If Not Now, When? Reflections on Retiring the VPN in a Zero Trust World

I found myself standing in the middle of a small group over coffee at The‑C2, listening in as someone asked, “Has anyone actually turned off their VPN yet?” It wasn’t a challenge, just a genuine question, but everyone leaned in. Heads nodded. A few chuckled knowingly. No one rushed to answer. It was one of those honest, off-the-record conversations that happen in between the official sessions, but tell you far more about where organisations really are on their security journey.

Almost everyone in that circle had made serious headway into zero trust. They’d rolled out identity-based access, tightened control over devices, and reduced reliance on network perimeters. But the VPN? It was still there. Not because it was actively relied upon, but because no one quite felt ready to turn it off.

The Zero Trust Transition: So Much Progress, Yet One Final Hurdle

For most of us, the move towards zero trust hasn’t been a revolution. It’s been gradual. Logical. We’ve shifted from trusting networks to trusting identity. We’ve introduced MFA, begun validating devices before granting access, and applied context-aware controls to critical apps.

But the VPN has hung around – less like a core control, and more like an old security blanket no one’s ready to throw away.

As the conversation continued, it became clear that the reluctance wasn’t really technical. It was about confidence. Confidence in the new model. Confidence in our visibility. Confidence that nothing vital was still hidden behind that old encrypted tunnel.

And understandably so.

Mapping the Maze Before Making the Move

The businesses that had successfully retired their VPNs didn’t start by disabling anything. They started by getting a proper grip on what the VPN was still being used for, not just officially, but in practice.

They mapped out who was still logging in, which services were only accessible that way, and whether there were any lingering system-to-system dependencies no one had touched in years. As one CISO said, “It was less like turning something off and more like unpicking a decade of assumptions.”

That unpicking process mattered. Because it revealed where zero trust access hadn’t yet reached. It also clarified which business processes still depended on the VPN, and whether that dependency was meaningful or just historic.

Policies That Reflect Reality, Not Hope

Once that access landscape was understood, the next step was about tightening and tuning policies. Identity alone wasn’t enough. Context had to play a bigger role: where the user was coming from, what device they were on, what they were trying to do, and whether it was consistent with normal behaviour.

It wasn’t just about authenticating users. It was about authorising them, intelligently. Adapting based on risk, device posture, and sensitivity.

This kind of policy-building takes time. But it’s the real heart of zero trust. Because once your policies reflect what people actually should be able to do, the VPN becomes irrelevant by design.

When Trust Isn’t Static, And Shouldn’t Be

The other subtle shift these organisations had made was around how they thought about trust itself.

In the old model, trust was granted once you logged in, and that was that. In the zero trust model, trust is dynamic. It’s continuously evaluated. Change device? Recheck. Unusual location? Challenge. Elevated request? Step-up authentication.

This shift only works if you’re confident in your trust signals: your identity platform, your device management, your risk scoring. And importantly, it only works if users understand what’s happening and why.

Why Some Staff Still Reach for the VPN Button

Interestingly, several people admitted they’d rolled out robust zero trust infrastructure, only to find staff still using the VPN out of habit.

In some cases, users believed it was more secure. In others, the VPN was simply muscle memory. A couple of teams had even quietly kept it in use “just in case.”

That’s where communication and culture come in. The move away from VPN isn’t just a technical transition; it’s a behavioural one. Users need to understand that what feels safer isn’t always actually safer. And they need the reassurance that the new model is designed for resilience, not convenience.

Measuring Trustworthiness Before Pulling the Plug

Before anyone switched their VPN off, they tested. And not just surface checks.

They ran comparisons between VPN usage and ZTNA logs. They simulated outages. They monitored error rates, checked fallback scenarios, and verified that key services remained accessible through zero trust alone.

They also ran live scenarios: shadowing users, watching access patterns, ensuring there were no surprises hiding in the infrastructure.

Confidence didn’t come from belief. It came from data.
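The dependency mapping described above and the VPN-versus-ZTNA log comparison come down to the same question: what is still reached only through the tunnel, and who is still using it out of habit? The script below is an added illustration, not code from the post or any vendor; it assumes a simple constructed log format for both sources (the field names and the sample lines are made up for the example).

```python
import re
from collections import defaultdict

# Constructed sample logs (not from any real system). VPN lines record the
# internal service a remote user reached through the tunnel; ZTNA lines record
# access brokered by the zero trust gateway for the same users and services.
VPN_LOG = """\
2024-05-01T08:02:11Z vpn user=alice dst=finance-erp.internal:443
2024-05-01T08:05:40Z vpn user=bob dst=legacy-payroll.internal:8443
2024-05-01T09:10:02Z vpn user=svc-backup dst=legacy-payroll.internal:8443
2024-05-02T07:58:20Z vpn user=alice dst=wiki.internal:443
2024-05-02T22:14:09Z vpn user=svc-backup dst=legacy-payroll.internal:8443
"""
ZTNA_LOG = """\
2024-05-01T08:03:30Z ztna user=alice app=finance-erp.internal action=allow
2024-05-01T10:22:17Z ztna user=carol app=wiki.internal action=allow
2024-05-02T08:01:05Z ztna user=alice app=wiki.internal action=allow
"""

# Assumed field layout for the two log sources (hypothetical formats).
VPN_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<svc>[^:\s]+)")
ZTNA_RE = re.compile(r"user=(?P<user>\S+) app=(?P<svc>\S+) action=allow")


def parse(log, pattern):
    """Return {service: set(users)} for every line matching the pattern."""
    users_by_svc = defaultdict(set)
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            users_by_svc[m["svc"]].add(m["user"])
    return users_by_svc


def vpn_dependency_report(vpn_log, ztna_log):
    """Split remaining VPN use into coverage gaps, habit, and unknown identities."""
    vpn = parse(vpn_log, VPN_RE)
    ztna = parse(ztna_log, ZTNA_RE)
    vpn_users = set().union(*vpn.values()) if vpn else set()
    ztna_users = set().union(*ztna.values()) if ztna else set()
    return {
        # Services never seen through the broker: zero trust has not reached them yet.
        "vpn_only_services": sorted(s for s in vpn if s not in ztna),
        # Users taking the tunnel to a service the broker already serves: habit, not need.
        "habit_users": sorted({u for s, us in vpn.items() if s in ztna for u in us}),
        # Identities that never appear on ZTNA: candidates for system-to-system dependencies.
        "vpn_only_identities": sorted(vpn_users - ztna_users),
    }
```

Run it over a full retention window rather than a day or two, since the scheduled jobs and quarterly processes the post mentions will not show up in a short sample.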

The VPN as Latent Risk, Not Backup

One of the more interesting points raised was that leaving the VPN in place might create more risk than it mitigates.

A system you no longer actively maintain, that still has privileged access to large parts of your infrastructure, can quickly become an attack path – especially if it’s not getting the same scrutiny as your newer, shinier controls.

You’re not reducing risk by keeping it. You may simply be masking it.

Final Thought: Be Honest About Why It’s Still There

What stuck with me most from that chat over coffee wasn’t the technical detail. It was the honesty.

Some organisations had removed the VPN. Others were on the brink. A few were still figuring it out. But across the board, the feeling was the same: this isn’t just a question of readiness. It’s a question of certainty.

If your business is still using its VPN, ask yourself: is it truly necessary, or is it just familiar? Are you keeping it because you need it, or because you haven’t tested whether you still do?

If your answer is “I’m not sure,” then now’s the time to find out.

Because the goal isn’t just to build something new. It’s to trust it enough to move on from the old.