Why Teams Choose to Replace VPN (Not Just “Add MFA”)
Virtual private networks solved a simple problem: extend the corporate LAN to remote users. In 2026, that model collides with multi-cloud workloads, contractor-heavy teams, and compliance expectations that demand who accessed what—not only who joined the network. When security leaders search for how to replace VPN infrastructure, they are usually chasing three outcomes at once: shrink lateral movement, improve user experience for SSH, databases, RDP, and internal apps, and produce audit-ready evidence without bolting on half a dozen compensating controls.
OnePAM fits that migration story because it treats privileged and infrastructure access as the product surface area: short-lived paths, centralized policy, and session visibility—rather than a tunnel that drops people onto a subnet and hopes segmentation holds. This guide walks through a migration sequence that mirrors what successful teams do in production: discover, pilot, parallel-run, tighten policy, then retire VPN paths incrementally.
Migration Principle
Replace behaviors before you replace hardware. If users still need “network presence” to do their job, they will fight the project. Map jobs-to-be-done (SSH to CI runners, SQL to reporting DB, RDP to jump workflows) and land OnePAM on those flows first—VPN can remain as a temporary backstop for long-tail traffic.
VPN vs OnePAM-Oriented Access: What Changes on Day One
Clarifying the target state prevents scope creep. You are not merely swapping concentrator vendors—you are shifting the authorization boundary from “admitted to the network” to “approved for this resource, under these conditions, for this long.”
| Dimension | Typical VPN | OnePAM-aligned migration target |
|---|---|---|
| Unit of access | Subnet / VLAN reach | Named resources (hosts, DBs, clusters, apps) |
| Credential model | Often shared VPN accounts, long-lived sessions | IdP-backed identity, JIT elevation where needed |
| Audit story | Connect / disconnect logs; sparse app context | Per-resource access events & richer session signals |
| Contractor onboarding | Broad network slices & static firewall exceptions | Narrow, time-bound entitlements with owner approvals |
| Cutover style | Big-bang risky; hard to roll back | Phased: parallel paths, measurable decommission |
Phase 0: Build the Inventory That Makes Migration Boring
Most VPN replacement projects stall for one reason: nobody agrees on what the VPN is actually used for. Export VPN connection logs, interview team leads, and tag each destination by environment (prod / staging / dev), data class (PII / PCI / none), and frequency. Merge that with CMDB or cloud tags where you can—disagreement here becomes shadow IT later.
Produce a simple RACI: application owners confirm business criticality, platform owners confirm technical paths, security signs off on risk tiers. You are building the backlog for OnePAM onboarding, not a slide deck for leadership.
What to capture for every VPN-backed destination
-
Identity & population
List which groups (engineering, finance admins, vendors) need access, whether access is standing or break-glass, and which IdP groups should map to OnePAM roles after cutover. -
Protocols & ports
SSH, RDP, database wire protocols, Kubernetes API, HTTPS internal apps—each path may need different connectors, health checks, and MFA posture. -
Dependencies on “LAN assumptions”
Legacy apps that hard-code private IPs, multicast discovery, or license servers on flat networks are the usual surprises; flag them early for redesign or temporary bridging. -
Compliance triggers
Note SOC 2, ISO, or customer contract clauses that require session review, segregation of duties, or evidence of least privilege—these shape policy templates in OnePAM.
Phased Migration: From Parallel Run to VPN Retirement
The following sequence keeps rollback trivial: users can fall back to VPN until each cohort of resources is stable on OnePAM, then you shrink VPN routes deliberately.
Treat migration as a pipeline: inventory, pilot, parallel validation, then deliberate VPN retirement per cohort.
Integrate Identity First, Then Onboard Resources
Connect your SAML or OIDC identity provider before you touch production systems. Align group claims with how you want OnePAM to express least privilege: by team, by environment, or by sensitivity tier. This step is where many migrations win or lose the security narrative—if MFA, device posture, or step-up rules already exist in the IdP, reuse them instead of inventing parallel VPN-specific credentials.
Pick a pilot cohort with patient power users: often platform engineering or SRE, because they tolerate rough edges and give actionable feedback. Onboard two or three non-production resources, mirror the old VPN workflow in documentation, and run a timed drill (can a new hire reach the staging cluster without VPN within 15 minutes?). Capture failure modes: DNS split views, private CA chains, bastion habits, and local hosts files are frequent culprits.
Policy Design: Turn “VPN ACL Soup” into Explicit Entitlements
VPN access lists tend to accrete for years—exceptions for one vendor, temporary openings for a migration weekend, “just allow 10.0.0.0/8” shortcuts. OnePAM migrations succeed when you translate those rules into resource-scoped entitlements with time bounds and approvers. Start permissive if you must, but log everything: who requested access, who approved, and when it expired.
Pair network migration with human process: change windows, rollback steps, and a communications plan that tells users exactly which hostnames move off VPN on which date. Confusion drives shadow tunnels, personal VPNs, and shared screen sessions—each of which undermines the security outcome you wanted.
Avoid the Two-Gateway Trap
If OnePAM and VPN both reach the same sensitive subnet indefinitely, attackers will follow the weakest path. Set a written sunset date for overlapping access per resource tier, and measure VPN session counts weekly until they flatline for migrated cohorts.
Cutover Week: Checklists, Rollback, and Proof for Auditors
When you are ready to replace VPN routes for a cohort, execute a freeze on unrelated firewall changes, snapshot VPN configs, and pre-stage support macros for common breakages (certificate trust, MFA prompts, stale DNS). Run synthetic checks from representative user locations—not only from headquarters—to catch asymmetric routing issues.
After each cutover block, export evidence packs: access reviews, policy versions, ticket IDs for approvals, and session samples if your compliance program requires them. Auditors respond well to narratives that show deliberate control migration rather than “we turned off the old box.”
-
Go / no-go criteria
Error rates under threshold, P99 connect latency acceptable, on-call not overloaded, and owners signed the readiness note. -
Rollback lever
Keep VPN ACL restoration steps tested until two stable weeks pass; document who can authorize emergency VPN re-enablement. -
User messaging
Single source of truth wiki page with screenshots, expected MFA behavior, and escalation path—reduces helpdesk load sharply.
Start Your VPN-to-OnePAM Migration
Connect your IdP, onboard your first resources, and move from network-wide trust to per-resource, auditable access—without a painful big bang.
Start free trialAfter VPN: Operate Access Like a Product
Finishing the technical cutover is not the end state. Schedule quarterly access reviews, tune JIT durations based on real session lengths, and feed incident retrospectives back into policy. The organizations that get the most from replacing VPN treat access changes with the same rigor as production deployments—versioned policy, peer review, and metrics on entitlement drift.
If you are comparing this journey to a pure ZTNA roll-out, the through-line is the same: shrink implicit trust, make paths explicit, and measure outcomes. OnePAM anchors that story on the infrastructure and privileged surfaces where breaches actually hurt—so when someone asks why you retired VPN, you can answer with data, not slogans.