Your VPN Was Never a Security Architecture

Tags: vpn, zero-trust, infrastructure, remote-work

COVID broke everyone's VPN. Good. It was a terrible security model to begin with. The answer isn't scaling your VPN — it's replacing the mental model entirely.

Your VPN is on fire. I know because mine was too, and so was every other company’s that treated VPN as its entire remote access strategy.

Here’s what happened: organizations sized their VPN for maybe 20% concurrent usage. Sales people on the road. The odd remote day. Then overnight, 100% of the workforce went remote and stayed there. Five times the sessions, five times the bandwidth, encryption overhead pegging every CPU on the gateway. Licensing servers falling over because nobody ever imagined needing that many concurrent seats.

I’m not going to pretend this was some unforeseeable event. It wasn’t. We all knew these VPN setups were fragile. We just got away with it because the failure condition never arrived. Until it did.

Everything broke at once

The fun part about VPN failures is how they cascade. It’s never just one thing.

License checks hit a ceiling first. Then the gateway CPU maxes out from encryption overhead. Then someone notices that all SaaS traffic — Teams, Slack, Google Workspace, everything — is hairpinning through the data center because full-tunnel was the default. So now your WAN link is saturated too. Then RADIUS or your directory service starts timing out because it was never load-tested for this volume. Then MFA starts queuing.

Meanwhile, you have one gateway and one ISP, because “we’ll add redundancy next quarter” has been on the roadmap for three years.

The help desk tickets pile up. Leadership asks why people can’t work. You explain that the VPN was designed for a different world. Nobody wants to hear that.

“Just scale the VPN” is the wrong answer

This is where I get annoyed. The knee-jerk response I keep seeing is: buy more licenses, add more gateways, throw bandwidth at it. And yes, that stops the bleeding. I did it too. But if your takeaway from this crisis is “we need a bigger VPN,” you’ve missed the point entirely.

VPNs grant network-level access. You connect, you’re on the network, you can reach things. The implicit trust model is insane if you think about it for more than thirty seconds. An employee’s compromised laptop gets VPN access and now it’s sitting on your corporate network with lateral movement potential. That was always the problem. COVID just made it impossible to ignore because now every employee’s home network is your attack surface.

The “just scale it” crowd is essentially saying: let’s take this fundamentally flawed security model and make it bigger. No thanks.

Split tunneling buys time, nothing more

I’ll give split tunneling credit for being the single most impactful quick fix. Stop routing SaaS traffic through your data center. Keep internal resources on the tunnel, let everything else go direct. VPN load drops dramatically.

But let’s be honest about what you’re doing. You’re acknowledging that the VPN was never needed for half the traffic flowing through it. Which should make you ask: what else doesn’t actually need to be on the VPN?

The answer, for most organizations, is almost everything. Most of your apps are already SaaS or could be accessed through an identity-aware proxy. The VPN is protecting a shrinking set of truly internal resources while adding overhead and fragility to everything else.

Where this actually needs to go

Zero trust. Identity-based access. Whatever you want to call it — the model where you authenticate and authorize at the application layer, not the network layer. Where a compromised device doesn’t get you lateral movement because there’s no implicit network trust to exploit.

I realize I sound like a vendor pitch right now, and I hate that. But the principle is sound even if the marketing around it is insufferable. Stop granting network access. Start granting application access. Verify the device, verify the identity, verify the context, grant access to exactly what’s needed.

You don’t have to rip out VPN tomorrow. That’s unrealistic. But you should be moving your most critical applications behind identity-aware access right now, and treating VPN as the legacy fallback for the stuff you haven’t migrated yet. Not the other way around.
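To make the contrast concrete, here is an added example (my own sketch, not code from any product or from this post) of what application-layer authorization looks like: every request names one application, and identity, device posture and context are all checked against that application's policy. The application names, group names and thresholds are made-up assumptions for the demonstration. Note how the same valid credentials on an unmanaged laptop reach less, which is exactly the lateral-movement story a flat VPN cannot tell.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_age_s: int            # seconds since the last strong authentication

@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in management
    disk_encrypted: bool
    edr_healthy: bool         # endpoint agent reporting and current

@dataclass(frozen=True)
class Context:
    app: str
    country: str              # where the request originates

# Constructed per-application policies (hypothetical apps and groups).
# There is no "on the network" shortcut: an app not listed here is denied.
POLICIES = {
    "wiki":    {"groups": {"staff"},   "require_managed": False,
                "mfa_max_age_s": 12 * 3600, "countries": None},
    "payroll": {"groups": {"finance"}, "require_managed": True,
                "mfa_max_age_s": 3600,      "countries": {"US", "CA"}},
    "prod-db": {"groups": {"sre"},     "require_managed": True,
                "mfa_max_age_s": 900,       "countries": {"US"}},
}

def authorize(identity, device, ctx):
    """Return (allowed, reasons). Every check must pass; nothing is inherited
    from network location, so a failed posture check denies even a valid user."""
    policy = POLICIES.get(ctx.app)
    if policy is None:
        return False, ["unknown application: default deny"]
    reasons = []
    if not identity.groups & policy["groups"]:
        reasons.append("identity not in required group")
    posture_ok = device.managed and device.disk_encrypted and device.edr_healthy
    if policy["require_managed"] and not posture_ok:
        reasons.append("device posture failed")
    if identity.mfa_age_s > policy["mfa_max_age_s"]:
        reasons.append("strong authentication too old")
    if policy["countries"] is not None and ctx.country not in policy["countries"]:
        reasons.append("request from disallowed location")
    return (not reasons), reasons

def reachable_apps(identity, device, country):
    """Which applications this identity+device+location combination can reach."""
    return sorted(app for app in POLICIES
                  if authorize(identity, device, Context(app, country))[0])

if __name__ == "__main__":
    alice = Identity("alice", frozenset({"staff", "finance"}), mfa_age_s=600)
    corp_laptop = Device(managed=True, disk_encrypted=True, edr_healthy=True)
    home_pc = Device(managed=False, disk_encrypted=False, edr_healthy=False)
    print("alice, managed laptop:", reachable_apps(alice, corp_laptop, "US"))
    print("alice, unmanaged PC:  ", reachable_apps(alice, home_pc, "US"))
```

Compare that with the VPN model from the previous section: the unmanaged PC with the same credentials would have been dropped onto the network and could have reached payroll, prod-db and everything in between.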

What I actually did

Honestly? Short term, the same ugly stuff everyone else did. Activated emergency licenses. Deployed additional gateways. Enabled split tunneling with endpoint posture checks. Added a second ISP. Staggered login windows to smooth the peaks.

None of it was elegant. All of it was necessary.

But the real work started after the fires were out. Moving applications behind identity-based access. Treating VPN as a shrinking perimeter, not an expanding one. Setting up monitoring that actually warns you before users start complaining — session counts trending up, auth failure rates, gateway CPU — instead of post-mortem log analysis.
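As an added illustration of that early-warning monitoring (my own example, not the author's tooling), here is a small checker that runs over gateway log lines and raises the three signals named above: concurrent sessions approaching the licensed seat count and trending upward, per-minute authentication failure rate, and gateway CPU. The log format, seat count and thresholds are constructed assumptions, not any vendor's real syntax; point the parser at your own gateway's format and feed it from your log pipeline.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical gateway log format (assumption).
# Each line: <timestamp> <gateway> <event or metric> [key=value ...]
SAMPLE_LOG = """\
2020-03-16T08:00:05Z gw1 auth_ok user=alice
2020-03-16T08:00:07Z gw1 session_start user=alice
2020-03-16T08:00:12Z gw1 auth_fail user=bob reason=radius_timeout
2020-03-16T08:00:20Z gw1 auth_fail user=carol reason=radius_timeout
2020-03-16T08:00:31Z gw1 auth_ok user=dave
2020-03-16T08:00:33Z gw1 session_start user=dave
2020-03-16T08:00:59Z gw1 cpu=71
2020-03-16T08:01:04Z gw1 auth_fail user=erin reason=radius_timeout
2020-03-16T08:01:10Z gw1 auth_ok user=frank
2020-03-16T08:01:11Z gw1 session_start user=frank
2020-03-16T08:01:55Z gw1 cpu=88
2020-03-16T08:02:02Z gw1 auth_fail user=gina reason=radius_timeout
2020-03-16T08:02:30Z gw1 auth_fail user=hank reason=mfa_timeout
2020-03-16T08:02:45Z gw1 auth_ok user=ivan
2020-03-16T08:02:46Z gw1 session_start user=ivan
2020-03-16T08:02:59Z gw1 cpu=93
"""

LICENSED_SEATS = 5      # constructed value for the sample
SEAT_WARN_RATIO = 0.8   # warn before the licence ceiling is actually hit
AUTH_FAIL_RATIO = 0.5   # share of failures per minute that suggests RADIUS/MFA trouble
AUTH_MIN_ATTEMPTS = 3   # ignore minutes with too few attempts to judge
CPU_WARN = 85           # percent

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>.+)$")

def parse(log_text):
    """Turn each line into a dict with 'minute', 'host', 'event' and key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip blank or malformed lines
        tokens = m["body"].split()
        ev = {"minute": m["ts"][:16], "host": m["host"]}
        ev["event"] = "metric" if "=" in tokens[0] else tokens[0]
        for tok in tokens:
            if "=" in tok:
                k, v = tok.split("=", 1)
                ev[k] = v
        events.append(ev)
    return events

def check(log_text, seats=LICENSED_SEATS):
    """Return a list of (kind, minute, detail) alerts derived from the log."""
    alerts, active, peak = [], 0, 0
    end_of_minute = {}                     # minute -> active sessions after its last event
    auth = defaultdict(lambda: {"ok": 0, "fail": 0})
    for ev in parse(log_text):
        minute, kind = ev["minute"], ev["event"]
        if kind == "session_start":
            active += 1
        elif kind == "session_end":
            active = max(active - 1, 0)
        elif kind == "auth_ok":
            auth[minute]["ok"] += 1
        elif kind == "auth_fail":
            auth[minute]["fail"] += 1
        elif kind == "metric" and "cpu" in ev and int(ev["cpu"]) >= CPU_WARN:
            alerts.append(("cpu", minute, f"gateway cpu {ev['cpu']}%"))
        peak = max(peak, active)
        end_of_minute[minute] = active
    minutes = sorted(end_of_minute)
    if minutes and peak / seats >= SEAT_WARN_RATIO:
        alerts.append(("seats", minutes[-1], f"peak {peak} of {seats} licensed seats"))
    for minute in sorted(auth):
        c = auth[minute]
        total = c["ok"] + c["fail"]
        if total >= AUTH_MIN_ATTEMPTS and c["fail"] / total > AUTH_FAIL_RATIO:
            alerts.append(("auth", minute, f"{c['fail']}/{total} auth attempts failed"))
    series = [end_of_minute[m] for m in minutes]
    # "trending up": strictly rising across the last three minutes
    if len(series) >= 3 and all(a < b for a, b in zip(series[-3:], series[-2:])):
        alerts.append(("trend", minutes[-1], f"sessions rising {series[-3:]}"))
    return alerts

if __name__ == "__main__":
    for kind, minute, detail in check(SAMPLE_LOG):
        print(f"{minute} {kind:6s} {detail}")
```

The point is the ordering of the signals: the seat and trend alerts fire while the gateway is still working, which is the window in which you can react before the help desk queue tells you about it.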

The goal is simple: every month, fewer things should require VPN. If that number isn’t going down, you’re just waiting for the next crisis to expose the same structural weakness all over again.