A Virtual Private Network (VPN) creates an encrypted tunnel between a remote device and the organization's network, ensuring that data transmitted over public or untrusted networks is protected from interception. For organizations with remote or hybrid workforces, VPN (or equivalent secure remote access technology) is essential for maintaining confidentiality when employees access corporate resources from home, hotels, airports, or other locations.
Traditional full-tunnel VPNs route all traffic through the corporate network, while split-tunnel VPNs route only corporate-destined traffic through the tunnel and let personal browsing go directly to the internet. Full-tunnel VPNs keep every packet under corporate inspection and so give better security oversight, but they can create bandwidth bottlenecks. Split-tunnel configurations are more performant but require that the endpoint itself have adequate security controls (EDR, DNS filtering) to protect the direct internet connection, since that traffic never reaches the corporate security stack.
Zero Trust Network Access (ZTNA) is emerging as the next evolution of remote access, providing application-level access rather than full network access. ZTNA solutions verify the user's identity, device posture, and context before granting access to specific applications, reducing the risk of lateral movement that exists with traditional VPNs. For organizations evaluating new remote access solutions, ZTNA is worth considering.
Regardless of the technology chosen, remote access must be secured with MFA, restricted to managed or compliant devices, and monitored for suspicious activity. VPN accounts should be included in the offboarding process to ensure that former employees cannot connect remotely. Logging all remote access sessions provides the visibility needed for both security monitoring and compliance.
Secure remote access is a critical focus area for cyber insurers, especially since the shift to remote work dramatically expanded attack surfaces. Applications ask whether the organization uses a VPN or equivalent for remote access and whether MFA is required for remote connections. Unsecured remote access is frequently cited as the entry point in ransomware claims.
Organizations that can demonstrate VPN with MFA, device compliance checks, and logging of remote access sessions are viewed as lower-risk. Insurers increasingly ask about the specific remote access technology, including whether the organization uses always-on VPN or ZTNA.
Healthcare workers who access EHR systems and patient data remotely must do so over encrypted connections. HIPAA's transmission security requirements under 45 CFR 164.312(e)(1) support VPN usage for remote access to ePHI. Telehealth expansion has increased the number of remote access points that must be secured.
Attorneys frequently work remotely and need secure access to case files, email, and client communications. The ABA Formal Opinion 477R emphasizes the need for encryption when transmitting client information. VPN with MFA is the baseline expectation for remote access to firm resources.
Financial institutions must secure all remote access to customer information systems. FFIEC guidance requires encrypted connections and strong authentication for remote access. PCI-DSS Requirement 8.3 mandates MFA for all remote network access to the cardholder data environment.
Retail corporate staff who remotely manage POS systems, inventory databases, and e-commerce platforms must use secure connections. PCI-DSS requires encrypted remote access to the cardholder data environment with MFA. Multi-location retailers should ensure that all remote management tools are routed through secure channels.
NIST SP 800-171 controls 3.1.12 and 3.13.8 (CMMC practices AC.L2-3.1.12 and SC.L2-3.13.8) require encrypted and monitored remote access sessions. CMMC assessors verify that remote access is authenticated, encrypted, and monitored. Government contractors must ensure that remote access to CUI-containing systems meets FIPS 140-2 encryption standards.
Deploy a VPN or ZTNA solution that provides encrypted remote access to corporate resources
Require MFA for all remote access connections without exception
Implement device compliance checks to ensure only managed, up-to-date devices can connect
Enable logging of all remote access sessions, including connection times, source IPs, and accessed resources
Include VPN accounts in the employee offboarding checklist for immediate deprovisioning
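The logging, monitoring and offboarding items in the checklist above, as an added example that is not from the original page: a short Python triage of a constructed VPN session export that flags sessions without MFA, connections from unmanaged devices, accounts that should have been deprovisioned at offboarding, and one account appearing from two source IPs within a short window. The key=value log format, user names, addresses and the 15-minute window are assumptions; real VPN concentrators and ZTNA brokers each export their own format.

```python
# Added example (not from the original page): triage a constructed VPN session
# export against the remote-access controls in the checklist above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one session per line, key=value pairs.
SAMPLE_LOG = """\
ts=2024-03-04T08:02:11Z user=alice src=203.0.113.10 mfa=yes device=managed resource=fileshare
ts=2024-03-04T08:05:40Z user=bob src=198.51.100.7 mfa=no device=managed resource=ehr
ts=2024-03-04T08:10:02Z user=carol src=192.0.2.55 mfa=yes device=unmanaged resource=email
ts=2024-03-04T08:12:30Z user=dave src=203.0.113.99 mfa=yes device=managed resource=git
ts=2024-03-04T08:14:05Z user=alice src=198.51.100.200 mfa=yes device=managed resource=fileshare
"""

# Constructed: accounts HR marked as offboarded that may still exist on the VPN.
OFFBOARDED_USERS = {"dave"}
# Two sessions for one user from different source IPs inside this window are flagged.
CONCURRENT_WINDOW = timedelta(minutes=15)

def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_violations(log_text: str, offboarded: set) -> list:
    """Return (user, reason) pairs for sessions that break the controls."""
    findings = []
    last_seen = defaultdict(list)  # user -> [(ts, src), ...] seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        s = parse_line(line)
        if s["mfa"] != "yes":  # MFA required without exception
            findings.append((s["user"], "session without MFA"))
        if s["device"] != "managed":  # device compliance check
            findings.append((s["user"], "unmanaged device connected"))
        if s["user"] in offboarded:  # offboarding gap
            findings.append((s["user"], "offboarded account still active"))
        for prev_ts, prev_src in last_seen[s["user"]]:  # shared/stolen credential signal
            if prev_src != s["src"] and s["ts"] - prev_ts <= CONCURRENT_WINDOW:
                findings.append((s["user"], f"second source IP {s['src']} within window"))
        last_seen[s["user"]].append((s["ts"], s["src"]))
    return findings

if __name__ == "__main__":
    for user, reason in find_violations(SAMPLE_LOG, OFFBOARDED_USERS):
        print(f"{user}: {reason}")
```

Each finding maps back to one checklist item, so the same routine can be run against a real export to show an assessor or insurer that the logging in place is actually reviewed.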