• Business VPN should be dead by now. So why is it still thriving?

    From TechnologyDaily@1337:1/100 to All on Thursday, August 28, 2025 10:00:08
    Business VPN should be dead by now. So why is it still thriving?

    Date:
    Thu, 28 Aug 2025 08:56:47 +0000

    Description:
    Zero trust promised more. VPNs won anyway.

    FULL STORY ======================================================================

    If Zero Trust actually worked like the industry said it would, VPNs would've disappeared years ago. Instead, they're booming. We've all heard the warnings, seen the vendor pitches, and read enough LinkedIn posts to fill several lifetimes: Zero trust is supposed to be here.

    And yet, despite all that hype, the business VPN market isn't just alive, it's thriving, projected to nearly double from $5.7 billion in 2024 to well over $10 billion by 2033.

    The Comfort of the Familiar

    I wrote my first VPN, Tunnel Vision, back in 1998, for the first customer of my first startup. Later we replaced it with an IPsec key manager. Then I wrote sshuttle, a sort of VPN built on top of SSH. At Google, I ended up writing a multicast VPN tool we called "frobnicast" (don't ask). And finally, I co-founded yet another VPN company to try fixing this once and for all. That makes it five VPNs so far. As the meme goes, we have become exceedingly efficient at it.

    Why do we keep writing new VPNs? Because the old ones suck. But honestly, it's not just VPNs that suck, it's TCP/IP that sucks. If IPv4 had been encrypted by default and access-controlled from the beginning and didn't run out of IP addresses and IPv6 had successfully rolled out, we wouldn't need VPNs. Every generation of these tools has been a workaround for something broken further down the stack.

    Still, businesses don't let go of familiar tools easily. I once wrote that not changing stuff is amazingly powerful as a product strategy. VPNs are dependable. Or at least, they're the devil we know. They're built into enterprise security bundles, they're in the onboarding checklist, and they've been good enough for long enough that most teams have figured out how to live with them.

    But when a tool sticks around long after its design goals are obsolete, like my old dialer program WvDial, still popular decades after modems became irrelevant, it's worth asking why. In WvDial's case, the answer was simple: everything else was worse. That story still applies to VPNs.

    When Security Gets in the Way

    According to recent research, this comfort comes at a cost. Over 83% of engineers admit to bypassing their company's security controls simply to get work done. Worse yet, 68% retain access to internal systems after leaving their employers, exposing critical gaps in the security lifecycle. Yet, despite these clear risks, only 10% of professionals feel their current VPN "works well."

    So, VPNs linger not because they're ideal, but because migrating fully to zero trust isn't trivial. It's not a product you can buy; it's a shift in how you think. Continuous verification, least privilege access, and identity-first networking sound simple until you try to retrofit them into a sprawling, 20-year-old IT architecture.

    The VPN Misconception

    There's a common belief that VPNs are fundamentally insecure. They're not. But the traditional enterprise VPN model, the one that drops you inside the perimeter and lets you wander freely, is dangerous. That's like giving everyone a master key to your office building.

    A better model grants access one step at a time, based on who you are, what you need right now, and where you're coming from. Microsegmentation. It's not about banning tunnels; it's about more, smaller tunnels, each with its own control valve.

    Where Zero Trust Really Begins

    The most secure approach is one where identity management is everything. Not where you are, not what subnet you're on, not whether you're in the office. Identity. Strong authentication, hardware-backed keys, just-in-time access.

    But identity isn't easy. Our survey found only 29% of organizations have adopted identity-based access control at scale. Even fewer use automation. Many still rely on spreadsheets and service account credentials that outlive the employees who set them up.

    So security becomes a tax. It slows people down. And when security gets in the way, people route around it. That's why VPN fatigue is real and growing.

    Yet, there's hope. Nearly half of surveyed companies are consolidating fragmented tools, embracing automation, and experimenting with adaptive policies. But more interestingly, they're starting to rethink their whole approach.

    Security and engineering teams are collaborating instead of clashing.
    They're designing systems that work with people, not against them. AI tools are emerging not to replace humans, but to help notice the things humans miss: a sudden pattern change, a weird login time, an unexpected access request.

    More companies are adopting modular, policy-driven systems. Instead of writing 50 firewall rules, they define intent: "this kind of app talks to that kind, under these conditions." That's not Zero Trust as a checklist; it's Zero Trust as infrastructure.

    A Pragmatic Path Forward

    Zero trust isn't a product you install. It's a direction you walk in.

    Start by reducing implicit trust wherever you find it. Use strong identity through encryption, not IP addresses. Make credentials short-lived. Assume the worst. Break your network into zones. Shrink the blast radius.

    But do it gradually. Nobody rips out all their networking in a day. Choose
    one high-value system and zero-trustify it. Learn. Repeat.
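
    An illustration of the intent-style policy and short-lived credentials described above, added here as an example and not taken from the article or from any product. The tag names, ports, the 8-hour credential lifetime and every identifier are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_CREDENTIAL_AGE = timedelta(hours=8)  # assumed lifetime for short-lived credentials

@dataclass(frozen=True)
class Rule:
    """Intent: callers carrying src_tag may reach services carrying dst_tag."""
    src_tag: str
    dst_tag: str
    port: int
    require_hardware_key: bool = False

@dataclass(frozen=True)
class Request:
    identity: str         # authenticated user or workload, never an IP address
    tags: frozenset       # roles asserted by the identity provider
    hardware_key: bool    # credential is bound to a hardware-backed key
    issued_at: datetime   # when the credential was minted
    dst_tags: frozenset   # tags on the destination service
    port: int

# Constructed sample policy: three intents instead of per-host firewall rules.
POLICY = [
    Rule("web", "api", 443),
    Rule("api", "db", 5432),
    Rule("sre", "db", 5432, require_hardware_key=True),
]

def decide(req, now, policy=POLICY):
    """Return (allowed, reason). Default is deny; call this on every connection."""
    age = now - req.issued_at
    if age < timedelta(0) or age > MAX_CREDENTIAL_AGE:
        return False, "credential expired or not yet valid"
    for rule in policy:
        if (rule.src_tag in req.tags and rule.dst_tag in req.dst_tags
                and rule.port == req.port):
            if rule.require_hardware_key and not req.hardware_key:
                continue  # rule needs a hardware-backed key; keep looking
            return True, f"{rule.src_tag} -> {rule.dst_tag}:{rule.port}"
    return False, "no matching intent (default deny)"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    req = Request("svc-web", frozenset({"web"}), False, now - timedelta(hours=1),
                  frozenset({"db"}), 5432)
    print(decide(req, now))  # web has no intent to reach db
```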

    VPNs will stick around a while, not because they're good, but because everything else is hard or immature. But as we've seen with tools like WvDial, still in use long after its time, familiarity isn't the same as fitness. The future belongs to systems that embrace the complexity of real-world access and make it feel simple.

    I don't want to write VPNs, I don't want to deploy VPNs, I just want to solve real problems. But we can't solve the real problems without a working
    network. So here I am with a $1.5B company still selling VPNs. Sure it's
    maybe the best VPN. But it looks like I'll be continuing to do it for years, so that other people can finally solve real problems.

    And if we finally get it right this time, maybe we can stop reinventing the same broken tunnel one VPN at a time.

    This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro



    ======================================================================
    Link to news story: https://www.techradar.com/pro/business-vpn-should-be-dead-by-now-so-why-is-it-still-thriving


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)