The Shift to ZTNA: Why Cyber Insurers Are Moving Away from VPNs

Cyber insurers are changing the rules, and one of the biggest shifts we’re seeing is a move away from traditional IPsec VPNs toward Zero Trust Network Access (ZTNA). This isn’t just a technology preference; it’s a direct response to how modern attacks happen and how insurers evaluate risk.
VPNs were built for a time when the network was the perimeter. Once a user authenticated, they were effectively brought inside the environment, often with broad access to systems and resources. That model worked when environments were centralized, but today’s reality is very different. Users are remote, applications live in the cloud, and access happens from multiple devices and locations.
The problem is that VPNs still operate on that old assumption of trust. Once a connection is established, the level of access is often too broad. If credentials are compromised through phishing, reused passwords, or endpoint compromise, an attacker can gain a foothold inside the network. From there, lateral movement becomes possible, and that’s how many ransomware incidents escalate from a single user account to full-environment impact.
From an insurer’s perspective, that creates a significant problem. Broad access equals a larger blast radius, and a larger blast radius means higher potential losses. This is why VPNs are increasingly being viewed as a risk factor rather than a strong control.
ZTNA flips that model entirely. Instead of trusting a user once they connect, it operates on continuous verification. Every access request is evaluated in real time, and access is limited to specific applications or resources, not the entire network. Users only get what they need, nothing more.
That shift has a major impact on risk. Even if credentials are compromised, the attacker’s access is constrained. There is no broad network visibility, no easy path for lateral movement, and far less opportunity to escalate privileges. The result is a much smaller blast radius and a more contained incident.
Visibility is another key driver behind this shift. Traditional VPNs often provide limited insight beyond connection logs, making it difficult to understand what actually happened during a session. ZTNA solutions provide detailed audit trails, showing exactly who accessed what, when, from where, and under what conditions. That level of visibility is becoming a baseline expectation for insurers and auditors.
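The contrast described above, as an added example that is not from the original post: the same user credentials are evaluated once under a network-level VPN grant and once under a per-request ZTNA policy that also writes an audit record for every decision. The host names, addresses, the user `alice`, and the policy format are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data: hosts, addresses, user and policy shape are assumptions.
INVENTORY = {"payroll-app": "10.0.1.10", "file-server": "10.0.1.20",
             "domain-controller": "10.0.1.30", "backup-server": "10.0.1.40"}
VPN_ROUTES = {"alice": ["10.0.1.0/24"]}    # VPN: grant is a routed network
ZTNA_POLICY = {"alice": {"payroll-app"}}   # ZTNA: grant is a named application
AUDIT_LOG = []

@dataclass
class Request:
    user: str
    app: str
    device_compliant: bool
    source_ip: str

def vpn_reachable(user):
    """Everything a VPN session can route to once the user has authenticated."""
    nets = [ip_network(n) for n in VPN_ROUTES.get(user, [])]
    return {name for name, ip in INVENTORY.items()
            if any(ip_address(ip) in net for net in nets)}

def ztna_decide(req):
    """Evaluate a single request and record who, what, when, where, conditions."""
    if req.app not in ZTNA_POLICY.get(req.user, set()):
        decision, reason = "deny", "app not granted to user"
    elif not req.device_compliant:
        decision, reason = "deny", "device posture check failed"
    else:
        decision, reason = "allow", "policy match"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": req.user, "app": req.app, "src": req.source_ip,
                      "device_compliant": req.device_compliant,
                      "decision": decision, "reason": reason})
    return decision == "allow"

def ztna_reachable(user, device_compliant, source_ip):
    """Applications a session holding this user's credentials can actually reach."""
    return {app for app in INVENTORY
            if ztna_decide(Request(user, app, device_compliant, source_ip))}

if __name__ == "__main__":
    print("VPN reach :", sorted(vpn_reachable("alice")))
    print("ZTNA reach:", sorted(ztna_reachable("alice", True, "198.51.100.5")))
    print("ZTNA reach, non-compliant device:",
          sorted(ztna_reachable("alice", False, "203.0.113.7")))
    for entry in AUDIT_LOG:
        print(entry)
```

The size of each returned set is the blast radius of one compromised account under that model, and the audit log holds one record per request rather than one per connection.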
It’s worth noting that ZTNA does introduce more complexity. It requires defining access policies, understanding application dependencies, and putting identity at the center of your security model. But that complexity is also what creates control. It forces organizations to be intentional about who has access to what, and why.
The bottom line is simple. VPN is no longer enough for the way environments operate today or the way insurers evaluate risk. The model of broad, network-level access doesn’t align with modern security expectations.
Zero Trust, and specifically ZTNA, is quickly becoming the standard insurers expect to see. Not because it’s new, but because it reduces risk in a way that is measurable and enforceable.
We’re always available to provide direction when it matters.


