Encryption is just the envelope; access control is the lock on the door. A modern remote access stack combines strong authentication (MFA/SSO), fine-grained authorisation (RBAC/ABAC), and device/context checks (Conditional Access) — whether you use a classic VPN gateway or a ZTNA broker.
Need a refresher on tunnels, encryption, DNS leaks and kill switches? Start with VPN Security Basics.
From VPN to Zero Trust (ZTNA)
Rollout tip: For real-world deployment patterns, combine this guide with VPN for Enterprise and a user-focused playbook from VPN for Remote Access (plus VPN for Remote Work if you manage hybrid teams).
Classic VPNs solved a 2000s problem: put a remote user “inside the network” securely. The 2026 threat model is different — ransomware, credential stuffing, supply-chain compromise, and a workforce of contractors, BYOD laptops, and SaaS identities.
That’s why many organisations move towards Zero Trust Network Access (ZTNA): instead of “network access by default”, you grant app-specific access after checking identity, device health, and context.
Auditor’s framing
If your remote access design relies on a single shared credential + “once connected, everything is reachable”, you do not have access control — you have a tunnel. The tunnel can be perfectly encrypted and still be operationally unsafe.
Related: Site-to-Site VPN (how gateways connect offices/VPCs).
The building blocks: authentication, authorisation, and policy
Think in three layers. Each layer reduces a different class of risk:
- Authentication (AuthN) — proving who a user is (passwordless, certificates, FIDO2, MFA).
- Authorisation (AuthZ) — defining what they are allowed to reach (roles, groups, policies, time windows).
- Policy & context — deciding when access should be granted (device posture, location, anomaly signals).
MFA: the new minimum
For teams above ~5 people, MFA is no longer a “nice extra” — it is the primary defence against credential reuse and phishing. If you’re not enforcing MFA on VPN/SSO, your incident response plan is doing the heavy lifting instead.
The Denys Shchur Verdict
Verdict: If your team is over five people, MFA is not optional — it is your baseline control for remote access in 2026.
RBAC vs ABAC (and why it matters)
Role-Based Access Control (RBAC) is the workhorse: map users to roles (e.g., Finance, IT Admin), then map roles to resources. Attribute-Based Access Control (ABAC) adds richer policy logic (device type, managed status, risk score, location, time).
Most organisations start with RBAC for centralisation and predictability, then add ABAC-style conditions via Conditional Access or ZTNA policies.
SSO in practice: Entra ID (Azure AD) and Okta
SSO is not only convenience — it is centralised control. In 2026, the standard is to broker VPN/remote access through an identity provider so you can enforce MFA, disable access instantly, and apply risk-based rules.
- Microsoft Entra ID (Azure AD) — common in Microsoft 365 organisations; integrates tightly with Conditional Access.
- Okta — widely used for cross-platform SaaS estates; strong lifecycle and policy tooling.
From an audit perspective, SSO reduces the “shadow admin” risk: local accounts everywhere, inconsistent offboarding, and “we forgot this VPN user still exists”.
The Denys Shchur Verdict
Verdict: SSO is the cheapest way to improve revocation speed — when someone leaves, your authorisation chain should break in one place.
Conditional Access and device posture
Security teams: you’ll usually want central logging and policy baselines. See VPN for IT Security and keep VPN Troubleshooting bookmarked for client-side failures.
Conditional Access is the difference between “valid credentials” and “valid credentials from a trusted context”. Typical policies include:
- Block sign-in from high-risk geographies or impossible travel patterns.
- Require a managed device (MDM), disk encryption, and a minimum OS patch level.
- Step-up authentication for sensitive apps (finance/admin consoles).
This is where ZTNA shines: you can authorise access per application and re-check context continuously, rather than trusting a tunnel for hours.
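To make the three layers concrete, here is an added policy-evaluation example (not code from this page or from any identity provider) that applies the RBAC role-to-app mapping from the RBAC vs ABAC section and then the Conditional Access conditions listed above: MFA as the baseline, device posture (MDM enrolment, disk encryption, patch level), the sign-in risk signal, and step-up authentication for sensitive apps. Role names, app names, the minimum build number and the risk labels are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

# RBAC layer: role -> applications that role may reach (constructed sample mapping).
ROLE_APPS = {
    "finance": {"erp", "expenses"},
    "it-admin": {"admin-console", "vpn-gateway"},
    "staff": {"intranet", "expenses"},
}
# Apps that require step-up to phishing-resistant MFA (constructed list).
SENSITIVE_APPS = {"erp", "admin-console"}
MIN_OS_BUILD = 2600  # hypothetical minimum patch level enforced by the posture policy


@dataclass
class Context:
    """Signals the identity provider / ZTNA broker has at decision time."""
    roles: set[str]
    mfa: str            # "none", "otp" or "fido2"
    managed: bool       # device enrolled in MDM
    disk_encrypted: bool
    os_build: int
    risk: str           # sign-in risk from the IdP: "low", "medium" or "high"


def decide(app: str, ctx: Context) -> tuple[bool, str]:
    """Evaluate one access request; call it on every re-check, not once per tunnel."""
    # 1. AuthZ (RBAC): does any of the user's roles grant this app at all?
    if not any(app in ROLE_APPS.get(role, set()) for role in ctx.roles):
        return False, "rbac: no role grants this app"
    # 2. AuthN baseline: MFA is mandatory, whatever the app.
    if ctx.mfa == "none":
        return False, "authn: mfa required"
    # 3. Conditional Access / ABAC: device posture must pass before credentials count.
    if not (ctx.managed and ctx.disk_encrypted and ctx.os_build >= MIN_OS_BUILD):
        return False, "posture: unmanaged, unencrypted or unpatched device"
    # 4. Risk signal: high-risk sign-ins are blocked even with valid credentials.
    if ctx.risk == "high":
        return False, "risk: high-risk sign-in blocked"
    # 5. Step-up: sensitive apps require FIDO2 rather than OTP-style MFA.
    if app in SENSITIVE_APPS and ctx.mfa != "fido2":
        return False, "step-up: fido2 required for sensitive app"
    return True, "allow"


def compliant_staff() -> Context:
    """A compliant managed device, OTP MFA, low risk: the 'happy path' for a staff user."""
    return Context(roles={"staff"}, mfa="otp", managed=True,
                   disk_encrypted=True, os_build=2600, risk="low")
```

The reason string is returned alongside the decision so the gateway can log why a request was denied, which is what the later alerting step depends on.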
RADIUS & LDAP (legacy, still relevant)
Even in 2026, many networks still authenticate VPN gateways using RADIUS (often backed by Active Directory) and authorise access using LDAP-driven group membership. It’s not trendy, but it’s operationally common — especially in mixed on-prem estates.
If you’re modernising, treat these as integration points: keep compatibility while moving policy decisions to a centralised identity layer.
Controls comparison table
| Control | Stops | Effort to implement | Breach impact if missing | 2026 fit |
|---|---|---|---|---|
| MFA | Password reuse, basic phishing success, credential stuffing | Low → Medium | High (account takeover → lateral movement) | Baseline |
| RBAC | Over-privileged users, accidental admin access | Medium | High (privilege escalation becomes easy) | Baseline |
| Conditional Access | Credential use from risky locations/devices | Medium → High | High (stolen creds remain valid everywhere) | Strongly advised |
| ZTNA (app-level) | Broad network exposure, flat trust zones | High | Very High (one foothold → entire network) | Best practice |
| Segmentation (VLANs) | Guest/BYOD pivot into server networks | Medium | High (ransomware spread) | Strongly advised |
| Logging & alerting | Silent compromise, delayed response | Medium | High (you pay in downtime and forensics) | Baseline |
Implementation checklist (sysadmin-ready)
If you need a pragmatic sequence that works in real organisations, here’s a defensible order:
- Enforce MFA on VPN/SSO logins (start with admins and contractors, then expand).
- Centralise identity with SSO (Entra ID/Okta) and standardise offboarding.
- Define roles (RBAC) and remove broad “any to any” access where possible.
- Add Conditional Access for device posture and anomaly controls.
- Segment networks (guest VLAN, contractor VLAN, server subnet protections).
- Consider ZTNA for sensitive apps and third-party access patterns.
- Instrument logs and alert on suspicious remote access events.
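For the last step of the checklist, here is an added example (constructed for this page, not from any gateway or SIEM product) of alerting logic run over a handful of constructed VPN/SSO authentication events. It flags impossible travel between two successful sign-ins by the same user and a credential-stuffing pattern where many distinct usernames fail from one source IP inside a short window. The log line format, the thresholds and the coordinates are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: "<ISO time> <user> <source IP> <result> <lat> <lon>".
EVENTS = [
    "2026-03-02T08:00:00 alice 203.0.113.10 success 51.50 -0.12",   # London
    "2026-03-02T08:20:00 alice 198.51.100.7 success 40.71 -74.01",  # New York, 20 min later
    "2026-03-02T09:00:00 bob 192.0.2.50 failure 52.52 13.40",
    "2026-03-02T09:00:05 carol 192.0.2.50 failure 52.52 13.40",
    "2026-03-02T09:00:09 dave 192.0.2.50 failure 52.52 13.40",
    "2026-03-02T09:00:14 erin 192.0.2.50 failure 52.52 13.40",
    "2026-03-02T09:00:20 frank 192.0.2.50 failure 52.52 13.40",
    "2026-03-02T09:30:00 bob 192.0.2.77 success 52.52 13.40",
]
MAX_KMH = 900          # faster than an airliner between two sign-ins = impossible travel
MIN_KM = 100           # ignore small location jitter between nearby sign-ins
STUFFING_USERS = 5     # distinct usernames failing from one IP within the window
STUFFING_WINDOW_S = 60

def parse(line):
    ts, user, ip, result, lat, lon = line.split()
    return datetime.fromisoformat(ts), user, ip, result, float(lat), float(lon)

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance, used to turn two sign-in locations into a travel speed.
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect(lines):
    """Return (rule, subject) alerts for chronologically ordered events."""
    alerts, last_success, failures_by_ip = [], {}, defaultdict(list)
    for ts, user, ip, result, lat, lon in map(parse, lines):
        if result == "success":
            prev = last_success.get(user)
            if prev:
                km = haversine_km(prev[1], prev[2], lat, lon)
                hours = max((ts - prev[0]).total_seconds() / 3600, 1e-9)
                if km >= MIN_KM and km / hours > MAX_KMH:
                    alerts.append(("impossible_travel", user))
            last_success[user] = (ts, lat, lon)
        else:
            # Slide the per-IP failure window, then count distinct usernames in it.
            recent = [(t, u) for t, u in failures_by_ip[ip] if (ts - t).total_seconds() <= STUFFING_WINDOW_S]
            recent.append((ts, user))
            failures_by_ip[ip] = recent
            if len({u for _, u in recent}) == STUFFING_USERS:
                alerts.append(("credential_stuffing", ip))
    return alerts
```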
Before you change protocols or gateways
Do a baseline check first: run our Privacy Leak Test and document what DNS/WebRTC/IPv6 exposure looks like today. Then changes (WireGuard/OpenVPN/IKEv2, new gateway, new policies) become measurable instead of emotional.
Related: Types of VPN Protocols and VPN Encryption.
FAQ
Is a VPN “enough” for business in 2026?
A tunnel alone is rarely enough. If you don’t have strong authentication, authorisation, segmentation, and monitoring, the VPN simply makes compromise quieter. The modern direction is VPN + ZTNA-style policy controls.
What’s the fastest upgrade that actually reduces risk?
Enforce MFA and centralise identity. Those two changes dramatically shorten the “time-to-revoke” when credentials are compromised or staff leave.
Does Site-to-Site VPN need access control too?
Yes — Site-to-Site secures traffic between gateways, but access control decides which users, services, and subnets are reachable. If you connect offices or VPCs, you need segmentation and identity controls to prevent lateral movement. See: Site-to-Site VPN.