Information 15 00734 v2

The article presents a systematic literature review and a cybersecurity framework called Zero Trust VPN (ZT-VPN) designed for hybrid and remote work environments. It highlights the increasing reliance on VPNs due to the shift towards remote work, while addressing the security challenges posed by traditional VPNs and proposing a Zero Trust approach to enhance security and privacy. The ZT-VPN framework aims to mitigate contemporary cyber threats by integrating Zero Trust principles with VPN technology, demonstrating its effectiveness through various enterprise scenarios.

Article

Zero Trust VPN (ZT-VPN): A Systematic Literature Review and Cybersecurity Framework for Hybrid and Remote Work

Syed Muhammad Zohaib 1, Syed Muhammad Sajjad 2, Zafar Iqbal 3, Muhammad Yousaf 4, Muhammad Haseeb 5 and Zia Muhammad 6,7,*

1 Department of Cyber Security, Air University, Islamabad 44230, Pakistan; [email protected]
2 Department of Computer Science and Cyber Security, Air University, Kharian 50090, Pakistan; [email protected]
3 Department of Cyber Security, National University of Computer & Emerging Sciences (NUCES), Islamabad 44230, Pakistan; [email protected]
4 Department of National CERT, Islamabad 44230, Pakistan; [email protected]
5 Department of Information Security, National University of Science and Technology, Islamabad 44000, Pakistan; [email protected]
6 Department of Computer Science, North Dakota State University, Fargo, ND 58102, USA
7 Department of Computer Science and Technology, University of Jamestown, Jamestown, ND 58405, USA
* Correspondence: [email protected]

Abstract: Modern organizations have migrated from localized physical offices to work-from-home environments. This surge in remote work culture has exponentially increased the demand for and usage of Virtual Private Networks (VPNs), which permit remote employees to access corporate offices effectively. However, the technology raises concerns, including security threats, latency, throughput, and scalability, among others. These newer-generation threats are more complex and frequent, which makes the legacy approach to security ineffective. This research paper gives an overview of contemporary technologies used across enterprises, including the VPNs, Zero Trust Network Access (ZTNA), proxy servers, Secure Shell (SSH) tunnels, the software-defined wide area network (SD-WAN), and Secure Access Service Edge (SASE). This paper also presents a comprehensive cybersecurity framework named Zero Trust VPN (ZT-VPN), which is a VPN solution based on Zero Trust principles. The proposed framework aims to enhance IT security and privacy for modern enterprises in remote work environments and address concerns of latency, throughput, scalability, and security. Finally, this paper demonstrates the effectiveness of the proposed framework in various enterprise scenarios, highlighting its ability to prevent data leaks, manage access permissions, and provide seamless security transitions. The findings underscore the importance of adopting ZT-VPN to fortify cybersecurity frameworks, offering an effective protection tool against contemporary cyber threats. This research serves as a valuable reference for organizations aiming to enhance their security posture in an increasingly hostile threat landscape.

Keywords: zero trust architecture (ZTA); virtual private network (VPN); security and privacy; enterprise security; security services; secure remote access

Citation: Zohaib, S.M.; Sajjad, S.M.; Iqbal, Z.; Yousaf, M.; Haseeb, M.; Muhammad, Z. Zero Trust VPN (ZT-VPN): A Systematic Literature Review and Cybersecurity Framework for Hybrid and Remote Work. Information 2024, 15, 734. https://doi.org/10.3390/info15110734

Academic Editor: Willy Susilo
Received: 30 September 2024; Revised: 11 November 2024; Accepted: 12 November 2024; Published: 17 November 2024

Copyright: © 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

1. Introduction
Network infrastructures serve as the backbone of communication and information exchange. They facilitate the seamless flow of data, enabling organizations and individuals to access resources, collaborate, and conduct business efficiently [1,2]. However, the increasing reliance on networks has also attracted malicious actors who seek to exploit vulnerabilities and disrupt operations for various purposes, ranging from financial gain to espionage or activism [3]. As a result, understanding network attacks and developing effective defense mechanisms has become paramount in maintaining the security and integrity of network infrastructures [4].

Information 2024, 15, 734. https://doi.org/10.3390/info15110734 https://www.mdpi.com/journal/information


Even with advancements in technology, there are many scams targeting businesses;
for example, phishing remains the most common form of cyberattack, accounting for 90%
of data breaches [5]. In 2023, 343,338,964 people were the targets of 2365 cyberattacks.
Data breaches increased by 72% in 2023 compared to the previous record-holding year,
2021 [6,7]. Surprisingly, 96% of these phishing attacks were delivered via email. In 2023,
a staggering 72.7% of organizations experienced a phishing attack [8]. Similarly, another
major cyberattack is ransomware [9]. The costs associated with ransomware are expected
to climb to USD 265 billion annually by 2031. In 2023, the average cost of a data breach
saw a 15% rise over the previous three years, reaching USD 4.45 million on a worldwide
scale [10,11]. Pay-outs were greatest in the US, at USD 5.09 million per breach [12–14].
Cyber insurance premiums in the US saw a 50% hike in 2022, with premiums collected
amounting to USD 7.2 billion [15]. Over 75% of targeted attacks initiate from an email,
with 94% of malware being delivered through this channel. Cybercrime costs are on a
steep rise, expected to reach USD 10.5 trillion annually by 2025, marking a 15% yearly
increase [16,17]. Cybercrime rates increased by 600% during the COVID-19 pandemic,
illustrating how dangers have adjusted to new global circumstances [18]. On average,
a data breach costs about USD 4.45 million. Approximately 35% of malware in 2023
was sent by email, making it the most frequent vector for malware [19,20]. Protecting
an organization and understanding the motives behind these attacks is important; these
help in assessing the potential impact on network security and identifying appropriate
mitigation strategies [21]. It is also equally important to access the network’s devices
and perform a security assessment of IT products [22]. Attacks like Denial of Service
(DoS) try to block legitimate users from accessing resources or services on a network by
overwhelming them [23,24]. These attacks can sabotage an organization and affect network
availability [25].
Nowadays, organizations rely on remote work technology and use a variety of tech-
nologies to access their organizational networks [26]. For example, a VPN allows for the
safe transfer of data and other types of information between remote locations. One or more
VPN devices that the user connects to via their web browser make up an SSL VPN [27]. It
uses encryption for data transfer and operates at the application layer [28]. Cryptography
ensures transport-level secrecy, whereas SSL offers encrypted public keys for key manage-
ment and authentication [29,30]. By encrypting data in transit, it protects the connection
between the client and the resource. No data are sent over the internet or internal networks
in plain text when end-to-end security is used. Every step, from the customer to the vendor,
is encrypted and verified for security [31].
Despite this enormous and ubiquitous usage, VPNs come with various security chal-
lenges and performance-related issues, thereby hindering users from taking maximum
advantage of this technology [32,33]. One potential downside of relying only on VPNs is
that they treat all users as trustworthy and give them unrestricted access to the network. To
address this concern, VPN users must choose the most secure and perfect VPN solution for
the smooth functioning of daily activities [34,35]. Similarly, the traditional “castle and moat
approach” of security is insufficient in light of the new age of evolving attacks along with
the growing trend of working from home [36]. Therefore, VPNs are becoming fundamental
in defending today’s network architectures and allowing remote access [37,38].
For a long time, VPNs have been employed to create safe and exclusive communica-
tions in a generally accessible network. VPNs comprise encryption and tunneling protocols,
therefore forming a more secure virtual network overlaying an insecure network infras-
tructure [39,40]. VPNs can be used for access privilege, confidential data integrity, and
authentication when connecting remote and geographically disjointed networks [41,42]. On
the other hand, conventional telecom architecture and, particularly, physically configured
and hard-wired networks, accompanied by typical perimeters of protection, have failed to
cope with ever-changing cyber threats.
Nonetheless, the old paradigm of perimetral security has been replaced with Zero
Trust Network Access (ZTNA) due to the dynamics of threat and the necessity of a more
accurate and dynamic security model [43,44]. It is a security model that verifies users
and devices before granting access to applications or resources. ZTNA is based on the
principle of “never trust, always verify” and is designed to reduce the attack surface area
and improve security posture [45]. The model rests on a few assumptions: first, it regards
every user and device, both inside and outside the network, as potentially hostile; therefore,
each one must be authenticated and authorized by the network every time it requests access
to a network resource [46–48]. This shift in mentality is important in combating newer
and more advanced attacks that use vulnerabilities and lateral movement in the network.
The use of both VPNs and ZTNA could provide a robust solution for the remote access
problem and the protection of networks [49,50].
The possibility of merging VPN and ZTNA technology can give promising solutions
to industrial security accorded by end-device identity, context, and, most importantly,
the principle of least privilege to use the network resources. This integration allows
organizations to apply tighter security measures to limit the attack vector and safeguard
the data. Hence, the purpose of this article is to discuss and identify how to use VPNs
to establish Zero Trust Network Access. Thus, the goal of familiarizing ourselves with
the concepts and principles is to create patterns, standards, and recommendations for
organizations that are trying to implement a safe and efficient remote access solution.
Furthermore, we discuss the issues, implications, and possible drawbacks of combining
and offering case study analyses. Taken in their entirety, these two approaches present a
clear promise, in terms of conceptual development, of effectively conquering the security
vulnerabilities that threaten organizations at present. Hence, this article endeavors to
offer some insights and real-life best practices for organizations that are aspiring to have
strong and fortified network security that incorporates the use of VPNs and ZTNA for the
attainment of secure remote access. This article discusses and analyzes various categories
of network attacks, their features, and the impact they could have on current networks.
We hope that by the end of this research, we will be in a position to add to the body of
knowledge on how VPNs and ZTNA can complement each other, thus reinforcing network
security and offering secure access to remote resources. The key contributions of the
research are as follows:
1. This research paper gives an overview of contemporary technologies used across
enterprises, including VPNs and ZTNA, proxy servers, Secure Shell (SSH) tunnels,
the software-defined wide area network (SD-WAN), and Secure Access Service Edge
(SASE), among others.
2. This paper identifies critical concerns associated with traditional technologies, in-
cluding latency, throughput, scalability, and cyber threats, and identifies the gap to
overcome these challenges.
3. This paper presents a novel Zero Trust VPN (ZT-VPN) framework that integrates Zero
Trust Network Access with virtual private networks to create a robust cybersecurity
framework for remote work environments, aiming to fortify modern enterprises’
cybersecurity and privacy.
4. Finally, this paper demonstrates the effectiveness of the ZT-VPN framework through
various enterprise scenarios, highlighting its ability to prevent data leaks, manage
access permissions, and provide seamless security transitions, thereby fortifying
cybersecurity frameworks against contemporary cyber threats.
The organization of this paper is structured as follows: The Introduction (Section 1)
provides an overview of the shift to remote work environments and the associated cyber-
security challenges. The Background—Related Work and Systematic Literature Review—
Methodology (Sections 2 and 3) review contemporary technologies and existing research in
the field. The Proposed Framework (Section 4) details the design and architecture of the
Zero Trust VPN (ZT-VPN) framework, including examples of implementation case stud-
ies. The Results and Evaluation (Section 5) presents the findings from various enterprise
scenarios, accompanied by a discussion of the results and acknowledgment of limitations.
Finally, the Conclusion and Future Work (Section 6) summarizes the key contributions of
the research and outlines potential directions for future studies.

2. Background—Related Work
The purpose of this section is to provide a comprehensive review of existing tech-
nologies and research relevant to the topic of this paper. This section sets the context for
the proposed framework by discussing contemporary technologies. It also highlights the
limitations and challenges of current approaches, thereby establishing the need for the
proposed ZT-VPN framework. By reviewing related work, this section helps to position
the research within the broader field of cybersecurity and demonstrates how the proposed
framework builds upon and advances existing knowledge.

2.1. Virtual Private Network (VPN)


This is a technology that creates a secure and encrypted connection over a less secure
network. It allows users to send and receive data across shared or public networks as
if their computing devices were directly connected to the private network [51]. VPNs
are commonly used by businesses to allow employees to access the company’s internal
network from remote locations securely. This is particularly useful for remote work,
enabling employees to access files, applications, and other resources as if they were in
the office. VPNs provide a secure connection, protecting your data from hackers and
cybercriminals, especially when using public Wi-Fi networks. The encryption ensures that
even if the data are intercepted, they cannot be read [52,53]. By masking your IP address, a
VPN helps protect your online privacy. It prevents websites, advertisers, and even your
internet service provider (ISP) from tracking your online activities. VPNs allow you to
bypass geographic restrictions and access content that may be blocked in your region. For
example, you can access streaming services, websites, and online services that are only
available in certain countries.
Figure 1 explains in detail how a VPN works. It shows that, at a broad level, when you
connect to a VPN, it encrypts your internet traffic. This means
that the data you send and receive are converted into a secure code that is difficult for
unauthorized parties to decipher. This encryption ensures that sensitive information, like
passwords and personal data, is protected from eavesdropping. The internet traffic is
routed through a VPN server. This server acts as an intermediary between your device
and the internet. When you access a website or online service, your request is first sent to
the VPN server, which then forwards it to the destination. The response from the website
is sent back to the VPN server, which then forwards it to your device. Importantly, by
routing the traffic through a VPN server, your real IP address is hidden, and you appear to
be accessing the internet from the location of the VPN server. This helps protect identity
and location, providing a layer of anonymity.

2.2. Zero Trust Network Access (ZTNA)


Zero Trust Network Access (ZTNA) is a security framework that operates on the
principle of “never trust, always verify.” Unlike traditional security models that assume
everything inside an organization’s network can be trusted, ZTNA assumes that threats
can exist both inside and outside the network [54]. Therefore, strict verification is required
for every user and device attempting to access resources. Figure 2 provides a detailed
explanation of how a ZTNA works. The figure shows that it is a security framework
that assumes no inherent trust in any user or device seeking access to network resources.
It emphasizes the verification of user identities, strict access control, and continuous
monitoring. ZTNA relies on technologies like multi-factor authentication (MFA), identity
and access management (IAM), network segmentation, and micro-segmentation to enforce
security controls [55].

Figure 1. Illustration of VPN functionality, demonstrating encrypted traffic flow for enhanced data
security and user privacy across public networks.

Figure 2. Zero Trust Network Access (ZTNA) framework, showing the continuous verification
process that ensures secure access based on identity, context, and device compliance.

Table 1 provides an overview of and shows the differences between the VPN and
ZTNA. As we can see from the table, ZTNA is well suited for modern, dynamic envi-
ronments, including remote work and cloud-based applications. It can easily scale to
accommodate growing and changing organizational needs. ZTNA’s micro-segmentation
and least-privilege access policies help contain potential breaches, preventing attackers
from moving laterally within the network and accessing sensitive data [56,57]. By re-
quiring continuous verification and limiting access based on identity and context, ZTNA
significantly reduces the attack surface and improves the overall security posture. ZTNA
provides detailed insights into user and device activity, allowing organizations to detect
and respond to threats more effectively. This visibility also helps ensure compliance with
regulatory requirements.

Table 1. Comparative analysis of the VPN and ZTNA, highlighting differences in trust models, access
security, performance, and deployment complexity.

Checklist: VPN vs. ZTNA

Security features
  VPN: Creates an encrypted tunnel for data transfer between the user's device and the company's network. However, it may be vulnerable to attacks if misconfigured or if outdated encryption standards are used.
  ZTNA: Provides customizable access control settings with a more granular security approach, including micro-segmentation and adaptive trust, which minimizes lateral movement within the network.

Trust model
  VPN: Trust is established once when the user connects to the network, after which they have access to all resources.
  ZTNA: Employs a Zero Trust model, verifying identity and access permissions continuously, ensuring that only authorized users can access specific resources.

Access security model
  VPN: After authentication, users have broad access to the network, potentially increasing the risk if credentials are compromised.
  ZTNA: Users can only access specific applications or data as defined by granular policies. Access is determined based on factors such as identity, device posture, and application sensitivity.

Performance
  VPN: Can introduce latency as all traffic is routed through a central server, creating a single point of congestion, especially under heavy load. Performance can degrade with increased distance from the server.
  ZTNA: Traffic is routed directly to the application or service, reducing latency and avoiding bottlenecks. It also allows local breakout, which improves user experience.

Authentication
  VPN: Typically uses basic methods like username and password. Additional security layers like MFA (multi-factor authentication) are optional and may not be consistently enforced.
  ZTNA: Enforces robust authentication methods, including MFA, device identity verification, and contextual factors like geolocation and time of access.

Deployment complexity
  VPN: Generally straightforward to deploy, especially for small- to medium-sized networks. It requires the configuration of VPN servers and client software on user devices.
  ZTNA: Deployment can be complex, requiring integration with identity providers, defining granular policies, and ensuring compatibility with existing applications and network infrastructure.

Scalability
  VPN: Scalability can be challenging as VPN servers need to handle all traffic, which may require significant infrastructure investment as the user base grows.
  ZTNA: Designed for scalability, as it does not route all traffic through a central point. Easily supports a growing user base and can integrate with cloud services seamlessly.

Use cases
  VPN: Suitable for remote access to internal resources, secure communication over public networks, and when centralized control over network traffic is needed.
  ZTNA: Ideal for secure access to cloud applications, enforcing least-privilege principles and protecting against insider threats by restricting lateral movement.
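To make the "Trust model", "Access security model" and "Authentication" rows of Table 1 and the ZTNA description in Section 2.2 concrete, the following is an added example (not code from the paper) of a per-request ZTNA policy decision placed beside a VPN-style trust-once session. The application tiers, roles, device-posture threshold, allowed countries, working hours and sample requests are all constructed assumptions.

```python
"""Per-request Zero Trust decision next to a VPN-style 'trust once' session.

Added example, not code from the paper. Every policy value, user, device
attribute and timestamp below is a constructed assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Application policy (constructed): sensitivity tier and permitted roles.
# Higher tiers add device-posture and contextual checks (least privilege).
APP_POLICY = {
    "wiki":    {"tier": 1, "roles": {"staff", "finance", "admin"}},
    "payroll": {"tier": 3, "roles": {"finance", "admin"}},
    "hr-db":   {"tier": 3, "roles": {"admin"}},
}
ALLOWED_COUNTRIES = {"PK", "US"}   # constructed geolocation policy
WORK_HOURS = range(7, 20)          # 07:00-19:59 UTC, constructed time-of-access policy
MAX_PATCH_AGE_DAYS = 30            # constructed device-posture threshold


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    disk_encrypted: bool
    patch_age_days: int
    country: str
    when: datetime
    app: str


def device_compliant(req: AccessRequest) -> bool:
    """Device posture: managed, disk-encrypted and patched recently."""
    return (req.device_managed and req.disk_encrypted
            and req.patch_age_days <= MAX_PATCH_AGE_DAYS)


def ztna_decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate ONE request against identity, MFA, device posture, context and
    application sensitivity. Nothing is remembered between requests, so the
    same user is re-verified on every access (continuous verification)."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if req.role not in policy["roles"]:
        return False, "role not permitted for application"
    if not req.mfa_passed:
        return False, "MFA required"
    if policy["tier"] >= 2 and not device_compliant(req):
        return False, "device posture non-compliant"
    if policy["tier"] >= 3:
        if req.country not in ALLOWED_COUNTRIES:
            return False, "geolocation outside policy"
        if req.when.hour not in WORK_HOURS:
            return False, "outside permitted hours"
    return True, f"allow {req.user} -> {req.app}"


class VpnSession:
    """Table 1 VPN model: trust is established once at connect time, after
    which the session reaches any internal application regardless of device
    posture or context."""

    def __init__(self, user: str, password_ok: bool):
        self.user = user
        self.connected = password_ok

    def reach(self, app: str) -> bool:
        return self.connected


def sample_requests() -> dict[str, AccessRequest]:
    """Constructed requests exercising each branch of the policy."""
    day = datetime(2024, 11, 17, 10, 0, tzinfo=timezone.utc)
    night = datetime(2024, 11, 17, 23, 30, tzinfo=timezone.utc)
    ok = dict(mfa_passed=True, device_managed=True, disk_encrypted=True,
              patch_age_days=5, country="PK", when=day)
    return {
        "finance_payroll_ok":    AccessRequest("alice", "finance", app="payroll", **ok),
        "finance_hr_db_role":    AccessRequest("alice", "finance", app="hr-db", **ok),
        "staff_wiki_no_mfa":     AccessRequest("bob", "staff", app="wiki", **{**ok, "mfa_passed": False}),
        "finance_payroll_stale": AccessRequest("alice", "finance", app="payroll", **{**ok, "patch_age_days": 90}),
        "finance_payroll_night": AccessRequest("alice", "finance", app="payroll", **{**ok, "when": night}),
        "staff_wiki_stale":      AccessRequest("bob", "staff", app="wiki", **{**ok, "patch_age_days": 90}),
    }


def evaluate_samples() -> dict[str, bool]:
    """Decision per sample: a stale device may still read the low-tier wiki,
    but is refused the high-tier payroll application."""
    return {name: ztna_decide(req)[0] for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:24s} ZTNA -> {ztna_decide(req)}")
    # The VPN model lets the same stale device reach hr-db once the password is accepted.
    print("VPN reach hr-db:", VpnSession("alice", password_ok=True).reach("hr-db"))
```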

2.3. Proxy Servers


A proxy server is an intermediary server that sits between a client and the internet.
It acts as a gateway, handling requests from clients seeking resources from other servers.
Proxy servers can provide an additional layer of security by filtering out malicious content
and blocking access to harmful websites [58]. They can also protect against certain types
of cyberattacks. Proxy servers help protect the client’s privacy and prevent tracking by
websites and advertisers. Proxy servers can bypass geographic restrictions and allow
clients to access content that may be blocked in their region [59,60]. Proxy servers can
cache frequently accessed content, reducing the load on the target servers and improving
response times for clients. Proxy servers work as follows:

1. When a client requests a resource, the request is first sent to the proxy server. The
proxy server then forwards the request to the target server on behalf of the client.
Once the target server responds, the proxy server sends the response back to the client.
This process adds a layer of separation between the client and the target server.
2. Proxy servers can hide the client’s IP address by replacing it with their own. This
helps protect the client’s identity and location, providing a layer of anonymity.
3. Proxy servers can cache frequently requested resources. When a client requests
a resource that is already cached, the proxy server can deliver it directly from its
cache, reducing the time and bandwidth required to retrieve the resource from the
target server.

2.4. Secure Shell (SSH) Tunnels


SSH tunneling, also known as SSH port forwarding, is a method of transporting data
over an encrypted SSH connection. This technique allows secure communication between
a client and a server, even over an unsecured network [61]. SSH tunneling begins with
establishing an SSH connection between a client and an SSH server. This connection is
encrypted, ensuring that any data transmitted between the client and the server are secure
and protected from eavesdropping. It uses strong encryption algorithms to secure the
data transmitted through the tunnel [62]. It also employs authentication mechanisms, for
instance, passwords, public keys, or multi-factor authentication, to verify the identity of
the client and the server.
SSH tunnels can be used to bypass firewalls and network restrictions. For example,
if a firewall blocks access to a specific service, an SSH tunnel can be used to route the
traffic through an allowed port. SSH tunnels enable secure remote access to services and
applications. This is particularly useful for system administrators who need to manage
servers and devices from remote locations.

2.5. Software-Defined Wide Area Network (SD-WAN)


A software-defined wide area network (SD-WAN) is a virtual WAN architecture that
leverages software-defined networking (SDN) technology to manage and optimize the
performance of a wide area network (WAN) [63]. It allows enterprises to use a combina-
tion of transport services, like MPLS, LTE, and broadband internet, to connect users to
applications securely.
An SD-WAN separates the control plane from the data plane. The control plane is
responsible for making decisions about where traffic should be sent, while the data plane
is responsible for forwarding the traffic [64,65]. This separation allows for centralized
management and control of the network. An SD-WAN provides a centralized management
interface that allows network administrators to configure and manage the entire WAN
from a single location. This simplifies network operations and reduces the complexity
associated with traditional WAN architectures. An SD-WAN can dynamically select the
best path for traffic based on real-time network conditions. It can route traffic over multiple
transport links, like MPLS, LTE, and broadband, to optimize performance and ensure
high availability. An SD-WAN is application-aware, meaning it can identify and prioritize
traffic based on the application. This ensures that critical applications receive the necessary
bandwidth and low latency, while less critical applications are given lower priority. An
SD-WAN includes built-in security features including encryption, firewall, and intrusion
prevention. It can also integrate with existing security solutions to provide end-to-end
protection for the network.
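The path-selection behaviour described above (control plane choosing among MPLS, LTE and broadband from real-time conditions, with application-aware priority) is shown in the following added example; it is not code from the paper, and the link measurements, transport costs and per-application SLA thresholds are constructed assumptions.

```python
"""Application-aware path selection over MPLS, LTE and broadband links.

Added example, not code from the paper. Link measurements, costs and the
per-application SLA thresholds are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    latency_ms: float   # measured round-trip latency (constructed)
    loss_pct: float     # measured packet loss (constructed)
    jitter_ms: float    # measured jitter (constructed)
    cost: int           # relative transport cost, lower is cheaper (constructed)
    up: bool = True


# Per-application SLA (constructed). Priority 3 = latency-critical traffic.
APP_SLA = {
    "voip":   {"latency_ms": 150, "loss_pct": 1.0, "jitter_ms": 30, "priority": 3},
    "erp":    {"latency_ms": 250, "loss_pct": 2.0, "jitter_ms": 80, "priority": 2},
    "backup": {"latency_ms": 1000, "loss_pct": 5.0, "jitter_ms": 500, "priority": 1},
}


def meets_sla(link: Link, sla: dict) -> bool:
    """A link is usable for an application only if it is up and within every SLA bound."""
    return (link.up and link.latency_ms <= sla["latency_ms"]
            and link.loss_pct <= sla["loss_pct"] and link.jitter_ms <= sla["jitter_ms"])


def select_path(app: str, links: list[Link]) -> str | None:
    """Control-plane decision for one application class.

    Among links meeting the SLA, latency-critical apps take the lowest-latency
    link; others take the cheapest. If no link meets the SLA, fall back to the
    lowest-latency link that is up, so traffic is degraded rather than dropped.
    Returns None only when every link is down."""
    sla = APP_SLA[app]
    candidates = [l for l in links if meets_sla(l, sla)]
    if candidates:
        if sla["priority"] >= 3:
            return min(candidates, key=lambda l: (l.latency_ms, l.cost)).name
        return min(candidates, key=lambda l: (l.cost, l.latency_ms)).name
    up_links = [l for l in links if l.up]
    if not up_links:
        return None
    return min(up_links, key=lambda l: l.latency_ms).name


def forwarding_plan(links: list[Link]) -> dict[str, str | None]:
    """Data-plane table pushed from the controller: application class -> link."""
    return {app: select_path(app, links) for app in APP_SLA}


def sample_links(broadband_loss_pct: float = 0.5, all_down: bool = False) -> list[Link]:
    """Constructed measurements; broadband_loss_pct simulates a degrading link."""
    return [
        Link("mpls", 30, 0.1, 5, cost=10, up=not all_down),
        Link("broadband", 45, broadband_loss_pct, 20, cost=2, up=not all_down),
        Link("lte", 90, 1.5, 40, cost=5, up=not all_down),
    ]


if __name__ == "__main__":
    print("healthy:  ", forwarding_plan(sample_links()))
    print("bb lossy: ", forwarding_plan(sample_links(broadband_loss_pct=3.0)))
    print("all down: ", forwarding_plan(sample_links(all_down=True)))
```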

2.6. Secure Access Service Edge (SASE)


This is a cloud-based architecture model that combines wide area networking (WAN)
and network security services into a single, unified framework. It is designed to securely
connect users, systems, endpoints, and remote networks to applications and resources,
regardless of their location [66]. Here is a detailed explanation of how SASE works:

1. SASE integrates networking functions, like a software-defined wide area network (SD-
WAN), with security services, including Secure Web Gateway (SWG), Cloud Access
Security Broker (CASB), Firewall as a Service (FWaaS), and Zero Trust Network Access
(ZTNA). This convergence allows for a more streamlined and efficient approach to
managing and securing network traffic [67].
2. SASE is built on a cloud-native architecture, meaning that both the networking and
security functions are delivered as cloud services. This allows for greater scalability,
flexibility, and ease of deployment compared to traditional on-premises solutions.
3. SASE grants access based on the identity of users and devices rather than relying on the
traditional perimeter-based security model. This ensures that only authenticated and
authorized users can access specific applications and resources, enhancing security.
4. SASE solutions are globally distributed, meaning that they have points of presence
(PoPs) around the world. This ensures that users can securely access applications and
resources with low latency, regardless of their geographic location.
Table 2 provides a comparison of different network security and access technologies.
We can see that a VPN creates a secure and encrypted connection over the internet, allowing
users to access corporate networks remotely. However, traditional VPNs grant broad access
to the entire network once authenticated, which can pose security risks. In contrast, ZTNA
operates on the principle of “never trust, always verify,” continuously verifying every
user and device attempting to access resources. ZTNA provides granular access control,
granting users access only to specific applications and resources based on their identity
and context, thereby reducing the attack surface and enhancing security.
Proxy servers act as intermediaries between clients and the internet, masking the
client’s IP address and providing anonymity. They can cache frequently requested content
to improve performance but do not offer the same level of encryption and security as
VPNs or ZTNA. SSH tunnels provide secure communication for specific applications
by transporting data over an encrypted SSH connection, ensuring data protection even
over unsecured networks. An SD-WAN optimizes network performance by dynamically
selecting the best path for traffic and providing centralized management. Each technology
has its unique strengths and use cases, making each suitable for different network and
security requirements. VPNs and ZTNA focus on secure remote access, with ZTNA
providing more granular control. Proxy servers offer anonymity and content filtering,
while SSH tunnels secure specific application communications. An SD-WAN enhances
network performance and scalability, and SASE provides a comprehensive, cloud-based
solution for modern enterprises.

Table 2. Overview of various network security and access technologies, comparing attributes of
scalability, use case suitability, and security models across VPN, ZTNA, proxy servers, SSH tunnels,
SD-WAN, and SASE.

Columns: Technology; Security; Trust model; Performance; Use case; Scalability

VPN
  Security: Encrypted tunnel, risk of broad access
  Trust model: Trust established once
  Performance: Latency due to centralized routing
  Use case: Secure remote access to internal resources
  Scalability: Limited scalability due to server capacity

ZTNA
  Security: Granular access, continuous verification
  Trust model: Zero Trust, continuous
  Performance: Direct routing, low latency
  Use case: Securing cloud and hybrid environments
  Scalability: Highly scalable, supports cloud integration

Proxy servers
  Security: Basic anonymity, web filtering
  Trust model: Basic credentials, no internal security
  Performance: May introduce latency
  Use case: Content filtering, anonymity
  Scalability: Scales for web traffic, not for internal security

SSH tunnels
  Security: Strong encryption, secure remote access
  Trust model: Single-session access
  Performance: Minimal impact
  Use case: Secure remote management, tunneling
  Scalability: Not scalable for large user bases

SD-WAN
  Security: Integrated security options, optimized routing
  Trust model: Secure site-to-site traffic
  Performance: Dynamic routing, optimized
  Use case: Connecting branches, performance optimization
  Scalability: Scales for large networks, complex deployment

SASE
  Security: Comprehensive security, Zero Trust
  Trust model: Cloud-native, Zero Trust, granular security
  Performance: Optimized, low latency
  Use case: Remote workforce
  Scalability: Highly scalable, complex implementation

3. Systematic Literature Review—Methodology


The systematic literature review (SLR) process followed in this study involved a series
of rigorous steps to ensure that only high-quality and relevant studies were included in the
final analysis. Figure 3 illustrates the multi-phase process used to filter, evaluate, and select
the most relevant research articles.
1. Identification phase: The review began with the identification phase, where an initial
search was conducted using the query “Zero Trust VPN” OR “ZTNA” OR “Zero Trust
Network Access” to capture the literature related to Zero Trust and VPN concepts.
Two major academic databases, Google Scholar and Web of Science, were used to
gather a comprehensive set of articles. This search returned 1090 results from Google
Scholar and 406 from Web of Science, resulting in a total of 1496 papers.
2. Screening phase: In the screening phase, the initial set of papers was reviewed to
remove irrelevant studies. The first screening involved filtering by title, abstract, and
keywords. Articles that were duplicates, gray literature, out-of-scope publications,
book chapters, and editorial letters were excluded, reducing the pool to 608 papers.
This step alone excluded 888 papers. A second screening was conducted based
on a detailed reading of titles and abstracts. Articles that lacked relevance, were
metadata-only or were otherwise irrelevant to this study were excluded. After this
step, 426 more articles were removed, leaving 182 papers for further assessment.
3. Eligibility phase: The eligibility phase involved two levels of in-depth evaluation to
further ensure the relevance and quality of the remaining studies. In the first eligibility
check, both abstracts and main bodies of the papers were skim-read to exclude those
that did not meet the criteria for Methodological Evaluation Score (MES) assessment.
This step excluded 65 papers, narrowing down the selection to 117. The second
eligibility check involved a closer reading of the main bodies of the remaining articles,
with an emphasis on applying MES assessment criteria. This step led to the exclusion
of an additional 31 articles, resulting in 86 studies that met all eligibility requirements.
4. Inclusion phase: Finally, in the inclusion phase, the remaining 86 studies were in-
cluded in the final MES analysis, representing the highest-quality and most relevant
articles for this systematic literature review. These studies formed the basis for the
in-depth analysis and synthesis presented in this paper.

Figure 3. Systematic literature review (SLR) methodology for selecting and filtering articles related to
Zero Trust VPN and cybersecurity frameworks.

Literature Review
Our literature review focused on existing research on Zero Trust security frameworks,
VPN, and ZTNA. The focus was on scalability, access control, performance, and iden-
tity verification across various network settings. To ensure a robust and comprehensive
understanding, we defined a focused scope, prioritizing academic articles, industry re-
ports, and foundational frameworks that engage directly with Zero Trust principles, their
implementation challenges, and their efficacy.
The search process involved Google Scholar databases. The search query was com-
posed of terms including “Zero Trust Network Access (ZTNA)”, “VPN security challenges”,
“Zero Trust architecture”, “data-centric security”, and “identity-based access control”. We concen-
trated on works from the last decade to capture the most relevant contemporary cybersecu-
rity articles, with some exceptions for foundational studies. Our inclusion criteria targeted
studies covering one or more of the following areas: Zero Trust frameworks across environ-
ments, ZTNA and VPN comparisons (in terms of performance, scalability, and usability),
and Zero Trust implementations with a focus on access control, identity verification, and
continuous monitoring. Studies focused solely on general network security without Zero
Trust concepts or theoretical models lacking practical applications were excluded.
In analyzing the literature, we categorized studies by key themes, including access
control mechanisms, scalability, hybrid network challenges, data-centric security, usability,
and continuous monitoring. We organized each study’s main contributions using a com-
parative framework to maintain consistency in our analysis. Key findings, methodologies,
and challenges from each study were extracted, particularly regarding their applicability to
the ZT-VPN framework. Zero trust is a security architecture that safeguards on-premises
resources by eradicating unidentified users and uncontrolled devices and restricting any
lateral movement [68]. The research work by Cherrueau et al. [69] discusses the potential
risks and mitigations, emphasizing the importance of secure configuration, encryption, and
identity-based access controls. The study identifies the challenges of scaling ZTNA VPN
solutions and provides recommendations for addressing security concerns.
In the research work by S et al. [70], “Security issues with Virtual Private Network
(VPN) and proxy services: Performance and Usability”, usability and performance are
crucial factors when implementing ZTNA and VPN solutions. The study also suggests
that bad VPN configuration and execution, rather than, say, inadequate cryptography,
are the key issues. The research work by Wang et al. [71] evaluates the performance of
ZTNA VPN solutions, considering latency, throughput, and scalability. The study
emphasizes the need for efficient protocols and optimized configurations to maintain a
balance between security and performance. According to Da Silva et al. [72,73], smart home
security should include Zero Trust access control that takes context into account and uses
behavior-based continuous authentication. They propose a Zero Trust-aware smart home
system that regulates access to the smart home by continually verifying the user's
authenticity through Zero Trust continuous identity verification. It is powered by edge
computing, which removes unreliable service providers and any access through them.
Correctness is not guaranteed, and the effect of latency and concurrency has not been
tested in a real context.
The research work by Hunt et al. [74] proposes a ZTNA VPN model. The research
highlights the benefits of this integration, like enhanced visibility and control over network
traffic. The model states that incoming requests from users or devices should be accepted after
authentication. Running both ZTNA and VPN simultaneously may introduce additional
latency and performance overhead. This can impact the user experience, particularly for
latency-sensitive applications. He et al. [75] conducted research comparing common trust
assessment techniques and outlining the benefits and drawbacks of various access control
regimes and authentication procedures. The study also emphasizes protocols for network
authentication and access control. Syed et al. [29] broadened the design's scope to include
software-defined perimeters and micro-segmentation and discussed the difficulties of such
an architecture. The survey by Pittman et al. [76] showed that data objects, rather than
user-accessible paths, are what Zero Trust concepts and tenets apply to. According to their
findings, trust computation in a dynamic system like a network is a problem of
categorization and regression. In their research, Buck et al. [77] used a search model to
distinguish between academic material and gray literature while evaluating articles
published on ZTNA. Any piece of writing that does not originate from an academic
setting, for example from a private or commercial enterprise, is considered gray literature.
To some extent, the methods outlined here are comparable to Google’s ZTN approach
to access control [78,79]. However, the execution of decision continuity, risk management,
and policy wording has been vague. NIST [45] provides a vendor-agnostic framework for
ZT implementation. It focuses on the continuous verification of user and device identities.
Policy enforcement is based on context, like user identity, device health, and location;
micro-segmentation and least-privilege access; and comprehensive and detailed guidance
applicable to a wide range of organizations. It encourages continuous monitoring and
verification, allowing for flexible implementation.
It may be seen as overly complex due to detailed and broad guidelines. Implementa-
tion requires a thorough understanding and careful planning. The Forrester model [80,81],
popularized by Forrester Research, emphasizes the need to eliminate trust from the net-
work. It includes continuous monitoring and validation of all users and devices; micro-
segmentation to limit lateral movement within networks; data-centric security, ensuring
data protection regardless of location; and a strong focus on data protection and reducing
attack surfaces. It is a practical approach that can be adapted to various environments. Sig-
nificant changes may be required to the existing network and security infrastructure. The
broad approach might be challenging for smaller organizations to implement fully. Some
of the concepts presented here are similar to Dynfire, an AC policy management frame-
work for ZTN put into practice on a college campus, as described by Vensmer et al. [82].
Problematically, neither risk management nor decision continuity are part of it. A ZTN AC
solution for cloud computing, AL-SAFE, is described by Giannoku et al. [83]. However, it
is missing policy language, risk management, and decision continuity features.
From Table 3, we can see that scaling both ZTNA and VPN solutions to accommodate
an increased number of users and devices can be effective. Ensuring seamless scalability
while maintaining security can be a complex task. In today's computing and mobile device
settings, where dynamic characteristics make the idea of a conventional DMZ [84] outdated,
this comparatively static approach to security, focused on physical or virtual perimeters,
fails. An implicit trust strategy cannot sufficiently protect the cloud, which is the new
network edge. Regarding the idea of protecting information systems [74], changes were made
to accomplish the required IP security based on a review of the company's policy, the SSL
encryption technique, and the software utilized in the business. These steps will enable the
information system for manufacturing locations to gain the appropriate security. Given the
context of prior research and the underlying hypotheses, the authors delve into the data
and their potential interpretation. Discussion of the results and their implications needs
to take a wide view. It is also possible to emphasize potential avenues for future research.
The manner in which companies work has changed over the last several years. Working
remotely and other trends like bring your own device (BYOD) [85] are driving the demand for
flexible access to company data and apps from devices outside of the company's internal
network. This tendency is being exacerbated by the rising number of remote workers and
the coronavirus epidemic. Additionally, problems arise for the organization's network
architecture due to external connections, the incorporation of partners and service providers,
or the mutual sharing of assets. To date, the majority of companies have provided external
users or services with encrypted connections to their internal networks so that they may
access internal resources. When a user or service is considered trustworthy, they are
granted access to the network's resources. The problem is that most existing solutions rely
on inflexible components like subnetworks, firewalls, and rule sets, making it impossible to
adapt to these kinds of ever-changing conditions. Because of this design, there are major
security holes. One issue is that the internal network is not segmented or controlled. Once
an outsider or malevolent employee breaches an organization's network defense, they may
access almost every part of the system. A large number of organizational resources are,
therefore, vulnerable to reading, modification, and harm.
Table 3. Comparison of models and scholarly contributions. This table shows a comparison of industry
Zero Trust models, outlining implementation complexity, device management, data protection, and
monitoring frameworks in Google BeyondCorp, NIST, and Forrester models.

| Criteria | Google BeyondCorp [78,79] | NIST Zero Trust Architecture (SP 800-207) [45] | Forrester Zero Trust Model [80] |
|---|---|---|---|
| Primary focus | Device and user authentication | Continuous verification and micro-segmentation | Data-centric security and continuous monitoring |
| Implementation complexity | High, complex outside of Google ecosystem | High, due to comprehensive guidelines | Moderate, adaptable, but requires significant changes |
| Flexibility | Limited, tailored to Google infrastructure | High, vendor-neutral | Moderate, adaptable to various environments |
| Device management | Centralized control, strong device verification | Device posture checks | Focus on endpoint security |
| User authentication | Strong emphasis on SSO and MFA | Multi-factor authentication | Continuous identity verification |
| Network access | No inherent trust, direct access to applications | Micro-segmentation, network isolation | Micro-segmentation, no trust within network |
| Data protection | Focus on securing access to data through identity and device state | Policy-based data protection | Strong emphasis on data protection |
| Monitoring and logging | Centralized monitoring, comprehensive logging | Continuous monitoring and incident response | Continuous monitoring |
| Maturity | High, well established in large-scale environments | High, comprehensive, and widely accepted | High, influential in industry standards |
| Support and documentation | Extensive support and documentation from Google | Detailed guidelines and government backing | Extensive industry literature and best practices |
| Best suited for | Large enterprises, especially those using Google infrastructure | Government agencies, large enterprises | Enterprises prioritizing data security and adaptable solutions |

According to Zero Trust techniques, which aim to fix the problems with existing
networking solutions, the fundamental premise is that no one on the network can be
trusted and that any access to company resources might be a security risk. This means that
all accesses are checked and confirmed. The approval of a request is contingent upon its
verification. Either complete access to the service or access to just the allowed operations or
data may be provided. When verifying a user’s identity, it is important to take into account
not only their password but also their device, location, time, and access rights. In addition,
resource access is limited to what is necessary for carrying out tasks in accordance with the
concept of least privilege. This highlights the need to establish and rigorously follow access
rules. The access regulations in question, however, are dynamic. It is possible to include the
behavior patterns of the network participants in the verification process by continuously
monitoring and recording network traffic. Zero trust is more of a strategy than a technology;
it is an umbrella term for a set of guiding principles. This article discusses and analyzes
various categories of network attacks, their features, and the impact they could have on
current networks. We hope that by the end of this research, we will be in a position to
add to the body of knowledge on how VPN and ZTNA can complement each other, thus
reinforcing network security and offering secure access to remote resources.

4. Design and Architecture


The detailed architecture of the Zero Trust VPN (ZT-VPN) is illustrated in the provided
diagram and comprises three main modules: Policy Enforcement Point (PEP), Identity
Enforcement Point (IEP), and Security Enforcement Point (SEP). The PEP module handles
the initial access flow, encrypts traffic, and validates interactions between the subject and
the resource. This involves certificate-based authentication, where both the client and
server use SSL/TLS certificates to establish a secure connection, and username/password
authentication, which adds a layer of security by requiring clients to provide valid creden-
tials. The combination of these authentication methods ensures that only authorized clients
can establish a VPN tunnel with the server.
Once connected to the VPN, the IEP module validates the user’s identity through login
credentials and a one-time password (OTP) sent to the registered device. It also verifies
the device’s health, operating system settings, and the user’s location before granting
role-based access to organizational resources. The SEP module monitors session time and
grants time-bound access, logging user activities and monitoring access to organizational
resources. This comprehensive approach enhances the overall security and access control
of the organization’s network, ensuring that only authenticated and authorized users can
access sensitive resources.
A detailed architecture diagram of the ZT-VPN is illustrated in Figure 4. It has three
modules, namely, Policy Enforcement Point (PEP), Identity Enforcement Point (IEP), and
Security Enforcement Point (SEP). In the first module, the subject, that is, the person using
the resource on behalf of a requester or as the requester, interacts with the resource. The
PEP blocks the access flow until validation succeeds and then encrypts the traffic between
the subject and the resource, as shown in Algorithm 1. Details are provided below:
• Certificate-based authentication: OpenVPN creates an encrypted connection between
the client and server based on SSL/TLS. Certificates are employed to ensure that both
the client and the server are genuine. The process is as follows:
– The VPN server has its own SSL/TLS certificate and private key.
– Every client is issued a distinct SSL/TLS certificate and private key.
– During the SSL/TLS negotiation, when a client connects to the server, it has to
send its certificate to the server.
– The server checks the client's certificate against its list of trusted certificates.
If the client's certificate is valid and recognized as trustworthy by the server,
the SSL/TLS negotiation completes, and the connection is established.
• Username/password authentication: Apart from the certificate, the VPN can also use
usernames and passwords as an additional form of identification.
This is particularly useful when multiple clients share the same certificate, for instance,
in road warrior configurations. The process is as follows:
– Every client has a username and a password created on the VPN server.
– When the client attempts a connection, it presents its certificate as described above,
and the server then asks for a username and password.
– The server verifies the client's username and password against the client list
and passwords with which it has been configured.
– If the credentials match those of an authenticated client, the client is logged
in and connected to the VPN.
• Combining certificate and username/password authentication: Besides the certificates,
OpenVPN also has options for a username and password as the second level
of authentication. This is especially useful when several clients share the same
certificate (for example, road warriors). The process is as follows:
– Users obtain an account on the VPN server with their unique username
and password.
– When a client attempts to connect, it sends its certificate, as mentioned above,
and the VPN server then asks for a username and password.
– The server compares the given username and password with the client list and
the required password.
– If the username and password are correct, the client is authorized, and phase 2 of
the VPN connection is initiated.
• Combining certificate and username/password authentication: In practice, a VPN can
be configured to require both certificate-based authentication and username/password
authentication for enhanced security. This ensures that clients possess the correct
certificate and valid credentials to connect to the VPN server. Clients go
through both certificate-based authentication and username/password authentication
before being granted access to the VPN server.

Algorithm 1: Policy Enforcement Point (PEP)

Require: VPN client, VPN configuration file (.ovpn), credentials (username and password)
Module 1: Enforcement Point (EP)
Submodule 1: Install VPN Client
  1.1 Download the appropriate OpenVPN client for your operating system.
  1.2 Follow the installation instructions to install the OpenVPN client on your device.
Submodule 2: Obtain OpenVPN Configuration File
  2.1 Obtain the .ovpn configuration file from your network administrator or VPN service provider.
  2.2 Ensure you have the necessary credentials (username and password), if required.
Submodule 3: Configure OpenVPN Client
  3.1 Place the .ovpn configuration file in the appropriate directory:
      Windows: C:\Program Files\OpenVPN\config\
  3.2 If needed, open the .ovpn file in a text editor and modify any settings as per your requirements.
Submodule 4: Connect to OpenVPN Server
  4.1 Launch the OpenVPN client application.
  4.2 Select the appropriate .ovpn configuration file.
  4.3 Enter your credentials (username and password) if prompted.
  4.4 Click on the Connect button to establish the VPN connection.
Submodule 5: Verify the Connection
  5.1 Once connected, verify the VPN connection:
      5.1.1 Check the OpenVPN client status window for connection details.
      5.1.2 Verify your IP address has changed to the VPN server's IP address using an
            online service like whatismyip.com.
      5.1.3 Ensure you can access network resources that require a VPN connection.

The server verifies the certificates and then checks the provided username and pass-
word against its client credentials database. Only after successful validation are the clients
allowed to establish the VPN tunnel with the server. After successful validation of creden-
tials, the IP address is assigned to the client from a predefined IP pool managed by the VPN
server. Each time a client connects, it receives an available IP address from the pool. This
approach is more scalable and useful when you have a large number of clients connecting
intermittently. If a client disconnects, its assigned IP address becomes available for future
connections. This allows efficient use of the address space as clients come and go.
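The PEP decision described above (trusted client certificate and valid username/password before an address is leased from the pool), as an added example that is not part of the paper or of OpenVPN itself. On a real OpenVPN server the password step is wired in with the `auth-user-pass-verify <script> via-env` directive (which needs `script-security 2`): OpenVPN exports `username` and `password` to the script and treats exit status 0 as success, so the decision logic below is what such a script would call. The trust store, credential records, usernames and address pool are all constructed sample data, and the certificate check is a stand-in that identifies a client certificate by its SHA-256 fingerprint rather than performing full X.509 chain validation.

```python
"""Added example (not the paper's code): a minimal Policy Enforcement Point
check -- a client must present a certificate the server already trusts AND
valid username/password before it receives an address from the VPN IP pool.
All trust-store entries, credentials and addresses below are constructed."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed trust store: SHA-256 fingerprints of the client certificates the
# server issued.  A real server would validate the X.509 chain instead.
TRUSTED_CERT_FINGERPRINTS = {
    hashlib.sha256(b"sample-cert-alice").hexdigest(),
    hashlib.sha256(b"sample-cert-bob").hexdigest(),
}

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_credential_record(password: str) -> dict:
    """Store only a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed credential database (username -> salted hash).
CREDENTIALS = {
    "alice": make_credential_record("correct horse battery staple"),
    "bob": make_credential_record("hunter2-but-longer"),
}


def certificate_is_trusted(cert_der: bytes) -> bool:
    """Server-side check of the presented client certificate against the trusted list."""
    return hashlib.sha256(cert_der).hexdigest() in TRUSTED_CERT_FINGERPRINTS


def password_is_valid(username: str, password: str) -> bool:
    record = CREDENTIALS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


@dataclass
class IPPool:
    """Predefined pool: each authenticated client is leased one address and the
    address returns to the pool when the client disconnects."""
    network: ipaddress.IPv4Network
    leased: Dict[str, str] = field(default_factory=dict)  # username -> address

    def lease(self, username: str) -> Optional[str]:
        in_use = set(self.leased.values())
        for host in self.network.hosts():
            if str(host) not in in_use:
                self.leased[username] = str(host)
                return str(host)
        return None  # pool exhausted

    def release(self, username: str) -> None:
        self.leased.pop(username, None)


def new_pool(cidr: str) -> IPPool:
    return IPPool(ipaddress.ip_network(cidr))


def pep_connect(pool: IPPool, cert_der: bytes, username: str, password: str) -> dict:
    """Both factors must pass before any address is handed out; a failed
    attempt never consumes an address from the pool."""
    if not certificate_is_trusted(cert_der):
        return {"granted": False, "reason": "untrusted certificate"}
    if not password_is_valid(username, password):
        return {"granted": False, "reason": "bad credentials"}
    address = pool.lease(username)
    if address is None:
        return {"granted": False, "reason": "ip pool exhausted"}
    return {"granted": True, "address": address}


if __name__ == "__main__":
    pool = new_pool("10.8.0.0/30")
    print(pep_connect(pool, b"sample-cert-alice", "alice", "correct horse battery staple"))
    print(pep_connect(pool, b"sample-cert-mallory", "alice", "correct horse battery staple"))
```

The order of the checks matters: the certificate is verified first so that an unknown client never reaches the password database, and the same failure shape is returned for a wrong password and an unknown username.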

Figure 4. Detailed architecture of the Zero Trust VPN (ZT-VPN) framework, depicting the Pol-
icy Enforcement Point, Identity Enforcement Point, and Security Enforcement Point modules for
comprehensive security management.

In the second module, after the user connects to the VPN, the IEP validates the user's
identity through login credentials. An OTP is sent to the registered device, through which the
device is verified. Afterward, the device health, OS settings, and the person's location are verified.
Then, role-based access to organizational resources is granted to that person, as can be
seen in Algorithm 2, lines 1 to 22. In the SEP module, session time is monitored, and
limited time-based access is granted to every user. The session is time-bound: once the user
logs in, the session time is collected from the log server, and the counter starts.
The user profile and activities are also monitored through server logs. When the user
tries to access any organizational resource or link, it is logged and
monitored as well, as can be seen in Algorithm 2, lines 24 to 49.
This implementation can enhance the overall security and access control of an organi-
zation's network. In a VPN, client credentials are typically validated through a combination
of certificate-based authentication and username/password authentication. Let us explore
how this validation process works, along with a diagram.
These are the steps through which we achieve our goal:
• The user inputs their credentials into the VPN client, which validates them with the
server; only then does traffic go to the internet.
• The person can then access the web application; if the VPN credentials are not validated,
access to the web application is not permitted.
• Next, the user enters their credentials in the web app; at this point, the user is vali-
dated with a password and also receives an OTP on their registered mobile number.
• In the next step, the user's device OS, settings, and device health are monitored, and
user logs are generated every time the user performs any activity.
• There is also access management; the user is restricted to the privileges allowed
by the admin.
Algorithm 2: ZTNA Policy Enforcement Point (ZPE)

Require: resources, userRoles, accessPolicies, ztnaConfig
 1: Module 2: Identity Enforcement Point (IEP)
 2: Submodule 1: Define Access Policies
 3:   defineResources(resources)
 4:   defineUserRoles(userRoles)
 5:   createAccessPolicies(accessPolicies)
 6: Submodule 2: Set Up ZTNA Infrastructure
 7:   selectZTNASolution(ztnaConfig.solution)
 8:   deployZTNAController(ztnaConfig.controller)
 9:   installZTNAAgents(ztnaConfig.agents)
10: Submodule 3: Implement Authentication Mechanisms: configureAuthentication(ztnaConfig.authMechanisms)
11: Submodule 4: Enforce Zero Trust Principles
12:   for user in users do
13:     if authenticate(user, ztnaConfig.auth) then
14:       session = establishZTNASession(user)
15:       if assessAccess(session, ztnaConfig.policies) then
16:         grantAccess(session, user)
17:       else
18:         denyAccess(session, user)
19:       end if
20:     else
21:       denyAccess(user)
22:     end if
23:   end for
24: Module 3: Security Enforcement Point (SEP)
25: Submodule 1: Monitoring and Logging
26:   setupActivityLogging()
27:   enableRealTimeMonitoring()
28:   configureAlertsAndReports()
29: Submodule 2: Continuous Improvement
30:   while True do
31:     updateZTNASoftware(ztnaConfig)
32:     reviewPolicies(accessPolicies)
33:     conductUserTraining()
34:   end while
35: function grantAccess(session, user)
36:   allowAccess(session, user)
37: end function
38: function denyAccess(session, user)
39:   blockAccess(session, user)
40: end function
41: function setupActivityLogging()
42:   configureLogging()
43: end function
44: function enableRealTimeMonitoring()
45:   startMonitoring()
46: end function
47: function configureAlertsAndReports()
48:   setupAlerts()
49:   generateReports()
50: end function
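The IEP and SEP decisions of Algorithm 2 (the `authenticate`, `assessAccess` and `grantAccess`/`denyAccess` steps, and the time-bound, logged session), carried through as one policy function in an added example that is neither the paper's nor any ZTNA product's code. The paper only says an OTP is sent to the registered device; the example assumes RFC 6238 TOTP as that OTP and implements it on the standard library. The posture attributes, home-country check, user record, role table and session lifetime are constructed assumptions for the example.

```python
"""Added example (not the paper's code): Identity Enforcement Point and
Security Enforcement Point checks in one place -- password, TOTP, device
posture and location (IEP), then role-based, time-bound, logged access (SEP).
The user/role records are constructed; the TOTP is RFC 6238 (HMAC-SHA1)."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional

PBKDF2_ITERATIONS = 100_000
TOTP_STEP = 30
SESSION_TTL = 8 * 3600  # SEP: every session is time-bound (assumed 8 h)


def totp(secret_b32: str, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP for the time counter floor(at / step), HMAC-SHA1 variant."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed identity store: salted password hash, TOTP seed, home country, role.
USERS = {
    "alice": {
        "salt": b"alice-salt-constructed",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"alice-pass-constructed",
                                       b"alice-salt-constructed", PBKDF2_ITERATIONS),
        "totp_secret": "JBSWY3DPEHPK3PXP",
        "home_country": "PK",
        "role": "finance",
    },
}
# Least privilege: a role sees only the resources listed for it (constructed).
ROLE_RESOURCES = {"finance": {"ledger", "payroll"}, "engineering": {"git", "ci"}}


@dataclass
class DevicePosture:
    os_patched: bool
    disk_encrypted: bool
    endpoint_protection: bool


@dataclass
class AccessRequest:
    username: str
    password: str
    otp: str
    country: str
    posture: DevicePosture
    resource: str
    now: int  # unix time at which the request is evaluated


@dataclass
class Session:
    username: str
    role: str
    issued_at: int
    expires_at: int
    audit_log: List[str] = field(default_factory=list)


def iep_authenticate(req: AccessRequest) -> Optional[str]:
    """Return a denial reason, or None when every identity and context check passes."""
    user = USERS.get(req.username)
    if user is None:
        return "unknown user"
    candidate = hashlib.pbkdf2_hmac("sha256", req.password.encode(), user["salt"], PBKDF2_ITERATIONS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "bad password"
    # Accept the current and the previous time step to absorb small clock skew.
    valid = {totp(user["totp_secret"], req.now), totp(user["totp_secret"], req.now - TOTP_STEP)}
    if req.otp not in valid:
        return "bad otp"
    p = req.posture
    if not (p.os_patched and p.disk_encrypted and p.endpoint_protection):
        return "device posture failed"
    if req.country != user["home_country"]:
        return "unrecognised location, step-up verification required"
    return None


def sep_authorize(session: Session, resource: str, now: int) -> bool:
    """Role-based, time-bound access; every decision is appended to the audit log."""
    if now >= session.expires_at:
        session.audit_log.append(f"{now} {session.username} DENY {resource} session-expired")
        return False
    allowed = resource in ROLE_RESOURCES.get(session.role, set())
    session.audit_log.append(f"{now} {session.username} {'ALLOW' if allowed else 'DENY'} {resource}")
    return allowed


def handle_request(req: AccessRequest) -> dict:
    reason = iep_authenticate(req)
    if reason:
        return {"granted": False, "reason": reason}
    session = Session(req.username, USERS[req.username]["role"], req.now, req.now + SESSION_TTL)
    return {"granted": sep_authorize(session, req.resource, req.now), "session": session}


def sample_request(resource: str, now: int, country: str = "PK", otp_skew: int = 0) -> AccessRequest:
    """Constructed request for alice with a healthy device and a freshly computed OTP."""
    return AccessRequest("alice", "alice-pass-constructed",
                         totp(USERS["alice"]["totp_secret"], now - otp_skew), country,
                         DevicePosture(True, True, True), resource, now)


if __name__ == "__main__":
    print(handle_request(sample_request("ledger", 1_700_000_000)))
    print(handle_request(sample_request("ledger", 1_700_000_000, country="DE")))
```

The location check deliberately returns a step-up reason rather than a flat deny, which matches the case study's "additional verification is required" behaviour; the expired-session path is logged before it denies so the SEP log records why access stopped.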
4.1. Review of Case Study Findings Derived from the Literature


Enterprises can vary widely in size, structure, and scope, from small businesses to
multinational corporations. Within an enterprise, there are various roles that individuals
may assume, each with distinct responsibilities and contributions to the organization’s suc-
cess. The structure and specific roles can vary depending on the assigned tasks and skills,
and giving role-based access and monitoring the activity is the need of the hour due to the
increasing number of security breach incidents. As network infrastructures become more
complex and the threat landscape evolves, traditional security models and perimeter-based
approaches are no longer enough to secure sensitive data and resources. The emergence of
ZTNA has gained attention as a security framework that focuses on substantiating every
access request, irrespective of the user's location or network context. However, there is a
need to explore the integration of ZTNA principles with VPNs, which have long been used
to secure network communications. The problem lies in understanding how VPNs can
be effectively employed to achieve ZTNA, addressing challenges including trust bound-
aries, user authentication, access control mechanisms, and data protection. This research
aims to investigate the design, implementation, and evaluation of ZT-VPN to provide a
comprehensive understanding of the potential benefits; through this, we look at how an
organizational network can be secure from insider and outside attacks and the limitations
of this integration, and we propose recommendations for successful deployments.

4.2. Case—Implementing ZT-VPN in a Mid-Sized Financial Services Company


To provide a clearer picture of the practical application of the ZT-VPN framework, this
article presents a hypothetical case study demonstrating how an organization might implement
and benefit from this approach. Imagine a mid-sized financial services company, “Secure-
Bank,” which manages sensitive customer data and has a significant number of employees
working remotely. SecureBank faces common cybersecurity challenges, including secure
access control for remote employees, protection of sensitive financial data, and the need for
scalability to handle fluctuating access demands.
1. Application of the ZT-VPN framework:
SecureBank begins by implementing the ZT-VPN framework as part of its remote
access and data security strategy. Key stages in this implementation are as follows:
• Initial access control and identity verification: The Policy Enforcement Point (PEP) is con-
figured to require both certificate-based authentication and multi-factor authentication
(MFA) before granting access. Each employee is provided with unique certificates
and login credentials, ensuring that only authorized users with verified identities can
connect to the company’s network.
• Contextual security measures: The Identity Enforcement Point (IEP) checks not only user
credentials but also device health, operating system settings, and geographic location
for each access attempt. For example, if an employee tries to access the system from
an unrecognized location, additional verification is required. This added layer helps
prevent unauthorized access due to credential theft.
• Continuous monitoring and limited access control: Using the Security Enforcement Point
(SEP), SecureBank restricts access to specific resources based on employee roles and
limits session times. Access logs are continuously monitored, and alerts are gener-
ated for any unusual behavior, like attempts to access restricted data or repeated
login failures.
2. Anticipated outcomes: By implementing the ZT-VPN framework, SecureBank is
expected to experience several key benefits:
• Enhanced security with reduced attack surface: ZT-VPN’s multi-layered authentication
and context-based access verification greatly reduce the risk of unauthorized access,
protecting sensitive financial data from both external and insider threats.
• Scalability and flexibility: The framework's inherent scalability allows SecureBank to
accommodate additional users or adjust access privileges dynamically. This flexibility
is essential for the organization as it grows or adjusts to new regulatory requirements.
• Improved access control and monitoring: With continuous monitoring through SEP, Se-
cureBank’s IT team has enhanced visibility of user behavior, enabling them to detect
and respond quickly to potential threats. Additionally, role-based and time-bound
access control ensures that employees can only access the data they need, reducing
the risk of lateral movement within the network.
• Increased confidence in remote work security: The ZT-VPN framework instills confidence
in SecureBank’s remote access protocols, as employees can securely access neces-
sary resources without compromising data protection. This reliability supports the
organization’s long-term goals of flexible, secure remote work.
This hypothetical case study illustrates how an organization utilizes the ZT-VPN
framework to enhance its cybersecurity posture effectively. While further empirical valida-
tion is necessary to confirm these outcomes across different organizational contexts, this
example highlights the potential benefits of ZT-VPN in a modern hybrid work environment.
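The three enforcement points described in the SecureBank case study, chained in order (PEP, then IEP, then SEP) and followed by the log monitor, as an added Python simulation that is not code from the paper; every user, certificate fingerprint, role, location, session limit and log line below is a constructed assumption standing in for a real deployment’s policy data.

```python
"""Constructed simulation of the SecureBank ZT-VPN access decision (hypothetical data).
PEP: certificate plus MFA.  IEP: device health, OS build and location with step-up
verification for unrecognized locations.  SEP: role-based authorization with a
time-bound session.  monitor(): alerts on repeated login failures and restricted-data attempts."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical policy data; stand-ins for SecureBank's real configuration.
ENROLLED_CERTS = {"alice": "fp-alice-01", "bob": "fp-bob-07"}
ROLE_RESOURCES = {
    "teller": {"accounts-ro"},
    "analyst": {"accounts-ro", "reports"},
    "admin": {"accounts-ro", "reports", "core-ledger"},
}
KNOWN_COUNTRIES = {"alice": {"PK", "AE"}, "bob": {"PK"}}
SESSION_LIMIT_MIN = {"teller": 30, "analyst": 60, "admin": 15}  # time-bound sessions
MIN_OS_BUILD = 202401          # oldest OS build the IEP accepts (constructed value)
LOGIN_FAILURE_THRESHOLD = 3    # failures in the log that trigger an alert

@dataclass
class Request:
    user: str
    cert_fingerprint: str
    mfa_passed: bool
    role: str
    device_patched: bool
    os_build: int
    country: str
    resource: str
    step_up_passed: bool = False   # extra verification for an unrecognized location

@dataclass
class Decision:
    allowed: bool
    stage: str            # enforcement point that made the decision
    reason: str
    session_minutes: int = 0

def pep_check(r: Request) -> Optional[str]:
    """PEP: certificate-based authentication AND MFA before any network access."""
    if ENROLLED_CERTS.get(r.user) != r.cert_fingerprint:
        return "certificate does not match the enrolled identity"
    if not r.mfa_passed:
        return "MFA not satisfied"
    return None

def iep_check(r: Request) -> Optional[str]:
    """IEP: device health, OS settings and geographic context of the attempt."""
    if not r.device_patched or r.os_build < MIN_OS_BUILD:
        return "device posture below baseline"
    if r.country not in KNOWN_COUNTRIES.get(r.user, set()) and not r.step_up_passed:
        return "unrecognized location: additional verification required"
    return None

def sep_check(r: Request) -> Optional[str]:
    """SEP: least-privilege, role-based authorization for the requested resource."""
    if r.resource not in ROLE_RESOURCES.get(r.role, set()):
        return f"role '{r.role}' is not authorized for '{r.resource}'"
    return None

def evaluate(r: Request) -> Decision:
    """Chain PEP -> IEP -> SEP; the first failing point denies, else grant a bounded session."""
    for stage, check in (("PEP", pep_check), ("IEP", iep_check), ("SEP", sep_check)):
        reason = check(r)
        if reason:
            return Decision(False, stage, reason)
    return Decision(True, "SEP", "granted", SESSION_LIMIT_MIN[r.role])

def log_line(r: Request, d: Decision) -> str:
    """Emit one key=value access-log line for the monitor (values contain no spaces)."""
    event = "access_granted" if d.allowed else "access_denied"
    return f"user={r.user} event={event} stage={d.stage} resource={r.resource}"

def monitor(lines: List[str]) -> List[str]:
    """Alert on repeated login failures and on attempts to reach restricted data."""
    failures: Counter = Counter()
    alerts = []
    for line in lines:
        rec = dict(kv.split("=", 1) for kv in line.split())
        if rec.get("event") == "login_failed":
            failures[rec["user"]] += 1
            if failures[rec["user"]] == LOGIN_FAILURE_THRESHOLD:
                alerts.append(f"repeated login failures for {rec['user']}")
        elif rec.get("event") == "access_denied" and rec.get("stage") == "SEP":
            alerts.append(f"{rec['user']} attempted restricted resource {rec['resource']}")
    return alerts

if __name__ == "__main__":
    alice = Request("alice", "fp-alice-01", True, "analyst", True, 202403, "PK", "reports")
    bob = Request("bob", "fp-bob-07", True, "teller", True, 202403, "PK", "core-ledger")
    roaming = Request("alice", "fp-alice-01", True, "analyst", True, 202403, "DE", "reports")
    decisions = [(q, evaluate(q)) for q in (alice, bob, roaming)]
    for q, d in decisions:
        print(f"{q.user:6} {d.stage} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
    log = ["user=bob event=login_failed stage=PEP resource=-"] * 3   # constructed log
    log += [log_line(q, d) for q, d in decisions]
    for alert in monitor(log):
        print("ALERT:", alert)
```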

5. Results and Evaluation


The evaluation of the 86 selected studies has reinforced the potential of ZT-VPN as a
comprehensive solution that addresses both cybersecurity and performance challenges in
remote and hybrid work environments. The reviewed studies emphasize the importance of
integrating Zero Trust principles with VPN to provide granular access control, scalability,
and continuous verification, which are essential for protecting against contemporary threats.
Furthermore, the adoption of role-based and context-aware access policies significantly
reduces the risk of unauthorized access and lateral movement within networks. The
findings show that ZT-VPN frameworks effectively balance security and user experience,
especially by reducing latency through optimized traffic routing. This enhanced approach
not only strengthens the security posture but also supports scalability, making ZT-VPN
an adaptable solution for organizations of varying sizes and industries. These insights
underscore the growing relevance of ZT-VPN frameworks in fortifying enterprise networks
amidst evolving cybersecurity demands.
The proposed ZT-VPN framework has been evaluated in various enterprise scenarios
to assess its effectiveness and advantages over traditional VPNs, ZTNA, and other security
solutions. The results demonstrate that ZT-VPN offers significant improvements in terms
of security, performance, and scalability. Integrating a VPN with ZTNA yields a comprehensive
remote access solution that combines the benefits of both technologies to enhance security
and access control. The main points of this integration are as follows:
• Improved security: VPNs traditionally provide a secure tunnel for remote users to
access corporate resources.
• Enhanced user experience: Integrating VPN and ZTNA allows organizations to strike
a balance between security and user experience.
• Scalability and flexibility: VPNs are typically designed to accommodate a fixed
number of concurrent connections, which can be a limitation for organizations with
dynamic workforces or fluctuating access demands.
• Granular access control: This solution enables organizations to implement granular
access controls based on user roles, device types, and other contextual factors.
• Centralized management and visibility: ZTNA solutions often provide centralized
management consoles and comprehensive visibility of user access and activity.
Table 4 provides a comparative summary of key contributions in existing Zero Trust
research, highlighting specific features and limitations addressed by prior studies. This
comparison emphasizes how the proposed ZT-VPN framework builds on these works
by addressing critical gaps in access control, device health assessment, and contextual
identification. ZT-VPN enables enterprises to implement granular access policies based
on a variety of contextual factors, significantly reducing the risk of unauthorized access
and data breaches while ensuring seamless access to necessary resources. Additionally, its
scalability and adaptability allow organizations to adjust to evolving access needs. The
centralized control feature further enhances security, enabling effective monitoring of user
activity across both on-site and remote environments.

Table 4. Summary of the previous literature on Zero Trust and related technologies. Column
definitions: Category A—classification approach used in reviewed works; Category B—comparison
of individual statistics across works; Category C—model analysis of variable features; Category
D—hybrid network challenges discussed. Notation: Y = yes (characteristic is present), X = no
(characteristic is absent), P = partially present.

Author(s) | Key Findings from Previous Studies | A | B | C | D
He et al. [75] | Review of technologies supporting the Zero Trust framework. | Y | Y | Y | X
Syed et al. [29] | Examines the impact of Zero Trust on access control and authentication mechanisms. | Y | Y | P | P
Pittman et al. [76] | Analysis of Zero Trust as applied to data objects instead of access pathways. | Y | X | X | P
Buck et al. [77] | Identification of industry and academic gaps and an overview of Zero Trust principles in various contexts. | Y | X | X | P
Cherrueau et al. [69] | Highlights Zero Trust scaling challenges and provides secure configuration guidelines, emphasizing encryption and identity controls. | Y | X | Y | X
S et al. [70] | Analyzes security and usability issues in VPN and ZTNA, with emphasis on the effects of poor configuration. | P | Y | X | Y
Wang et al. [71] | Assesses performance aspects of ZTNA and VPN, focusing on latency, scalability, and protocol optimization. | Y | Y | Y | P
Da Silva et al. [72] | Proposes Zero Trust for smart home environments, with behavior-based authentication; includes edge computing considerations. | Y | X | P | Y
Hunt et al. [74] | Proposes a ZTNA VPN model that discusses enhanced visibility, with potential latency impacts for real-time applications. | Y | Y | P | Y
Google [78,79] | Describes Google’s ZTN framework for secure access control; limited to Google’s infrastructure. | Y | X | Y | X
NIST [45] | Vendor-neutral Zero Trust framework with continuous user/device verification and context-based policies. | Y | Y | Y | P
Forrester model [80] | Focuses on data-centric security, continuous monitoring, and reducing lateral network movement. | Y | Y | X | P
Vensmer et al. [82] | Explores Dynfire, a ZTN access control framework applied in academic settings, lacking risk management features. | Y | X | Y | P
Giannakou et al. [83] | Proposes AL-SAFE, a ZTN model for cloud environments, missing policy language and risk management. | Y | P | Y | P
This article | Evaluation of Zero Trust VPN (ZT-VPN) and ZTNA with vendor-supported adoption in open-source contexts. | Y | Y | Y | Y

Discussion and Limitations


The ZT-VPN is a complete solution for enterprises as it secures the network as well
as organizational resources. The framework combines the strengths of both VPNs and
ZTNA by integrating certificate-based authentication, username/password authentication,
and continuous monitoring of user and device credentials. This multi-layered approach
ensures that only authenticated and authorized users can access organizational resources.
Unlike traditional VPNs, which grant broad access to the entire network once authenticated,
ZT-VPN provides granular access control, reducing the attack surface and preventing unau-
thorized lateral movement within the network. Additionally, the continuous verification of
user and device health, operating system settings, and location further enhances security,
making it more robust than standalone ZTNA solutions.
The ZT-VPN framework addresses common performance issues associated with tradi-
tional VPNs, including latency and throughput. By dynamically selecting the best path for
traffic and optimizing network performance, ZT-VPN ensures that critical applications re-
ceive the necessary bandwidth and low latency. This results in a better user experience and
increased productivity. The integration of software-defined wide area network (SD-WAN)
technology within the ZT-VPN framework further enhances performance by providing cen-
tralized management and dynamic path selection based on real-time network conditions.
The cloud-native architecture of the ZT-VPN framework allows for easy scalability
and flexibility. Organizations can quickly adapt to changing business needs and deploy
new services without the need for extensive hardware investments. The framework’s
ability to integrate with existing security solutions, like Secure Web Gateway (SWG), Cloud
Access Security Broker (CASB), and Firewall as a Service (FWaaS), ensures comprehensive
protection and seamless security transitions. This makes ZT-VPN a more scalable and
adaptable solution compared to traditional VPNs and standalone ZTNA implementations.
The framework provides a unified approach to access control by combining the princi-
ples of Zero Trust with the secure connectivity of VPNs. This ensures that users are granted
access based on their identity, role, and context rather than relying on the traditional
perimeter-based security model. The role-based access control and time-bound sessions
further enhance security by limiting access to only the necessary resources for a specific
duration. This comprehensive access control mechanism is more effective than the broad
access granted by traditional VPNs and the application-specific access provided by ZTNA.

6. Conclusions and Future Work


The rapid shift to remote work environments has necessitated the development of
robust cybersecurity frameworks to protect organizational resources and ensure seamless
operations. This paper presented a comprehensive overview of contemporary technologies
employed in enterprises. Among these, the proposed ZT-VPN framework stands out as
a highly effective solution for enhancing IT security and privacy in modern enterprises.
The ZT-VPN framework integrates Zero Trust principles with VPN technology, addressing
critical concerns, for instance, security threats, latency, throughput, and scalability. By
continuously verifying every user and device attempting to access corporate resources, ZT-
VPN ensures a robust security posture, preventing data leaks, managing access permissions,
and providing seamless security transitions. The effectiveness of the ZT-VPN framework
was demonstrated through various enterprise scenarios, highlighting its potential to fortify
cybersecurity frameworks against contemporary cyber threats.
In addition to developing the theoretical framework, future work will focus on empir-
ically validating the effectiveness of the ZT-VPN model. We plan to conduct real-world
case studies and pilot implementations within various organizational contexts to assess the
model’s practical impact. We aim to collect data on the reduction of unauthorized access in-
cidents, successful implementation of access control policies, and improved data protection.
Future studies will examine how well the ZT-VPN framework scales in environments with
growing or dynamic access demands, particularly in hybrid and cloud-based networks.
Through these empirical studies, we aim to provide comprehensive evidence of ZT-VPN’s
effectiveness and address any limitations or refinements needed to optimize its deployment
in diverse organizational settings.
Despite the promising results, several further areas remain for future research and
development. One direction is the exploration of advanced cryptographic techniques that
further enhance the security and performance of the ZT-VPN framework and keep it
resistant to cyberattacks by quantum-capable adversaries (post-quantum cryptography).
Additionally, the integration of artificial intelligence can provide real-time threat detection
and response capabilities, further strengthening the security posture of enterprises. Another
possible direction is the evaluation of the ZT-VPN framework in diverse organizational
contexts, including small and medium-sized enterprises (SMEs) and large multinational
corporations.

Author Contributions: Writing—original draft preparation, S.M.Z.; supervision, S.M.S.; validation,
S.M.S.; writing—review and editing, Z.I. and M.Y.; visualization, M.H.; project administration,
Z.M.; funding acquisition, Z.M. All authors have read and agreed to the published version of
the manuscript.
Funding: This research received no external funding.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Data Availability Statement: Data is contained within the article.
Conflicts of Interest: The authors declare no conflicts of interest.

Abbreviations
Key to the abbreviations used throughout this document:

BYOD Bring your own device
DHCP Dynamic Host Configuration Protocol
DoS Denial of Service
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IAM Identity and access management
IEP Identity Enforcement Point
IP Internet Protocol
MFA Multi-factor authentication
PEP Policy Enforcement Point
PoP Point of presence
SASE Secure Access Service Edge
SD-WAN Software-defined wide area network
SSH Secure Shell
SEP Security Enforcement Point
SSL Secure Sockets Layer
TLS Transport Layer Security
VPN Virtual private network
ZT-VPN Zero Trust VPN
ZTNA Zero Trust Network Access

References
1. Hodge, R. VPN Use Surges During the Coronavirus Lockdown, But So Do Security Risks; CNET: San Francisco, CA, USA, 2020;
Volume 23.
2. Singer, P.W.; Friedman, A. Cybersecurity: What Everyone Needs to Know; Oxford University Press: New York, NY, USA, 2014.
3. Deibert, R.J. Subversion Inc: The age of private espionage. J. Democr. 2022, 33, 28–44. [CrossRef]
4. Zhang, Z.; Zhang, Y.Q.; Chu, X.; Li, B. An overview of virtual private network (VPN): IP VPN and optical VPN. Photonic Netw.
Commun. 2004, 7, 213–225. [CrossRef]
5. Baykara, M.; Gürel, Z.Z. Detection of phishing attacks. In Proceedings of the 2018 6th International Symposium on Digital
Forensic and Security (ISDFS), Antalya, Turkey, 22–25 March 2018; pp. 1–5.
6. Kaur, J.; Ramkumar, K. The recent trends in cyber security: A review. J. King Saud Univ. Comput. Inf. Sci. 2022, 34, 5766–5781.
[CrossRef]
7. Ghelani, D. Cyber Security, Cyber Threats, Implications and Future Perspectives: A Review. Authorea Preprints 2022. Available
online: https://www.techrxiv.org/doi/full/10.22541/au.166385207.73483369 (accessed on 30 September 2024).
8. Alkhalil, Z.; Hewage, C.; Nawaf, L.; Khan, I. Phishing attacks: A recent comprehensive study and a new anatomy. Front. Comput.
Sci. 2021, 3, 563060. [CrossRef]
9. O’Kane, P.; Sezer, S.; Carlin, D. Evolution of ransomware. IET Networks 2018, 7, 321–327. [CrossRef]
10. McIntosh, T.; Kayes, A.; Chen, Y.P.P.; Ng, A.; Watters, P. Ransomware mitigation in the modern era: A comprehensive review,
research challenges, and future directions. ACM Comput. Surv. 2021, 54, 1–36. [CrossRef]
11. Dutkowska-Zuk, A.; Hounsel, A.; Xiong, A.; Roberts, M.; Stewart, B.; Chetty, M.; Feamster, N. Understanding how and why
university students use virtual private networks. arXiv 2020. [CrossRef]
12. Jegede, A.; Fadele, A.; Onoja, M.; Aimufua, G.; Mazadu, I.J. Trends and future directions in automated ransomware detection. J.
Comput. Soc. Inform. 2022, 1, 17–41. [CrossRef]
13. Khan, E.; Sperotto, A.; van der Ham, J.; van Rijswijk-Deij, R. Stranger VPNs: Investigating the Geo-Unblocking Capabilities
of Commercial VPN Providers. In Proceedings of the International Conference on Passive and Active Network Measurement,
Virtual Event, 21–23 March 2023; pp. 46–68.
14. Santhanamahalingam, S.; Alagarsamy, S.; Subramanian, K. A study of cloud-based VPN establishment using network function
virtualization technique. In Proceedings of the 2022 3rd International Conference on Smart Electronics and Communication
(ICOSEC), Trichy, India, 20–22 October 2022; pp. 627–631.
15. Li, Y.; Liu, Q. A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments.
Energy Rep. 2021, 7, 8176–8186. [CrossRef]
16. Zhang, Z.; Al Hamadi, H.; Damiani, E.; Yeun, C.Y.; Taher, F. Explainable artificial intelligence applications in cyber security:
State-of-the-art in research. IEEE Access 2022, 10, 93104–93139. [CrossRef]
17. Furnell, S. The cybersecurity workforce and skills. Comput. Secur. 2021, 100, 102080. [CrossRef]
18. Rajasekharaiah, K.; Dule, C.S.; Sudarshan, E. Cyber security challenges and its emerging trends on latest technologies. In IOP
Conference Series: Materials Science and Engineering; IOP Publishing: Philadelphia, PA, USA, 2020; Volume 981, p. 022062.
19. AL-Hawamleh, A.M. Predictions of cybersecurity experts on future cyber-attacks and related cybersecurity measures. Momentum
2023, 3, 15. [CrossRef]
20. Shaukat, K.; Luo, S.; Varadharajan, V.; Hameed, I.A.; Xu, M. A survey on machine learning techniques for cyber security in the
last decade. IEEE Access 2020, 8, 222310–222354. [CrossRef]
21. Secure Remote Access Best Practices-Check Point Software—checkpoint.com. Available online: https://www.checkpoint.com/
cyber-hub/network-security/what-is-vpn/covid-19-and-secure-remote-access-best-practices/ (accessed on 26 August 2024).
22. Fatima, M.; Abbas, H.; Yaqoob, T.; Shafqat, N.; Ahmad, Z.; Zeeshan, R.; Muhammad, Z.; Rana, T.; Mussiraliyeva, S. A survey on
common criteria (CC) evaluating schemes for security assessment of IT products. PeerJ Comput. Sci. 2021, 7, e701. [CrossRef]
[PubMed]
23. Streun, F.; Wanner, J.; Perrig, A. Evaluating susceptibility of VPN implementations to DoS attacks using adversarial testing. In
Proceedings of the Network and Distributed Systems Security Symposium 2022 (NDSS’22), San Diego, CA, USA, 24–28 April
2022.
24. Zhou, Y.; Zhang, K. DoS vulnerability verification of IPsec VPN. In Proceedings of the 2020 IEEE International Conference on
Artificial Intelligence and Computer Applications (ICAICA), Dalian, China, 27–29 June 2020; pp. 698–702.
25. Ginty, S. Discover the Anatomy of an External Cyberattack Surface with New RiskIQ Report|Microsoft Security Blog—
microsoft.com. Available online: https://www.microsoft.com/en-us/security/blog/2022/04/21/discover-the-anatomy-of-
an-external-cyberattack-surface-with-new-riskiq-report/?msockid=355668c01f696b823ed97c6f1e6f6a0f (accessed on 26 August
2024).
26. Singh, K.K.V.; Gupta, H. A New Approach for the Security of VPN. In Proceedings of the Second International Conference on
Information and Communication Technology for Competitive Strategies, Jaipur, India, 19–21 December 2016; pp. 1–5.
27. Frahim, J.; Huang, Q. SSL Remote Access VPNs (Network Security); Cisco Press: Indianapolis, IN, USA, 2008.
28. Shut the Front Door: Analyzing VPN Vulnerability Exploits—mandiant.com. Available online: https://www.mandiant.com/
resources/webinars/mandiant-intelligence-briefing-stories-directly-frontline (accessed on 26 August 2024).
29. Syed, N.F.; Shah, S.W.; Shaghaghi, A.; Anwar, A.; Baig, Z.; Doss, R. Zero trust architecture (ZTA): A comprehensive survey. IEEE
Access 2022, 10, 57143–57179. [CrossRef]
30. Arshad, J.; Talha, M.; Saleem, B.; Shah, Z.; Zaman, H.; Muhammad, Z. A Survey of Bug Bounty Programs in Strengthening
Cybersecurity and Privacy in the Blockchain Industry. Blockchains 2024, 2, 195–216. [CrossRef]
31. Nagmote, S.U.; Soni, P.D. An Overview of Network Security Model Using Cryptography, Firewall and VPN for Social Organization
with There Benifits. Int. J. Eng. Res. Technol. (IJERT) 2013, 2. [CrossRef]
32. Adeyinka, O. Analysis of problems associated with IPSec VPN Technology. In Proceedings of the 2008 Canadian Conference on
Electrical and Computer Engineering, Niagara Falls, ON, Canada, 5–8 May 2008; pp. 001903–001908.
33. Sombatruang, N.; Omiya, T.; Miyamoto, D.; Sasse, M.A.; Kadobayashi, Y.; Baddeley, M. Attributes affecting user decision to
adopt a Virtual Private Network (VPN) app. In Proceedings of the Information and Communications Security: 22nd International
Conference (ICICS 2020), Copenhagen, Denmark, 24–26 August 2020; pp. 223–242.
34. Rothvoß, T.; Sanita, L. On the complexity of the asymmetric VPN problem. In Proceedings of the International Workshop on
Approximation Algorithms for Combinatorial Optimization, Virtual, 16–18 August 2009; pp. 326–338.
35. Dutkowska-Zuk, A.; Hounsel, A.; Morrill, A.; Xiong, A.; Chetty, M.; Feamster, N. How and why people use virtual private
networks. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA, 10–12 August 2022;
pp. 3451–3465.
36. Sawalmeh, H.; Malayshi, M.; Ahmad, S.; Awad, A. VPN remote access OSPF-based VPN security vulnerabilities and counter
measurements. In Proceedings of the 2021 International Conference on Innovation and Intelligence for Informatics, Computing,
and Technologies (3ICT), Virtual Conference, 29–30 September 2021; pp. 236–241.
37. Cheung, K.H.; Mišić, J. On virtual private networks security design issues. Comput. Netw. 2002, 38, 165–179. [CrossRef]
38. Bansode, R.; Girdhar, A. Common vulnerabilities exposed in VPN–A survey. J. Phys. Conf. Ser. 2021, 1714, 012045. [CrossRef]
39. With Everyone Working from Home, VPN Security is Now Paramount—zdnet.com. Available online: https://www.zdnet.com/
article/covid-19-with-everyone-working-from-home-vpn-security-has-now-become-paramount/ (accessed on 26 August 2024).
40. Einler Larsson, L.; Qollakaj, K. Cybersecurity of Remote Work Migration: A Study on the VPN Security Landscape Post COVID-19
Outbreak. 2023. Available online: https://www.diva-portal.org/smash/get/diva2:1778036/FULLTEXT03.pdf (accessed on 30
September 2024).
41. VPN Access and Activity Monitoring, Sans, 2020. - Bing—bing.com. Available online: https://www.bing.com/search?q=VPN+
Access+and+Activity+Monitoring%2C"+Sans%2C+2020.&qs=n&form=QBRE&sp=-1&lq=1&pq=vpn+access+and+activity+
monitoring%2C"+sans%2C+2020.&sc=1-48&sk=&cvid=167E379FC8C341CCB182FAC4A95D10D3&ghsh=0&ghacc=0&ghpl=.
(accessed on 26 August 2024).
42. Ikram, M.; Vallina-Rodriguez, N.; Seneviratne, S.; Kaafar, M.A.; Paxson, V. An analysis of the privacy and security risks of
Android VPN permission-enabled apps. In Proceedings of the 2016 Internet Measurement Conference, Santa Monica, CA, USA,
14–16 November 2016; pp. 349–364.
43. Yoo, S.J. A Study on the Improvement of Security Enhancement for ZTNA. Converg. Secur. J. 2024, 24, 21–26. [CrossRef]
44. Nazir, A.; Iqbal, Z.; Muhammad, Z. ZTA: A Novel Zero Trust Framework for Detection and Prevention of Malicious Android
Applications. Preprints 2024. [CrossRef]
45. Stafford, V. Zero trust architecture. NIST Spec. Publ. 2020, 800, 207.
46. Developing a Framework to Improve Critical Infrastructure Cybersecurity. Available online: https://www.nist.gov/system/
files/documents/2017/06/01/040513_cgi.pdf (accessed on 26 August 2024).
47. NIST. Framework for Improving Critical Infrastructure Cybersecurity. Available online: https://nvlpubs.nist.gov/nistpubs/
CSWP/NIST.CSWP.04162018.pdf (accessed on 30 September 2024).
48. Malatji, M.; Marnewick, A.L.; Von Solms, S. Cybersecurity capabilities for critical infrastructure resilience. Inf. Comput. Secur.
2022, 30, 255–279. [CrossRef]
49. Zscaler’s 2022 VPN Report: As VPN Exploits Grow, 80 Percent of Organizations Shift Towards Zero Trust Security—zscaler.com.
Available online: https://www.zscaler.com/press/ (accessed on 26 August 2024).
50. A VPN Security Brief from AmZetta Technologies, LLC. Available online: https://amzetta.com/wp-content/uploads/2021/05/
AmZetta-Remote-AccessSecurity-Going-Beyond-VPN-Security-Brief.pdf (accessed on 26 August 2024).
51. Pavlicek, A.; Sudzina, F. Use of virtual private networks (VPN) and proxy servers: Impact of personality and demographics. In
Proceedings of the 2018 Thirteenth International Conference on Digital Information Management (ICDIM), Berlin, Germany,
24–26 September 2018; pp. 108–111.
52. Hurkens, C.A.; Keijsper, J.C.M.; Stougie, L. Virtual private network design: A proof of the tree routing conjecture on ring
networks. SIAM J. Discret. Math. 2007, 21, 482–503. [CrossRef]
53. Javed, M.S.; Sajjad, S.M.; Mehmood, D.; Mansoor, K.; Iqbal, Z.; Kazim, M.; Muhammad, Z. Analyzing Tor Browser Artifacts
for Enhanced Web Forensics, Anonymity, Cybersecurity, and Privacy in Windows-Based Systems. Information 2024, 15, 495.
[CrossRef]
54. Talan, A. Zero Trust Network Access with Cybersecurity Challenges and Potential Solutions. Ph.D. Thesis, National College of
Ireland, Dublin, Ireland, 2022.
55. Campbell, M. Beyond zero trust: Trust is a vulnerability. Computer 2020, 53, 110–113. [CrossRef]
56. Sood, A.K. Empirical Cloud Security: Practical Intelligence to Evaluate Risks and Attacks; Mercury Learning and Information: Duxbury,
MA, USA, 2023.
57. Kazim, M.; Pirim, H.; Shi, S.; Wu, D. Multilayer analysis of energy networks. Sustain. Energy Grids Netw. 2024, 39, 101407.
[CrossRef]
58. Jeffery, C.L.; Das, S.R.; Bernal, G.S. Proxy-sharing proxy servers. In Proceedings of the COM’96. First Annual Conference on
Emerging Technologies and Applications in Communications, Portland, OR, USA, 7–10 May 1996; pp. 116–119.
59. Saini, K. Squid Proxy Server 3.1: Beginner’s Guide; Packt Publishing Ltd.: Birmingham, UK, 2011.
60. Shahid, J.Z.; Cimato, S.; Muhammad, Z. A Sharded Blockchain Architecture for Healthcare Data. In Proceedings of the 2024 IEEE
48th Annual Computers, Software, and Applications Conference (COMPSAC), Osaka, Japan, 2–4 July 2024; pp. 1794–1799.
61. Xu, V. MAZE: A Secure Cloud Storage Service Using Moving Target Defense and Secure Shell Protocol (SSH) Tunneling. Ph.D.
Thesis, University of Pittsburgh, Pittsburgh, PA, USA, 2020.
62. Dusi, M.; Gringoli, F.; Salgarelli, L. A preliminary look at the privacy of SSH tunnels. In Proceedings of the 2008 Proceedings of
17th International Conference on Computer Communications and Networks, St. Thomas, VI, USA, 3–7 August 2008; pp. 1–7.
63. Yang, Z.; Cui, Y.; Li, B.; Liu, Y.; Xu, Y. Software-defined wide area network (SD-WAN): Architecture, advances and opportunities.
In Proceedings of the 2019 28th International Conference on Computer Communication and Networks (ICCCN), Valencia, Spain,
29 July–1 August 2019; pp. 1–9.
64. Yalda, K.G.; Hamad, D.J.; Ţăpuş, N. A survey on Software-defined Wide Area Network (SD-WAN) architectures. In Proceedings
of the 2022 International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA), Ankara,
Turkey, 9–11 June 2022; pp. 1–5.
65. Iesar, H.; Iqbal, W.; Abbas, Y.; Umair, M.Y.; Wakeel, A.; Illahi, F.; Saleem, B.; Muhammad, Z. Revolutionizing Data Center
Networks: Dynamic Load Balancing via Floodlight in SDN Environment. In Proceedings of the 2024 5th International Conference
on Advancements in Computational Sciences (ICACS), Lahore, Pakistan, 19–20 February 2024; pp. 1–8.
66. Islam, M.N.; Colomo-Palacios, R.; Chockalingam, S. Secure access service edge: A multivocal literature review. In Proceedings of
the 2021 21st International Conference on Computational Science and Its Applications (ICCSA), Cagliari, Italy, 13–16 September
2021; pp. 188–194.
67. Yiliyaer, S.; Kim, Y. Secure access service edge: A zero trust based framework for accessing data securely. In Proceedings of
the 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC), Virtual, 26–29 January 2022;
pp. 0586–0591.
68. Awale, V.; Gaikwad, S. Zero Trust Architecture Using Hyperledger Fabric. In Proceedings of the 2023 14th International
Conference on Computing Communication and Networking Technologies (ICCCNT), Delhi, India, 6–8 July 2023; pp. 1–4.
69. Abbas, H.; Emmanuel, N.; Amjad, M.F.; Yaqoob, T.; Atiquzzaman, M.; Iqbal, Z.; Shafqat, N.; Shahid, W.B.; Tanveer, A.; Ashfaq, U.
Security assessment and evaluation of VPNs: A comprehensive survey. ACM Comput. Surv. 2023, 55, 1–47. [CrossRef]
70. Security Issues with Virtual Private Network (VPN) and Proxy Services. Available online: https://www.academia.edu/51073706
/Security_issues_with_Virtual_Private_Network_VPN_and_proxy_services (accessed on 26 August 2024).
71. Cybersecurity After COVID-19: 10 Ways to Protect Your Business and Refocus on Resilience. Available online: https://www.
marshmclennan.com/assets/insights/publications/2020/june/cybersecurity_after_covid_19.pdf (accessed on 26 August 2024).
72. Fuchs, J. Vishing: New Threat to VPNs—avanan.com. Available online: https://www.avanan.com/blog/vishing-new-threat-vpn
(accessed on 26 August 2024).
73. Odokuma, E.; Musa, M. Internet Threats and Mitigation Methods in Electronic Businesses Post COVID-19. Int. J. Comput. Appl.
2022, 184, 1–4. [CrossRef]
74. Purchina, O.; Poluyan, A.; Fugarov, D. Securing an Information System via the SSL Protocol. Int. J. Saf. Secur. Eng. 2022, 12,
563–568. [CrossRef]
75. He, Y.; Huang, D.; Chen, L.; Ni, Y.; Ma, X. A survey on zero trust architecture: Challenges and future trends. Wirel. Commun. Mob.
Comput. 2022, 2022, 6476274. [CrossRef]
76. Pittman, J.M.; Alaee, S.; Crosby, C.; Honey, T.; Schaefer, G.M. Towards a model for zero trust data. Am. J. Sci. Eng. 2022, 3, 18–24.
[CrossRef]
77. Buck, C.; Olenberger, C.; Schweizer, A.; Völter, F.; Eymann, T. Never trust, always verify: A multivocal literature review on
current knowledge and research gaps of zero-trust. Comput. Secur. 2021, 110, 102436. [CrossRef]
78. Ward, R.; Beyer, B. BeyondCorp: A new approach to enterprise security. USENIX ;login: 2014, 39, 6–11.
79. Osborn, B. BeyondCorp: Design to deployment at Google. USENIX ;login: 2016, 41, 28.
80. Zero Trust: What, Why and How. Available online: https://www.forbes.com/councils/forbestechcouncil/2023/04/07/zero-
trust-the-what-why-and-how/ (accessed on 26 August 2024).
81. Saleem, B.; Ahmed, M.; Zahra, M.; Hassan, F.; Iqbal, M.A.; Muhammad, Z. A survey of cybersecurity laws, regulations, and
policies in technologically advanced nations: A case study of Pakistan to bridge the gap. Int. Cybersecur. Law Rev. 2024, 5, 533–561.
[CrossRef]
82. Vensmer, A.; Kiesel, S. Dynfire: Dynamic firewalling in heterogeneous environments. In Proceedings of the World Congress on
Internet Security (WorldCIS-2012), Guelph, ON, Canada, 10–12 June 2012; pp. 57–58.
83. Giannakou, A.; Rilling, L.; Pazat, J.L.; Morin, C. AL-SAFE: A secure self-adaptable application-level firewall for IaaS clouds. In
Proceedings of the 2016 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), Luxembourg,
12–15 December 2016; pp. 383–390.
84. Crichigno, J.; Bou-Harb, E.; Ghani, N. A comprehensive tutorial on science DMZ. IEEE Commun. Surv. Tutor. 2018, 21, 2041–2078.
[CrossRef]
85. French, A.M.; Guo, C.; Shim, J.P. Current status, issues, and future of bring your own device (BYOD). Commun. Assoc. Inf. Syst.
2014, 35, 10.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.
