Remote access has gone from edge case to default in most organisations. The way that access gets delivered, however, varies wildly. Some businesses still rely on traditional VPNs that grant network-level connectivity. Others have moved to zero trust network access, where each application gets its own brokered connection. The choice matters, both for user experience and for the attack surface that comes with it.
VPNs Are Not What They Used to Be
Traditional VPN concentrators served a clear purpose when staff worked in offices and remote access was occasional. The model granted users access to the corporate network as if they were physically present, with all the assumptions that came with it. Today, that same model creates problems: a compromised device gets the same network-level access as the legitimate user, and from there it can reach every host the VPN routes to, not just the handful of applications the user actually needed.
Zero Trust Network Access Reframes the Problem
ZTNA inverts the traditional model. Rather than placing the user on the network, it brokers individual application connections through an identity-aware proxy. Each request gets evaluated against policy, including device posture, user identity, application sensitivity, and current risk signals. The user never sees the network behind the proxy.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
“Many of my clients are mid-migration from VPN to ZTNA, with both running side by side for an extended period. The mid-migration state is often the riskiest part. Old VPN policies remain in place while new ZTNA controls assume different defaults, and attackers find the inconsistencies faster than the security team.”
Device Posture Matters More Than People Realise

Both VPN and ZTNA can incorporate device posture checks, but the implementations vary widely in what they inspect (OS patch level, disk encryption, whether the EDR agent is running, presence of a device certificate) and in when they inspect it. Posture assessment, ideally continuous rather than only at connection time, gives you a chance to revoke access when something changes mid-session, such as the endpoint agent being stopped or the device dropping out of management.
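The per-application policy decision described under "Zero Trust Network Access Reframes the Problem" and the mid-session revocation described above, as one added example. This is illustrative code written for this page, not any vendor's broker; the application tiers, the authentication-strength scale, the posture fields and the risk thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Application sensitivity tiers. Assumed for this example; a real broker reads
# these from its policy store.
APP_TIERS: Dict[str, str] = {
    "wiki": "low",
    "ticketing": "medium",
    "payroll": "high",
    "prod-admin": "high",
}

# Minimum requirements per tier. A request must satisfy every column for its tier.
# Authentication strength: 1 = password, 2 = OTP/push MFA, 3 = FIDO2 (assumed scale).
TIER_RULES: Dict[str, Dict[str, int]] = {
    "low":    {"min_auth": 1, "managed_device": 0, "max_risk": 70},
    "medium": {"min_auth": 2, "managed_device": 1, "max_risk": 50},
    "high":   {"min_auth": 3, "managed_device": 1, "max_risk": 30},
}


@dataclass
class Posture:
    """Device posture signals as an endpoint agent might report them (assumed set)."""
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    os_patched: bool

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.edr_healthy and self.os_patched


@dataclass
class Request:
    user: str
    app: str
    auth_level: int
    risk_score: int      # 0..100 from the identity provider's risk engine (assumed scale)
    posture: Posture


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Per-application decision. Deny by default: an app with no tier is never reachable,
    and any failing condition denies the request; every reason is returned for logging."""
    tier = APP_TIERS.get(req.app)
    if tier is None:
        return False, ["unknown application"]
    rules = TIER_RULES[tier]
    reasons: List[str] = []
    if req.auth_level < rules["min_auth"]:
        reasons.append(f"auth level {req.auth_level} below required {rules['min_auth']}")
    if rules["managed_device"] and not req.posture.healthy():
        reasons.append("device posture not acceptable for this tier")
    if req.risk_score > rules["max_risk"]:
        reasons.append(f"risk score {req.risk_score} above maximum {rules['max_risk']}")
    return (not reasons), reasons


@dataclass
class Session:
    req: Request
    active: bool = True
    log: List[str] = field(default_factory=list)


def open_session(req: Request) -> Session:
    """Brokered connection to one application; the user never gets a network route."""
    ok, reasons = evaluate(req)
    session = Session(req, active=ok)
    session.log.append(f"{req.user}->{req.app}: " + ("granted" if ok else "denied: " + "; ".join(reasons)))
    return session


def reevaluate(session: Session, posture: Optional[Posture] = None,
               risk_score: Optional[int] = None) -> bool:
    """Continuous evaluation: feed in updated signals and tear the session down
    as soon as the original decision no longer holds. A revoked session is not re-granted."""
    if posture is not None:
        session.req.posture = posture
    if risk_score is not None:
        session.req.risk_score = risk_score
    ok, reasons = evaluate(session.req)
    if session.active and not ok:
        session.active = False
        session.log.append("revoked mid-session: " + "; ".join(reasons))
    return session.active


if __name__ == "__main__":
    good = Posture(managed=True, disk_encrypted=True, edr_healthy=True, os_patched=True)
    s = open_session(Request("alice", "payroll", auth_level=3, risk_score=10, posture=good))
    # The EDR agent stops reporting part-way through: access is revoked now, not at logout.
    reevaluate(s, posture=Posture(True, True, False, True))
    print("\n".join(s.log))
```

The point of the shape is that the same evaluate() runs at connect time and on every posture or risk update; a connect-time-only implementation is the same code with reevaluate() never called, which is exactly the gap a mid-session compromise exploits.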
Authentication Cannot Be an Afterthought
Password-based authentication on remote access endpoints attracts brute force and credential-stuffing attempts constantly. MFA reduces but does not eliminate the risk, particularly with the rise of token theft: adversary-in-the-middle phishing kits relay one-time codes and push approvals in real time and capture the resulting session token, which then works from the attacker's machine without any further prompt. Phishing-resistant authentication using FIDO2 raises the bar substantially, because the credential is bound to the origin it was registered for and cannot be replayed through a proxy on a different domain.
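Why an OTP relays cleanly through a phishing proxy while a FIDO2 assertion does not, as an added example written for this page (not code from any WebAuthn library). The HMAC "signature" is a stand-in for the authenticator's private-key signature so the example runs without dependencies; the origin and rpId binding, the challenge tracking and the relying-party checks are the actual WebAuthn mechanism. The relying party ID, origins and OTP seed are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import struct
from typing import Optional, Tuple

RP_ID = "vpn.corp.example"                       # assumed relying-party identifier
ALLOWED_ORIGINS = {"https://vpn.corp.example"}   # origins the relying party accepts
PHISH_ORIGIN = "https://vpn-corp-login.example"  # assumed attacker-controlled proxy


class Authenticator:
    """Toy security key. HMAC with a per-RP secret stands in for an ECDSA signature
    (assumption for this example); the secret never leaves the key."""
    def __init__(self) -> None:
        self._creds = {}

    def make_credential(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]      # what the RP stores as the "public key" in this toy

    def get_assertion(self, rp_id: str, client_data: bytes) -> Tuple[bytes, bytes]:
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()    # || clientDataHash
        return auth_data, hmac.new(self._creds[rp_id], signed, "sha256").digest()


def browser_get(origin: str, rp_id: str, challenge: str, key: Authenticator) -> Optional[dict]:
    """The browser writes the origin it is really on into clientDataJSON and refuses
    an rpId that is not that origin's host or a registrable suffix of it."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None     # a page on the phishing domain cannot ask for the real RP's credential
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, pubkey: bytes) -> None:
        self.pubkey = pubkey
        self.pending = set()          # issued, not yet consumed challenges

    def challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, a: dict) -> bool:
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") not in ALLOWED_ORIGINS:
            return False              # origin binding: a relayed assertion fails here
        if cd.get("challenge") not in self.pending:
            return False              # replay or unknown challenge
        if a["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
            return False              # rpIdHash mismatch
        expected = hmac.new(self.pubkey, a["authenticatorData"] +
                            hashlib.sha256(a["clientDataJSON"]).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, a["signature"]):
            return False
        self.pending.discard(cd["challenge"])
        return True


def fido2_login(page_origin: str) -> bool:
    """User authenticates from a page at page_origin; the challenge is the real RP's
    (a proxy simply relays it), so only the origin differs between the cases."""
    key = Authenticator()
    rp = RelyingParty(key.make_credential(RP_ID))
    assertion = browser_get(page_origin, RP_ID, rp.challenge(), key)
    return assertion is not None and rp.verify(assertion)


def fido2_forged_origin() -> bool:
    """Even if the browser-side check were bypassed, the signed clientData still
    names the phishing origin and the RP rejects it."""
    key = Authenticator()
    rp = RelyingParty(key.make_credential(RP_ID))
    client_data = json.dumps({"type": "webauthn.get", "challenge": rp.challenge(),
                              "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = key.get_assertion(RP_ID, client_data)
    return rp.verify({"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig})


def totp_code(secret: bytes, step: int) -> str:
    """RFC 6238-style code (HMAC-SHA1, dynamic truncation); bound to time only."""
    h = hmac.new(secret, struct.pack(">Q", step), "sha1").digest()
    o = h[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", h[o:o + 4])[0] & 0x7FFFFFFF) % 1_000_000)


def otp_login_via_proxy(step: int = 1_700_000) -> bool:
    """The victim types the code into the phishing page; the proxy forwards it unchanged
    and the real service accepts it, because nothing in the code says where it was typed."""
    seed = b"constructed-shared-seed"          # constructed for the example
    typed_on_phishing_page = totp_code(seed, step)
    relayed_by_proxy = typed_on_phishing_page
    return hmac.compare_digest(relayed_by_proxy, totp_code(seed, step))
```

fido2_login("https://vpn.corp.example") succeeds, fido2_login(PHISH_ORIGIN) and fido2_forged_origin() fail, and otp_login_via_proxy() succeeds: the OTP is what the adversary-in-the-middle kits in the paragraph above relay, and the origin check in RelyingParty.verify() is what they cannot get past.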
Logging and Detection Specific to Remote Access
Watch for impossible travel, unusual access times, and connections from regions where you have no staff. Monitor bursts of authentication failures against a single account or from a single source, and successful authentications from devices the user has never used before, especially when they follow a run of failures. Most VPN and ZTNA products log authentication outcomes, source address, device identifiers and session lifetimes by default; the work is in shipping those logs to your SIEM and writing the detections against them.
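The detections listed above run over a handful of constructed authentication events, as an added example written for this page (not a vendor's log format or a product's built-in rules). The field names, the allowed-country list, the known-device baseline, the working-hours window and the speed and failure thresholds are all assumptions; the sample events are constructed, not real logs.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

ALLOWED_COUNTRIES = {"GB", "IE"}            # assumed: where the organisation has staff
KNOWN_DEVICES: Dict[str, Set[str]] = {      # assumed baseline from prior successful logins
    "alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"},
}
MAX_SPEED_KMH = 900                          # faster than this between two logins is impossible travel
FAIL_THRESHOLD = 5                           # failures per account within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
WORK_HOURS = range(6, 22)                    # 06:00-21:59 UTC treated as normal (assumption)

# Constructed sample events in an assumed normalised shape; "XX" is a placeholder country.
EVENTS = [
    {"ts": "2024-03-04T09:02:00", "user": "alice", "result": "success", "src_ip": "198.51.100.7",
     "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "dev-a1"},
    {"ts": "2024-03-04T09:40:00", "user": "alice", "result": "success", "src_ip": "192.0.2.44",
     "country": "SG", "lat": 1.3521, "lon": 103.8198, "device": "dev-a1"},
    *[{"ts": f"2024-03-04T03:0{i}:00", "user": "bob", "result": "failure", "src_ip": "203.0.113.9",
       "country": "XX", "lat": 0.0, "lon": 0.0, "device": ""} for i in range(6)],
    {"ts": "2024-03-04T03:07:00", "user": "bob", "result": "success", "src_ip": "203.0.113.9",
     "country": "XX", "lat": 0.0, "lon": 0.0, "device": "dev-zz"},
    {"ts": "2024-03-04T14:00:00", "user": "carol", "result": "success", "src_ip": "198.51.100.8",
     "country": "GB", "lat": 51.4545, "lon": -2.5879, "device": "dev-c1"},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events: List[dict], known_devices: Dict[str, Set[str]] = KNOWN_DEVICES,
           allowed: Set[str] = ALLOWED_COUNTRIES) -> List[Tuple[str, str, str]]:
    """Single pass over time-ordered events; returns (rule, user, detail) alerts."""
    alerts: List[Tuple[str, str, str]] = []
    last_success: Dict[str, dict] = {}
    failures: Dict[str, List[datetime]] = defaultdict(list)
    seen = {u: set(d) for u, d in known_devices.items()}

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]

        if e["result"] == "failure":
            # sliding window of failures per account; fire once when the threshold is hit
            failures[user] = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[user]) == FAIL_THRESHOLD:
                alerts.append(("brute_force", user,
                               f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW} from {e['src_ip']}"))
            continue

        # successful authentication: region, time of day, device, travel speed
        if e["country"] not in allowed:
            alerts.append(("unexpected_country", user, e["country"]))
        if ts.hour not in WORK_HOURS:
            alerts.append(("unusual_hour", user, ts.isoformat()))
        devices = seen.setdefault(user, set())
        if e["device"] not in devices:
            alerts.append(("new_device", user, e["device"]))
            devices.add(e["device"])
        prev = last_success.get(user)
        if prev is not None:
            hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", user,
                               f"{km:.0f} km in {hours * 60:.0f} min ({prev['country']} -> {e['country']})"))
        last_success[user] = e

    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS):
        print(f"{rule:<20} {user:<8} {detail}")
```

On the constructed events this raises one brute_force alert for bob followed by a success from an unknown device, outside working hours, from a country with no staff, plus an impossible_travel and unexpected_country pair for alice; carol's login produces nothing. The brute-force rule fires on the count reaching the threshold rather than on every subsequent failure, so a sustained spray produces one alert per window rather than a flood.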
Building the Right Stack
If you still rely entirely on a traditional VPN, consider whether ZTNA would reduce your exposure for high-value applications without forcing a complete migration. Pair the access layer with strong identity controls, device posture assessment, and tight monitoring. Remote access is too important to leave to default settings.
