ZTNA vs VPN Battles Heat Up with 14 New Data Centers

The Architectural Friction
- The Infrastructure Expansion: ThreatLocker launches its deny-by-default network and cloud access tools at Zero Trust World 2026, backed by 14 newly built data centers to minimize edge latency.
- The Operational Realignment: Transitioning from legacy VPNs to Zero Trust Network Access (ZTNA) shifts the administrative burden from network engineering to identity and policy management.
- The Exposure Profile: Organizations clinging to traditional firewalls remain vulnerable to lateral network movement, while those rushing into ZTNA face immediate operational disruptions from misconfigured micro-segmentation policies.
The Orlando Realization: Why the Perimeter Died in 2026
In early March 2026, inside the convention halls of Orlando, Florida, the conversation among managed service providers (MSPs) shifted from theoretical security frameworks to hard physical infrastructure. ThreatLocker co-founder and CEO Danny Jenkins stood before an audience of IT operators to announce a massive product expansion into zero trust network and cloud access. To make this software-defined approach work without crushing user experience, his firm had quietly spent the previous twelve months building 14 new data centers, placing twelve of them strategically across the United States. This was not a minor software update; it was a heavy capital bet on the reality that traditional network perimeters have become liabilities.
The push is fueled by market demand that MSPs cannot ignore. According to the 2026 Kaseya State of the MSP Report, 71% of MSPs reported year-over-year cybersecurity revenue growth, with zero trust architecture emerging as the primary framework clients demand during vendor evaluations. The days of treating everything inside the office firewall as safe are gone. With remote workforces accessing distributed SaaS platforms from unmanaged home networks, the traditional virtual private network (VPN) has transformed from a secure tunnel into an open highway for lateral threat propagation.
Yet, behind the marketing promises of zero trust lies a complex operational reality. Buyers are told that migrating to ZTNA will instantly secure their environments, but they are rarely warned about the administrative toll of enforcing a strict deny-by-default posture at the network layer. The transition is not a simple software swap; it is an architectural trade-off between the blunt simplicity of a network tunnel and the granular friction of identity-aware micro-segmentation.
The Under-the-Hood Reality of Network Cloaking
To evaluate these options, buyers must look past the glossy datasheets and analyze how packets actually flow. A traditional VPN operates at the Network Layer (Layer 3) or Transport Layer (Layer 4) of the OSI model. When a remote user authenticates via a legacy client, the VPN gateway assigns them an IP address on the internal subnet. From that moment, the user's device is logically inside the network. If a threat actor compromises that endpoint via a phishing email, they can scan the network, locate high-value assets, and exploit vulnerabilities such as unpatched Active Directory servers.
ZTNA platforms, such as those from Zscaler, Cloudflare One, or the newly expanded ThreatLocker Network Access, operate on a completely different philosophy. They decouple application access from network connectivity. Instead of bridging the user to the network, ZTNA creates an ephemeral, encrypted 1-to-1 connection between the authenticated user and the specific application they are authorized to use. The rest of the network remains entirely invisible to the client device.
Think of a legacy VPN as giving a visitor a physical master key to the corporate office building, whereas ZTNA acts as an armed security escort who unlocks exactly one cabinet door for five minutes before vanishing.
The Real-World Friction of Policy Mapping
In a representative mid-market engineering firm with 350 remote employees, the legacy VPN setup was simple: one tunnel for engineers, one for administration. When the IT team attempted to migrate to a strict ZTNA model, they ran directly into the policy-mapping wall. The firm's proprietary project management tool relied on dynamic RPC ports that negotiated connections on the fly. Because ZTNA requires explicit, pre-defined rules for every application port and destination, the automated policy engine blocked these dynamic connections. The migration halted as the helpdesk was flooded with tickets, forcing the team to temporarily revert to open-port policies, which defeated the security purpose of the tool.
"The hidden cost of zero trust is not the software subscription; it is the hundreds of engineering hours spent mapping undocumented application behaviors before you can safely turn on deny-by-default rules."
How to Transition from VPN to ZTNA Without Dropping Packets
For organizations planning their network security roadmap, the choice between these two architectures is rarely a clean break. It requires a phase-by-phase migration strategy that respects the operational limits of your IT staff. If you attempt to cut over your entire workforce overnight, your helpdesk will buckle under the weight of broken application dependencies.
A successful migration begins with a thorough audit of your application traffic. Before deploying a single ZTNA agent, use network flow analyzers to document every internal resource, its port requirements, and its authentication mechanisms. Start by migrating low-risk, web-based internal applications that use standard HTTPS protocols. This allows your team to refine their identity provider (IdP) integrations with tools like Okta or Microsoft Entra ID without risking business-critical workflows. Keep your legacy VPN running in parallel as a fallback mechanism, restricted only to senior administrators who can troubleshoot connectivity issues without exposing the entire subnet.
Rule of Thumb: If your IT team cannot produce an up-to-date, verified inventory of every application port used by your remote workforce, you are not ready for ZTNA; you are merely ready to break your business.
The Regulatory Pressures Driving the Migration
The shift away from legacy VPNs is no longer just an internal IT preference; it is increasingly mandated by federal oversight and compliance frameworks. Regulatory bodies have documented how threat actors exploit weak VPN configurations and unpatched gateway vulnerabilities to gain initial access to critical infrastructure.
- CISA Zero Trust Maturity Model 2.0: This framework explicitly requires organizations to transition from perimeter-based security to micro-segmentation, urging the adoption of identity-aware proxies to protect federal systems.
- NIST SP 800-207: The gold standard for zero trust architecture, these guidelines state that access to individual resources must be granted on a per-session basis, rendering broad-subnet VPN access non-compliant.
- SEC Cybersecurity Disclosure Rules: With public companies now forced to report material breaches within four business days, CISOs are migrating to ZTNA to limit the blast radius of potential intrusions, preventing a single endpoint compromise from turning into a reportable incident.
The Three Operational Signals That Dictate Your Choice
Deciding when to maintain a VPN and when to invest in a ZTNA platform comes down to three operational signals within your enterprise stack. There is no one-size-fits-all solution, and a mature organization may choose to run a hybrid model indefinitely.
- Application Modernization Level: If your core business relies on legacy, thick-client applications that use non-standard, dynamic ports, the policy-configuration overhead of ZTNA may outweigh its immediate benefits. In this scenario, a heavily restricted VPN with multi-factor authentication (MFA) and strict network access control (NAC) policies remains a viable, lower-maintenance choice.
- Identity Infrastructure Maturity: ZTNA is only as strong as your identity provider. If your organization lacks centralized identity management, role-based access control (RBAC), or continuous authentication capabilities, implementing ZTNA is akin to building a vault door on a cardboard house.
- Staffing and MSP Support: Managing a deny-by-default network security posture requires continuous monitoring and rapid policy adjustment. For smaller organizations without a dedicated Security Operations Center (SOC) or a highly capable MSP, the automated, application-level blocking of ZTNA can lead to operational paralysis.
Figures compiled from the sources cited below.
Frequently Asked Questions
What happens to our legacy on-premise Active Directory replication when we move to a pure ZTNA model?
Active Directory replication relies on dynamic RPC port allocation, which frequently breaks under standard ZTNA policies. To prevent replication failures, organizations must either configure explicit, complex port-range rules within their ZTNA policy engine or route domain controller traffic through a dedicated, highly restricted site-to-site VPN tunnel rather than client-to-gateway ZTNA brokers.
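The port-inventory audit from the migration section and the dynamic RPC behaviour described in this answer, as one added example that is not the article's or any vendor's code: it aggregates constructed NetFlow-style records into a per-destination port inventory and flags hosts whose traffic pairs the RPC endpoint mapper (135/tcp) with ephemeral ports, which a fixed deny-by-default rule cannot express. The host addresses, the CSV layout and the use of 49152 as the start of the dynamic range are assumptions.

```python
# Added example, not from the article or ThreatLocker: aggregate constructed
# NetFlow-style records into a per-destination port inventory and flag hosts that
# negotiate dynamic RPC ports, which a fixed deny-by-default rule cannot express.
import csv
import io
from collections import defaultdict

# Constructed sample export (src, dst, dst port, proto, bytes); not real traffic.
SAMPLE_FLOWS = """src,dst,dport,proto,bytes
10.8.0.12,10.1.0.5,443,tcp,48211
10.8.0.13,10.1.0.5,443,tcp,9120
10.8.0.12,10.1.0.20,135,tcp,1200
10.8.0.12,10.1.0.20,49670,tcp,88000
10.8.0.14,10.1.0.20,135,tcp,1100
10.8.0.14,10.1.0.20,52811,tcp,73000
10.8.0.15,10.1.0.7,22,tcp,3400
"""

RPC_MAPPER_PORT = 135      # endpoint mapper that hands out the per-session port
EPHEMERAL_START = 49152    # start of the Windows/IANA dynamic port range (assumed)

def build_inventory(flow_csv):
    """Return {dst: {port: (proto, flow_count, total_bytes)}}."""
    inv = defaultdict(lambda: defaultdict(lambda: [None, 0, 0]))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        entry = inv[row["dst"]][int(row["dport"])]
        entry[0] = row["proto"]
        entry[1] += 1
        entry[2] += int(row["bytes"])
    return {d: {p: tuple(v) for p, v in ports.items()} for d, ports in inv.items()}

def classify(inventory):
    """'static' if every observed port is fixed; 'dynamic-rpc' if the endpoint
    mapper and ephemeral ports are both seen; 'ephemeral' for other high ports."""
    labels = {}
    for dst, ports in inventory.items():
        has_high = any(p >= EPHEMERAL_START for p in ports)
        if not has_high:
            labels[dst] = "static"
        elif RPC_MAPPER_PORT in ports:
            labels[dst] = "dynamic-rpc"
        else:
            labels[dst] = "ephemeral"
    return labels

def ztna_ready(inventory):
    """Destinations whose access can be written as fixed port rules today."""
    return sorted(d for d, lbl in classify(inventory).items() if lbl == "static")
```

Hosts labelled `dynamic-rpc` are the ones to route through the restricted site-to-site tunnel or to cover with an explicit port-range rule before the deny-by-default switch is thrown.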
How do we handle third-party contractors who refuse to install our proprietary ZTNA agent on their personal machines?
For unmanaged contractor devices, a clientless ZTNA approach is required. This involves routing their access through an identity-aware web proxy or a secure virtual desktop infrastructure (VDI) instance. This allows them to access specific internal web applications via a browser session without requiring local agent installation or exposing your network to their unmanaged endpoint.
When a ZTNA vendor's cloud broker experiences a regional outage, what is the automated fallback mechanism to prevent global user lockout?
A resilient ZTNA deployment must feature a hybrid-ingress failover plan. If the vendor's cloud control plane goes dark, traffic should automatically reroute through local virtual appliances deployed at your physical edge, or fallback to an emergency, MFA-protected backup VPN gateway that is kept offline during normal operations.
The Final Verdict: If your organization has a highly centralized identity provider and primarily accesses web-based or SaaS applications, the security benefits of migrating to ZTNA justify the migration costs. However, if you are running legacy on-premise infrastructure with dynamic ports and a lean IT team, stick with a hardened, MFA-gated VPN until your identity stack is mature enough to handle the policy overhead. Do not buy the marketing until you have mapped your packets.
Industry References & Signals
This analysis draws on the following source reporting:
- ThreatLocker's infrastructure expansion and deny-by-default approach, announced at Zero Trust World 2026 (CRN, crn.com).
- Market trends and MSP growth metrics from the 2026 Kaseya State of the MSP Report (Kaseya).
When you look at your current remote access logs, how many of your active VPN sessions have remained open for more than 24 hours without a single re-authentication event?
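One way to answer that question from your own logs, as an added example that is not the article's code: it walks constructed VPN session events in time order and reports sessions still open whose last CONNECT or REAUTH is older than 24 hours. The event layout is an assumption, not any vendor's log schema.

```python
# Added example, not from the article: find VPN sessions still open whose last
# authentication is older than 24 hours, the condition the question above asks about.
# The event format is constructed for this example, not any vendor's log schema.
from datetime import datetime, timedelta

# Constructed sample events: timestamp user session_id event
SAMPLE_LOG = """2026-03-01T06:00:00 dave s4 CONNECT
2026-03-02T08:00:00 alice s1 CONNECT
2026-03-02T09:30:00 bob s2 CONNECT
2026-03-02T20:00:00 bob s2 REAUTH
2026-03-03T07:15:00 carol s3 CONNECT
2026-03-03T08:00:00 alice s1 REAUTH
2026-03-03T12:00:00 carol s3 DISCONNECT
"""

MAX_AGE = timedelta(hours=24)

def parse_events(text):
    """Parse lines into (timestamp, user, session_id, event), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, sid, ev = line.split()
        events.append((datetime.fromisoformat(ts), user, sid, ev))
    return sorted(events)

def stale_sessions(text, now_iso):
    """Return {session_id: (user, hours_since_last_auth)} for sessions that are
    still open at `now_iso` and whose last CONNECT/REAUTH is older than MAX_AGE."""
    now = datetime.fromisoformat(now_iso)
    last_auth, owner, open_sessions = {}, {}, set()
    for ts, user, sid, ev in parse_events(text):
        if ts > now:          # ignore events logged after the point in time asked about
            continue
        if ev in ("CONNECT", "REAUTH"):
            last_auth[sid], owner[sid] = ts, user
            open_sessions.add(sid)
        elif ev == "DISCONNECT":
            open_sessions.discard(sid)
    stale = {}
    for sid in open_sessions:
        age = now - last_auth[sid]
        if age > MAX_AGE:
            stale[sid] = (owner[sid], round(age.total_seconds() / 3600, 1))
    return stale
```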