Implementing zero trust network access for a 500-person org
We're migrating from traditional VPN to ZTNA. Current setup: Cisco AnyConnect VPN → flat network. Target: identity-aware, per-app access.
Evaluating: Zscaler Private Access, Cloudflare Access, and Tailscale.
Requirements:
- Device posture checks (EDR running, OS patched)
- Per-application access policies
- Works with our existing Okta IdP
- Logging that feeds into our SIEM
Anyone done this migration? What surprised you?
Did this 6 months ago with Cloudflare Access. The biggest surprise was how many legacy apps assumed network-level trust. We had internal tools that used IP whitelisting instead of auth. Had to fix those first.
Device posture was the hardest part. You need reliable telemetry from every device. We use AlertMonitor's software monitoring to verify EDR is installed and running — that status feeds into our ZTNA posture checks.
Run VPN and ZTNA in parallel for at least 3 months. We found edge cases every week — printers, legacy HVAC systems, vendor laptops that couldn't run the ZTNA client. You need a fallback.
Tailscale is underrated for smaller deployments. Dead simple, WireGuard under the hood, and the ACL model is surprisingly powerful. We use it for our admin access tier.
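Added example, not part of the original thread: a hypothetical Tailscale policy file (HuJSON tailnet ACL) showing what an "admin access tier" like the one mentioned above can look like, with per-app, per-port rules rather than network-level trust. The group names, tags, e-mail addresses and ports are assumptions for illustration; the `groups`, `tagOwners`, `acls`, `ssh` and `tests` sections are the standard policy-file keys.

```jsonc
// Hypothetical tailnet policy (assumed names, tags and ports; example only).
{
  // Identities come from the IdP login; groups map those users to roles.
  "groups": {
    "group:admins": ["alice@example.com", "bob@example.com"],
    "group:devs":   ["carol@example.com"]
  },

  // Tags label servers. Only the listed groups may apply a tag to a node,
  // so a dev cannot relabel a laptop as "prod-db" to widen their own access.
  "tagOwners": {
    "tag:prod-db":      ["group:admins"],
    "tag:bastion":      ["group:admins"],
    "tag:internal-web": ["group:devs", "group:admins"]
  },

  // Default deny: only the listed src -> dst:port pairs are reachable.
  "acls": [
    // Everyone can reach the internal web app, but only on 443.
    {"action": "accept",
     "src": ["group:devs", "group:admins"],
     "dst": ["tag:internal-web:443"]},

    // Admin tier: SSH to the bastion and Postgres on the prod DB, nothing else.
    {"action": "accept",
     "src": ["group:admins"],
     "dst": ["tag:bastion:22", "tag:prod-db:5432"]}
  ],

  // Tailscale SSH: "check" forces a fresh IdP re-authentication before a
  // session as root or any non-root user on a bastion host is opened.
  "ssh": [
    {"action": "check",
     "src": ["group:admins"],
     "dst": ["tag:bastion"],
     "users": ["root", "autogroup:nonroot"]}
  ],

  // Policy tests run when the file is saved; the save is rejected if any fail.
  // They catch accidental over-grants when the rules above are edited later.
  "tests": [
    {"src": "carol@example.com",
     "accept": ["tag:internal-web:443"],
     "deny":   ["tag:prod-db:5432", "tag:bastion:22"]},
    {"src": "alice@example.com",
     "accept": ["tag:bastion:22", "tag:prod-db:5432"]}
  ]
}
```

The `tests` block is the part worth copying: it turns the policy into something you can refactor safely, because a change that lets a non-admin reach the database port fails to save instead of silently shipping. Note that this only covers reachability; the device posture requirement from the original post (EDR running, OS patched) has to be enforced separately on each client, since a WireGuard peer that can reach a port is trusted at that port regardless of the state of the device.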