VPN vs. Zero Trust: when the tunnel is no longer enough
2026-07-12 · by SECURITYSQUAD

The VPN is the workhorse of remote access: an encrypted tunnel into the corporate network, and the home office works as if it were sitting in the building. That very equation is the problem. Because whoever is inside the tunnel is treated as trusted in many places – and trust that ends at the network boundary is too coarse for 2026.
The promise – and the weakness of the classic VPN
The VPN follows the perimeter idea: inside is safe, outside is dangerous. After a successful login, the user lands on the internal network, often with far-reaching access. That works as long as the boundary is clear-cut. When it isn't – because devices get compromised, credentials fall into the wrong hands or service providers are connected in – the tunnel becomes a door opener. An attacker with valid access moves sideways through the network (lateral movement) and reaches systems that have nothing to do with their actual task. The VPN checks whether someone may enter, but hardly what for.
Zero Trust: trust is not a matter of network location
Zero Trust reverses the assumption: no system, user or device is trustworthy simply because of where it sits on the network. The principle "never trust, always verify" means, in concrete terms, that every access is checked individually – based on identity, device posture, context and authorisation. The US standards body NIST described the model as a reference in SP 800-207.
In practice, broad network access is replaced by application-level access (Zero Trust Network Access, ZTNA): a user is granted access to exactly the application they need – not to the entire network segment behind it. Permissions follow the principle of least privilege, and verification is continuous, not just once at login.
Either-or? More like together
In reality, the switch is not a single toggle. Many organisations keep running their VPN and gradually move critical applications behind ZTNA. There are plenty of sensible intermediate steps: enforce multi-factor authentication consistently, segment the internal network so that one compromised account does not open the whole house, and factor device posture into the access decision. Each of these steps reduces implicit trust without rebuilding operations overnight.
The realistic path there
It starts not with technology but with an inventory: which applications are business-critical, who accesses them from where, and which data hangs off them? These "crown jewels" move into a Zero Trust model first; the rest follows by risk. For many companies the pressure will come from outside anyway: NIS2 and the growing requirements for access control and accountability turn fine-grained access from a nice-to-have into an obligation.
VPN and Zero Trust are not a holy war. The VPN will not disappear overnight – but it should no longer be the only guard between a stolen password and your most important systems.
Read more: Expertise & Services · Zero Trust in practice · NIS2 for mid-sized companies