From the Spring 2024 Issue

The Case for Moving Beyond VPNs: Embracing Conditional Access

Alex Haynes
CISO | IBS Software

In the ever-evolving landscape of cybersecurity, traditional tools, and approaches to securing remote access, such as Virtual Private Networks (VPNs), are increasingly seen as inadequate for the complex demands of modern enterprise environments. The shift towards a more dynamic, distributed workforce, along with the proliferation of cloud services and mobile computing, necessitates a re-evaluation of how organizations secure their networks and manage access to sensitive resources. Below you will find some arguments on why it is time for companies to move beyond VPNs in favor of more sophisticated, flexible, and secure solutions, such as Conditional Access systems.

Unlike VPNs, Conditional Access systems do not assume trust based on network presence.

The Limitations of VPNs

The Limitations of VPNs
VPNs have been the cornerstone of remote access security for decades, creating encrypted tunnels between users and corporate networks, ostensibly keeping data safe from interception. However, the VPN model has several fundamental limitations that make it less suitable for today’s digital ecosystem:

Perimeter-based Security Model
VPNs operate on the outdated assumption that once inside the network, users can be trusted. This perimeter-based model fails to account for insider threats and the fact that once a malicious actor gains access, they can move laterally with little impedance.

One-size-fits-all Access
VPNs typically grant access to the entire network or large segments of it, making it difficult to enforce the principle of least privilege and increasing the risk of data breaches.

Poor User Experience
The use of VPNs can significantly degrade network performance and complicate the user experience, particularly when accessing cloud-based resources that are not located within the corporate data center.

Operational Inefficiencies
Managing VPNs can be resource-intensive, requiring significant effort to maintain, update, and ensure compatibility with various devices and operating systems.

Conditional Access

Conditional Access represents a paradigm shift in how organizations approach securing remote access. Unlike VPNs, Conditional Access systems do not assume trust based on network presence. Instead, they dynamically assess the risk of a given access attempt and apply the appropriate access controls based on a set of predefined policies. This approach allows organizations to implement a more granular, context-aware security posture that is better aligned with the realities of the modern workplace.

Key Benefits of Conditional Access

Zero Trust Security Model
Conditional Access is a cornerstone of the Zero Trust framework, which operates on the principle of “never trust, always verify.” Access decisions are made in real-time, based on the user’s identity, device health, location, and the sensitivity of the accessed resources.

Granular Access Controls
Unlike the broad network access granted by VPNs, Conditional Access allows for precise control over who can access what resources, under what conditions. This granularity significantly reduces the attack surface and helps prevent unauthorized access to sensitive data.

Enhanced User Experience
By eliminating the need for users to connect to a VPN, Conditional Access can provide a more seamless and efficient experience, particularly when accessing cloud services directly from the internet.

Adaptive Risk Assessment
Conditional Access systems can integrate with a wide range of signals (such as user behavior analytics, threat intelligence, and real-time security alerts) to dynamically assess the risk of an access attempt and adjust security controls accordingly.

Simplified Management
By leveraging cloud-based services and policies, Conditional Access systems can reduce the operational burden on IT teams, making it easier to deploy, manage, and scale remote access security measures.

Making the Transition
The transition from VPNs to Conditional Access systems is not without its challenges. Organizations must carefully plan and execute this shift, taking into consideration the need for robust identity and device management solutions, the reconfiguration of network architecture, and the training of both IT staff and end-users. However, the benefits of making this transition—enhanced security, improved compliance, better user experience, and operational efficiency—far outweigh the initial hurdles.


The limitations of traditional VPN-based security are becoming increasingly apparent in the face of sophisticated cyber threats and the demands of a modern, mobile workforce. Conditional Access offers a more flexible, secure, and user-friendly alternative that aligns with the principles of Zero Trust and the realities of cloud computing. By adopting Conditional Access, organizations can not only enhance their security posture but also enable a more agile and efficient operational model. It is time for companies to embrace this change, moving beyond the confines of outdated VPN solutions and towards a more secure and dynamic future. lock

Alex Haynes

Leave a Comment