The End of VPNs — Part 2: Beyond the Buzz of Zero Trust

[Part 2 of 2 – Based on an interview with Zscaler CSO Deepen Desai]

By Holger Schulze, Cybersecurity Insiders

“Zero Trust isn’t a feature,” Deepen Desai told me during our RSA Conference interview. “It’s an architectural decision to stop trusting the network. You’re either enforcing that by design—or you’re pretending.”

In Part 1 of this series, we explored the failure of VPNs—how attackers exploit them, how they collapse under patching pressure, and how they expand risk instead of containing it. But our conversation in San Francisco didn’t stop at diagnosis. It turned toward what comes next.

The answer is Zero Trust. But not the watered-down, checkbox version.

“If your users connect and get placed on the network—even in the cloud—you’re not doing Zero Trust,” Desai said. “You’ve just moved your VPN to a new address.”

This isn’t about branding. It’s about architecture. And at Zscaler, that architecture is built on one foundational idea: reducing the attack surface in the first place.

The Invisible Attack Surface

If the core flaw of VPNs is that they make applications reachable, then Zero Trust flips that completely. Desai described it as eliminating network presence altogether.

With Zscaler Private Access (ZPA), users never access the network. There is no IP assignment. No shared subnet. No inbound access to anything.

Instead, both users and applications establish outbound-only connections to the Zscaler Zero Trust Exchange. If identity, policy, and posture align, Zscaler stitches the user and app connections together.

“If you can scan the network, you’re on the network,” Desai said. “And if you’re on the network, the attacker can be too.”

This approach removes the need for VPN concentrators, inbound firewall rules, or exposed IPs. Applications go dark. And attackers can’t target what they can’t see.

The Philosophy That Replaces the Perimeter

At its core, Zero Trust is a framework built on three non-negotiable principles, defined by NIST and echoed in Zscaler’s architecture:

  1. Never trust, always verify
    Every user, device, and workload must be authenticated and validated continuously—not just at login. Trust is not a location or a certificate. It’s earned, and it expires.
  2. Enforce least-privilege access
    Users don’t need broad network access—they need specific access to specific applications, at specific times. Permissions should be as narrow as possible, always.
  3. Assume breach
    Compromise is inevitable. The architecture must contain and isolate it. Lateral movement should not just be blocked—it should be impossible by design.

“Every one of those ideas breaks the legacy model,” Desai told me. “That’s why you can’t just rebrand your VPN and call it Zero Trust. It either enforces these tenets—or it doesn’t.”

At Zscaler, these principles are enforced not by firewalls, not by segmentation rules, but by the architecture itself. With ZPA, applications aren’t directly reachable, users aren’t on the network, and policies are enforced every time a connection is made.

From this foundation, the rollout begins.

The Four-Stage Shift to Zero Trust

Zscaler doesn’t advocate a forklift replacement of legacy systems. Instead, Desai laid out a four-stage adoption path—one that starts where the risk is highest and compounds benefit over time.

  1. Secure Internet Egress with ZIA

Before private apps, start with outbound traffic. Zscaler Internet Access (ZIA) enforces consistent policy and TLS inspection across all users—without backhauling traffic to a central datacenter.

This removes the need for on-prem proxies and applies protection close to the user. It’s the foundation that makes the rest of Zero Trust scalable.

  2. Replace Inbound VPN with ZPA

The next move is to eliminate VPN tunnels altogether. ZPA makes private applications invisible to the internet—no public IPs, no exposed services, no inbound firewall rules.

“It’s not just blocking access,” Desai said. “It’s removing the ability to even knock on the door.”

Access is determined by who the user is, what device they’re using, and what policy allows. Not where they’re connecting from or what network they’re on.

  3. Segment User to Application Access

This is where most organizations truly begin to understand the power of Zero Trust.

Instead of segmenting by subnet, VLAN, or NAC, Zscaler segments by user-to-app relationships. Policies are built around identity, not infrastructure. And Zscaler’s machine learning engine can detect real access patterns to suggest adaptive policies over time.

Desai shared one example where a customer believed they had 300 internal applications. Zscaler discovered over 10,000.

“You can’t segment what you don’t know exists,” he said. “But you also don’t have to do it all at once. Start with your crown jewels. Then isolate your riskiest users.”

That might include employees who routinely fail phishing simulations, users on unmanaged devices, or accounts showing anomalous behavior.

  4. Trap the Attacker Before the Damage Spreads

Even with segmentation in place, breaches happen. But Zero Trust doesn’t stop at prevention—it extends into containment.

Zscaler integrates deception directly into the access layer: decoy applications, seeded with breadcrumbs, are presented to users just like real apps. If touched, access to the real environment is immediately revoked—and the attacker is isolated.

“They don’t even know they’ve been shut out,” Desai said. “But they’ve already lost.”

This eliminates the lateral movement that VPNs so often enable—and turns the attacker’s playbook against them.

This is what makes Zero Trust more than prevention. It’s containment by design.
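As an added illustration, not code from Zscaler or from this article, the small Python broker below models the three tenets described earlier together with the decoy-triggered revocation of the containment stage: every connection is evaluated on its own, trust expires after a fixed age, apps with no user-to-app policy are denied by default, and the first touch of a decoy isolates that identity for all later requests. All application names, groups, and timings are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # identity groups asserted by the IdP
    device_managed: bool     # device posture signals
    posture_ok: bool
    app: str                 # the single application being requested
    auth_age_s: int          # seconds since the last strong authentication

@dataclass
class Broker:
    """Policy is evaluated on every connection; nothing is 'on the network'."""
    app_policy: dict                   # app -> groups allowed (default deny)
    decoys: frozenset                  # decoy apps listed alongside real ones
    max_auth_age_s: int = 900          # trust expires; re-verify after this
    isolated: set = field(default_factory=set)

    def decide(self, r):
        if r.user in self.isolated:
            return False, "user isolated after decoy contact"
        if r.app in self.decoys:
            # Assume breach: no legitimate workflow touches a decoy, so the
            # first contact revokes every later connection for this identity.
            self.isolated.add(r.user)
            return False, "decoy touched; access revoked"
        if r.auth_age_s > self.max_auth_age_s:
            return False, "authentication expired; re-verify"
        if not (r.device_managed and r.posture_ok):
            return False, "device posture check failed"
        allowed = self.app_policy.get(r.app)
        if allowed is None or not (r.groups & allowed):
            return False, "no user-to-app policy: default deny"
        return True, "user stitched to app"

def run_scenario():
    """Constructed sample: one finance app, one decoy, four connections."""
    b = Broker(app_policy={"erp": frozenset({"finance"})},
               decoys=frozenset({"erp-backup"}))
    ok = Request("alice", frozenset({"finance"}), True, True, "erp", 60)
    stale = Request("alice", frozenset({"finance"}), True, True, "erp", 3600)
    decoy = Request("alice", frozenset({"finance"}), True, True, "erp-backup", 60)
    return [b.decide(ok), b.decide(stale), b.decide(decoy), b.decide(ok)]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The final request is identical to the first yet is refused, which is the point: the decision depends on what the identity did since, not on a session that was granted once.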

What Doesn’t Work: NAC and Cloud VPNs

Desai was unequivocal about what Zero Trust is not.

“Putting a VPN in the cloud doesn’t change what it does,” he told me. “If users still get placed on the network, you’ve changed the address, not the architecture.”

Network Access Control (NAC) solutions are equally limited. They may inspect device posture at the edge, but they can’t prevent what happens inside a session—especially if the attacker has valid credentials. They can’t block data exfiltration from within an approved connection. And they certainly can’t make applications invisible.

The Real Benefit: Simplicity That Scales

While the security benefits are clear, Desai pointed out that Zero Trust is also an operations win—especially for organizations struggling with VPN overhead.

According to the VPN Risk Report:

  • 54% of security teams say VPNs cause recurring incidents
  • 41% say they drain resources from higher-value projects
  • ManpowerGroup cut 97% of remote access support tickets after moving to ZPA

“It’s not just your security team that benefits,” Desai said. “It’s your IT team. It’s your users. It’s your CFO who doesn’t want to keep buying concentrators or renewing patching contracts.”

When infrastructure goes away, the complexity and the cost that come with it follow it out the door.

Making the Case to the Board

Desai wrapped our conversation with advice for CISOs working to bring Zero Trust to the boardroom. His recommendation: don’t talk about controls. Talk about containment.

“The question isn’t whether you’ll be breached,” he said. “It’s what happens next. VPNs let that breach spread. Zero Trust stops it where it starts.”

With VPNs, the breach spreads. With Zero Trust, the breach is contained—access is limited by default, and even successful compromise can’t move laterally.

Desai advises CISOs to lead with these three points:

  1. Zero Trust shrinks breach impact
  2. It scales with distributed users and cloud adoption
  3. It replaces assumptions with proof—every time a connection is made

In a security climate where prevention is imperfect, containment is king.

A Shift That’s Already Happening

According to the 2025 VPN Risk Report, the transition is already happening. 65% of organizations are moving away from VPNs. 81% are investing in Zero Trust architecture.

This isn’t about buzzwords. It’s about control.

“VPNs make you reachable,” Desai said as we stood to leave. “Zero Trust makes your network and applications invisible to attackers. That’s the future.”
