VPNs and identity trust gaps: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: VPNs hide IP addresses and encrypt traffic, but they do not eliminate tracking, endpoint risk, or the broader trust assumptions built into remote access, according to DigiCert. For identity teams, the real question is how VPN use fits into access governance, device trust, and zero-trust control design.

NHIMG editorial — based on content published by DigiCert: What is a VPN?

Questions worth separating out

Q: How should security teams govern VPN access in a zero-trust model?

A: Security teams should treat VPNs as one transport control inside a broader zero-trust design, not as the trust decision itself.

Q: When does VPN use create more risk than it reduces?

A: VPN use creates more risk when it becomes a shortcut to broad internal access, especially for users, contractors, or admins who do not need full network reach.

Q: What do security teams get wrong about VPN privacy?

A: Teams often overstate what VPN privacy actually delivers.

Practitioner guidance

  • Classify VPNs as a transport layer control: Document VPNs in your access architecture as encrypted transit, not as proof of user or device trust.
  • Retire weak or legacy tunnelling protocols: Inventory PPTP and any similar legacy configurations, then create a deprecation path to modern protocols with stronger cryptography and supportability.
  • Separate privacy claims from security guarantees: Update user guidance so VPN communications explain what is protected in transit and what still remains visible through browser history, cookies, and application logs.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Protocol-by-protocol explanation of PPTP, L2TP, and OpenVPN setup choices
  • Consumer-facing privacy and browsing use cases for home users and casual remote access
  • Practical notes on free versus paid VPN services and where each tends to fit
  • A short comparison between VPNs and Tor for users who want anonymity rather than private transport

👉 Read DigiCert's guide to VPNs, protocols, and privacy trade-offs →
