The question of whether a VPN still makes sense comes up more and more often in conversations with clients. On one hand, you hear the slogan Zero Trust everywhere, with suggestions that the VPN is a relic. On the other, half of companies still log into their resources through a VPN and it works fine. The truth, as usual, lies in between. The VPN has not died, but its role has changed, and it is worth understanding where it stops being enough.
What a VPN does well
Let us start honestly. The VPN still solves real problems and will be present in many companies for a long time yet.
- An encrypted tunnel. Traffic between the employee and the company is secured, including on an open network in a cafe or hotel.
- Access to local resources. A file server, a network printer, an ERP system on your own infrastructure. For such things a VPN is still practical.
- Simplicity. The configuration is well known, cheap and supported by most network hardware.
If the company keeps data on its own server in the office and employees look in there occasionally, a well configured company VPN is still a sensible solution. The problem begins when the VPN becomes the only and main gateway to the whole company’s world.
Where a VPN fails
The VPN model rests on an assumption that today is increasingly wrong: that everything inside the company network deserves trust. Specific weaknesses follow from that assumption.
- Access that is too broad. After logging in, the user usually lands in the whole network, not in the single application they need. A compromised account means access to everything.
- Lateral movement. An attacker who gets inside moves freely, because inside no one checks them anymore. This is how ransomware spreads.
- No context. A classic VPN only asks for a login and password. It does not care whether the device is up to date or whether the login looks suspicious.
- Vulnerabilities of VPN gateways. Access servers can be targets of attacks, and a single unpatched gap opens the way to the whole company.
In the incidents I have analysed, the attacker repeatedly got in through a legitimate VPN account, and then moved around the network unnoticed for weeks. The network trusted them because they were inside. This is exactly the problem that Zero Trust addresses.
Zero Trust is not a product
Zero Trust is sometimes sold like a box you buy and switch on. That is a misunderstanding. Zero Trust is a model for designing access, summed up by one principle: never trust, always verify. There is no trusted and untrusted network. Every request is checked anew, based on who, from where and from which device wants to get in.
In practice the foundation of this model is identity and conditional access. Instead of letting the user into the whole network, we give them a single application, after checking many signals at once:
- whether the account has confirmed its identity through MFA,
- whether the device is managed and up to date,
- whether the login is not happening from an unusual location or at elevated risk.
The natural anchor point here is orderly identity, for example in Entra ID, which lets you build such rules without a major infrastructure expansion.
So should you drop the VPN
Not overnight and not by force. This is not a binary choice. In many companies the VPN will coexist with the new model for some time yet, for example for legacy systems that cannot easily be exposed another way. A sensible approach looks like this:
- Sort out identity and enable strong MFA for everyone.
- Deploy basic conditional access policies based on device and risk.
- Start exposing applications without letting the user into the whole network.
- Limit what is visible through the VPN, instead of granting access to the whole network.
- Gradually wind down broad VPN access where the new model has already replaced it.
Common misconceptions
A few myths have grown around this topic, worth defusing before you make a decision.
- A VPN is dangerous in itself. It is not. What is dangerous is treating it as the only protection and granting access to the whole network through it at once.
- Zero Trust requires replacing the whole infrastructure. It does not. It starts with identity and rules, which can largely be built on what the company already has.
- Since I have MFA, I have Zero Trust. MFA is an important element, but on its own it is not an access model. Zero Trust is also about the device, context and limiting the reach.
It is also worth remembering that a VPN alone does not protect the end device. If a laptop is infected, the tunnel simply carries the threat straight into the company. That is why the direction of thinking should cover not only the way of connecting, but also the state of the hardware people log in from.
A simple decision cheat sheet
- You have data on your own server and occasional remote access: a VPN still makes sense, but limit its reach.
- You work mainly in the cloud, people log in from various places and devices: the direction is Zero Trust.
- There was an incident or you are preparing for regulatory requirements: this is a good moment to review the whole access model.
A VPN is not a mistake, as long as you understand its limits and do not treat it as the only safeguard. If you want to check whether your remote access matches today’s threats, start with a simple conversation about how people connect to the company today and what they see after logging in. We will gladly help set the next steps without a revolution.