If you opened a laptop in 1998 and tried to reach the office, you probably heard a modem. In 2008, you launched a VPN client. In 2018, you logged into a cloud app. In 2026, an identity layer quietly verified your device, your context, and your behaviour before any of that even started. How remote access has evolved is the story of three reinventions over three decades, and a fourth one is already underway. This piece looks at where the field stands today, the technology shifts driving it, and what to watch next.
Key Takeaways
-
Remote access has gone through four distinct eras, with each generation solving the limits of the last.
-
Identity has replaced the network as the trust boundary, and continuous verification is replacing one-time login.
-
AI now sits on both sides of every remote session, helping defenders cut breach lifecycles and helping attackers run smarter phishing.
-
The cybersecurity stack is consolidating into SASE and SSE platforms that fold five or six tools into one cloud service.
-
Quantum-resistant cryptography is the slow-moving shift behind the headlines, with NIST standards already finalised.
Then: How We Got Here
Remote access did not appear with the pandemic. It has been quietly reinvented every decade since the modem era, each time to handle a wider audience and a more hostile threat landscape.
The Generations at a Glance
|
Era |
Dominant Approach |
What Broke Eventually |
|
1990s |
Dial-up RAS, early IPsec VPNs |
Slow, fragile, expensive per seat |
|
2000s |
SSL VPNs, web portals |
Broad network access once authenticated |
|
2010s |
Cloud apps, mobile VPN clients |
Perimeter assumption no longer matched reality |
|
2020s |
ZTNA, SASE, identity brokers |
Tool sprawl, AI threats, quantum on the horizon |
Each generation looked permanent until it suddenly was not. The VPN had a 25-year run and is now being retired piece by piece in most enterprise environments, replaced by something that does not trust the network at all. Market data backs the shift: the global zero-trust network access category is forecast to climb from $1.34 billion in 2025 to $4.18 billion by 2030, a 25.5% compound annual growth rate, according to MarketsandMarkets analysis.
Now: The 2026 Stack
Today’s remote access stack is not one product but a layered system. Identity sits at the centre. Around it: device posture checks, application-specific access brokers, AI-driven anomaly detection, and cloud-delivered policy engines. The user often does not notice. They open a laptop, touch a fingerprint sensor or pass a passkey check, and the right apps appear.
What Changed Compared to Five Years Ago
-
Identity-first, not network-first: Access decisions look at who you are and what device you have, not where you are connecting from.
-
Continuous, not one-time: Sessions are re-evaluated throughout the day, not just at login.
-
Per-app, not per-network: Workers reach the specific application they need, never the broader internal network.
-
Browser-friendly, not client-heavy: Clientless access through a browser is now the default for contractors and BYOD users.
Quick Stat
The US National Institute of Standards and Technology finalised three post-quantum cryptography standards in August 2024 (FIPS 203, 204, and 205), giving vendors the algorithms needed to begin migrating today’s encrypted traffic to quantum-resistant equivalents.
Why the Pressure to Modernise Is Real
Costs of getting it wrong have stayed high. The IBM Cost of a Data Breach Report 2025 pegs the global average data breach at $4.44 million, with the US average reaching a record $10.22 million, up 9% year over year. Global numbers actually fell for the first time in five years, mostly because AI-driven detection helped organisations contain breaches faster. The companies still relying on perimeter VPNs are the ones bucking that trend.
Source: IBM Cost of a Data Breach Report 2025, average across studied organisations globally.
Organisations that used AI and automation extensively in security operations saved an average of $1.9 million per breach and shortened the breach lifecycle by 80 days. The defensive payoff is no longer theoretical.
AI Is Reshaping Both Sides of the Access Equation
The same IBM data shows AI in 16% of breaches, mostly powering phishing and deepfake impersonation. Shadow AI (unsanctioned tools used through personal accounts) was a factor in 20% of incidents, adding an average $670,000 to the breach cost. Both numbers point to the same lesson: AI changes the threat model, and remote access vendors are scrambling to keep up.
On the defender side, AI now sits inside the access broker itself. It reads session telemetry continuously, watches for unusual data flows, and can cut sessions instantly when something looks wrong. The result is faster containment and fewer late-night incident calls. Expect this layer to deepen over the next two years as vendors compete on detection quality, not just login speed.
