Secure Remote Access: VPN, ZTNA, and Modern Solutions
Secure remote access encompasses the technologies, protocols, and architectural frameworks that allow authorized users and devices to connect to organizational networks and resources from outside the physical perimeter. The dominant approaches — Virtual Private Networks (VPNs), Zero Trust Network Access (ZTNA), and hybrid overlay architectures — differ substantially in how they establish trust, enforce policy, and expose internal resources. For security practitioners, compliance officers, and IT architects verified in the Information Security Providers, selecting the appropriate model depends on regulatory obligations, workforce topology, and threat-surface analysis.
Definition and scope
Secure remote access refers to any mechanism that authenticates a remote endpoint, encrypts traffic in transit, and enforces access policy before allowing connection to protected systems. NIST SP 800-77 Rev 1 defines IPsec-based VPN architecture and its role in securing communications across untrusted networks. NIST SP 800-207, the authoritative Zero Trust Architecture publication, extends this scope by defining ZTNA as a paradigm in which no user or device is implicitly trusted based on network location alone (NIST SP 800-207).
The three primary classifications in this sector are:
- VPN (Virtual Private Network) — Creates an encrypted tunnel between a remote device and a network gateway, granting broad access to network segments upon authentication. Subtypes include IPsec, SSL/TLS, and split-tunnel configurations.
- ZTNA (Zero Trust Network Access) — Grants access to specific named applications only, after continuous verification of user identity, device posture, and contextual signals. No implicit lateral movement is permitted.
- SASE (Secure Access Service Edge) — A cloud-delivered architecture defined by Gartner in 2019 that converges ZTNA, SD-WAN, CASB, and firewall-as-a-service into a single policy enforcement plane. NIST acknowledges SASE as an emerging Zero Trust implementation pattern within SP 800-207.
Regulatory scope for remote access extends across multiple federal frameworks. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule at 45 CFR §164.312 requires covered entities to implement technical controls — including encryption and access controls — for electronic protected health information transmitted remotely. The Federal Risk and Authorization Management Program (FedRAMP) mandates that cloud services used by federal agencies meet specific remote access control standards derived from NIST SP 800-53 AC-17.
How it works
Each major model enforces remote access through a distinct trust and enforcement sequence.
VPN operational sequence:
ZTNA operational sequence:
NIST SP 800-207 identifies 3 core logical components in a Zero Trust architecture: the Policy Decision Point (PDP), the Policy Enforcement Point (PEP), and the Policy Information Point (PIP), which feeds real-time device and identity signals into access decisions.
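As an added illustration of the three components named above (this is example code, not from NIST, CISA or any product), the following Python sketch models a PDP that admits a single named application only after identity, device-posture and context checks, plus a PEP-side session that re-runs the decision whenever the PIP refreshes a signal. The application names, groups, posture thresholds and country rule are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Signals:
    """Signals a Policy Information Point (PIP) reports about one access request."""
    user: str
    mfa_verified: bool
    device_managed: bool
    disk_encrypted: bool
    patch_age_days: int
    country: str

# Constructed per-application policy: which groups may reach which named app,
# and what device posture that app demands. No subnet or network range appears
# here; that is the difference from a VPN gateway granting segment-level access.
POLICY = {
    "ehr-web": {"groups": {"clinicians"}, "max_patch_age": 14, "require_managed": True},
    "wiki": {"groups": {"clinicians", "staff"}, "max_patch_age": 60, "require_managed": False},
}
GROUPS = {"alice": {"clinicians", "staff"}, "bob": {"staff"}}  # constructed directory data
ALLOWED_COUNTRIES = {"US"}  # constructed contextual rule

def decide(app: str, s: Signals) -> tuple[bool, str]:
    """Policy Decision Point: allow one named application, or deny with a reason."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "unknown application"  # unlisted apps are unreachable, not merely denied
    if not s.mfa_verified:
        return False, "MFA not satisfied"
    if not GROUPS.get(s.user, set()) & rule["groups"]:
        return False, "user not entitled to application"
    if rule["require_managed"] and not s.device_managed:
        return False, "unmanaged device"
    if not s.disk_encrypted:
        return False, "disk not encrypted"
    if s.patch_age_days > rule["max_patch_age"]:
        return False, "device patch level too old"
    if s.country not in ALLOWED_COUNTRIES:
        return False, "unexpected location"
    return True, "allow"

class Session:
    """Policy Enforcement Point view: every refreshed PIP signal re-runs the decision."""
    def __init__(self, app: str, signals: Signals):
        self.app, self.signals, self.open = app, signals, decide(app, signals)[0]
    def refresh(self, **changed) -> bool:
        # Continuous verification: a posture change closes an already-open session.
        self.signals = replace(self.signals, **changed)
        self.open = decide(self.app, self.signals)[0]
        return self.open
```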
The Cybersecurity and Infrastructure Security Agency (CISA Zero Trust Maturity Model) structures ZTNA adoption across 5 pillars — Identity, Devices, Networks, Applications and Workloads, and Data — each with 4 maturity stages from Traditional to Optimal.
Common scenarios
Enterprise workforce connectivity: Organizations with distributed employees have historically deployed site-to-site IPsec VPNs for branch office connectivity and client VPNs for individuals. This model remains prevalent in environments where legacy applications cannot be exposed directly over the internet.
Federal agency remote access: Executive branch agencies governed by the Federal Information Security Modernization Act (FISMA, 44 U.S.C. § 3551 et seq.) must comply with NIST SP 800-53 control AC-17 (Remote Access), which requires documented policies, encrypted channels, and monitoring of remote sessions. CISA's binding operational directives have pushed federal agencies toward ZTNA as part of the Executive Order 14028 implementation roadmap.
Healthcare remote access: Covered entities under HIPAA transmitting ePHI from remote endpoints must satisfy the Transmission Security standard at 45 CFR §164.312(e)(1). A remote clinician accessing an EHR system from a home network triggers both encryption and audit logging requirements, typically satisfied through VPN or ZTNA with session recording.
Industrial control systems (ICS): Remote access to operational technology (OT) environments introduces risks documented in NIST SP 800-82 Rev 3. Direct VPN access into ICS network segments is discouraged; jump-server architectures with application-layer ZTNA proxies reduce attack surface while maintaining operational access.
The describes how these technology categories are classified within the broader cybersecurity service landscape.
Decision boundaries
Selecting between VPN, ZTNA, and SASE depends on 4 primary structural factors:
| Factor | VPN | ZTNA | SASE |
|---|---|---|---|
| Trust model | Network-perimeter | Identity + device + context | Identity + context + edge enforcement |
| Access granularity | Subnet/network level | Application-specific | Application + data + web |
| Lateral movement risk | High (post-authentication) | Minimal (application isolation) | Minimal |
| Legacy application support | Strong | Requires connector or proxy | Requires integration |
| Regulatory fit (FedRAMP, FISMA) | Acceptable (legacy) | Preferred (EO 14028 aligned) | Preferred (cloud-native environments) |
VPN remains appropriate when all of the following apply: the workforce connects from managed, corporate-owned devices; the application portfolio consists of legacy systems that cannot accept proxied connections; and the network segments being accessed are already tightly segmented with firewall policy enforcement.
ZTNA is structurally superior when any of the following apply: users connect from unmanaged or personally-owned devices (BYOD); the organization has adopted SaaS or IaaS workloads that do not reside on a corporate network; or compliance obligations require continuous session verification and least-privilege application access.
SASE is architecturally appropriate at organizational scale where network and security functions must be consolidated for branch offices and cloud workloads simultaneously, and where point solutions create policy fragmentation across 10 or more enforcement points.
The FBI and CISA's joint advisory on VPN vulnerabilities (AA20-073A) documented active exploitation of unpatched VPN appliances as a primary initial access vector — a structural limitation that ZTNA's broker-based architecture eliminates by removing publicly addressable network endpoints. Organizations referencing this sector's professional service providers should consult the Information Security Providers for qualified practitioners operating in this space.