No VPN, Better Security: The Counterintuitive Truth
Removing your VPN doesn't weaken your security posture — it dramatically strengthens it. Here's the evidence.
The Security Paradox
Tell a traditional security professional that you're removing the VPN and they'll look at you like you suggested removing the locks from the front door. VPNs are security infrastructure. Removing security infrastructure makes you less secure. QED.
Except it doesn't. And here's why the intuition is wrong.
The VPN Security Model Is Fundamentally Flawed
VPNs implement what's called a perimeter security model: define a boundary, protect the boundary, trust everything inside the boundary.
This model has three fatal assumptions:
Assumption 1: The perimeter is meaningful. When your applications are in AWS, Azure, GCP, Salesforce, GitHub, and a data center in New Jersey, what exactly is the "perimeter"? The VPN draws an artificial boundary that doesn't correspond to any real security domain. It's a line on a diagram, not a line of defense.
Assumption 2: Everything inside the perimeter is trustworthy. Once a user connects to the VPN, they're "inside." The VPN doesn't distinguish between a legitimate employee checking their email and an attacker who phished that employee's credentials. Inside is inside.
Assumption 3: Threats come from outside. Modern attacks don't breach the perimeter — they walk through it. Phished credentials, compromised endpoints, malicious insiders — these are all "inside" the VPN from the moment they connect.
What Happens When You Remove the VPN
Removing the VPN forces you to adopt a model that doesn't rely on these broken assumptions. Here's what that looks like:
Every application gets its own access policy. Instead of "you're on the network, so you can reach anything," every app has explicit rules: which users, which groups, which device conditions, which authentication methods. An accountant can reach the finance portal but not the engineering CI/CD system — not because of network segmentation, but because the policy says so.
Authentication is continuous, not one-time. A VPN authenticates once, at connection time. Zero Trust authenticates on every request (or, at minimum, validates the session on every request). If a session is compromised mid-day, it can be detected and revoked. With a VPN, a compromised session rides until the tunnel drops.
Device posture becomes enforceable. VPNs treat every connected device the same — a fully patched, encrypted corporate laptop and a jailbroken phone from 2019 both get the same network access. Cloudflare Access can check disk encryption, OS patch level, endpoint protection status, and more on every request.
Lateral movement becomes structurally impossible. This is the big one. In a VPN world, an attacker who compromises any machine on the VPN subnet can scan, probe, and move to other machines on the same subnet. This is how almost every major breach escalates.
Without a VPN, there is no shared network. Each application is reached through an independent, authenticated connection. Compromising one application gives you access to one application. There's no subnet to scan, no adjacent machines to probe, no network to move through.
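To make the four points above concrete, here is an added illustration (not Cloudflare's code or policy format) of a per-application policy evaluator: each app carries its own rule set, and every request is checked for group membership, device posture and session freshness rather than once at connect time. The application names, groups and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass
class Device:
    disk_encrypted: bool   # posture signals a Zero Trust gateway can require
    os_patched: bool
    edr_running: bool

@dataclass
class Request:
    user: str
    groups: FrozenSet[str]
    device: Device
    session_age_s: int          # seconds since the last successful authentication
    session_revoked: bool = False

@dataclass
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_encryption: bool = True
    require_patched: bool = True
    require_edr: bool = True
    max_session_age_s: int = 3600   # constructed limit; short-lived by design

def evaluate(policy: AppPolicy, req: Request) -> Tuple[bool, str]:
    """Decide one request against one app's policy. Called on every request,
    so a mid-day revocation or expiry takes effect immediately."""
    if req.session_revoked:
        return False, "session revoked"
    if req.session_age_s > policy.max_session_age_s:
        return False, "session expired; re-authenticate"
    if not (req.groups & policy.allowed_groups):
        return False, "user not in an allowed group"
    d = req.device
    if policy.require_encryption and not d.disk_encrypted:
        return False, "device: disk not encrypted"
    if policy.require_patched and not d.os_patched:
        return False, "device: OS not patched"
    if policy.require_edr and not d.edr_running:
        return False, "device: endpoint protection not running"
    return True, "allowed"

# Constructed sample policies: the finance portal and the CI/CD system each
# have their own rules; nothing grants both because "you're on the network".
POLICIES = {
    "finance-portal": AppPolicy(allowed_groups=frozenset({"finance"})),
    "ci-cd": AppPolicy(allowed_groups=frozenset({"engineering"})),
}

def check(app: str, req: Request) -> Tuple[bool, str]:
    return evaluate(POLICIES[app], req)
```

The accountant from the text passes the finance portal check and is refused by the CI/CD policy on group membership alone, with no network segmentation involved.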
The Evidence
NIST 800-207 (Zero Trust Architecture): The US government's framework for Zero Trust explicitly calls out VPN limitations: "An enterprise should not solely rely on the network perimeter for security." NIST recommends per-resource access control — exactly what replacing the VPN achieves.
The Verizon DBIR: Year after year, the Verizon Data Breach Investigations Report shows that stolen credentials and phishing are the top attack vectors. VPNs are specifically vulnerable to both because VPN credentials grant broad access and are typically protected by phishable authentication methods.
CISA's Zero Trust Maturity Model: The US Cybersecurity and Infrastructure Security Agency's maturity model places "network-centric" access (i.e., VPNs) at the lowest maturity level. The highest maturity levels require per-request, identity-aware access control.
Google's BeyondCorp: Google eliminated their corporate VPN over a decade ago with BeyondCorp. The result? Improved security posture, better user experience, and full access auditability. Google published the papers — it's not a secret.
Specific Attack Vectors That VPN Removal Mitigates
Credential stuffing: VPN login portals are high-value targets for credential stuffing attacks. Remove the VPN, remove the target. Cloudflare Access uses your IdP's authentication, which already has its own brute-force protections.
VPN vulnerability exploitation: VPN software has a track record of critical vulnerabilities. Pulse Secure, Fortinet, Citrix — all have had remotely exploitable bugs in their VPN products. No VPN software means no VPN vulnerabilities.
Session hijacking: VPN sessions are long-lived (often hours). Zero Trust sessions can be short-lived and continuously validated. Shorter sessions mean a smaller window for hijacking.
Insider threat scope: A malicious insider with VPN access can reach everything the VPN allows — often far more than their job requires. With per-application access policies, an insider can only reach what their role explicitly permits.
The Objection: "But Encryption!"
"Without a VPN, traffic isn't encrypted!"
This objection made sense in 2005. Today, virtually all web traffic is TLS-encrypted by default. HTTPS is the baseline, not the exception. Your traffic to Cloudflare's edge is encrypted. Traffic from Cloudflare to your application through the Tunnel is encrypted. There's no unencrypted gap.
The VPN's encryption was never the point — it was the "private network" part. And that's precisely what creates the security problem.
The Bottom Line
VPNs provide a false sense of security by creating an "inside" that feels safe but isn't. Removing the VPN and replacing it with Zero Trust access doesn't remove a security layer — it replaces a weak, fundamentally flawed security layer with a strong, architecturally sound one.
The most secure networks in the world — Google, Cloudflare, the US DoD — have all moved to Zero Trust. They didn't do it because it's trendy. They did it because VPNs couldn't protect them.