Secure Remote Access: VPN, ZTNA, and Modern Solutions
Secure remote access encompasses the protocols, architectures, and control frameworks that govern how authenticated users and devices connect to organizational resources from locations outside the enterprise perimeter. The discipline spans legacy tunnel-based technologies, identity-centric zero trust models, and hybrid approaches that bridge both paradigms. Regulatory frameworks including NIST SP 800-207 and CISA guidance on zero trust maturity formally address these architectures as foundational components of federal and critical infrastructure security posture.
Definition and scope
Secure remote access refers to the controlled extension of network or application access to endpoints and users operating outside a defined trust boundary. This scope includes remote employees, contractors, third-party vendors, and automated system integrations that must reach internal resources across public or untrusted networks.
The category is formally bounded by two distinct architectural philosophies. The first, perimeter-based access, treats the network boundary as the primary security control and grants broad internal access once a user clears that boundary. The second, zero trust architecture, treats every access request as untrusted regardless of origin, enforcing continuous verification at the application or resource layer rather than at the network edge.
NIST Special Publication 800-207, "Zero Trust Architecture," formally defines zero trust as a set of guiding principles that move network defenses from static, network-based perimeters to focus on users, assets, and resources. This publication is the primary federal reference for both agencies and contractors structuring remote access policy.
Secure remote access intersects directly with identity and access management, multi-factor authentication, and privileged access management — all of which supply the authentication and authorization signals that remote access controls depend on.
How it works
VPN (Virtual Private Network)
A VPN creates an encrypted tunnel between a remote endpoint and a concentrator device at the network perimeter. Traffic traverses a public network inside that tunnel and emerges on the internal network with the same logical position as an on-premises device. The three most widely deployed VPN types are:
- IPsec-based VPNs — Operate at Layer 3, encrypting IP packets. Commonly used for site-to-site connections between branch offices and data centers.
- SSL/TLS VPNs — Operate over port 443, making them firewall-friendly. Typical for end-user remote access clients and clientless browser-based access portals.
- Split-tunnel VPNs — Route only traffic destined for internal resources through the tunnel; all other traffic exits directly to the internet, reducing bandwidth load on concentrators.
The structural weakness of VPN architecture is the implicit trust granted after authentication. A successfully authenticated session receives broad network access, which threat actors exploit through credential compromise. The Cybersecurity and Infrastructure Security Agency (CISA) has published specific hardening guidance for VPN products, noting that unpatched VPN appliances represent a recurring exploitation vector in federal and critical infrastructure incidents.
ZTNA (Zero Trust Network Access)
ZTNA replaces tunnel-based access with per-application, policy-enforced connectivity. A ZTNA control plane evaluates at least 4 distinct signals before granting access: user identity, device health posture, application context, and behavioral baseline. No lateral network access is granted; the user connects only to the specific application authorized by policy.
ZTNA architectures divide into two deployment models:
- Agent-initiated ZTNA — A software agent on the endpoint communicates with a cloud or on-premises broker, which enforces policy and proxies the connection.
- Service-initiated ZTNA — A connector installed in the application environment establishes an outbound connection to a cloud broker; no inbound firewall ports are required, eliminating exposed attack surface.
NIST SP 800-207 identifies the policy decision point (PDP) and policy enforcement point (PEP) as the two core logical components of any zero trust access architecture, providing the structural vocabulary that procurement specifications and audit frameworks reference.
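The following is an added example, not code from NIST SP 800-207 or from any ZTNA product: a minimal policy decision point that evaluates the four signals named above for a single application, the view a policy enforcement point exposes after an allow, and, for contrast, the segment-wide grant a VPN concentrator issues once credentials check out. All users, applications and policies are constructed for illustration.

```python
# Added example, not code from NIST SP 800-207 or any ZTNA product: a minimal
# policy decision point (PDP) that checks the four signals named above per
# application, the PEP view of what an allow exposes, and the VPN-style grant it
# replaces. All users, applications and policies below are constructed.
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    groups: set          # identity signal: group memberships from the IdP
    device_managed: bool # device signal: enrolled in endpoint management
    device_patched: bool # device signal: posture check result
    app: str             # application context: the one resource requested
    hour: int            # behavioral signal: local hour of the request
    country: str         # behavioral signal: request origin

# Constructed per-application policies: authorized groups, whether unmanaged
# devices are tolerated, and the behavioral baseline (hours, countries).
APP_POLICIES = {
    "hr-portal": {"groups": {"hr"}, "managed_only": True,
                  "hours": range(7, 20), "countries": {"US"}},
    "git-server": {"groups": {"eng"}, "managed_only": True,
                   "hours": range(0, 24), "countries": {"US", "DE"}},
    "vendor-ticketing": {"groups": {"vendor"}, "managed_only": False,
                         "hours": range(8, 18), "countries": {"US"}},
}

def pdp_decide(req):
    """Return (decision, reasons). Deny is the default; every signal must pass."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return "deny", ["unknown application"]
    reasons = []
    if not (req.groups & policy["groups"]):
        reasons.append("identity: user not in an authorized group")
    if policy["managed_only"] and not req.device_managed:
        reasons.append("device: unmanaged endpoint")
    if not req.device_patched:
        reasons.append("device: posture check failed")
    if req.hour not in policy["hours"] or req.country not in policy["countries"]:
        reasons.append("behavior: outside baseline hours or location")
    return ("deny", reasons) if reasons else ("allow", ["all signals passed"])

def pep_reachable(req):
    """After an allow the PEP proxies exactly one application, never the segment."""
    return {req.app} if pdp_decide(req)[0] == "allow" else set()

def vpn_reachable(req, segment_apps):
    """Contrast: a concentrator exposes the whole segment once credentials check out."""
    return set(segment_apps) if req.groups else set()
```

The `reasons` list is what a per-session audit log would record for each decision, which is the evidence trail the compliance discussion below refers to.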
Common scenarios
Secure remote access architectures apply across distinct operational contexts, each carrying different risk profiles:
- Remote workforce access to SaaS and cloud applications — ZTNA or identity-aware proxies provide per-application control without requiring network-level access. This scenario aligns with cloud security posture requirements under frameworks like FedRAMP.
- Contractor and third-party access — Vendors connecting to operational systems represent elevated risk due to limited device control. Third-party risk management programs typically require just-in-time provisioning and session recording for these accounts.
- Operational technology and industrial control system access — Remote maintenance of OT environments requires strict segmentation. OT/ICS security guidance from the ICS-CERT program under CISA specifies that remote access to control systems must use jump servers or privileged remote access tooling rather than direct VPN tunnels into OT networks.
- Privileged administrator access — System administrators connecting to servers or infrastructure must traverse privileged access management controls, with session monitoring and time-bound credential issuance.
- Emergency incident response access — During active incidents, forensic teams and IR retainer personnel require rapid, auditable access that does not persist after the engagement concludes.
Decision boundaries
The selection between VPN, ZTNA, and hybrid models depends on four structural criteria rather than preference:
- Resource location — Applications hosted in on-premises data centers may still warrant IPsec tunnels for site-to-site connectivity, while cloud-hosted workloads are better served by identity-aware proxies that do not backhaul traffic through a corporate network.
- Device trust posture — Organizations that cannot enforce endpoint compliance — such as those permitting unmanaged contractor devices — face significant risk with VPN architectures that grant broad network access. ZTNA's posture-checking requirement limits this exposure.
- Regulatory compliance requirements — The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 CFR § 164.312(e), requires encryption of PHI in transit; both VPN and ZTNA can satisfy this control, but audit evidence requirements may favor ZTNA's per-session logging. Federal contractors subject to CMMC Level 2 or Level 3 must implement access controls consistent with NIST SP 800-171, which maps directly to least-privilege access principles that ZTNA enforces architecturally.
- Scalability and performance — VPN concentrators represent capacity-bounded choke points. Organizations with more than 5,000 concurrent remote users frequently encounter throughput limitations that ZTNA's distributed broker model avoids by keeping application traffic local to the user and application rather than routing it through a central appliance.
The transition from VPN to ZTNA is not binary; hybrid deployments that maintain VPN for legacy on-premises systems while introducing ZTNA for cloud applications represent the modal enterprise posture during phased modernization. CISA's Zero Trust Maturity Model defines five pillars — identity, devices, networks, applications/workloads, and data — and assigns maturity stages (Traditional, Initial, Advanced, Optimal) that provide a structured framework for assessing where legacy VPN access controls fit within a broader modernization roadmap.
Network security fundamentals and firewall and perimeter security practices remain relevant alongside secure remote access architecture, since external-facing concentrators, brokers, and proxies all require perimeter hardening regardless of the access model deployed.
References
- NIST SP 800-207: Zero Trust Architecture — National Institute of Standards and Technology
- CISA Zero Trust Maturity Model — Cybersecurity and Infrastructure Security Agency
- CISA VPN Security Guidance — Cybersecurity and Infrastructure Security Agency
- CISA ICS-CERT Remote Access Guidance — Cybersecurity and Infrastructure Security Agency
- HIPAA Security Rule, 45 CFR § 164.312(e) — U.S. Department of Health and Human Services via eCFR
- NIST SP 800-171: Protecting Controlled Unclassified Information — National Institute of Standards and Technology
- CMMC (Cybersecurity Maturity Model Certification) — Office of the Under Secretary of Defense for Acquisition and Sustainment
- NIST National Vulnerability Database — National Institute of Standards and Technology