Techie Tonic: SSL VPNs are fading, but is ZTNA just an added cost?

Many insights and many arguments in our cyber leader’s communities, as organisations reassess their cybersecurity posture, the steady decline of traditional SSL VPNs is fuelling a growing debate, is the industry’s shift toward modern security models enhancing protection or quietly transferring the cost burden to customers?

In that context, we had a long conversation with two chief information security officers (CISO), Munish Jain, CISO of Sobha Realty and Faisal Khan, Associate Director Information Security and Compliance, Dubai World Trade Centre, and they are active members of GulfNews Many CXOs community, noted that while the transition may initially appear to introduce additional financial burdens, it is fundamentally driven by evolving risk dynamics rather than vendor pressure.

For years, SSL VPNs have been the backbone of remote access, allowing employees to securely connect to corporate networks. However, their core design, granting broad network-level access once a user is authenticated and that has become a growing liability in today’s threat landscape.

“That model assumes trust after login,” Munish explained further. “And that assumption no longer holds.”

Modern cybersecurity strategies are increasingly built around Zero Trust Architecture, which rejects the idea of implicit trust inside a network. Instead, access is continuously verified based on identity, device health, and context. This shift has fuelled the rise of Zero Trust Network Access, a framework that grants users access only to specific applications / assets rather than entire networks.

The appeal of ZTNA lies in its precision. By limiting access to what is strictly necessary, it reduces the risk of lateral movement, where attackers, once inside a system, move across networks to access sensitive data.

Yet the transition comes at a cost. Organizations adopting ZTNA often face new expenses, including licensing fees, system integration, and operational changes. For many, especially smaller firms, this can feel like an unwelcome financial burden.

“There’s no denying it, there is an upfront investment,” Munish acknowledged. “You’re not just swapping one tool for another. You’re rethinking how access works across the organization.”

However, he cautioned against viewing ZTNA purely as an added expense. In many cases, the shift represents a reallocation of resources rather than a simple increase in spending.

“Organisations have historically invested heavily in perimeter security, firewalls, VPN appliances, network segmentation,” Faisal said. “ZTNA moves that investment toward identity, endpoints, and continuous verification.”

This shift can also reduce certain long-term costs. Maintaining legacy VPN infrastructure, managing complex network segmentation, and responding to breaches can be both expensive and resource intensive.

Faisal added, “A single breach can cost far more than the transition to a stronger access model, and that’s the calculation many organizations are making.”

Still, skepticism remains. Some critics argue that the cybersecurity industry is repackaging existing technologies under new labels, forcing customers into continuous upgrade cycles.

“There is some truth to that, but not every product marketed as ZTNA truly delivers zero-trust principles. Some are essentially VPNs with a modern interface.”

This has made it essential for organizations to carefully evaluate solutions rather than adopting them at face value.

Beyond cost considerations, Munish emphasized that the real driver of change is the evolving threat environment. Cyberattacks have grown more sophisticated, with attackers increasingly targeting remote access systems and exploiting stolen credentials.

“Credential-based attacks, phishing, compromised devices, these are everyday realities now,” he said. “Traditional VPNs were not designed to handle that level of complexity.”

Regulatory expectations are also shifting. Many industry guidelines now emphasize zero-trust principles, further pushing organizations toward more advanced access control models.

Despite the momentum behind ZTNA, both stressed that it is not a one-size-fits-all solution. For some organizations, particularly smaller ones with limited exposure, a well-secured VPN combined with multi-factor authentication and device checks may still be sufficient.

Both added further “It’s not about chasing trends, but It’s about understanding your risk and choosing the right controls.”

The shift away from SSL VPNs marks a broader cybersecurity reset, toward granular, identity-driven access built for today’s hybrid world.

The real question isn’t whether ZTNA costs more, but it’s whether organizations can afford the risk of clinging to an outdated model.

For many, that answer is already redefining security investments. More insights to follow as CXOs and vendors explore ways to make this transition cost-effective, seamless, and secure.