SASE and ZTNA are the cloud-delivered model replacing the traditional VPN for hybrid teams. Rather than dropping a remote worker onto your whole network, they grant access to one application at a time, based on who the user is and the state of their device — closing gaps a VPN cannot.
The VPN was built for a world that no longer exists — a head office, a server room, and the occasional laptop dialling in from a hotel. Hybrid work broke that model. This post explains why, what ZTNA and SASE mean once you strip out the acronyms, and the realistic path an SME takes to adopt them.
Why the traditional VPN is showing its age
A VPN does one job: it extends your corporate network to a remote device. Once a laptop in Camberwell connects, it behaves as though it is plugged into the office switch. That was fine when “remote” meant a handful of people occasionally. With half your staff working from home most weeks, the design becomes a liability for three reasons.
Performance and the hairpin problem
Most VPNs backhaul all traffic through a central concentrator at the office. A staff member in Ringwood opening a Microsoft 365 document sends their traffic to the office VPN box, which routes it out to Microsoft’s cloud and back again. This “hairpin” adds latency to every cloud app — which, for most businesses now, is nearly all of them. Teams calls stutter, SharePoint feels slow, and staff start turning the VPN off so things work.
Broad network access
This is the real problem. A VPN authenticates the user once at the door, then trusts them on the whole network. A connected laptop can usually reach the file server, the accounting system and a dozen other things the user never needs. If that laptop is compromised — through a phished credential or malware — the attacker inherits the same broad reach. The VPN never asks whether this person should reach this specific system; it only asked, once, whether the login was valid.
Attack surface
A VPN concentrator must be exposed to the internet for remote staff to reach it, which makes it a target. Unpatched VPN appliances have been behind some of the most damaging intrusions of recent years, and the Australian Cyber Security Centre (ACSC) has repeatedly issued advisories about actively exploited VPN flaws. A model that removes that exposed door is structurally safer.
What ZTNA actually is
Zero Trust Network Access (ZTNA) replaces “connect to the network” with “connect to an application”. Instead of dropping a device onto your LAN, ZTNA brokers access to individual apps one at a time. Each decision weighs two things: who the user is (verified identity, usually with MFA) and the context of the request (is the device managed and patched, where is it connecting from, does the sign-in look risky).
The practical differences are sharp. A user who needs the practice management system gets that and nothing else — they cannot see or reach the file server, because as far as the network is concerned it was never exposed to them. Applications sit behind a broker rather than the open internet, so there is no concentrator for an attacker to probe. And access is continuously evaluated, not granted once at login.
If your business runs on Microsoft 365, you already own a meaningful slice of this. Conditional Access in Microsoft Entra ID is identity-and-context-based access control for your cloud apps, and it is the natural starting point — we have a full walkthrough of Conditional Access policies if you want the detail.
What SASE actually is
Secure Access Service Edge (SASE, said “sassy”) is the bigger picture ZTNA fits into: the convergence of networking and security into a single cloud-delivered service, rather than a rack of separate appliances at your office. Security and routing follow your users and data wherever they are, enforced at a cloud edge close to the user instead of forced back through a head-office chokepoint.
SASE bundles several components that were once separate boxes:
- SD-WAN — software-defined networking that intelligently routes traffic across whatever links you have (NBN, 4G/5G, fibre).
- ZTNA — the per-app access model described above.
- SWG (Secure Web Gateway) — filters web traffic and blocks malicious sites, wherever the user is.
- CASB (Cloud Access Security Broker) — visibility and control over which cloud apps staff use, catching the “shadow IT” of an unsanctioned file-sharing tool.
- FWaaS (Firewall as a Service) — firewall capability delivered from the cloud instead of a physical appliance.
The selling point is that these stop being five disconnected products and become one policy framework. Full convergence, though, is an enterprise journey — for an SME, the value is in the components, not the badge.
How this maps to zero trust
SASE and ZTNA are the network and access expression of zero trust. The principle is “never trust, always verify” — assume no user or device is trustworthy by default, verify every request explicitly, and grant the least access needed. A VPN violates that on its face: it trusts broadly after one check. ZTNA implements it directly, verifying identity and device context on every request. If the idea is new to you, our zero trust security model explained post covers it in full. SASE is simply how you deliver those principles to a distributed workforce without anchoring everything to a head-office firewall.
