Engineers routinely circumvent safety protocols to carry out their tasks, as aspirations for a zero-trust environment haven't been realized.

Outdated VPN systems and over-reliance on manual procedures potentially expose internal systems to unauthorized access by ex-employees


According to a survey conducted by Tailscale, Zero Trust Network Access (ZTNA) is currently in a transitional phase, with widespread discussion but limited implementation in most organizations[1][2]. The report highlights that while there's broad awareness and aspiration for Zero Trust principles, actual deployment is often incomplete, with many companies relying on multiple security tools rather than consolidating around a unified ZTNA platform[1][4].

**Key Adoption Metrics**

- **Emerging Identity-First Architectures**: Nearly half of companies are trying to consolidate their toolsets, and early adopters are moving towards identity-first security and just-in-time access models[1].
- **Just-in-Time Access**: 47% of organizations have implemented at least some form of just-in-time or time-limited access, which is a core principle of ZTNA[2].
- **ZTNA Platforms**: 34% already use cloud-delivered ZTNA platforms, and 27% use peer-to-peer (mesh) VPNs like Tailscale, indicating a growing shift from appliance-based network concentrators to software-defined, identity-aware solutions[2].
- **Tool Proliferation**: 92% of organizations use multiple tools for network security, with nearly a third juggling four or more solutions, contributing to complexity and frustration[1].

**Roadblocks and Frustrations**

**Human and Organizational Hurdles**

- **Circumventing Controls**: A staggering 83% of IT and engineering professionals admit to bypassing security controls to perform their jobs, highlighting the friction caused by overly complex or slow security systems[1][3].
- **Delayed Upgrades**: Upgrades to modern secure access are often delayed by concerns about workflow disruption (42%), unclear business value (33%), or lack of direction (31%)[3].
- **Skepticism and Knowledge Gaps**: 55% of respondents are either unsure or skeptical about where to find better solutions, indicating a significant education gap around adaptive access, AI-enhanced threat detection, and modern Zero Trust architectures[1].

**Impact on Legacy VPNs**

**Industry Trends**

- **Gradual Sunsetting**: The survey forecasts that security-minded organizations are likely to retire or phase out legacy VPNs by the end of 2026, moving toward more flexible, composable, cloud-native ZTNA solutions[1].
- **Layered Approach**: Some organizations layer identity-centric approaches (like just-in-time access) on top of existing VPNs to reduce risk during the transition[2].
- **Identity as the New Perimeter**: Modern ZTNA solutions treat identity, not the network edge, as the new perimeter, improving offboarding and auditing, especially compared to traditional VPNs, which often leave lingering access for ex-employees (68% found this problematic)[2].

**Future Outlook**

**Migration and Consolidation**

- The move away from legacy VPNs is not expected to be a "big bang" event, but rather a gradual migration to avoid business disruption[2].
- The industry is moving towards unified, cloud-native secure access platforms (sometimes called universal ZTNA), with identity verification and device posture checks for each application session[1].
- AI and automation are increasingly used not only for threat detection but also for dynamically adjusting access based on context[1].

**Summary Table: Key Findings**

| Area | Current Status | Trend/Impact on VPNs |
|----------------------|-------------------------------------------------|---------------------------------------|
| ZTNA Adoption | Partial, aspirational, tool proliferation | Gradual replacement of VPNs by 2026 |
| Just-in-Time Access | 47% have some implementation | Reduces standing privileges |
| ZTNA Platforms | 34% use cloud ZTNA, 27% use mesh VPNs | Shift to identity-aware, SW-defined |
| Bypass Behavior | 83% admit to circumventing controls | Highlights VPN/ZTNA friction |
| Offboarding/Auditing | ZTNA improves offboarding (identity-centric) | VPNs often leave lingering access |

**Conclusion**

The current state of ZTNA adoption is one of aspiration, partial deployment, and growing but uneven maturity. While legacy VPNs are still widely used, the trend is clearly toward their eventual retirement in favor of identity-first, just-in-time access architectures enabled by ZTNA platforms[1][2]. However, human resistance, organizational inertia, and lack of education remain significant barriers. Organizations that successfully navigate this transition will benefit from improved security, better auditability, and a smoother user experience—but the process is expected to be gradual, with most enterprises still in the middle of their Zero Trust journeys[1][2][3].

The survey, commissioned by Tailscale, drew responses from 1,000 IT, security, and engineering professionals across North America. Education around adaptive access, AI-enhanced threat detection, and modern zero trust architectures will be critical over the next two years.

  1. The study by Tailscale reveals that while there's widespread discussion about Zero Trust Network Access (ZTNA), its implementation in most organizations remains incomplete, with many relying on multiple security tools instead of consolidating around a unified ZTNA platform.
  2. The survey also indicates a growing shift in the networking infrastructure, with 34% already using cloud-delivered ZTNA platforms and 27% using peer-to-peer VPNs like Tailscale, signifying a move from appliance-based network concentrators to software-defined, identity-aware solutions.
  3. In addition, the report highlights that nearly half of the companies are trying to consolidate their toolsets, moving towards identity-first security and just-in-time access models, which are core principles of ZTNA.
  4. Furthermore, the finance sector may profit from the transition to ZTNA as improvements in security, auditability, and user experience could potentially reduce cybersecurity risks and costs associated with legacy VPNs.
