Zero trust migration: How will I know if I can remove my VPN?
Summary
This NCSC blog explains when it is (and isn’t) safe to remove an Always On VPN (AOVPN) during a zero trust migration. The core message: don’t switch off your AOVPN until you have replicated the security benefits it provides by other means. The post walks through the specific protections an AOVPN gives and the zero trust controls that must be in place first.
Key protections covered include data-in-transit encryption (TLS), mutual authentication, managed tunnels for legacy systems, blocking inbound device connectivity, authenticating proxies for servers, forward proxies or SaaS proxies for first-hop protection, and DNS monitoring/filtering. The guidance also notes that large, complex or legacy-heavy estates may still need an AOVPN, or a hybrid approach combining VPN and zero trust controls.
Key Points
- An AOVPN protects data-in-transit, enables legacy remote access and provides defence-in-depth; don’t remove it until its benefits are matched elsewhere.
- All internal communication should use secure transport (TLS); if any link lacks it, keep the AOVPN.
- Mutual authentication (user/device and service) is required; TLS alone often proves only the server, not the client.
- Managed tunnels can safely expose specific legacy services when full zero trust can’t be applied.
- Devices must block inbound connectivity by default to limit network-borne attacks when an AOVPN is removed.
- Use authenticating proxies to protect internal servers from unauthenticated external access.
- Protect the first hop to the internet (eg via an authenticated TLS tunnel to a proxy or SaaS proxy) to replicate VPN breakout controls and monitoring.
- DNS requests must be protected, filtered and monitored to prevent hijacking and detect compromise.
- Some networks may always need an AOVPN; where removal is possible, replicate every AOVPN benefit with other controls first.
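The mutual-authentication point above (TLS on its own proves the service to the device, not the device to the service) is the one most often missed when a VPN is retired, so here is an added example that shows the check in working Go. It is written for this summary and is not code from the NCSC post: a loopback service configured to require a client certificate is probed once anonymously and once with a device certificate. The certificate names (internal-service, managed-device), the throw-away self-signed certificates and the loopback address are all constructed for the demo; a real estate would use certificates issued by its own device and service PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// must aborts the demo on setup errors: without certificates there is nothing to check.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a throw-away self-signed certificate for this example (constructed
// for the demo; a real estate would issue these from its own device and service PKI).
func makeCert(cn string, server bool) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// connectAndRead reports whether a client using cfg reaches the application layer.
// The service sends "ok" only after a completed handshake; reading, not just dialling,
// matters because under TLS 1.3 the client side of the handshake can finish before the
// server has rejected a missing or untrusted client certificate.
func connectAndRead(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 2)
	_, err = io.ReadFull(conn, buf)
	return err == nil && string(buf) == "ok"
}

// MutualAuthCheck stands up a loopback service that requires a client certificate and
// probes it twice, returning (anonymousAccepted, deviceCertAccepted): expect (false, true).
func MutualAuthCheck() (bool, bool) {
	serviceCert, deviceCert := makeCert("internal-service", true), makeCert("managed-device", false)
	devicePool, servicePool := x509.NewCertPool(), x509.NewCertPool()
	devicePool.AddCert(deviceCert.Leaf)
	servicePool.AddCert(serviceCert.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serviceCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" part: prove the device, not just the service
		ClientCAs:    devicePool,
		MinVersion:   tls.VersionTLS12,
	}))
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				c.Write([]byte("ok")) // runs the handshake; without a valid client cert it fails and sends nothing
			}(c)
		}
	}()
	// Both probes verify the service certificate (the half plain TLS already gives you); only the second presents a device cert.
	clientCfg := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: servicePool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12, Certificates: certs}
	}
	return connectAndRead(ln.Addr().String(), clientCfg()), connectAndRead(ln.Addr().String(), clientCfg(deviceCert))
}

func main() {
	anon, dev := MutualAuthCheck()
	fmt.Printf("anonymous client accepted: %v\ndevice-certificate client accepted: %v\n", anon, dev)
}
```

Run it with `go run`; the anonymous probe should be refused and the device-certificate probe accepted. Pointed at a real internal service (with that service's CA in RootCAs and a genuine device certificate), a service that still accepts the anonymous probe is relying on the AOVPN for client authentication and is not yet ready for the VPN to go; the same probe applies to an authenticating proxy placed in front of a server.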
Why should I read this?
If you’re tempted to rip out your VPN because you’re moving to zero trust — stop. This short piece tells you the exact checks and replacements you need so you don’t create a huge security hole. It’s a quick, practical reality-check for IT and security teams planning migration.
Context and relevance
The blog is aimed at organisations of all sizes and cyber security professionals moving toward a zero trust architecture. It’s directly relevant to current trends: the shift to cloud and SaaS, remote working, and the drive to reduce perimeter-based security. The guidance helps teams map VPN-provided protections to zero trust controls and highlights where hybrid approaches remain necessary.