Is a VPN Required for ALL Remote Work? Transitioning to Zero-Trust

Network Security & Remote Work

As businesses migrate to cloud-based SaaS platforms and adopt Zero-Trust Architecture, the traditional client VPN is starting to look like a relic of the past. Yet, many HR policies still strictly mandate them. Let’s explore whether encapsulating all off-network traffic is actually necessary in 2026.

Recently, a systems administrator shared a highly relatable frustration on an IT community forum. Their company had successfully modernized its infrastructure—removing the clunky client VPN in favor of a robust Zero-Trust model and replacing legacy on-premise servers with modern SaaS (Software as a Service) applications.

From a technical standpoint, the transition was flawless. However, they hit an unexpected administrative wall. The HR department was drafting a new remote work policy with a rigid stipulation: “If the user cannot connect to the VPN, they cannot work remotely.”

The IT admin pushed back, arguing that since all web traffic is already encrypted (HTTPS) and they no longer host infrastructure that requires tunneling, a mandatory VPN was an unnecessary, obsolete step. But are they right? Let’s dissect the Zero Trust vs VPN debate and figure out if a VPN is still an absolute necessity for remote employees.

The IT vs. HR Disconnect

Non-technical departments often view the VPN as a magical “security switch.” Without it toggled “ON,” they assume the employee is unprotected on the public internet. Educating policy-makers on modern cloud security is crucial to securely set up remote workers without causing bottleneck frustrations.

Why the Corporate VPN Was the Gold Standard

To understand why HR departments cling to VPN policies, we have to look back at how corporate networks were originally designed. The traditional model was built like a medieval castle. Everything valuable—file servers, internal databases, ERP software, and intranets—lived inside the corporate headquarters (the castle).

The firewall acted as the moat. If you were inside the building, you were trusted. If you were working from home, you needed a secure bridge to cross the moat. That bridge was the Virtual Private Network (VPN).

  • Network Access: It gave the laptop an IP address on the corporate network, so internal servers and firewall rules treated the remote machine as if it were sitting in the office.
  • Traffic Encapsulation: It wrapped traffic between the laptop and the corporate gateway in an encrypted tunnel (in a full-tunnel configuration, all of the laptop’s internet traffic), protecting data from snoops on home routers or public Wi-Fi.

However, the modern workplace has moved out of the castle. You don’t host an Exchange server in the closet anymore; you use Microsoft 365. You don’t use custom CRM software hosted on an aging Dell server; you use Salesforce. The perimeter has dissolved.

Enter Zero-Trust Architecture (ZTA)

As the IT admin in the forum correctly pointed out, their company shifted to a Zero-Trust framework. But what exactly does that mean for remote work security?

The core philosophy of Zero-Trust is: “Never Trust, Always Verify.”

Instead of granting broad access to the entire network just because someone flipped on a VPN, a Zero-Trust Network Access (ZTNA) broker authenticates the user, checks the device’s health, and evaluates the context of the request every time they try to access an application, and then connects them to that one application only.

🔓 The Problem with VPNs

If an attacker steals an employee’s VPN credentials (or compromises the laptop they sit on), the VPN grants exactly what it was designed to grant: an address on the corporate network. On a flat network, that means every internal server is reachable for scanning and “lateral movement”, hopping from the compromised endpoint to sensitive systems that were never meant to face the internet. MFA on the gateway and internal segmentation reduce the damage, but the grant is still network-wide rather than per application.

🛡️ The Zero-Trust Solution

Zero-Trust connects users to specific applications, not to the network. Each application (Slack, the finance system, the HR portal) is a separate grant with its own entitlement, MFA strength and device-posture check, evaluated per session. An attacker who hijacks an employee’s Slack session holds exactly that: a Slack session. It gives them no route to the financial systems, because there is no shared network to pivot across and the finance grant is decided independently.

If your company has implemented Single Sign-On (SSO), Multi-Factor Authentication (MFA), and runs strictly on SaaS, you have removed most of what the legacy VPN was for. Two caveats before declaring victory: the MFA should be phishing-resistant (FIDO2/WebAuthn rather than SMS codes), because a stolen SSO session now opens every app the user is entitled to, and the Identity Provider should check device posture, otherwise “never trust, always verify” is only verifying the user. For more details on this transition, read our analysis on The Future of VPNs and the shift to Zero-Trust.
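To make the difference in scope concrete, here is an added example (not code from the forum post or from any vendor product) that models the two decisions side by side: a VPN-style gateway check that yields network reach to everything behind it, and a ZTNA-style check that evaluates this user, this device and this context against one application’s policy. The application names, policy fields, posture attributes and MFA strength ranking are all assumptions made for the illustration.

```python
"""
Added example for this article (not code from the forum post or any vendor
product): a toy per-request access decision of the kind a ZTNA broker makes,
placed beside a VPN-style decision so the difference in scope is visible.

Everything here is assumed for illustration: the application names, the
policy fields, the posture attributes and the MFA strength ranking.
"""
from dataclasses import dataclass

# Ranking used to compare an MFA method against a policy's minimum (assumed).
MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "fido2": 3}

# Per-application policy (assumed). Each app is its own grant; nothing is
# implied by being "on the network", because there is no network grant.
APP_POLICY = {
    "slack": {
        "groups": {"employees"},
        "min_mfa": "totp",
        "posture": {"managed", "edr_healthy"},
    },
    "finance": {
        "groups": {"finance"},
        "min_mfa": "fido2",
        "posture": {"managed", "edr_healthy", "disk_encrypted", "os_patched"},
        "countries": {"US", "GB"},
    },
}


@dataclass(frozen=True)
class Device:
    managed: bool
    edr_healthy: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_method: str
    device: Device
    app: str
    country: str


def vpn_decision(req: Request) -> set:
    """Legacy model: one successful login to the gateway yields network reach
    to every application behind it. No device or per-app check exists, so the
    result is all-or-nothing."""
    if "employees" in req.groups and MFA_STRENGTH[req.mfa_method] >= MFA_STRENGTH["sms"]:
        return set(APP_POLICY)
    return set()


def ztna_decision(req: Request) -> tuple:
    """Zero-trust model: evaluate this user, this device and this context
    against this application's policy. Returns (allowed, reason)."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not policy["groups"] & req.groups:
        return False, "user not entitled to this application"
    if MFA_STRENGTH[req.mfa_method] < MFA_STRENGTH[policy["min_mfa"]]:
        return False, f"requires {policy['min_mfa']} or stronger MFA"
    failed = sorted(c for c in policy["posture"] if not getattr(req.device, c))
    if failed:
        return False, "device posture failed: " + ", ".join(failed)
    if "countries" in policy and req.country not in policy["countries"]:
        return False, "request location not permitted for this application"
    return True, "allow"


def reachable_apps(req: Request) -> set:
    """Which applications this request could open under ZTNA, decided app by app."""
    return {
        app for app in APP_POLICY
        if ztna_decision(Request(req.user, req.groups, req.mfa_method,
                                 req.device, app, req.country))[0]
    }


if __name__ == "__main__":
    # Constructed scenario: stolen username/password plus a phished TOTP code,
    # replayed from an unmanaged laptop abroad.
    stolen = Request("alice", frozenset({"employees", "finance"}), "totp",
                     Device(managed=False, edr_healthy=False,
                            disk_encrypted=True, os_patched=True),
                     "finance", "RO")
    print("VPN grants:", sorted(vpn_decision(stolen)))        # every app behind the gateway
    print("ZTNA finance:", ztna_decision(stolen))             # denied, with the reason
    print("ZTNA reachable:", sorted(reachable_apps(stolen)))  # nothing
```

The point of the contrast is the return type as much as the rules: `vpn_decision` answers “is this person allowed on the network?” once, while `ztna_decision` is asked again for every application and can deny the finance system to a user who is perfectly entitled to it because the device, MFA method or location does not meet that one app’s bar.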

“But Isn’t a VPN Needed to Encrypt Web Traffic?”

This is the most common counter-argument. HR or management will say, “We need the VPN so our employees’ traffic is encrypted when they work from Starbucks.”

The IT admin from our Reddit example noted: “…since all web traffic is already encrypted now, it feels like an unnecessary step.” And they are largely correct.

  1. The Ubiquity of HTTPS: The overwhelming majority of web traffic today is encrypted with HTTPS (TLS). Whether you are logging into Google Workspace, Salesforce, or your bank, the connection between your browser and the service is encrypted in transit, and the browser refuses to proceed if the server’s certificate does not validate for that hostname.
  2. What the Local Network Can See: Without a VPN, the local network operator (or the Starbucks Wi-Fi provider) can see *which* services you are connecting to, because DNS queries and the TLS Server Name Indication (SNI) field carry the hostname in cleartext unless encrypted DNS and Encrypted Client Hello are in use (so they know you went to `salesforce.com`). They cannot see the data you are sending, the passwords you type, or the client files you are downloading.
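The following added example (not code from the article or the forum post) shows what that metadata leak looks like at the byte level. It constructs a TLS ClientHello carrying an SNI extension and an opaque application_data record, then parses both the way a passive sniffer on the hotspot would: the hostname comes out in cleartext, the encrypted record yields nothing but its length. All bytes are constructed inline for the demo; where a server supports Encrypted Client Hello the SNI field is itself encrypted and this parser would recover nothing.

```python
"""
Added example for this article (not code from the forum post): what a passive
observer on a coffee-shop Wi-Fi can read from an HTTPS connection without
breaking the encryption. It constructs a TLS ClientHello carrying a Server
Name Indication (SNI) extension, parses it the way a sniffer would, and shows
that an application_data record yields only its length.
All bytes are constructed here for the demo; nothing is captured from a
real network.
"""
import os
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record with one SNI entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    sni_data = struct.pack("!H", len(entry)) + entry            # ServerNameList
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + os.urandom(32)                          # random
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites: one entry
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """Wrap already-encrypted bytes in an application_data record."""
    return struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, len(ciphertext)) + ciphertext


def extract_sni(handshake: bytes):
    """Walk the ClientHello to its extensions and return the SNI hostname, or None."""
    pos = 4 + 2 + 32                                   # type+length, version, random
    pos += 1 + handshake[pos]                          # session_id
    pos += 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + handshake[pos]                          # compression_methods
    if pos + 2 > len(handshake):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", handshake[pos:pos + 4])
        data = handshake[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:                         # host_name entry
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def observe_record(record: bytes) -> dict:
    """What a passive observer learns from a single TLS record."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if content_type == TLS_APPLICATION_DATA:
        return {"type": "application_data", "encrypted_bytes": len(payload)}
    if content_type == TLS_HANDSHAKE and payload[:1] == bytes([HANDSHAKE_CLIENT_HELLO]):
        return {"type": "client_hello", "sni": extract_sni(payload)}
    return {"type": f"other(0x{content_type:02x})"}


if __name__ == "__main__":
    hello = build_client_hello("salesforce.com")
    data = build_application_data(os.urandom(1200))   # stands in for a real ciphertext
    print(observe_record(hello))   # hostname visible to the hotspot operator
    print(observe_record(data))    # only a byte count
```

The same walk works on a real capture: feed `extract_sni` the handshake bytes of the first record a client sends and the destination hostname falls out, which is exactly why an observer knows you visited `salesforce.com` but not what you did there.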

⚠️ The Public Wi-Fi Exception

While HTTPS secures the data payload, public networks still carry risk: rogue hotspots and captive portals that steer users toward plain-HTTP pages, DNS spoofing (which cannot forge a valid certificate but can redirect plain-HTTP requests and first visits to sites without HSTS), and attackers who count on users clicking through certificate warnings. Certificate validation defeats a straightforward man-in-the-middle against an HTTPS site, but it only protects traffic that is actually HTTPS. If your team frequently travels, consider reading our Guide to Secure Public Wi-Fi to understand when an encapsulating tunnel is still beneficial.

When Do You STILL Require a VPN?

So, was the IT admin justified in pushing back on the HR policy? Mostly yes, but there are still specific use cases where a VPN remains a strict operational requirement for remote teams:

  • Legacy On-Premise Software and Non-Web Protocols: If your company still relies on older software hosted on servers in the office that cannot be exposed to the public internet safely, or on protocols that are not HTTPS (SMB file shares, RDP, direct database connections, printing), a tunnel of some kind is mandatory, whether a classic VPN or a ZTNA connector that publishes only those services.
  • Strict Compliance & Dedicated IPs: Certain platforms allowlist access by source IP address. If your SaaS vendor requires all traffic to originate from a single, static IP, a managed business VPN (or a cloud egress gateway) is the easiest way to route remote workers through that approved address.
  • Bypassing Geo-Restrictions: If you have remote workers traveling internationally to regions with strict national firewalls, a VPN is necessary to ensure continuous access to essential cloud apps.

Updating Your HR & IT Remote Work Policy

The conflict highlighted in the forum is a classic example of policy lagging behind technology. Writing “Must use VPN” into an employee handbook in 2026 is often a symptom of treating cybersecurity as a checkbox rather than a dynamic strategy.

Instead of forcing a blanket VPN requirement, modern IT policies should focus on:

| Outdated Policy Language | Modern Zero-Trust Policy Language |
|---|---|
| “Employees must connect to the corporate VPN before beginning work.” | “Employees must access corporate resources exclusively through the company’s approved Identity Provider (IdP) using Multi-Factor Authentication.” |
| “Never use public Wi-Fi without the VPN enabled.” | “Devices must maintain active Endpoint Detection and Response (EDR) agents, and all company data must remain within approved SaaS environments.” |

Remember, what made the legacy model risky was not the tunnel itself but what it granted: a compromised laptop connecting to the core network via a VPN brings the attacker onto that network. A managed, healthy device connecting directly to a SaaS platform through the Identity Provider exposes only the applications that user and device are entitled to. This paradigm shift makes continuous cybersecurity training critical for remote teams, since the user’s identity and session are now the main thing an attacker needs to obtain.

Frequently Asked Questions

Is a VPN necessary if our company only uses SaaS applications?

Generally, no. If your infrastructure is entirely cloud-based (SaaS) and utilizes modern identity and access management (IAM) like a Zero-Trust model, a traditional client VPN is largely unnecessary. Modern web traffic is already secured via HTTPS/TLS encryption.

Why do HR departments still mandate VPNs for remote work?

Many HR and compliance policies are built on legacy IT frameworks. They often view the VPN as a blanket ‘security toggle.’ Updating these policies requires IT leaders to educate non-technical departments on how Zero-Trust Architecture provides superior, granular security without needing a network-wide VPN tunnel.

What is the difference between Zero-Trust and a VPN?

A VPN connects a user to a corporate network; once authenticated, they can reach whatever that network (and its internal firewall rules, if any) lets them reach. Zero-Trust operates on the principle of ‘never trust, always verify,’ granting access only to specific applications on a per-session basis after checking the user, the device and the context of the request. This minimizes the risk of lateral movement if a remote device is compromised.

Source & Community Insight: This technical discussion was inspired by real-world IT admin challenges regarding outdated HR policies and the shift from legacy VPNs to Zero-Trust models.
View similar discussions on the r/sysadmin community.
