The three real options, not just one
1. Traditional VPN (site-to-site or client-server)
A VPN creates an encrypted tunnel between a remote user (or branch office) and your network, making remote resources behave as if the user were physically on-site. This remains the right call when your team needs access to internal, non-cloud resources — file servers, internal applications, printers, legacy line-of-business systems that were never designed to be internet-facing.
2. Direct cloud access
If your business has genuinely moved to cloud-hosted SaaS and cloud infrastructure (Google Workspace, cloud-hosted applications, cloud databases with proper access controls), a VPN to a physical office network may not be doing anything useful — your team can authenticate directly to the cloud services they need, with no need to "tunnel into the office" at all.
3. Zero-trust / identity-based access (e.g. Headscale/WireGuard-based mesh)
A middle path: instead of granting broad network access once connected (the traditional VPN model), each user or device is individually authenticated and granted access only to the specific resources they need — not the whole network. This significantly reduces the blast radius if one device or credential is compromised.
| Traditional VPN | Direct Cloud Access | Zero-Trust Mesh | |
|---|---|---|---|
| Best for | On-prem resources, legacy apps | Fully cloud-native businesses | Hybrid teams, sensitive access |
| Setup complexity | Moderate | Low (per-app) | Moderate–High |
| Breach blast radius | Whole network exposed | Per-app only | Per-resource only |
| Works without internet to HQ | No | Yes | Yes |
Why "just use a VPN" is increasingly the wrong default
The traditional VPN model grants broad network access once a connection is established — which made sense when "the network" was a tightly bounded office LAN. For hybrid teams accessing a mix of cloud services and on-prem resources from personal devices, home networks, and coffee shops, that broad-access model is a bigger security exposure than it needs to be. A compromised laptop with full VPN access is a much bigger problem than a compromised laptop with access to two specific internal services.
A practical decision framework
- All-cloud, no internal resources left → direct access, skip the VPN entirely
- Mostly cloud, a few internal legacy systems → zero-trust mesh scoped to just those systems
- Significant on-prem infrastructure, branch offices → traditional site-to-site VPN remains the right tool, properly configured with strong encryption and access logging
What we actually deploy
We support all three models and most of our clients end up with a mix — site-to-site VPN between offices, direct access to cloud SaaS, and a zero-trust layer (we typically use Headscale, a self-hosted WireGuard-based coordination server) for remote staff who need scoped access to specific internal systems without full network exposure.
Not sure which model fits your team?
We'll map your actual access requirements and recommend the simplest setup that's still genuinely secure.
