Technology

Securing Remote Access: VPN and ZTNA Considerations

Remote access has gone from edge case to default in most organisations. The way that access gets delivered, however, varies wildly. Some businesses still rely on traditional VPNs that grant network-level connectivity. Others have moved to zero trust network access, where each application gets its own brokered connection. The choice matters, both for user experience and for the attack surface that comes with it.

VPNs Are Not What They Used to Be

Traditional VPN concentrators served a clear purpose when staff worked in offices and remote access was occasional. The model granted users access to the corporate network as if they were physically present, with all the assumptions that came with it. Today, that same model creates problems. A compromised device gets the same network-level access as the legitimate user, and lateral movement begins immediately. The major VPN vendors have all faced critical vulnerabilities that highlight the cost of having appliances always exposed to the internet.

Zero Trust Network Access Reframes the Problem

ZTNA inverts the traditional model. Rather than placing the user on the network, it brokers individual application connections through an identity-aware proxy. Each request gets evaluated against policy, including device posture, user identity, application sensitivity, and current risk signals. The user never sees the network behind the proxy. An attacker who steals credentials still needs to satisfy the policy conditions, which raises the bar significantly. external network penetration testing that probes both the perimeter and the application proxies finds the seams between the two layers.

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

Comments: Many of my clients are mid-migration from VPN to ZTNA, with both running side by side for an extended period. The mid-migration state is often the riskiest part. Old VPN policies remain in place while new ZTNA controls assume different defaults, and attackers find the inconsistencies between them faster than the security team finds them.

Device Posture Matters More Than People Realise

Both VPN and ZTNA can incorporate device posture checks, but the implementations vary. A laptop with disabled antivirus, an outdated operating system, or signs of compromise should not have the same access as a fully managed corporate device. Posture assessment, ideally continuous rather than at connection time, gives you a chance to revoke access when something changes mid-session. The setup is fiddly. The protection is real.

Authentication Cannot Be an Afterthought

Whether you use VPN or ZTNA, the authentication layer is where most attacks land. Password-based authentication on remote access endpoints attracts brute force attempts constantly. MFA reduces but does not eliminate the risk, particularly with the rise of token theft attacks. Phish-resistant authentication using FIDO2 or platform credentials raises the bar substantially. The cost of rolling these out is modest. The peace of mind they bring is significant.

Logging and Detection Specific to Remote Access

Watch for impossible travel, unusual access times, and connections from regions where you have no staff. Monitor authentication failures and successful authentications from new devices. Investigate when a single user account connects from multiple geographies in quick succession. Most VPN and ZTNA products produce excellent logs out of the box, but few organisations set up the alerting that turns those logs into actionable intelligence.

Building the Right Stack

If you still rely entirely on a traditional VPN, consider whether ZTNA would reduce your exposure for high-value applications without forcing a complete migration. Pair the access layer with strong identity controls, device posture assessment, and tight monitoring. Engage a best penetration testing company who has hands-on experience with both technologies and can review the resulting configuration end to end. Remote access is too important to leave to default settings.