Zero Trust vs VPN – Why It’s Time to Rethink Remote Access
For years, the answer to “how do remote users reach internal systems?” was simple: give them a VPN.
But the way we work – and the way attackers operate – has moved on. Hybrid work, SaaS adoption and increasingly sophisticated threats are exposing the limits of legacy VPNs. That’s where Zero Trust access, delivered as part of a Unified SASE platform, comes in.
Macquarie Telecom’s Zero Trust Unified SASE solution, built on Fortinet technology, is designed to modernise how users connect to applications: securely, with context‑aware decisions, and without the broad network exposure that traditional VPNs create.
Zero Trust starts from one simple premise: never trust, always verify.
Every access request is continuously evaluated based on identity, device posture, location and risk – not just whether a user knows a password or holds a token. Access is granted per application, with the minimum permissions required, and is re‑evaluated as conditions change.
In other words, Zero Trust assumes the network is hostile by default and builds security around users, devices and applications instead.
Why legacy VPNs are no longer enough
VPNs were built for a world where:
- Most users were in offices
- Most applications lived in a data centre
- The corporate network perimeter was clear and defensible
That world no longer exists. Some key issues we see with VPN‑centric architectures:
- All‑or‑nothing access
Once connected, users often have broad network reach, even if they only need one or two applications. That lateral movement is exactly what attackers exploit.
- Inconsistent user experience
Backhauling traffic through a central VPN gateway to reach SaaS and cloud apps adds latency and creates bottlenecks, especially for regional or international users.
- Difficult to segment and scale
Applying fine‑grained access controls over a flat VPN can be complex and brittle. Adding more users or sites often means more concentrators, more configs and more risk.
- Limited context in decisions
Traditional VPNs typically check user credentials and maybe a device certificate at connection time – not continuously, and rarely including richer device posture, behaviour or threat intel.
As VPN appliances age and remote access demand grows, many organisations find themselves at a crossroads: refresh an old model, or adopt a new one.
Zero Trust vs VPN: what’s different?
Zero Trust access, delivered as part of a Unified SASE platform, changes both how access is granted and what users can reach.
Here’s a simplified comparison:
- Access model
- VPN: Network‑centric – connect user to the internal network segment.
- Zero Trust: App‑centric – connect user to specific applications, never the whole network.
- Trust decision
- VPN: One‑off check at login (credentials, token).
- Zero Trust: Continuous verification of identity, device posture, location, behaviour and risk.
- Exposure
- VPN: Internal IP space and services may be discoverable once connected.
- Zero Trust: Applications are fronted by brokers; internal IPs stay hidden.
- User experience
- VPN: “All work goes through the tunnel” – often slower for SaaS/internet apps.
- Zero Trust: User goes direct to the app, with security applied inline, improving performance.
- Segmentation
- VPN: VLANs, ACLs and firewall rules – high operational overhead.
- Zero Trust: Policy follows user and device, not just network segment.
The goal isn’t to shame VPNs – they were the right tool for their time. The goal is to recognise that today’s distributed, internet‑first environments need a more granular, dynamic approach.
Zero Trust principles within Unified SASE
Within a Unified SASE architecture, Zero Trust capabilities are applied consistently across users, locations and applications. Key principles include:
- Strong identity at the core
Integrating with identity providers (IdPs) to authenticate users, enforce MFA and map roles to policies.
- Device awareness and posture checks
Evaluating whether the device is known, healthy and compliant before access is granted, and for as long as access is maintained.
- Least‑privilege, per‑app access
Users see and reach only the specific applications they are authorised for, not the underlying network.
- Inline inspection and threat protection
Traffic is inspected for threats, sensitive data and risky behaviour as it flows, not just at login.
- Continuous monitoring
Sessions are monitored in real time; if risk changes (e.g. suspicious behaviour, posture change), access can be stepped up or revoked.
When unified with SD‑WAN and cloud security, these Zero Trust controls become part of a larger platform: one policy framework, one analytics layer, and consistent outcomes across branches, remote users and cloud environments.
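To make the principles above concrete, here is an added illustration (not Macquarie Telecom's or Fortinet's code) of a per‑application decision function set beside a VPN‑style one‑off check: access is decided per app from identity, device posture, location and risk, and the decision is re‑run whenever the session context changes. The users, devices, policies and risk scores are all constructed for the example.

```python
"""Added example, not Macquarie Telecom's or Fortinet's code: a toy per-app
Zero Trust decision function beside a VPN-style one-off check.
Users, devices, policies and risk scores are constructed for illustration."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Context:
    user: str
    roles: frozenset
    mfa: bool               # strong authentication completed for this session
    device_known: bool      # device is enrolled with the organisation
    device_compliant: bool  # posture check passed (patched, EDR running, etc.)
    country: str
    risk_score: int         # 0 (clean) .. 100 (hostile); assumed to come from analytics

# Per-application policy: roles that may reach it, allowed countries, risk ceiling.
APP_POLICY = {
    "hr-portal":  {"roles": {"hr"},       "countries": {"AU"},       "max_risk": 30},
    "git-server": {"roles": {"engineer"}, "countries": {"AU", "NZ"}, "max_risk": 50},
}

def vpn_login(ctx):
    """Legacy model: one check at connect time, then broad network reach."""
    return "10.0.0.0/8" if ctx.mfa else None

def ztna_decide(app, ctx):
    """Per-app decision: 'allow', 'step-up' (prompt for MFA) or 'deny'."""
    pol = APP_POLICY.get(app)
    if pol is None or not (ctx.roles & pol["roles"]):
        return "deny"        # not authorised: the app is not even discoverable
    if not (ctx.device_known and ctx.device_compliant):
        return "deny"        # device posture failed
    if not ctx.mfa:
        return "step-up"     # identity not yet proven strongly enough
    if ctx.country not in pol["countries"] or ctx.risk_score > pol["max_risk"]:
        return "deny"        # location or risk outside what this app's policy allows
    return "allow"

def reachable_apps(ctx):
    """What the user can reach at all; compare with the /8 the VPN hands out."""
    return {app for app in APP_POLICY if ztna_decide(app, ctx) == "allow"}

def session_decisions(app, ctx, changes):
    """Continuous verification: re-run the decision after each context change.
    A 'deny' following an 'allow' means the live session would be revoked."""
    decisions = [ztna_decide(app, ctx)]
    for change in changes:
        ctx = replace(ctx, **change)
        decisions.append(ztna_decide(app, ctx))
    return decisions
```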
Three conversation points for your organisation
If you’re evaluating your remote access strategy, these prompts can help guide internal discussions:
- “What do our remote users actually need to access?”
Map users to applications rather than networks. You’ll quickly see how much current VPN access is broader than necessary.
- “If an attacker compromised a VPN credential today, how far could they move?”
Think about lateral movement: what could be discovered, scanned, or accessed with that tunnel in place?
- “How do we balance user experience with stronger security?”
Consider where latency and friction hurt productivity today, and how app‑centric, direct access with inline security could improve that experience.
Questions we hear from customers
When we speak to organisations about Zero Trust and Unified SASE, a few themes come up again and again:
- “Do we have to get rid of VPNs overnight?”
No. Many customers start by deploying Zero Trust for specific high‑risk apps or user groups, then gradually reduce reliance on VPNs over time.
- “Will Zero Trust make life harder for users?”
Done right, it’s the opposite: fewer full‑tunnel VPN sessions, less latency, and access that follows the user, regardless of location.
- “How complex is this to run?”
A Unified SASE approach, delivered as part of Macquarie Telecom’s managed service, is designed precisely to reduce operational complexity – centralised policy, unified visibility and 24×7 monitoring handled by specialists.
Moving towards Zero Trust with Unified SASE
Shifting from VPN‑centric access to a Zero Trust model is a journey, not a single project.
The important part is to start with a clear view of:
- Which users and apps to prioritise
- How Zero Trust access will coexist with existing controls in the short term
- What success looks like in terms of risk reduction, user experience and operational simplicity
Macquarie Telecom’s Zero Trust Unified SASE solution with Fortinet combines:
- Zero Trust Network Access that replaces broad VPN access with per‑app connectivity
- Converged network and security services (SD‑WAN, cloud security, secure web gateway, CASB)
- Australian‑based design, implementation and 24×7 operations
If you’d like to explore how Zero Trust could look in your environment – and where to start – our team can help you map out a practical, staged roadmap.