May 2026: two weeks that reshaped the perception of VPNs
Between 13 and 22 May 2026, Italy’s ACN (National Cybersecurity Agency) and the regional CSIRTs issued, in rapid sequence, alerts for two product categories that today guard the perimeter of most European SMBs: VPN concentrators and edge firewalls. On 13–15 May, CSIRT-ITA alert AL04/260513 covered Fortinet: two critical vulnerabilities and one high-severity vulnerability in FortiSandbox, FortiOS and FortiAuthenticator, with unauthenticated RCE (Remote Code Execution). A few days later, Cisco shipped emergency patches for CVE-2026-20182 in the vdaemon service of Cisco SD-WAN controllers. On 21 May, ACN also flagged a critical vulnerability in Cisco Secure Workload, allowing remote unauthenticated access to the Site Admin role.
The technical details differ, but the common denominator is clear: the attacker talks to an appliance exposed on the Internet and takes control of it before user credentials, MFA or Conditional Access policies even come into play. For anyone running security at an SMB, this is the right moment to ask the strategic question: does it still make sense to defend the perimeter with VPN concentrators that must be reachable from the entire world, or is it time to change the paradigm?
The structural limit of the legacy VPN
The VPN (Virtual Private Network) was designed for a world where the corporate perimeter matched the physical office: few remote users, few external administrators, few exceptional accesses. In that model the VPN is an extension of the internal network — whoever is authenticated is «inside» and can see everything. That is exactly what we no longer want today.
- Mandatory Internet exposure. The VPN concentrator must be reachable from any IP to let users connect. Every unpatched vulnerability becomes a door on the perimeter.
- Network access, not application access. Once inside, the user — or the attacker — sees the entire network segment. Micro-segmentation can be built, but it is complex, expensive and rarely done in SMBs.
- Verified once, at the door. VPN authentication happens at login: once the session is established, context is not re-evaluated. If the device is compromised mid-session, the VPN does not notice.
- Critical patching window. Fortinet, Cisco, SonicWall and other vendors publish alerts on a recurring cadence. Between disclosure and effective patch deployment in SMBs, days or weeks go by: that is the window in which attackers know exactly where to strike.
What ZTNA is: from network perimeter to identity
ZTNA (Zero Trust Network Access) is the remote-access model that translates the Zero Trust principle into practice: «never trust, always verify». The differences with the VPN are not cosmetic — they are structural.
1. Access to the single application, not the network. The user does not receive an internal IP. They get the ability to talk to the single application that has been published to them, and nothing else. If they are compromised, the attacker does not see the rest of the internal perimeter.
2. Continuous verification, not once. Every request is evaluated in real time against identity (MFA, location, behaviour), device (managed, compliant, Defender risk level) and context. If the device changes state (loses compliance, gets compromised, leaves the allowed geography), access is revoked immediately via Continuous Access Evaluation (CAE).
3. No Internet-exposed concentrator. Internal applications are published to the ZTNA service via connectors that speak outbound to the cloud: no inbound ports on the perimeter firewall, no public appliance to patch under fire.
4. Identity-centric, not network-centric. Control is no longer «you are inside or outside the network». It is «who you are, from which device, from where, at which moment, with what risk». Identity becomes the effective perimeter.
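To make the contrast between «verified once, at the door» and continuous, per-application verification concrete, here is an added illustration (not code from the article, Microsoft or any product): a simplified policy check runs once at VPN login and then never again, while the ZTNA path re-runs it on every request and only for the single published app. The signals (`mfa_phishing_resistant`, `device_compliant`, `defender_risk`, `country`) and the entitlement table are constructed for the example.

```python
from dataclasses import dataclass

# Constructed signals for one user; real Entra / Intune / Defender / CAE signals
# are richer. This illustrates the two access models, not any product's engine.
@dataclass
class Context:
    user: str
    mfa_phishing_resistant: bool
    device_compliant: bool
    defender_risk: str      # "low", "medium" or "high"
    country: str

ALLOWED_COUNTRIES = {"IT"}
# ZTNA publishes single applications: app -> users entitled to it (constructed).
ENTITLEMENTS = {"erp": {"alice"}, "fileserver": {"alice", "bob"}}

def policy_allows(ctx: Context) -> bool:
    """Conditional-Access-style check on identity, device, risk and location."""
    return (ctx.mfa_phishing_resistant and ctx.device_compliant
            and ctx.defender_risk != "high" and ctx.country in ALLOWED_COUNTRIES)

class LegacyVpn:
    """Verified once at the door; the session then exposes the whole segment."""
    def __init__(self):
        self.sessions = set()

    def login(self, ctx: Context) -> bool:
        if policy_allows(ctx):
            self.sessions.add(ctx.user)
        return ctx.user in self.sessions

    def request(self, app: str, ctx: Context) -> bool:
        # Context is not re-evaluated, and any app on the segment is reachable.
        return ctx.user in self.sessions

class Ztna:
    """Every request is re-evaluated (CAE-style) and scoped to one published app."""
    def request(self, app: str, ctx: Context) -> bool:
        return ctx.user in ENTITLEMENTS.get(app, set()) and policy_allows(ctx)

def compare(app: str, login_ctx: Context, later_ctx: Context) -> dict:
    """Grant a VPN session on login_ctx, then issue a request for app with later_ctx."""
    vpn = LegacyVpn()
    vpn.login(login_ctx)
    return {"vpn": vpn.request(app, later_ctx), "ztna": Ztna().request(app, later_ctx)}

if __name__ == "__main__":
    healthy = Context("alice", True, True, "low", "IT")
    compromised = Context("alice", True, False, "high", "IT")  # mid-session state change
    print(compare("erp", healthy, compromised))   # VPN session still open, ZTNA revoked
    bob = Context("bob", True, True, "low", "IT")
    print(compare("erp", bob, bob))               # VPN sees the segment, ZTNA: not entitled
```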
Microsoft Entra Private Access: ZTNA inside Microsoft 365
Microsoft Entra Private Access is the ZTNA component of the Microsoft Global Secure Access suite. For SMBs already on Microsoft 365 and Microsoft Entra ID, it is the most natural entry point to a ZTNA model because it integrates with tools already in place: Conditional Access, Intune (device compliance), Microsoft Defender for Endpoint (real-time risk level), Continuous Access Evaluation.
The architecture is straightforward. A Microsoft Global Secure Access agent is deployed on user devices (Windows, macOS, iOS, Android). Internal applications — file servers, ERP, web apps, RDP sessions — are published to the Microsoft cloud service via private connectors that speak outbound. When a user wants to reach an application, traffic flows from the agent to the Microsoft cloud, which applies current Conditional Access policies (checking MFA, device, location, risk) and — only if all conditions are met — forwards the connection to the single app. The user never sees the underlying network: only the apps they are authorised for at that moment.
What changes for the SMB: progressive retirement, not big bang
A ZTNA migration is not a clean break — it is a phased path that runs alongside the existing VPN for as long as needed. The operational scheme we use with our customers has six steps.
1. Application inventory. Map the internal applications reached today through VPN: file servers, ERP, line-of-business apps, RDP, intranet, development. For each app, identify the users who need it and the scenarios (branch office, remote work, external supplier).
2. Identity posture. Make sure Microsoft Entra ID is configured with phishing-resistant MFA (FIDO2, passkeys, Windows Hello), that devices are managed via Intune or equivalent, and that Conditional Access policies cover the critical scenarios. Without these foundations, ZTNA does not add security.
3. Pilot with a limited group. Publish 2–3 applications via Entra Private Access for a pilot group (e.g. IT team, helpdesk). Test continuous verification, user experience, anomaly alerts, exception handling.
4. Progressive rollout. Publish the remaining applications via ZTNA for progressively larger groups of users. The VPN stays active in parallel for non-migrated scenarios (legacy, exceptional access, suppliers). What matters is reducing the number of applications the VPN needs to expose.
5. VPN concentrator retirement. When all user applications are reachable via ZTNA, the VPN concentrator can be switched off or reserved for residual cases (network equipment management, documented exceptional access). The Internet-exposed attack surface shrinks significantly, and the patching window stops being a recurring emergency.
6. Continuous governance. Monitor ZTNA access, review Conditional Access policies on a regular cadence, integrate alerts into the corporate SIEM, update the application inventory as new internal services emerge. Zero Trust is not an end state; it is a process.
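The six steps above boil down to a decision that has to be re-taken at every governance review: which applications and users still depend on the VPN, and whether the step-5 retirement criterion is met. The following is an added example (not from the article or from AtWorkStudio's tooling) that encodes that check over a constructed inventory; the app names, users and the `POSTURE` flags are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class App:
    name: str
    users: set                  # step 1: who needs this application
    via_ztna: bool = False      # steps 3-4: published through Entra Private Access
    residual: bool = False      # step 5: documented exception allowed to stay on VPN

# Constructed inventory for illustration, not a real customer's data.
INVENTORY = [
    App("fileserver", {"alice", "bob", "carol"}, via_ztna=True),
    App("erp", {"alice", "bob"}, via_ztna=True),
    App("rdp-jump", {"carol"}),
    App("switch-mgmt", {"netadmin"}, residual=True),
]

# Step 2 prerequisites, recorded as booleans by whoever runs the assessment.
POSTURE = {"phishing_resistant_mfa": True, "devices_managed": True,
           "ca_covers_critical_scenarios": True}

def posture_ok(posture: dict = POSTURE) -> bool:
    """Without these foundations ZTNA adds no security, so gate the migration on them."""
    return all(posture.values())

def vpn_only_apps(inventory=INVENTORY) -> list:
    """User applications still reachable only through the VPN (residual cases excluded)."""
    return [a.name for a in inventory if not a.via_ztna and not a.residual]

def users_still_on_vpn(inventory=INVENTORY) -> set:
    """Users who need the VPN for at least one non-residual application."""
    return set().union(*(a.users for a in inventory if not a.via_ztna and not a.residual))

def can_retire_concentrator(inventory=INVENTORY, posture: dict = POSTURE) -> bool:
    """Step 5 criterion: posture in place and every user application published via ZTNA."""
    return posture_ok(posture) and not vpn_only_apps(inventory)

def migration_report(inventory=INVENTORY, posture: dict = POSTURE) -> dict:
    """Progress view for the rollout (step 4) and the retirement decision (step 5)."""
    return {
        "migrated": sum(a.via_ztna for a in inventory),
        "total": len(inventory),
        "vpn_only": vpn_only_apps(inventory),
        "users_on_vpn": sorted(users_still_on_vpn(inventory)),
        "retire_vpn": can_retire_concentrator(inventory, posture),
    }

if __name__ == "__main__":
    print(migration_report())
```

Re-run the report at every governance review (step 6) with the updated inventory; the concentrator is retired only when `retire_vpn` is true and the remaining entries are all documented residual cases.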
ZTNA, NIS2 and ISO 27001
For SMBs subject to NIS2 or working towards ISO/IEC 27001 certification, ZTNA is not just a technical choice: it is a compliance accelerator. On the NIS2 side, it covers key requirements of article 21 of Italian Legislative Decree 138/2024: access control, strong authentication, segmentation and vulnerability management. On the ISO 27001:2022 side, it maps directly to A.5.15 (Access control), A.5.17 (Authentication information), A.8.2 (Privileged access rights) and A.8.20 (Networks security).
Microsoft Entra Private Access is also certified ISO/IEC 27001, 27017, 27018 and SOC 2, which makes it usable in scenarios that require documented compliance controls without the SMB having to manage the underlying infrastructure.
How AtWorkStudio supports the migration
At AtWorkStudio we design and run identity and ZTNA solutions for SMBs: access-posture assessment, hardening of Microsoft Entra ID and Conditional Access, publishing of internal applications via Entra Private Access, progressive retirement of the VPN concentrator, integration with SIEM and ongoing governance. We operate from Piacenza, Italy, hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, are ACN-qualified for SaaS cloud services, members of Clusit (Italian Association for Information Security) and associated with Confindustria Piacenza in the RICT cluster.
Sources
- ACN/CSIRT Italia — Cyber Week of 24 May 2026 and bulletin «Vulnerabilities resolved in Cisco products» (21 May 2026)
- CSIRT Toscana / CSIRT-ITA — Alert AL04/260513 «Vulnerabilities in Fortinet products» (13 May 2026)
- Red Hot Cyber — «Cisco SD-WAN under attack: critical flaw opens the door to hackers» (15 May 2026)
- Cybersecurity360 — «Cyber attacks are shifting to the edge», Marco Schiaffino (30 April 2026)
- Microsoft — Documentation for «Microsoft Entra Private Access», «Microsoft Global Secure Access» and «Continuous Access Evaluation»
- Italian Legislative Decree 138 of 4 September 2024 — NIS2 transposition, article 21
- ISO/IEC 27001:2022 — Controls A.5.15, A.5.17, A.8.2, A.8.20