Back to case studies

Replacing a Legacy VPN for Sensitive Systems Access

RoleCybersecurity Project Manager
OrganizationLarge-Scale Enterprise
StatusCompleted
500
Users Migrated
0
Downtime
95%
Access Reduction
6mo
Duration

Overview

This case study outlines the process of decommissioning a legacy VPN that provided access to a secure network hosting sensitive systems. The project's objective was to replace it with a more secure, scalable, and compliant solution while minimizing disruption to end users and maintaining operational continuity.

Defining Requirements and Goals

The first stage was to establish clear technical and operational requirements for the new VPN solution. This ensured that the solution would not only meet current needs but also remain viable for at least the next 5–10 years. Collaboration with network engineers and security architects was essential to design an architecture that was robust, policy-aligned, and adaptable to future technologies.

Pilot Program with Power Users

A pilot program was launched to validate the new VPN before a full rollout. A group of high-usage "power users" from the legacy system tested the new platform, providing real-world feedback on performance, authentication flows, and usability. Weekly feedback loops allowed the team to address issues quickly, refine onboarding documentation, and adjust settings such as connection timeouts and failover procedures. This early refinement reduced the support burden during the main migration.

User Analysis and Persona Development

In parallel with the pilot, the team conducted a 180-day usage analysis using Splunk logs to fully understand the existing user base. This analysis identified active accounts, removed redundant ones, and mapped user personas based on role, usage frequency, and technical needs. High-usage times were documented to ensure adequate system capacity during peak demand, and specific role-based requirements were recorded for tailored onboarding support.

Governance and Access Control Model

The governance framework was finalized before migration began to eliminate ambiguity. This included defining access approval workflows, assigning account expiry dates, and enforcing periodic reauthorization to remove dormant accounts. Instead of broad access rights, the new model restricted users to only the systems and IP ranges they were authorized to access, tracked through an asset management system. This prevented the overly permissive access that had existed in the legacy model.

Change Management and Communication Plan

With governance in place, the team implemented a robust change management strategy to prepare the 500 legacy VPN users for migration:

  • Direct email communications with timelines and step-by-step guides
  • Announcements on Slack, Teams, and the intranet for high visibility
  • Engagement with department heads and presentations at multiple change advisory boards over three months
  • A centralized "gold source" intranet page with FAQs, request forms, and troubleshooting guides

Migration Tracking and Final Cutover

Migration progress was tracked in real time through Splunk dashboards, enabling targeted outreach to specific teams or individuals who had not yet transitioned. The process began with 500 active users on the legacy VPN, and through continuous follow-up and support, this number was reduced to just 25 before the final cutover. These remaining users received direct outreach to resolve any last-minute issues.

Results and Lessons Learned

The migration was completed on schedule and without downtime for critical systems. The project achieved a significant reduction in unnecessary access, ensured compliance with modern security frameworks, and delivered a maintainable solution that met long-term strategic goals.

Key lessons included:

  • Piloting with high-usage users surfaces real issues before full rollout
  • Locking governance before rollout eliminates ambiguity during migration
  • Real-time migration tracking combined with targeted communication drives completion rates
  • Restricting access to only authorized systems dramatically reduces attack surface