For two decades a company’s security rested on a simple metaphor: a castle with a wall and a moat. Inside was the trusted network, outside the world. The VPN played the role of a drawbridge that let the employee inside. This logic worked as long as work happened in the office and data sat on the company server. Today applications are in the cloud, people work from home and cafes, and devices are sometimes private. The wall stopped surrounding anything meaningful, and the bridge turned out to be a convenient entrance for the attacker too. The answer to this change is the Zero Trust model.

Why the classic VPN stops being enough

The VPN rests on an assumption that today is wrong: that everything inside the company network deserves trust. The problems follow directly from that principle.

  • Access that is too broad. After logging in through the VPN, the user usually lands in the whole network, not in the single application they need. A compromised account means access to everything.
  • Lateral movement. An attacker who gets inside moves around the network freely, because inside no one checks them anymore. This is exactly how ransomware spreads.
  • No context. A classic VPN only asks for a login and password. It does not care whether the device is up to date or whether the login looks suspicious.
  • Vulnerabilities of the VPN gateways themselves. Access servers can be targets of attacks, and a single unpatched gap opens the way to the whole company.

In the incidents I have analysed, the attacker repeatedly got in through a legitimate VPN account, and then moved around the network unnoticed for weeks. The network trusted them because they were inside. This is exactly the assumption that Zero Trust eliminates.

What Zero Trust is

Zero Trust is not a product you buy, but a model for designing security. It is summed up by one principle: never trust, always verify. There is no trusted and untrusted network. Every access request is checked anew, regardless of where it comes from.

The model rests on three foundations.

  1. Assume a breach has happened. Design as if the attacker were already inside. This shifts the mindset from building a wall to limiting the damage.
  2. Verify explicitly. Make every access decision on the basis of many signals: identity, device state, location and risk level.
  3. Apply least privilege. Give exactly the access needed for the task, and only for the time it takes to do it.

Identity as the new perimeter

Since there is no longer a network wall, its role is taken over by identity. It is the user account, not the IP address, that becomes the point around which we build protection. That is why a Zero Trust deployment almost always begins with order in identity, for example in Entra ID.

  • Strong authentication. MFA as standard, and for privileged accounts phishing-resistant methods, such as FIDO2 keys.
  • A single source of identity. Central management of accounts instead of separate logins in every application.
  • Account lifecycle. Permissions are created on hiring, change when the role changes and expire on departure, without weeks of delay.

Conditional access instead of a gate

The heart of Zero Trust is conditional access. It is a mechanism that turns login from a single gate into a decision based on context. The system no longer asks only whether you know the password, but who, from where, from which device and in what situation wants to get in.

Typical rules that build this model:

  • Access to company data only from a device compliant with policy, for example managed and up to date.
  • Additional verification or a block when logging in from an unusual country or at elevated risk.
  • Different levels of access depending on the sensitivity of the application the user reaches for.

Only the combination of strong identity and conditional access gives the effect the VPN does not achieve: precise access, to a single application, checked at every request.

Segmentation, the end of the flat network

The last pillar is segmentation, and ultimately microsegmentation. Instead of one flat network you can move around freely, we divide the environment into small zones with separately controlled access. Thanks to this, taking over one account or device does not open the way to the rest of the company. Lateral movement, which is the fuel of most serious attacks, is cut off. Segmentation pairs well with a detection layer on devices, such as EDR and XDR solutions, which catch unusual behaviour inside each zone.

Zero Trust and the VPN in practice

This is not a binary choice made overnight. Zero Trust is deployed in stages, and in many companies the VPN will coexist with the new model for some time yet, for example for selected legacy systems. A sensible order usually looks like this:

  1. Sort out identity and enable strong MFA for everyone.
  2. Deploy basic conditional access policies based on device and risk.
  3. Start exposing applications without letting the user into the whole network.
  4. Divide the network into segments and limit traffic between them.
  5. Gradually wind down broad VPN access where the new model has already replaced it.

Zero Trust does not mean that the company network and VPN stop being needed. It means that trust stops arising from the mere fact of being inside. If you are wondering where to start in your company, a good starting point is a conversation about what your remote access looks like today and where that old logic of a trusted network creates real risk.