During Engagement

  • [ ] Review VPN segmentation and access control flaws
  • [ ] Map users to applications and roles
  • [ ] Assess endpoint trust signals (AV, patch, location, etc.)
  • [ ] Select suitable ZTNA platform
  • [ ] Design and test identity-driven access policies

3. After Engagement

  • [ ] Launch ZTNA pilot and gather feedback
  • [ ] Define rollback/contingency for each user group
  • [ ] Migrate users in staged fashion
  • [ ] Monitor access behavior continuously
  • [ ] Update SOPs and access governance documents

4. Continuous Improvement

  • [ ] Conduct periodic access reviews
  • [ ] Monitor device and location posture changes
  • [ ] Review access logs and update risk scores
  • [ ] Reassess policies as apps or teams evolve
  • [ ] Evaluate new ZTNA features and integrations