VPNs vs Zero Trust Networks for Remote Access

With everyone working from home, VPN infrastructure is straining. Many are discovering that VPNs were never the right answer for accessing applications.

The VPN Model

Traditional VPN approach:

Employee's Home → VPN Tunnel → Corporate Network → All Resources
                    ↑
             Trust everything inside

Once connected, users have broad network access. It’s perimeter security extended to home networks.

VPN Problems

Implicit Trust

VPN = access to everything. A compromised user account can traverse the entire network.

Performance

User → VPN Concentrator → Application
       ↑
  Bottleneck under load

All traffic through central point. Not designed for 100% remote workforce.

Complexity

• Split tunneling security risks
• Client software maintenance
• Network conflicts
• Troubleshooting is painful

Doesn’t Protect Against Insider Threats

Once you’re “in,” you’re trusted. Malicious insiders or compromised credentials have free reign.

Zero Trust Approach

User + Device + Context → Policy Decision → Specific Application
                 ↓
         Never implicit trust
         Always verify
         Least privilege

Core Principles

1. Verify explicitly: Every access request authenticated/authorized
2. Least privilege: Minimum access needed
3. Assume breach: Design for compromised networks

Architecture Comparison

VPN Architecture

┌─────────────────────────────────────────┐
│            Corporate Network            │
│  ┌─────────┐ ┌─────────┐ ┌─────────┐  │
│  │ App A   │ │ App B   │ │ Database │  │
│  └─────────┘ └─────────┘ └─────────┘  │
│                ▲                        │
│       ┌──────────────┐                 │
│       │ VPN Gateway  │ ← Remote User   │
│       └──────────────┘                 │
└─────────────────────────────────────────┘

Access = access to everything.

Zero Trust Architecture

                          ┌───────────┐
                          │ Policy    │
                          │ Engine    │
                          └─────┬─────┘
                                │
┌────────────────────────────────────────────────┐
│                                                │
│   ┌──────────────────────────────────────┐   │
│   │            Identity Proxy             │   │
│   └────────┬────────────┬────────────────┘   │
│            │            │                     │
│       ┌────▼───┐   ┌────▼───┐   ┌────────┐  │
│       │ App A  │   │ App B  │   │Database │  │
│       │ (yes)  │   │ (no)   │   │ (no)    │  │
│       └────────┘   └────────┘   └────────┘  │
│                                              │
└────────────────────────────────────────────────┘

Remote User → Identity Proxy → Only App A

Access = only what’s authorized.

Zero Trust Components

Identity Provider

Strong authentication for every user:

# Example policy
- user: developer@company.com
  mfa_required: true
  device_requirements:
    - enrolled_in_mdm
    - encrypted_disk
    - updated_os

Device Trust

Verify the endpoint, not just the user:

• Is device managed/enrolled?
• Is disk encrypted?
• Is security software running?
• Is OS patched?

Access Proxy

Sits in front of applications:

# Conceptual - actual implementation varies
server {
    location /app {
        auth_request /auth-verify;
        proxy_pass http://internal-app;
    }
}

Continuous Verification

Trust isn’t static:

• Re-verify periodically
• Detect anomalies (unusual location, time, behavior)
• Step-up authentication for sensitive actions

Zero Trust Solutions

BeyondCorp Enterprise (Google)

Google’s internal model, now available:

• Context-aware access
• Chrome Enterprise integration
• Works with Google Workspace

Cloudflare Access

Edge-based zero trust:

• No hardware
• Works with any identity provider
• Per-application access

Zscaler Private Access

Cloud-delivered ZTNA:

• User-to-application segmentation
• No network access granted
• Works like SaaS

Azure AD + Conditional Access

Microsoft ecosystem:

• Integrates with Intune (devices)
• Conditional access policies
• Works with any Azure AD app

Migration Path

Phase 1: Inventory

1. List all applications requiring remote access
2. Identify users and their access needs
3. Map current VPN usage patterns

Phase 2: Identity Foundation

1. Implement SSO if not present
2. Enable MFA everywhere
3. Integrate device management

Phase 3: Pilot Applications

1. Choose 2-3 applications
2. Put behind identity proxy
3. Test with pilot group

Phase 4: Gradual Migration

1. Move applications one by one
2. Keep VPN as fallback
3. Reduce VPN scope progressively

Phase 5: VPN Sunset

1. VPN only for legacy/exceptions
2. Block broad network access
3. Eventually retire

Practical Example

Before: VPN Access

User connects VPN → Gets 10.0.0.0/8 access → Can reach everything

After: Zero Trust

# Access policy for Jenkins
application: jenkins.internal
requirements:
  - mfa_verified: true
  - device_enrolled: true
  - groups: [developers, devops]
  - network: [office_ips, approved_countries]

# Access policy for production database
application: prod-db.internal
requirements:
  - mfa_verified: true
  - device_enrolled: true
  - groups: [dba]
  - time: business_hours
  - approval: required

What About VPN?

VPNs won’t disappear immediately. They’re still useful for:

• Legacy applications that can’t be proxied
• Network-level access requirements
• Transition period fallback

But VPN scope should shrink over time.

Final Thoughts

Zero Trust isn’t a product—it’s an architecture. The goal is removing implicit trust from your network.

Start with identity. Add device trust. Put applications behind access proxies. Shrink VPN scope.

The pandemic accelerated this transition. Don’t go back to VPN-first when it’s over.

Trust nothing. Verify everything.