
VPN vs. Zero Trust Network Access Explained

VPNs were the old answer. Zero Trust is the new one. Here's what applies to your business.

Last updated: March 20, 2026

Your office is closed. Your employees work from home. They need to access:

  • Shared files on your file server
  • Your accounting software
  • Your internal apps
  • Maybe your POS reporting system

How do they connect securely?

Two main options: VPN (the traditional approach) and Zero Trust Network Access (ZTNA, the modern approach).

Both solve remote access. They work differently.

What a VPN does

A VPN creates an encrypted tunnel between your employee's device and your network. Once connected, the employee's device acts like it's physically on your office network.

How it works:

  1. Employee launches VPN client
  2. Authenticates with credentials (and hopefully MFA)
  3. Encrypted tunnel established
  4. Employee accesses network resources as if sitting in the office

What it provides:

  • Access to everything on your network
  • Encrypted traffic (can't be read by anyone who intercepts it in transit)
  • IP address appears as your office IP

The problems:

  • Once connected, the employee can reach everything on your network (over-provisioned access)
  • If a VPN endpoint is compromised (a connected device or the VPN server itself), the attacker gets that same network access
  • Performance varies (all traffic routed through VPN)
  • User experience can be poor for cloud apps (traffic goes through office first)
  • Difficult to manage granular access

What Zero Trust does

Zero Trust Network Access (ZTNA) is based on a simple principle: Never trust, always verify.

Instead of creating a network tunnel, ZTNA grants access to specific applications on a per-user, per-device basis.

How it works:

  1. Employee launches ZTNA client (or accesses via web portal)
  2. Authenticates with identity provider (Okta, Azure AD, Google Workspace)
  3. Device posture is checked (is it patched? antivirus running?)
  4. Access granted only to specific applications, not the whole network
  5. Access is session-based and can be revoked instantly

What it provides:

  • Access to only the specific apps a user needs
  • Continuous verification (not just at login)
  • Better performance for cloud apps (direct access)
  • More granular control

The tradeoff:

  • Requires more initial setup
  • Requires identity management infrastructure
  • More complex to understand and explain
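To make the two access models concrete, here is an added example (not code from the original article) that encodes the VPN flow and the ZTNA flow described above in Python: a VPN grant is network-wide once the user is authenticated, whereas the ZTNA decision checks user entitlement and device posture per app, is re-evaluated on every request, and can be revoked. The users, groups, app names and posture fields are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data; the users, groups and app names are hypothetical.
USERS = {"alice": {"finance"}, "bob": {"sales"}}

@dataclass
class Device:
    patched: bool
    antivirus_running: bool

# Per-app ZTNA policy: entitled groups plus the device posture each app demands.
ZTNA_POLICY = {
    "accounting":  {"groups": {"finance"}, "patched": True, "antivirus": True},
    "file-server": {"groups": {"finance", "sales"}, "patched": True, "antivirus": True},
    "hr-folder":   {"groups": {"hr"}, "patched": True, "antivirus": True},
}

def vpn_can_reach(authenticated: bool, app: str) -> bool:
    """VPN model: once the tunnel is up, every internal app is reachable,
    whatever the app and whatever state the device is in."""
    return authenticated

def ztna_decision(user: str, device: Device, app: str) -> tuple:
    """ZTNA model: decide per user, per device and per app; default deny."""
    policy = ZTNA_POLICY.get(app)
    if policy is None:
        return False, "unknown app: default deny"
    if not USERS.get(user, set()) & policy["groups"]:
        return False, f"{user} not entitled to {app}"
    if policy["patched"] and not device.patched:
        return False, "device not patched"
    if policy["antivirus"] and not device.antivirus_running:
        return False, "antivirus not running"
    return True, "allow"

class Session:
    """Session-scoped access: re-verified on every request, revocable at once."""
    def __init__(self, user: str, device: Device, app: str):
        self.user, self.device, self.app, self.revoked = user, device, app, False
    def request(self) -> bool:  # continuous verification, not just at login
        return not self.revoked and ztna_decision(self.user, self.device, self.app)[0]

if __name__ == "__main__":
    laptop = Device(patched=True, antivirus_running=True)
    print("VPN, bob -> hr-folder:", vpn_can_reach(True, "hr-folder"))
    print("ZTNA, bob -> hr-folder:", ztna_decision("bob", laptop, "hr-folder"))
    session = Session("alice", laptop, "file-server")
    laptop.antivirus_running = False  # posture changes mid-session
    print("ZTNA session after antivirus stops:", session.request())
```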

The comparison

| Factor | VPN | ZTNA |
|--------|-----|------|
| Access scope | Full network | Specific apps only |
| Trust model | Trust connected devices | Never trust, always verify |
| Setup complexity | Lower | Higher |
| Management complexity | Lower | Medium |
| User experience | Varies | Often better for cloud apps |
| Security | Good | Better |
| Cost | $5-$20/user/month | $5-$30/user/month |
| Best for | Simple remote access | Modern cloud-first businesses |

What can go wrong with VPN

Over-provisioned access. Once on VPN, a user can reach everything. Salesperson accessing the HR folder? Accountant accessing the production system? It's possible.

VPN credential theft. If credentials are compromised (phishing, breach), the attacker has network access. MFA helps but isn't foolproof.

VPN server as single point of failure. If your VPN concentrator fails, no one can connect. High availability costs more.

Split tunneling problems. Some VPNs route cloud app traffic directly (split tunnel) while others route everything through the office. Misconfiguration creates security gaps.

Performance issues. All traffic through one point. Video calls over VPN can be choppy.

Legacy VPN vulnerabilities. Old VPN software has known vulnerabilities. Not patching is dangerous.

What can go wrong with ZTNA

Initial setup complexity. Needs identity provider integration, app cataloging, policy definition. Takes time.

Application compatibility. Some legacy apps don't work well with ZTNA. May need additional configuration.

User friction. If verification is too frequent or too burdensome, users work around it.

Vendor lock-in. Moving between ZTNA vendors means rebuilding policies.

Cost surprises. Per-user, per-app pricing can get expensive.

What it costs

VPN solutions:

| Option | Cost | Notes |
|--------|------|-------|
| Built-in router VPN | $0-$200 | If your router supports it |
| SSL VPN (software) | $500-$2,000/year | For up to 50 users |
| Full VPN concentrator | $1,500-$10,000 | Hardware + subscription |

ZTNA solutions:

| Option | Cost | Notes |
|--------|------|-------|
| Cloud ZTNA (basic) | $5-$15/user/month | Best for pure cloud businesses |
| Cloud ZTNA (enterprise) | $15-$30/user/month | More features, better support |
| Self-hosted ZTNA | $2,000-$10,000 + maintenance | More control, more complexity |

Hybrid approach: VPN for some, ZTNA for others

Many businesses end up using both:

  • VPN for legacy systems that don't support ZTNA
  • ZTNA for modern cloud applications
  • VPN as backup if ZTNA fails

This isn't ideal but is realistic during transition periods.

Vendor questions (copy/paste)

For VPN:

  • "How many simultaneous connections does this support?"
  • "Does it support MFA? What methods?"
  • "Can I set up split tunneling? What are the security implications?"
  • "What's the performance impact on video calls?"
  • "How do I monitor who is connected and when?"

For ZTNA:

  • "What identity providers do you integrate with?"
  • "How does device posture checking work? What gets checked?"
  • "Can you handle [list your critical apps]?"
  • "What's the migration path from our current VPN?"
  • "How does this work for guest access or contractors?"

For either:

  • "What happens if the service goes down? Is there offline access?"
  • "Can you handle our peak concurrent user count?"
  • "What's included in support? What's the escalation process?"

Minimum viable implementation

Basic VPN (if you just need remote access now):

  1. Use your firewall's built-in VPN if it supports it
  2. Require MFA for all VPN users
  3. Document who has VPN access and why
  4. Review access quarterly—remove inactive accounts
  5. Keep VPN software updated
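As an added example (not part of the article), steps 2 to 4 above turned into a small quarterly review script: it reads constructed key=value VPN connection log lines against a hypothetical access roster and flags accounts without MFA, accounts inactive for 90 days, accounts that never connected, and connections from accounts that are not documented in the roster. The log format, the review date and all names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users and log lines); ROSTER is the "who has access and why" document.
ROSTER = {
    "alice": {"reason": "finance: accounting software", "mfa": True},
    "bob":   {"reason": "sales: CRM reports", "mfa": True},
    "carol": {"reason": "former contractor", "mfa": False},
    "dave":  {"reason": "IT admin", "mfa": True},
}

# Constructed VPN authentication log in a simple key=value format.
VPN_LOG = """\
2026-03-01T08:02:11Z user=alice event=connect src=203.0.113.10
2026-03-01T17:40:03Z user=alice event=disconnect
2026-03-14T09:15:47Z user=bob event=connect src=198.51.100.7
2025-11-02T10:00:00Z user=carol event=connect src=192.0.2.44
2026-03-19T03:12:09Z user=eve event=connect src=192.0.2.200
"""
AS_OF = datetime(2026, 3, 20)  # constructed date of this quarter's review

def last_connect(log_text: str) -> dict:
    """Return {user: most recent connect time}; disconnect events are ignored."""
    last = {}
    for line in log_text.splitlines():
        ts_str, *rest = line.split()
        fields = dict(p.split("=", 1) for p in rest)
        if fields.get("event") != "connect":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        last[fields["user"]] = max(ts, last.get(fields["user"], ts))
    return last

def review(roster: dict, log_text: str, now: datetime, inactive_days: int = 90) -> list:
    """Quarterly review: flag MFA-less, inactive, never-used and undocumented accounts."""
    last = last_connect(log_text)
    findings = []
    for user, info in roster.items():
        if not info["mfa"]:
            findings.append((user, "MFA not enforced"))
        if user not in last:
            findings.append((user, "never connected: remove or justify"))
        elif last[user] < now - timedelta(days=inactive_days):
            findings.append((user, f"inactive since {last[user]:%Y-%m-%d}"))
    for user in last:
        if user not in roster:
            findings.append((user, "connected but not in the access roster"))
    return sorted(findings)

if __name__ == "__main__":
    for user, issue in review(ROSTER, VPN_LOG, AS_OF):
        print(f"{user}: {issue}")
```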

ZTNA for cloud-first businesses:

  1. Ensure you have a solid identity provider (Azure AD, Okta, Google Workspace)
  2. Catalog what apps your users need to access
  3. Start with one app, test the flow
  4. Roll out to pilot users
  5. Expand to all users and apps over 3-6 months

Migration path (VPN to ZTNA):

  1. Inventory current VPN usage and access patterns
  2. Identify apps that could move to ZTNA first (cloud apps)
  3. Deploy ZTNA alongside VPN
  4. Move users gradually as apps are migrated
  5. Retire VPN when ZTNA covers all use cases

When to hire help

  • You're ready to move away from VPN and want guidance on ZTNA options.
  • You have a mix of legacy and modern apps and need help designing access.
  • You need help integrating ZTNA with your identity provider.
  • You're a compliance-regulated business and need documented remote access controls.
  • You keep having VPN issues and need a more modern solution.

VPN isn't going away—it's still a useful tool. But for businesses building new remote access infrastructure, ZTNA is the better long-term choice. For businesses with existing VPN, evaluate the cost of migration against the security benefits.
