Traditional enterprise VPNs—once the default for remote access—are rapidly losing credibility. Recent industry research shows a striking shift: the vast majority of organisations now view VPNs as a serious security liability and are actively moving toward Zero Trust Network Access (ZTNA) and other zero-trust models (Enterprise VPNs now). These changes are driven by ransomware risks, third-party access concerns, poor user experience, and the limits of VPNs in cloud-first architectures.
The headline numbers
A major 2025 VPN risk report found that 92% of organisations are worried that VPN vulnerabilities could lead to ransomware incidents, and 65% plan to replace their VPNs within the next year—a large jump from prior years. Additionally, many organisations report VPN-related breaches and operational headaches that make legacy tunnels unsustainable in modern environments. These figures are reshaping procurement and security roadmaps.
Why VPNs are viewed as risky today
Implicit trust model: VPNs typically grant broad network access once authenticated. That “all or nothing” access is exactly what modern attackers exploit—stolen credentials or unpatched VPN appliances can let attackers move laterally across networks.
Unpatched and exposed concentrators: Large numbers of organisations have discovered unpatched VPN devices and public-facing endpoints, increasing the attack surface and the frequency of exploited vulnerabilities.
Third-party and vendor risk: Granting vendors VPN access often means giving them sweeping privileges; reports show a high percentage of organisations fear backdoor vulnerabilities introduced via third parties. ZTNA replaces network-wide trust with per-app, least-privilege access.
What Zero Trust solves (and how it differs)
Zero Trust Network Access doesn’t assume a trusted internal network. Instead it enforces continuous verification, least-privilege access per user and per application, device posture checks, and granular session controls. Practically, ZTNA reduces the blast radius when credentials are stolen and limits what a compromised device or account can do—addressing the core weaknesses of VPNs. Organisations adopting Zero Trust also report better visibility and simpler compliance workflows.
Cost, user experience, and cloud fit
Beyond security, enterprises cite usability and cost issues: many employees complain about slow or unreliable VPN connections, while IT teams must maintain VPN concentrators, appliances, and patch cycles. Zero Trust architectures—especially cloud-delivered ZTNA—tend to scale more naturally with cloud apps and hybrid workforces, lowering operational overhead and improving end-user performance.
Comparisons & practical tradeoffs
Security: ZTNA offers stronger containment and continuous verification; VPNs are prone to lateral movement risks.
Deployment complexity: Migrating to Zero Trust can require identity, device posture, and policy changes—initial investment is higher, but long-term management often becomes simpler.
Legacy app support: VPNs still provide straightforward network-level access to old on-prem apps. Organisations often adopt transitional strategies (ZTNA + app gateways or segmented VPNs) during migration.
Expert perspective
Security researchers and vendors emphasize that VPNs weren’t designed for today’s cloud-native, distributed workplaces. The consensus: “When your remote access tool becomes the primary attack vector, you must change the model.” Many vendors and CISOs now recommend replacing wide-scope VPN access with identity-centric controls and per-session policies.
How organisations should approach the shift
Inventory and risk-prioritise: Identify all VPN endpoints, third-party tunnels, and exposed concentrators.
Phased migration: Start with low-risk applications for ZTNA pilots, then move critical workloads once identity and device posture checks are mature.
Hybrid approaches: For legacy apps, use application gateways or micro-segmentation rather than broad VPN access.
Continuous monitoring: Adopt ongoing telemetry and threat detection to ensure that ZTNA policies are effective and that exceptions don’t create new holes.
Conclusion
The data is clear: many enterprises no longer trust VPNs as adequate protection against modern threats. High concern about ransomware (92%) and broad plans to replace VPNs (65%) show an industry pivot toward Zero Trust models that emphasize identity, least privilege, and continuous verification. Moving off VPNs is not trivial, but for organisations that need to reduce attack surfaces and meet compliance demands in cloud-first environments, Zero Trust is rapidly becoming the new standard.
