But you can combine VPNs with SSO and limited permissions. Real networks all work that way these days. Logging into the VPN doesn't get you very far; you'll need to be provisioned with specific apps and permissions too.
- You must "VPN in" to access any corporate resources of any type, even ones on the corporate network when you're sourcing from the corporate network
- The client forms a separate "VPN connection" (can be clientless, but same concept) per app you access, rather than assuming a single parent VPN server can get them to any resource
- Every default ruleset started with deny all and only specific allow rules were added over time
Then you've got enough to call it a zero trust implementation. You can also take things the other way, i.e. you could "deconfigure" a zero trust setup to look and function almost exactly as a normal corporate VPN tunnel.
Rather than go through this whole thread each time, people just refer to all of this as "zero trust networking".
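
The three properties listed above, and the "deconfigure" remark, sketched as a per-app access decision. This is an added example, not part of the original thread; the rule format, app names, groups and users are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    source: str          # "corp-lan" or "internet": recorded, never trusted
    app: str
    sso_ok: bool         # valid SSO session for this per-app connection

@dataclass(frozen=True)
class Rule:
    app: str             # "*" matches any app
    group: str           # "*" matches any group

def decide(rules, req):
    """Default deny: allow only when an explicit rule matches the app and
    one of the user's groups. req.source is deliberately not consulted, so
    sitting on the corporate network earns nothing."""
    if not req.sso_ok:
        return "deny"
    for rule in rules:
        app_match = rule.app in ("*", req.app)
        group_match = rule.group == "*" or rule.group in req.groups
        if app_match and group_match:
            return "allow"
    return "deny"        # nothing matched: the implicit deny-all baseline

# Per-app allow rules added on top of deny-all (constructed sample policy).
ZERO_TRUST = [Rule("wiki", "staff"), Rule("payroll", "finance")]
# The "deconfigured" variant: one rule that behaves like a flat VPN tunnel.
FLAT_VPN = [Rule("*", "*")]

# Constructed sample requests.
ALICE = Request("alice", frozenset({"staff"}), "corp-lan", "payroll", True)
BOB = Request("bob", frozenset({"staff", "finance"}), "internet", "payroll", True)
ANON = Request("unknown", frozenset(), "corp-lan", "wiki", False)

def compare(req):
    """Return (zero-trust decision, flat-VPN decision) for one request."""
    return decide(ZERO_TRUST, req), decide(FLAT_VPN, req)

if __name__ == "__main__":
    for req in (ALICE, BOB, ANON):
        print(req.user, req.source, req.app, compare(req))
```
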