VPN versus ZTNA at a glance
| Aspect | Traditional VPN | ZTNA |
|---|---|---|
| Access granted | Whole network | Single application |
| Trust model | Verify once at login | Verify every request, continuously |
| Device posture | Rarely checked | Checked on each access |
| Internet exposure | Concentrator published to the internet | Apps hidden behind a broker |
| Cloud app performance | Hairpinned through the office | Direct to the cloud edge |
| Blast radius if a device is compromised | The entire network | Only the apps that user was granted |
The realistic SME adoption path
Here is the honest part most vendor material skips: you do not buy “SASE”. There is no single SKU that delivers it, and any SME chasing a full convergence project will spend a fortune and stall. You adopt the components in order of value, and most Melbourne SMEs already own the first ones:
- MFA everywhere, no exceptions. The foundation of every model that follows. If a single shared mailbox or service account is still exempt, fix that first.
- Conditional Access. Use Entra ID to enforce identity-and-context rules on your Microsoft 365 apps — require a compliant device, block risky sign-ins, restrict by location. This is ZTNA for the apps most of your business already runs on.
- ZTNA for the remaining internal apps. Line-of-business systems that are not cloud SaaS — an on-prem ERP, an internal web tool — go behind a ZTNA broker so you can decommission the VPN for them.
- Layer on SWG, CASB and FWaaS as the case arises. Worth adding when scale and risk justify them.
Done this way, you reach the security outcomes of SASE incrementally, and the VPN gets retired app by app rather than in one risky cutover. Plenty of capable vendors play here — the major identity, networking and security platforms all have ZTNA and SASE offerings — and we stay deliberately vendor-neutral. The right stack depends on what you already run and your appetite for consolidation. Chasing a brand-name “SASE platform” before MFA and Conditional Access are locked down is putting the roof on before the walls.
A Box Hill example
A professional services firm in Box Hill we work with came to us frustrated that their VPN made every cloud document feel sluggish, so staff habitually disconnected it — leaving their security control off most of the day. We did not sell them a SASE platform. We hardened MFA, built out Conditional Access in Entra ID so their Microsoft 365 access enforced compliant-device and location rules, and put their one remaining on-prem application behind a ZTNA broker. The concentrator came off the internet entirely, cloud apps got faster, and their attack surface shrank to nothing.
The MSP role
This is where an MSP earns its keep, because the failure modes are subtle. Conditional Access with one too many exclusions, or a ZTNA policy so broad it recreates the VPN’s flat-access problem — these are configuration details, and they are where the value and the risk both sit. The point of moving off a VPN is least-privilege access; a half-configured replacement gives you the complexity without the benefit.
TechAssist is a Melbourne-based MSP, founded in 2014, with thirteen Australian-employed engineers and a 24/7 NOC in Tecoma — no offshore helpdesk. We design and run these transitions as part of our cybersecurity services, and because our pricing is per-user fixed monthly, the configuration and ongoing tuning are in scope, not a surprise project fee. We treat the VPN-to-ZTNA move as an identity-hardening exercise first, because that is where the leverage sits.
Frequently asked questions
Do I have to replace my VPN all at once?
No, and you should not. The sensible approach retires the VPN application by application. As each internal system moves behind Conditional Access or a ZTNA broker, the VPN has one less reason to exist, until eventually you take the concentrator off the internet.
Is ZTNA the same as a VPN with MFA bolted on?
No. Adding MFA to a VPN strengthens the front door but changes nothing after login — the user is still dropped onto the whole network. ZTNA changes the model: access is granted per application, evaluated on every request, and the apps are never exposed to the open internet.
We already use Microsoft 365 — do we have any of this?
Yes. Conditional Access in Microsoft Entra ID is identity-and-context-based access control, the core of ZTNA for your cloud apps. If you are on Microsoft 365 Business Premium you already hold the licence. The question is whether it is actually configured — for many tenants it is not.
Talk to us about moving off the VPN
If your VPN is slowing your team down, exposing an appliance to the internet, or granting more access than anyone needs, there is a better model — and you probably already own the first pieces of it. Our cybersecurity team can audit what you have and map the path off the VPN. Get in touch and we will tell you plainly where you stand.