About this project
Enterprise zero trust architecture design and implementation — replacing legacy VPN with identity-aware, device-posture-verified, least-privilege network access across cloud and on-premises resources.
Background
The legacy VPN model is a perimeter that no longer makes sense when your workforce is remote, your applications are in the cloud, and your attackers are specifically targeting VPN appliances. The zero trust project at Accent Group was driven by a combination of risk posture work and a practical observation: the VPN was a single point of failure and a source of constant friction for end users. Replacing it required a fundamental architectural shift rather than a product swap.
The design centres on identity and device posture as the access control plane. Entra ID with Conditional Access evaluates every access request: who is the user, what device are they on, does that device meet the compliance baseline (with CrowdStrike's EDR posture feeding the compliance signal), and what is the current risk level? Access is granted per application, not per network segment. That bounds the blast radius of a compromised credential: on its own it fails the device posture check, and even from a compliant device it reaches only the applications that user is entitled to, never the network as a whole.
Microsoft Entra Private Access replaced the VPN for internal application access. Cloudflare fronts the externally exposed applications and adds a second zero trust enforcement point at the edge. The migration was phased across three months: we moved workload by workload rather than cutting over wholesale, which let us validate each new access path in production before decommissioning the VPN entirely. The result was a stronger security posture and a materially better user experience: no VPN client for users to connect and no hairpin through a concentrator.
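To make the evaluation concrete, here is a small Python model of the two kinds of policy described above: a device posture gate on the Private Access application, and a risk-based step-up policy staged in report-only mode the way a phased rollout would stage it. This is an added example, not code from the Accent Group deployment. The policy dictionaries follow the shape of the Microsoft Graph conditionalAccessPolicy resource, but the group and application identifiers, the sample sign-ins and the evaluator logic are all constructed for illustration; the evaluator is a simplified stand-in for Entra's engine that models only the compliantDevice, mfa and block grant controls and treats the EDR posture as a single device-compliance boolean.

```python
"""Simplified model of Entra Conditional Access evaluation (added example, not Entra's engine).
Policy dicts follow the Microsoft Graph conditionalAccessPolicy shape; IDs and sign-ins are constructed."""
from dataclasses import dataclass

STAFF_GROUP = "grp-all-staff"                    # hypothetical group object ID
PRIVATE_ACCESS_APP = "app-entra-private-access"  # hypothetical app object ID
STAFF = frozenset({STAFF_GROUP})

# Phase 1: device posture gate, enforced from day one. "compliantDevice" is the
# MDM compliance state, which is where an EDR posture signal is surfaced to Entra.
BASELINE_POLICY = {
    "displayName": "ZTNA: compliant device for Private Access",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [STAFF_GROUP]},
        "applications": {"includeApplications": [PRIVATE_ACCESS_APP]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

# Phase 2: risk-based step-up, started in report-only mode so the sign-in logs
# show who would have been challenged before anyone is actually blocked.
STEP_UP_POLICY = {
    "displayName": "ZTNA: MFA on medium/high sign-in risk",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeGroups": [STAFF_GROUP]},
        "applications": {"includeApplications": [PRIVATE_ACCESS_APP]},
        "signInRiskLevels": ["medium", "high"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
}
POLICIES = [BASELINE_POLICY, STEP_UP_POLICY]

@dataclass(frozen=True)
class SignIn:
    """One access request as Conditional Access sees it."""
    user_groups: frozenset
    app: str
    device_compliant: bool  # posture signal from MDM/EDR
    mfa_satisfied: bool     # strong auth already completed this session
    sign_in_risk: str       # "none", "low", "medium" or "high"

@dataclass
class Decision:
    granted: bool
    unmet: list        # controls an enforced policy demanded but the request lacks
    report_only: list  # controls a report-only policy would have demanded

def applies(policy: dict, s: SignIn) -> bool:
    c = policy["conditions"]
    apps = c["applications"]["includeApplications"]
    levels = c.get("signInRiskLevels", [])  # absent or empty: every risk level
    return (bool(set(c["users"]["includeGroups"]) & s.user_groups)
            and ("All" in apps or s.app in apps)
            and (not levels or s.sign_in_risk in levels))

def control_satisfied(control: str, s: SignIn) -> bool:
    checks = {"compliantDevice": s.device_compliant, "mfa": s.mfa_satisfied, "block": False}
    return checks[control]  # KeyError for a control this model does not cover

def unmet_controls(policy: dict, s: SignIn) -> list:
    g = policy["grantControls"]
    status = {c: control_satisfied(c, s) for c in g["builtInControls"]}
    ok = all(status.values()) if g["operator"] == "AND" else any(status.values())
    return [] if ok else [c for c, met in status.items() if not met]

def evaluate(policies: list, s: SignIn) -> Decision:
    """All applicable policies run; one enforced policy left unmet denies access."""
    unmet, report = [], []
    for p in policies:
        if not applies(p, s):
            continue
        missing = unmet_controls(p, s)
        if p["state"] == "enabled":
            unmet += missing
        elif p["state"] == "enabledForReportingButNotEnforced":
            report += missing  # logged for review, not enforced
    return Decision(granted=not unmet, unmet=unmet, report_only=report)

# Constructed sign-ins, not real tenant events.
SAMPLE_SIGN_INS = {
    "staff, compliant device, low risk": SignIn(STAFF, PRIVATE_ACCESS_APP, True, True, "low"),
    "stolen password, unmanaged device": SignIn(STAFF, PRIVATE_ACCESS_APP, False, True, "none"),
    "compliant device, medium risk, no MFA": SignIn(STAFF, PRIVATE_ACCESS_APP, True, False, "medium"),
    # Not in scope yet, so no policy applies: the reason the end state targets "All" apps.
    "app not yet migrated": SignIn(STAFF, "app-legacy-intranet", False, False, "high"),
}

def run_samples(policies: list = POLICIES) -> dict:
    return {name: evaluate(policies, s) for name, s in SAMPLE_SIGN_INS.items()}

if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{'GRANT' if d.granted else 'DENY':5} {name}: unmet={d.unmet} report_only={d.report_only}")
```

Running the samples shows the three behaviours the design relies on: the stolen password from an unmanaged device is denied on the device posture check alone, the medium-risk sign-in without MFA is still granted while the step-up policy is report-only but is recorded as one that would have been challenged, and the application that has not yet been migrated into scope is untouched by either policy, which is the gap a phased rollout has to close before the VPN is switched off. Flipping the step-up policy's state to "enabled" (the cut-over step) turns that medium-risk grant into a denial. In a real tenant the policy dictionaries would be the JSON bodies posted to the Graph conditionalAccess/policies endpoint with GUID identifiers, and Conditional Access has many more conditions (locations, platforms, client app types, user risk) and session controls than this model covers.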
Highlights
- Identity-based perimeter replacing implicit network trust
- Device posture verification integrated with EDR compliance signals
- Conditional Access policies with risk-based step-up authentication
- Application segmentation limiting lateral movement between workload tiers
- Phased migration playbook from legacy VPN without service disruption