Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

VPN fatigue and zero trust: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: VPNs were built for office-centric access, but in cloud-heavy hybrid environments they create performance bottlenecks, broad trust assumptions, and credential risk, according to eMudhra. Zero Trust shifts access decisions toward continuous verification, least privilege, and device trust, making the old network perimeter less relevant.

NHIMG editorial — based on content published by eMudhra: VPN fatigue and the case for Zero Trust in Malaysia

By the numbers:

Questions worth separating out

Q: How should organisations move away from VPN-first remote access without weakening security?

A: Start by treating VPN as a transport mechanism rather than the trust decision itself.

Q: Why do VPNs create more risk in cloud-heavy environments?

A: Because VPNs assume that connectivity from inside the tunnel implies trust.

Q: What do security teams get wrong about Zero Trust and remote access?

A: Many teams treat Zero Trust as a product replacement for VPNs, when it is actually an access model.

Practitioner guidance

  • Replace perimeter trust with session-level verification Move toward access policies that re-evaluate identity, device posture, and context at the point of use rather than relying on a persistent VPN tunnel.
  • Map non-human identities into remote access paths Inventory service accounts, API credentials, and certificates that depend on remote connectivity so you can see where machine identities inherit the same trust assumptions as users.
  • Constrain privileged reach after authentication Use least privilege, segmented access, and conditional policy enforcement so a valid login does not become unrestricted lateral movement inside the environment.

What's in the full article

eMudhra's full article covers the practical detail this post intentionally leaves for the source:

  • How the vendor positions certificate-based access as an alternative to VPN-based remote connectivity.
  • Where the article connects Zero Trust to PDPA, ISO, GDPR, and HIPAA compliance expectations.
  • The way eMudhra describes its IAM and PKI stack across MFA, SSO, PAM, and adaptive authentication.
  • The business framing used to support hybrid-work security and digital transformation messaging.

👉 Read eMudhra's analysis of VPN fatigue and Zero Trust adoption in Malaysia →

VPN fatigue and zero trust: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

VPN fatigue is really trust-model fatigue. The problem is not only that VPNs are slow or awkward. It is that they preserve a location-based trust assumption in environments where access is now distributed across cloud apps, mobile endpoints, and third-party integrations. The implication is that identity architecture has to become the primary control plane, not the network boundary.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: How do IAM and PAM teams govern privileged remote access under Zero Trust?

A: They should bind privileged access to session-specific approval, strong authentication, device trust, and narrowly scoped permissions. Privileged accounts should not inherit broad network reach simply because the user connected remotely. The governance objective is to reduce standing exposure before a compromise can move laterally.

👉 Read our full editorial: Zero trust exposes the limits of VPN-first remote access



   
ReplyQuote
Share: