Why It’s Time to Retire Traditional VPNs, Part 1
Imagine you’re a CIO or IT admin, sipping your morning coffee, and an urgent security bulletin flashes across your screen — it’s yet another critical vulnerability in your company’s virtual private network (VPN). Attackers are already exploiting it in the wild, so you face the familiar scramble to patch systems as quickly as possible.
It’s a story that many enterprises know all too well: Legacy VPNs, once the tried-and-true access control for remote work, have become a liability in today’s threat landscape. In fact, the past few years have been full of high-profile exploits of VPN vulnerabilities, causing many organizations to rethink their reliance on traditional VPNs.
From VPN headaches to Zero Trust
In this blog post, we’ll explore why traditional VPNs are showing their age and how a Zero Trust approach with Akamai Enterprise Application Access can rescue your organization from the cycle of VPN headaches.
The cracks in legacy VPNs
VPN technology hasn’t changed fundamentally in more than 25 years — it still essentially provides a tunnel with full access to the corporate network. When a user (or an intruder who steals VPN credentials) connects through a legacy VPN, they often get access to internal systems far beyond what they actually need.
This implicit trust model is like giving someone a master key to every door in your building. One misconfiguration in complex VPN access control policies can accidentally grant overly broad privileges, allowing an attacker who slips in to roam freely. It’s no surprise that many major breaches originate from VPN credentials being abused to gain network-level access and enable lateral movement through an organization.
Beyond posing access concerns, VPNs also poke holes in your firewall. To let users in, you must keep inbound ports open on the perimeter — typically placing the VPN appliance in a DMZ and trusting it to vet traffic. But every open port enlarges your attack surface. If the VPN itself has a vulnerability, that doorway can be flung wide open for attackers.
Dangerous vulnerabilities
Unfortunately, this isn’t a hypothetical risk — recent events have proven it. In early 2024, one popular VPN platform had to disclose multiple severe CVEs in its on-premises appliances within a single month. Two of the flaws were so dangerous that, when used together, exploitation did not require authentication.
As the vendor explained, “[This] enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” In other words, attackers could break in without valid credentials and run code on the VPN box; it was effectively an open door into the entire network.
Attackers wasted no time before jumping on such flaws. Security researchers observed mass exploitation of VPN vulnerabilities within days of disclosure as attackers rushed to take advantage.
The situation became so dire that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its first emergency directive of 2024, ordering federal agencies to temporarily disconnect the vulnerable VPN devices from their networks because of active attacks by state-sponsored actors.
If you’ve ever found yourself frantically patching your VPN and double-checking that no one slipped in during the chaos, you’re not alone.
Widespread exploitation
And that is just one example. These issues span multiple vendors and platforms:
In 2023, 133 VPN vulnerabilities were reported — a 47% increase from 2022.
Another major VPN solution revealed an authentication bypass zero-day that attackers had been exploiting since at least November 2024, allowing them to hijack VPN appliances with full administrative control.
In early 2025, researchers uncovered yet another critical VPN flaw — this one allowing remote attackers to hijack active VPN sessions without any valid credentials.
This constant drumbeat of VPN vulnerabilities across the industry highlights just how fragile legacy network security can be. The burden falls on your team to vigilantly track and patch each one — an endless game of Whac-A-Mole that overworked security teams find daunting.
Enter Akamai Enterprise Application Access
There is a better way forward, and it starts with rethinking the assumption that anyone using a VPN should have access to everything inside.
Zero Trust Network Access (ZTNA) is an approach that says no to implicit trust. Enterprise Application Access, part of Akamai’s Zero Trust portfolio, flips the VPN model on its head.
Instead of opening a broad tunnel into your network, Enterprise Application Access provides secure, segmented, application-level access. Think of it as giving each user a valet key that only starts the one car that they’re allowed to drive (in this case, a specific application) and nothing else.
How does Enterprise Application Access achieve this? It uses a fundamentally different cybersecurity model built on Zero Trust principles, including:
No more inbound firewall holes
With Enterprise Application Access, you can close those VPN ports for good. Your on-premises applications remain hidden behind your firewall, and a lightweight Enterprise Application Access connector inside your environment initiates outbound, cloud-based connections to Akamai Cloud.
Since all traffic from your data center to Akamai is outbound, an external attacker can’t see or hit your internal apps. Your attack surface shrinks dramatically — essentially to zero for inbound attack paths.
Application-layer access, not network access
Users connecting through Enterprise Application Access never access your corporate network. Their connection terminates at Akamai Cloud, and Enterprise Application Access’s cloud proxy then safely connects them only to the specific application or resource they need. They can’t scan your internal network or perform lateral movement because they’re never on the network to begin with.
In essence, Enterprise Application Access enforces least-privilege access — each user is explicitly allowed to reach only the apps and resources their role requires. This per-app, per-session isolation means even if an account is compromised, the potential blast radius is minimal and contained. Contrast that with a VPN, where one employee's compromised credentials could potentially unlock broad swaths of your network.
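The contrast the two paragraphs above draw can be made concrete with a small model of each access decision. This is an added illustration, not Akamai's code and not part of the original post; the host inventory, address range, user names and policy assignments are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample inventory of internal systems (assumed values, not from the post).
INTERNAL_HOSTS = {
    "hr-portal": "10.0.1.10",
    "payroll-db": "10.0.2.20",
    "git-server": "10.0.3.30",
    "file-share": "10.0.4.40",
}

# Legacy VPN: a successful login installs a route to the whole corporate range.
VPN_ROUTE = ip_network("10.0.0.0/16")

# Application-level (ZTNA-style) policy: identity -> explicitly allowed applications.
# Hypothetical users and assignments for illustration.
APP_POLICY = {
    "alice@example.com": {"hr-portal"},
    "bob@example.com": {"git-server"},
}


def vpn_reachable(password_ok: bool) -> set[str]:
    """Network-layer model: one valid credential exposes every host inside the routed
    range, regardless of who the user is or which system they actually need."""
    if not password_ok:
        return set()
    return {name for name, ip in INTERNAL_HOSTS.items() if ip_address(ip) in VPN_ROUTE}


def app_reachable(user: str, password_ok: bool, mfa_ok: bool) -> set[str]:
    """Application-layer model: the session is gated on identity plus MFA, and even then
    the user reaches only the applications their policy names; no network route exists."""
    if not (password_ok and mfa_ok):
        return set()
    return set(APP_POLICY.get(user, set()))


def blast_radius(user: str, password_ok: bool, mfa_ok: bool) -> dict[str, int]:
    """Number of internal systems an attacker holding this user's credentials could reach."""
    return {
        "vpn": len(vpn_reachable(password_ok)),
        "per_app": len(app_reachable(user, password_ok, mfa_ok)),
    }


if __name__ == "__main__":
    # Stolen password, no second factor: the VPN exposes the whole range, the app model nothing.
    print(blast_radius("alice@example.com", password_ok=True, mfa_ok=False))
```

Even with MFA satisfied, a compromised account in the per-app model reaches only the systems its policy lists, which is the "blast radius" point the text makes.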
Strong identity at the core
Every user access attempt via Enterprise Application Access is gated by identity verification and context. Enterprise Application Access integrates with your single sign-on (SSO) and identity providers — or you can use its built-in cloud directory for third parties — to ensure users are who they claim to be.
It also offers, as an option, phish-proof multi-factor authentication (MFA) that does not require physical FIDO2 hardware keys, adding an extra layer of security at login. This means that even stolen passwords won’t easily grant access. It’s a sharp contrast to legacy VPNs, in which a single password (or a stolen token) could open the gates without additional verification.
Shouldering the patch burden
With Enterprise Application Access’s cloud-based security service, security patching of the access infrastructure is handled by Akamai. If a new vulnerability is found in the Enterprise Application Access platform or connectors, Akamai addresses it in the cloud-based service or issues updates, sparing your team the usual emergency patch drills.
CVEs in the Enterprise Application Access service are “the responsibility of Akamai,” so no more staying up late to urgently patch your VPN appliances — Akamai has you covered. This hands-off model reinforces the benefits of a modern security model grounded in the Zero Trust security approach by removing maintenance overhead — a major pain point for security teams — and improving your overall security posture.
No appliances, easier ops
Enterprise Application Access is delivered as a service from Akamai Cloud, so there are no physical or virtual VPN appliances for you to deploy, scale, and maintain. You simply deploy the lightweight connectors, and they dial out to Akamai. All the heavy lifting — capacity, global availability, updates — is managed for you.
This cloud-native approach means that rolling out secure access to a new app is a simple configuration change. One large enterprise that adopted Enterprise Application Access appreciated that it can be quickly scaled to add new apps or accommodate additional users on demand — a testament to its scalability and operational efficiency.
Eliminates risks and improves the user experience
In short, Akamai Enterprise Application Access’s Zero Trust model eliminates the biggest risks of legacy VPNs; it has no exposed inbound ports, no automatic network-wide trust, and no appliance maintenance headaches. It also requires strong authentication on every session.
But it doesn’t stop there — Enterprise Application Access actually improves the experience for users and admins alike by delivering streamlined functionality, simplified operations, and secure application access that scales with your needs. The result is a more adaptive, user-focused security model that works with your existing identity infrastructure.
Summary
The evidence is clear: Traditional VPNs have become a security liability that organizations can no longer afford to ignore. With a 47% spike in vulnerabilities and emergency government directives ordering immediate disconnections, the constant cycle of patching and praying has pushed IT teams to their breaking point.
The fundamental flaw isn't just in the implementation; it's in the outdated trust model that allows broad network access once someone gets past the gate. Fortunately, there's a better path forward.
In part two of this blog post series, we'll explore how Akamai's Zero Trust approach not only eliminates these VPN vulnerabilities but also delivers better performance and user experience while simplifying operations.