There is a second-order effect worth noting. As AI handles more of the routine triage, security teams reorganise around the harder calls: which alerts deserve a human in the loop, when to escalate to legal, and how to communicate breaches without scaring the wrong audience. The skill mix shifts from log-staring to judgement and storytelling, which is harder to hire for and slower to develop.
Warning
Of organisations that experienced an AI-related security incident in 2025, 97% lacked proper AI access controls, according to IBM. Adoption is racing ahead of governance, and attackers know it.
Convergence: When Five Tools Become One
Secure access service edge (SASE) is the industry term for what used to be five separate products. Fortinet’s overview of SASE architecture describes the model as a cloud-delivered fusion of networking and security functions: ZTNA, secure web gateway, cloud access security broker, firewall as a service, and SD-WAN. For procurement teams, the appeal is simple: one vendor, one console, one set of policies, fewer integration headaches.
The trade-off is vendor lock-in. Switching SASE platforms once you are deep in is painful, so the negotiation power has shifted toward providers with broad, mature offerings. Mid-market companies that adopt SASE today are betting on the platform they choose still being competitive in 2030.
The Slow-Moving Shift: Post-Quantum Cryptography
Quantum computers capable of cracking today’s public-key encryption are not commercially available yet, but the timeline is short enough that serious vendors have started moving. The harvest-now, decrypt-later concern is real: any encrypted session captured today could be decrypted in five to ten years once quantum hardware matures.
NIST’s August 2024 post-quantum standards (FIPS 203, 204, 205) give the industry the algorithms needed to start migrating. Expect post-quantum readiness to move from press releases into procurement checklists within two years, particularly for organisations handling data with a long secrecy lifespan like healthcare, defence, and financial records.
What to Watch in the Next Three Years
|
What |
Why It Matters |
|
Passkey-only logins |
Phishing-resistant by design, removes the password attack surface |
|
Agentic AI in security operations |
Routine investigation handled by software, humans focus on judgement calls |
|
Browser-isolated remote access |
Risky web sessions run in a remote container, never touching the local device |
|
Identity threat detection (ITDR) |
Dedicated tools to spot identity-based attacks like token theft and OAuth abuse |
|
Continuous compliance attestation |
Real-time evidence that controls are working, rather than annual audits |
None of these are speculative. Each is already in production at large enterprises, with the technology now maturing enough for smaller organisations to adopt without a full security team behind them.
Frequently Asked Questions
Is the VPN really being retired?
Not entirely. Many organisations still use VPNs for legacy systems and administrative tunnels. New remote-access projects, though, are launching on zero-trust or SASE platforms because they offer tighter security and a smoother user experience for most use cases.
How small does a company need to be before zero-trust is overkill?
Cloud-delivered zero-trust is now priced per user, so a 10-person team can adopt it without a major IT project. The bigger question is whether your existing MFA and conditional access already cover most of the same checks, since some businesses get the benefit without buying a separate ZTNA product.
What is the single biggest mistake companies make when modernising remote access?
Treating it as a product purchase instead of an identity architecture project. Picking the right vendor matters less than fixing how user identities, devices, and policies are managed end to end. The wrong sequence creates new gaps.
Will users notice these changes?
In most cases, the user experience gets simpler. Passkeys replace passwords, sessions stay active across apps, and prompts only appear when something genuinely looks risky. Done well, modern remote access is almost invisible compared to the VPN era.
The Bigger Picture
Remote access has been quietly rebuilt four times in three decades, and a fifth pass is already in motion. The throughline is steady: every generation widened the audience, raised the security bar, and pushed more decisions out to the edge. The 2026 stack is the most capable yet, but the real story is not any one product. It is the shift from network-based trust to identity-based trust, from one-time logins to continuous verification, and from human-only operations to human-plus-AI defence. Companies that align with that direction will find security and user experience improving together. The ones still patching legacy VPNs will pay more every year for less.
References
IBM, Cost of a Data Breach Report 2025 — https://www.ibm.com/reports/data-breach
Fortinet, What Is SASE? — https://www.fortinet.com/resources/cyberglossary/sase
NIST, Post-Quantum Cryptography Standardization, FIPS 203/204/205, 2024 — https://csrc.nist.gov/projects/post-quantum-cryptography
NIST Special Publication 800-207, Zero Trust Architecture — https://csrc.nist.gov/publications/detail/sp/800-207/final
MarketsandMarkets, Zero Trust Network Access Market Forecast, 2025 — https://www.marketsandmarkets.com/Market-Reports/zero-trust-network-access-ztna-market-127221646.html
