The pain points of VPNs in enterprise IT
VPNs are great at securing remote access into a network. But VPNs can’t do everything. There are pitfalls, especially in modern dynamic environments.
VPNs are great at providing users with remote access into a private network. However, they do face challenges with outdated trust models in a modern world where resources are dynamic. This blog will explore some of the common challenges enterprise organizations face when using VPNs to secure access to infrastructure resources, and how modern access management technologies can help secure and improve experiences for both administrators and end users.
» What are VPNs
Virtual private networks (VPNs) have traditionally been considered the standard for most organizations when it comes to providing remote access into private networks and datacenters, and for good reason: VPNs protect against a multitude of cyber threats on the internet. When users connect to their organization’s network with a VPN, their traffic is encrypted and routed through protected pathways, shielding sensitive data from external threats while minimizing the organization's attack surface.
VPNs have also evolved over many decades to be more accessible to everyone. What used to be a tool used by more technical roles, like developers and engineers, is now used by all individuals with varying levels of technical skill. The usage of VPNs for remote work has become more prominent, especially with the shift to hybrid workforces. And similarly, with the increase of cloud-based applications and services, VPNs are used by many individuals accessing resources residing in the public cloud.
» Pain point #1: Enforcing least-privilege access
Despite the undeniable benefits VPNs bring, they don’t solve all the issues related to remote access. Let’s look at an analogy:

Imagine renting a vacation home in an exclusive gated community. When you arrive, the first thing you typically encounter is a security guard at the gate entrance. In order to pass the gate, you provide identification proving you are a temporary guest. Once admitted, you can proceed to the rental home, provided you have the address. But at the same time, you are also free to navigate anywhere within the gates.
What if you were an individual with malicious intent? You could potentially stake out and try to access other homes in the community.
This is very similar to the challenges that organizations face with VPNs.
Once users are connected through the VPN…
- How do enterprises limit developers from potentially accessing systems that belong to other teams?
- How do they limit temporary contract workers to a subset of systems on a network?
- How do they limit access to a certain number of hours?
The role of the VPN is to provide secure access into the network. But adding the fine-grained controls listed above to each user session in a VPN requires a significant amount of time and manual effort. Those controls are also cumbersome to configure, update, and maintain on a VPN over time.
This is especially challenging in modern environments where IP addresses are ephemeral and cannot be relied upon as a unit for enforcement. Firewalls can limit access between systems within a network, but these methods also determine user access based on IP addresses rather than identity.
Consequently, most organizations either invest a substantial amount of money and effort into maintaining multiple tools to enforce user access or risk granting users indiscriminate access to other systems within the network. The latter option gives a potential threat actor the ability to move laterally across the network without being detected.
» Pain point #2: Credential protection
Let’s revisit the earlier analogy. The owner of the home gave you access to a lockbox with the key to the house. Now you can get in and out of the house until your stay completes. But what if you were not very honest and decided to extend your stay? And what if you decided to share the key with a crew of thieves? Until the key is changed, you and your crew can come and go as you please.
Similarly, while VPNs grant authenticated users access to a network, protecting credentials to the hundreds or thousands of resources in the network is not a capability offered by a VPN. Stolen credentials have proven to be responsible for a sizable number of attacks.
According to a 2025 Verizon Data Breach report, approximately one-third of breaches over the last ten years were due to stolen credentials. In addition, 77% of web application attacks in 2024 used stolen credentials to gain a foothold in an organization's environment. A Coalition Cyber Threat Index 2025 report also identified stolen credentials as the initial access vector (IAV) in 47% of ransomware claims.
So how are credentials falling into the wrong hands? Since VPNs do not protect credentials, the responsibility falls elsewhere. Many times, end users are tasked to properly store and manage credentials for each resource they access.
Some users turn to other tools or platforms to store credentials. In many cases, credentials are stored as plaintext in insecure locations, including local laptops/desktops, directly in application code, or in code repositories that are shared between team members or even to the public. Furthermore, these credentials are usually not rotated frequently enough (i.e. “static”) due to the level of effort required. This increases the risk of a breach if credentials are leaked or stolen.
» Pain point #3: Centralized control and insights
VPNs also lack controls after a user session is established:
- VPNs can’t limit how long a user can stay connected within a given SSH or RDP session.
- VPNs do not allow administrators to centrally monitor or terminate active connections made by unauthorized users.
As a result, organizations have less control to limit malicious users once they’ve gained access into the network.
It’s true that your cybersecurity team’s initial focus should be on prevention, but cyber-resilience is equally important. A large number of enterprises will experience a cybersecurity breach. When breaches occur, organizations often need detailed information to perform a thorough investigation, including validating any extortion attempts and plans for remediation.
VPNs help with this process by providing logs that include the users who have accessed the VPN, dates of access, and their source IP addresses. While this does help, it doesn’t give enough information on the various systems that were affected and the detailed actions performed. VPN logs provide little to no insight into the commands and actions executed during the breach. There is also no insight into whether malicious software was downloaded or how data was deleted, stolen, or encrypted.
Without this crucial information, it becomes more challenging for organizations to formulate a remediation plan, especially when there are time-sensitive deadlines involved with ransomware or other extortion techniques.
» Pain point #4: End user experience
In the earlier analogy, I’ve mostly highlighted the security aspects, but let’s also look at it from the guest’s point of view. Once they’ve entered the gate, it is up to them to know the address and rely on a map or a navigation app to get them to the final destination.
This is true for VPNs too. Users need to understand the network's layout and know the correct IP address when accessing a system behind a VPN; otherwise they’ll be lost.
Prior to the advent of the public cloud, private datacenter infrastructure was predominantly static, with IP addresses that rarely changed. This allowed users to repeatedly connect to the same resources with ease. Some VPNs offer hostname association with IP addresses, enabling users to connect via human-readable names instead of IPs.
However, as I mentioned before, modern cloud environments are dynamic and ephemeral, making IP-based connections unreliable. Users must often rely on additional tools to retrieve up-to-date endpoint details, complicating workflows. If hostnames are used, administrators face the ongoing task of updating them as IPs change and resources are created or removed.
As mentioned before, VPNs do not manage credentials for target systems, so users have to spend more time manually authenticating. This also creates potential security risks and results in a fragmented user experience, as developers and non-technical users must turn to other tools to store, retrieve, and manage varying credentials across environments. The resulting credential sprawl can lead to insecure storage locations, such as spreadsheets, collaboration platforms, or version control systems (like GitHub). The need for manual credential rotation further strains user productivity.
» Improve security and user experience with HashiCorp Boundary
So how can you better secure the imaginary home rental situation? Ideally, the entire process of guest entry, home access, and key management should be combined into a full-service experience provided by a single unified entity, rather than splitting responsibilities between different parties.
When a guest arrives at the gate entrance, their identity is validated first. Then, rather than allowing the guest to find the rental home themselves, a concierge service would escort them directly to their destination. This improves the overall experience while also protecting the rest of the community from unexpected guests.
To enter the house, the concierge handles keys and unlocks the door for them during their stay. Surveillance cameras would track, monitor, and record everything for the safety of the community, allowing owners to dispatch security personnel if needed or review footage from an incident that wasn’t identified until later. Once the stay completes, the concierge would lock the door and change the keys. This whole approach would make the community safer and more secure, reduce the burden on the owners, and most importantly, provide a pleasant experience for the guests.
This is the kind of experience that a modern secure access management solution like HashiCorp Boundary offers. It provides full-service remote access using identity to connect users directly to their target resource. This includes access to:
- Linux hosts over SSH
- Windows hosts over RDP
- Databases
- Kubernetes clusters
- Web applications over HTTP/HTTPS
- and other TCP-based endpoints

Example Boundary access workflow using SSH
Boundary helps enterprises strengthen remote access security while also streamlining the user experience. Enforcing least-privilege access prevents users from connecting to additional systems unless authorized.
Tight integration with HashiCorp Vault allows the generation of dynamic, short-lived credentials that expire and are rendered useless if leaked or stolen. When users initiate a session, Boundary will fetch credentials for the user. For SSH sessions, credentials can be injected directly into the session, eliminating the potential of leaked or stolen SSH credentials. These security measures ultimately help enterprises reduce the risks of breaches due to exposed credentials.
End users of Boundary won’t even know that they’re using it, once it’s set up and configured by system administrators. The underlying network topology is abstracted from users, eliminating the need to track or consult other tools for IP addresses. Users can use the tools they’re comfortable with, and Boundary will work with them behind the scenes.
For example, when connecting to a Linux host over SSH, users only need to authenticate to Boundary, with the option to use single sign-on through a trusted identity provider like Okta or Azure Entra ID. Once authenticated, they connect using existing SSH client tools (e.g. an SSH terminal client, PuTTY, SecureCRT, etc.) and human-readable hostnames. Behind the scenes, Boundary will send the connection through a Boundary proxy and pass the corresponding credentials to the Linux host on behalf of the user, resulting in a passwordless connection.
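The SSH workflow above, expressed as an added Terraform configuration for the HashiCorp Boundary provider (not code from the post): a Vault-backed SSH certificate library injected into the session, a target that hides the host behind a name and caps session length, and a role that lets one group reach only that target. Assumed, not from the page: the scope and managed-group IDs, the host address, the Vault signing path, and the `var.*` inputs and provider block, which are declared elsewhere in the same configuration.

```hcl
# Added example, not code from the post: one SSH target wired the way the
# section describes. Scope/group IDs, addresses and the Vault path are assumed.

# Vault is the credential source; Boundary holds a Vault token, users never do.
resource "boundary_credential_store_vault" "vault" {
  name     = "vault-ssh-ca"
  scope_id = var.project_scope_id   # assumed: an existing project scope
  address  = var.vault_addr
  token    = var.vault_token        # renewable token supplied out of band
}

# Pain point #2: no long-lived SSH key on the client. Vault signs a
# certificate per session, so a leaked credential expires on its own.
resource "boundary_credential_library_vault_ssh_certificate" "web_admin" {
  name                = "web-admin-ssh-cert"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "ssh-client-signer/sign/boundary-client" # assumed SSH secrets engine role
  username            = "ubuntu"
  key_type            = "ed25519"
  extensions = {
    permit-pty = ""
  }
}

# Pain points #1 and #4: a human-readable target; users never need the IP.
resource "boundary_target" "web_01" {
  name                     = "web-01"
  type                     = "ssh"
  scope_id                 = var.project_scope_id
  address                  = "10.0.1.23" # constructed address
  default_port             = 22
  session_max_seconds      = 3600        # Pain point #3: session ends after one hour
  session_connection_limit = 1
  injected_application_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.web_admin.id,
  ]
}

# Pain point #1: only the web team may start sessions, and only to this target.
resource "boundary_role" "web_team_ssh" {
  name          = "web-team-ssh"
  scope_id      = var.project_scope_id
  principal_ids = [var.web_team_managed_group_id] # assumed: managed group from the OIDC auth method
  grant_strings = [
    "ids=${boundary_target.web_01.id};actions=authorize-session",
    "ids=*;type=target;actions=list",
  ]
}
```

SSH targets with credential injection require HCP Boundary or Boundary Enterprise; on the community edition, use a `tcp` target with `brokered_credential_source_ids` instead, which returns the credential to the user rather than injecting it.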
Ultimately, this seamless experience fosters more widespread user adoption, which helps strengthen the enterprise’s security posture.

Connecting to a Linux host over SSH with Boundary
» Learn more about Boundary
While VPNs have served as IT’s foundational remote access solution for a long time, enterprises are moving on. VPNs struggle to meet the evolving demands of today’s dynamic, cloud-first environments. From outdated trust models and weak credential protections to limited visibility and disjointed user experience, VPNs have security and operational gaps that modern enterprises should not ignore.
By adopting identity-based access solutions like HashiCorp Boundary, organizations can enforce granular, least-privilege access, eliminate credential exposure, and deliver a streamlined, secure experience for end users and administrators. It’s time to rethink remote access — not just for better security, but for a better way of working.
To learn more about Boundary, please visit:
- The Boundary page where you can download Boundary locally, try out Boundary using our self-paced tutorials, and view detailed documentation.
- The HashiCorp YouTube channel where you can view Boundary demo videos in the Demos section.
- The HashiCorp Cloud Platform (HCP) where you can create an account for free and deploy a cloud-managed HCP Boundary cluster to test.
Boundary is just one piece of a larger transformational strategy many enterprises are adopting. If your organization is interested in a more modern, holistic approach to security, governance, and compliance, share our solution brief with your colleagues: Securing and governing hybrid and multi-cloud at scale.