Secure your digital future with Syndis

A Note on Remote Access VPNs

This article focuses on VPNs used only for accessing private, internal networks, not those that also serve as a secure web gateway, filtering and logging internet traffic.

Many companies talk about moving away from their VPN: a deliberate, planned project involving architecture reviews and modern zero-trust frameworks. That’s often a big undertaking.

But this article isn’t about those big transitions.

It’s about the quieter story of the smaller group of companies where the VPN has become irrelevant almost by accident.

The question is: has anyone noticed?

It is worth asking this question again. The answer from 3 years ago may not be the answer today. In that context, here are three points worth considering:

  • The number of SaaS tools we use has been growing over the years. The result is simple: fewer people need access to the internal network.
  • The risk from VPN vulnerabilities has also changed. We know that new, serious vulnerabilities are exploited faster today than a few years ago.
  • Endpoint agents, like Intune, EDR and other management tools, connect directly to the internet. They do not need the VPN to get updates or send alerts.

Many of you are hardening your VPN: geo-blocking, good rules, device certs. For some of you, this might be a solution to a risk that does not need to exist.

So, look at your VPN logs. But be careful: an auto-connect setting can create false positives, so it is also important to ask users about their actual needs.

Is anyone really using it? Is it just five people? Is it only for one old internal application?
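One way to run that log check, as an added example that is not from the original article: it separates sessions that carried real internal traffic from tunnels that were merely connected. The CSV columns, the byte threshold and the sample rows are constructed assumptions; map them to whatever your VPN or firewall exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not a vendor format.
SAMPLE_LOG = """user,start,duration_min,internal_bytes,internal_dest
anna,2024-05-02T08:01,480,0,
anna,2024-05-03T08:00,475,1200,
bjorn,2024-05-02T09:15,35,48210344,erp.corp.example:443
bjorn,2024-05-09T10:02,50,39120771,erp.corp.example:443
carla,2024-05-06T22:40,12,904112,10.0.4.20:22
david,2024-05-02T07:55,510,800,
david,2024-05-03T07:58,495,0,
"""

# Assumed threshold: a session below this carried only keepalive-level traffic.
MIN_INTERNAL_BYTES = 100_000


def summarize(log_text, min_bytes=MIN_INTERNAL_BYTES):
    """Return (active session counts, idle users, users per internal destination)."""
    active = defaultdict(int)
    seen = set()
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        seen.add(user)
        # A long session with almost no internal bytes is the auto-connect pattern.
        if int(row["internal_bytes"]) >= min_bytes:
            active[user] += 1
            if row["internal_dest"]:
                dests[row["internal_dest"]].add(user)
    idle = sorted(seen - set(active))
    return dict(active), idle, {d: sorted(u) for d, u in dests.items()}


if __name__ == "__main__":
    active, idle, dests = summarize(SAMPLE_LOG)
    print("users with real internal traffic:", active)
    print("connected but idle (likely auto-connect, ask them):", idle)
    for dest, users in sorted(dests.items()):
        print(f"  {dest}: {users}")
```

Users in the idle list are the ones to ask directly, since a quiet tunnel alone does not prove they have no need.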

If it is just for a few web applications, remember there are many products that can publish this to the internet in a safe and restricted manner. You do not need a full VPN for just that.

If the usage is very low, you must ask: is the small need worth the big risk? For the few admins that need emergency access, you can use other solutions. Or you can lower the risk by making the user group much smaller and the IP allow list very strict.

The point is, the risk of a “VPN for everyone” may be too high now if the usage is low. For some of you, it is time to turn it off.

