What is a VPN (virtual private network)?
A VPN (virtual private network) creates an encrypted tunnel between an employee's device and the company network, so they can reach internal systems securely from anywhere, without exposing that traffic on the open internet. For decades it was the standard way to work remotely. Today the model is questioned, because once connected, the user usually reaches the whole network, not just what they need.
How a VPN works
A VPN does not make the internet faster or make the user disappear; it creates a closed path where traffic travels encrypted, end to end, between the device and the network. Anyone in the middle sees scrambled traffic, not the data. The delicate part is not the tunnel itself, it is what it opens up once the connection is made.
Authenticates the user
Before opening the tunnel, the VPN confirms who is asking for access. If that check is only a password, a stolen credential is enough to get in.
Establishes the encrypted tunnel
The client and the gateway negotiate keys and raise an encrypted channel, usually with the IPsec protocol. From there, the traffic travels protected across the public internet.
Places the device inside the network
The VPN assigns the device an internal address, as if it were physically in the office. This is where the risk lives: 'inside the network' usually means broad access.
Routes the traffic through the tunnel
What the user reaches travels through the encrypted channel to the company's resources and back. The tunnel protects the path, but does not, on its own, decide what the user can or cannot reach.
Source: N-able Cyber Encyclopedia (VPN gateway, encrypted tunnel, the IPsec protocol, and the pairing with multi-factor authentication).
Signs your VPN has become a risk
- Whoever connects sees the whole network. Without splitting access by application, a single compromised account opens everything at once.
- The VPN asks only for a password, with no second factor. This is the scenario where a stolen credential, today the number-one way in, becomes full access.
- The concentrator or gateway is behind on firmware. Edge devices and VPNs have become the preferred target, and most stay behind on patching.
- Vendors and third parties use the same VPN as employees. A compromised partner comes in through the same broad door, with no limit on what they reach.
The types of VPN
- Remote-access VPN Connects an employee's device to the company network from anywhere. It is the most common corporate use, and the one that concentrates risk when it grants access that is too broad.
- Site-to-site VPN Connects two entire networks, such as headquarters and a branch, through a permanent tunnel. Useful for joining offices, but it widens what one side can reach on the other.
- Browser (SSL) VPN Gives access to specific applications through the browser, with no client to install. Simpler for the user, still dependent on strong authentication so it does not become an open door.
- Personal or consumer VPN Serves privacy and masks an individual's connection on the internet. It is not the same thing as a corporate VPN, and it does not replace a company's defenses.
Why the VPN became attackers' way in
The VPN was designed for a world in which few people reached the network from outside, now and then. That world is gone, and the model showed its fragility. Exploitation of edge devices and VPN gateways jumped from 3% to 22% of vulnerability-based breaches in a single year, roughly an eightfold rise (Verizon DBIR 2025), and most of those flaws went without a full fix. At the same time, the stolen credential is the number-one way in (22% of breaches, Verizon DBIR 2025): on a VPN that grants broad access, a leaked password does not open one application, it opens the whole network. That is why the market is moving: in Gartner's projection, by 2025 more than 70% of new remote access would use a zero-trust model (ZTNA) instead of a VPN, up from less than 10% in 2021. Meanwhile, a data breach still costs, on average, $ 4.44 million (IBM 2025).
How to use a VPN safely (and when to move on)
A VPN is not insecure by nature; it becomes a risk when it is used the way it was decades ago. A few practices cut the exposure, and one of them is knowing when to change models:
- Require a second factor, alwaysA VPN protected only by a password is one stolen credential away from disaster. Multi-factor authentication is the minimum, not the optional add-on.
- Keep the gateway patchedThe VPN concentrator is now one of the most exploited targets. Current firmware stopped being hygiene and became the front line.
- Limit what the VPN reachesApply least privilege and segment: remote access should not open the whole network, only the resources that person needs.
- Separate third-party accessVendors and partners should not come in through the same broad door as employees. Dedicated, restricted access contains the damage of a compromised partner.
- Evaluate zero-trust accessWhere broad access is the problem, the zero-trust model (ZTNA) grants application by application, not the whole network, and reverifies with every access. It is the direction the market is heading.
In practice
If a single employee's VPN password leaked today, what would the attacker reach with it? If the answer is 'almost everything,' the problem is not the password, it is the broad access the VPN grants.
How Zamak handles remote access
Zamak Technologies designs remote access on the zero-trust principle: verified identity, checked device, and access granted per application, with strong authentication, so a stolen credential does not open the whole network, alongside your team. A good starting point is the cybersecurity assessment, which shows where access is still too broad. It is part of Cybersecurity in the Zamak Method.