The traditional VPN model assumes that once you’re on the network, you’re trusted. Zero trust flips this: trust nothing, verify everything. With remote work becoming permanent, the differences matter more than ever.
Here’s how these approaches compare and when to use each.
The VPN Model
How It Works
```text
┌─────────────────────────────────────────────────────────────┐
│                      Corporate Network                      │
│                       (Trusted Zone)                        │
│                                                             │
│   ┌─────────┐      ┌─────────┐      ┌─────────┐             │
│   │ Server  │      │  Email  │      │   DB    │             │
│   └─────────┘      └─────────┘      └─────────┘             │
│                                                             │
└───────────────────────┬─────────────────────────────────────┘
                        │ VPN Tunnel
                        │
┌───────────────────────▼─────────────────────────────────────┐
│                          Internet                           │
│                         (Untrusted)                         │
└───────────────────────┬─────────────────────────────────────┘
                        │
                 ┌──────▼──────┐
                 │   Remote    │
                 │   Worker    │
                 └─────────────┘
```
Assumption: Network perimeter = security boundary
VPN Problems
Flat network access:
- VPN grants access to entire network
- Lateral movement easy once inside
- Overly broad permissions common
Performance:
- All traffic routes through VPN gateway
- Bottleneck during peak hours
- Cloud services accessed inefficiently
User experience:
- Connection drops
- Slow access to cloud resources
- Split-tunneling security tradeoffs
Security gaps:
- Compromised device = compromised network
- Credential theft = full access
- No continuous verification
The Zero Trust Model
Core Principles
```text
┌─────────────────────────────────────────────────────────────┐
│                                                             │
│   1. Never trust, always verify                             │
│   2. Assume breach                                          │
│   3. Verify explicitly                                      │
│   4. Least privilege access                                 │
│   5. Continuous validation                                  │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
How It Works
```text
                   ┌─────────────────────────────────────────┐
                   │            Identity Provider            │
                   │            (Authentication)             │
                   └──────────────────┬──────────────────────┘
                                      │
                   ┌──────────────────▼──────────────────────┐
                   │              Policy Engine              │
                   │  (User + Device + Context = Decision)   │
                   └──────────────────┬──────────────────────┘
                                      │
        ┌─────────────────────────────┼─────────────────────────────┐
        │                             │                             │
        ▼                             ▼                             ▼
┌────────────────┐            ┌────────────────┐            ┌────────────────┐
│   Service A    │            │   Service B    │            │   Service C    │
│  (Authorized)  │            │(Not Authorized)│            │  (Authorized)  │
└────────────────┘            └────────────────┘            └────────────────┘
```
Every access request evaluates:
- Who is requesting? (identity)
- What device? (device posture)
- What are they accessing? (resource)
- What context? (location, time, risk signals)
Zero Trust Components
```yaml
identity:
  - Strong authentication (MFA everywhere)
  - Single sign-on (SSO)
  - Continuous session validation
device:
  - Device health verification
  - Endpoint detection and response (EDR)
  - Certificate-based identity
network:
  - Micro-segmentation
  - Encrypted communication
  - No implicit trust
application:
  - Per-application access policies
  - Just-in-time access
  - Session-based authorization
data:
  - Data classification
  - Encryption at rest and in transit
  - Access logging
```
Comparison
Access Model
VPN:
Connect → Full network access → Access resources
Zero Trust:
Request resource → Verify identity → Verify device → Check policy → Grant specific access
Security Posture
| Aspect | VPN | Zero Trust |
|---|---|---|
| Network trust | Internal = trusted | Nothing trusted |
| Access scope | Broad | Specific |
| Lateral movement | Easy | Difficult |
| Compromised credential impact | High | Limited |
| Visibility | Network perimeter | Every request |
Performance
VPN:
User → VPN Gateway → Internet → Cloud Service
(backhauled through corporate network)
Zero Trust:
User → Identity/Policy → Cloud Service
(direct path to resource)
Implementation
Zero Trust Architecture
```yaml
components:
  identity_provider:
    - Okta / Azure AD / Google Workspace
    - MFA required for all users
    - Risk-based authentication
  access_proxy:
    - Cloudflare Access / Zscaler / Google BeyondCorp
    - Per-application policies
    - No network-level access
  device_trust:
    - MDM enrollment required
    - EDR agent required
    - Compliance checks (encryption, updates, etc.)
  policy_engine:
    - User + Device + Context = Allow/Deny
    - Continuous evaluation
    - Audit logging
```
Migration Path
Phase 1: Inventory and Identity
- Catalog all applications
- Implement SSO for all apps
- Enable MFA everywhere
Phase 2: Device Trust
- Deploy endpoint management
- Define device compliance policies
- Implement device certificates
Phase 3: Access Proxy
- Deploy zero trust access proxy
- Migrate applications one by one
- Start with low-risk applications
Phase 4: Reduce VPN Dependency
- Move remaining apps to zero trust
- VPN for legacy only
- Eventually deprecate VPN
Policy Examples
```yaml
# Application access policy
app: internal-wiki
rules:
  - name: "Standard access"
    conditions:
      - identity: authenticated
      - groups: employees
      - device: managed
      - device_compliance: true
    action: allow
  - name: "Contractor access"
    conditions:
      - identity: authenticated
      - groups: contractors
      - device: any
      - mfa: required_per_session
      - location: approved_countries
    action: allow
  - name: "Default deny"
    action: deny
---
# High-security application
app: hr-system
rules:
  - name: "HR team access"
    conditions:
      - identity: authenticated
      - groups: hr-team
      - device: managed
      - device_compliance: true
      - mfa: hardware_key_required
      - location: corporate_or_approved_home
      - time: business_hours
    action: allow
  - name: "Default deny"
    action: deny
```
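To make the "who, what device, what resource, what context" evaluation concrete, here is an added example (not code from the original post) of a minimal policy engine that walks the hr-system rules above in order, first match wins, so the explicit "Default deny" rule catches every request the allow rule does not fully satisfy. The policy is embedded as a Python dict mirroring the YAML; the meaning of the named sets (`corporate_or_approved_home`, `approved_countries`, `business_hours`) and the MFA strength ordering are assumptions.

```python
from datetime import datetime

# Constructed policy mirroring the page's hr-system rules as a Python dict
# (no YAML parser needed); condition keys follow the page's examples.
HR_POLICY = {
    "app": "hr-system",
    "rules": [
        {"name": "HR team access",
         "conditions": [{"identity": "authenticated"}, {"groups": "hr-team"},
                        {"device": "managed"}, {"device_compliance": True},
                        {"mfa": "hardware_key_required"},
                        {"location": "corporate_or_approved_home"},
                        {"time": "business_hours"}],
         "action": "allow"},
        {"name": "Default deny", "action": "deny"},
    ],
}
# Named sets and MFA strength ordering: constructed assumptions, not from the page.
LOCATION_SETS = {"approved_countries": {"US", "CA", "DE"},
                 "corporate_or_approved_home": {"corp-office", "home-approved"}}
MFA_RANK = {"none": 0, "totp": 1, "hardware_key": 2}
MFA_REQUIRED = {"required_per_session": "totp", "hardware_key_required": "hardware_key"}

def condition_holds(key, want, req):
    """Check one rule condition against the request context (a dict)."""
    if key == "identity":
        return want == "authenticated" and req.get("authenticated") is True
    if key == "groups":
        return want in req.get("groups", ())
    if key == "device":
        return want == "any" or req.get("device") == want
    if key == "device_compliance":
        return req.get("device_compliance") is want
    if key == "mfa":  # presented MFA must be at least as strong as required
        return MFA_RANK.get(req.get("mfa", "none"), 0) >= MFA_RANK[MFA_REQUIRED[want]]
    if key == "location":
        return req.get("location") in LOCATION_SETS[want]
    if key == "time":  # business_hours assumed to mean Mon-Fri, 09:00-18:00 local
        now = datetime.fromisoformat(req["now"])  # ISO timestamp of the request
        return want == "business_hours" and now.weekday() < 5 and 9 <= now.hour < 18
    return False  # unknown condition key: fail closed

def evaluate(policy, req):
    """First rule whose conditions all hold decides; returns (action, rule_name)."""
    for rule in policy["rules"]:
        conds = rule.get("conditions", [])  # a rule with no conditions always matches
        if all(condition_holds(k, v, req) for c in conds for k, v in c.items()):
            return rule["action"], rule["name"]
    return "deny", "implicit default deny"  # safety net if a policy omits its deny rule
```

Every decision comes back with the rule name that produced it, which is what the audit log should record alongside the request context.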
When to Use Each
VPN Still Makes Sense
- Legacy applications that can’t be proxied
- Network-level protocols (RDP, SSH to many hosts)
- Extremely sensitive environments (air-gapped)
- Transitional period during zero trust migration
Zero Trust Preferred
- Cloud-native applications
- Web-based tools
- Remote workforce
- BYOD scenarios
- Third-party/contractor access
Hybrid Approach
Many organizations use both:
Modern apps → Zero Trust (Cloudflare Access, etc.)
Legacy apps → VPN (limited, segmented)
Internal network → Zero trust principles (micro-segmentation)
Challenges
Zero Trust Challenges
Complexity:
- More components to manage
- Policy management overhead
- Integration requirements
User friction:
- More authentication prompts
- Device compliance requirements
- Learning curve
Legacy applications:
- Some apps can’t be proxied
- Protocol limitations
- Rearchitecting required
Implementation Tips
```yaml
success_factors:
  - Start with identity: Strong SSO and MFA foundation
  - Inventory first: Know what you're protecting
  - Pilot before rollout: Test with friendly users
  - User communication: Explain why, not just what
  - Measure: Track adoption and issues
  - Iterate: Improve policies based on feedback
```
Key Takeaways
- VPNs assume network perimeter equals security boundary; zero trust assumes no trust
- Zero trust verifies identity, device, and context for every access request
- Performance can improve with zero trust: direct paths to resources instead of backhauling through a VPN gateway
- Zero trust limits blast radius; compromised credentials don’t grant network access
- Migration is gradual; start with identity and MFA, then add device trust and access proxy
- VPNs still useful for legacy apps and network-level protocols
- Most organizations will use a hybrid approach during the transition
- User experience matters; poorly implemented zero trust creates friction
- Policy management is the ongoing challenge; automate where possible
The network perimeter has dissolved. Zero trust acknowledges this reality and builds security around identity and context rather than network location.