Why it's time to ditch the VPN and embrace RPAM for secure remote work [Q&A]
As much of the workforce takes time out from the office for the holidays, employees, contractors and third-party vendors continue to log in remotely from holiday homes, airports or hotels, far from the traditional corporate environment.
This surge in remote work access inevitably heightens security risks. For IT and security teams already managing a sprawling attack surface, reduced visibility and control create a challenge that legacy tools like Virtual Private Networks (VPNs) were never designed to address.
We asked James Edwards, senior director of engineering at Keeper Security, about why remote privileged access management (RPAM) is emerging as a more effective alternative to traditional VPNs.
BN: Why RPAM and why now?
JE: Recent research from Keeper Security highlights the impact of Privileged Access Management (PAM): more than half (53 percent) of organisations that implemented PAM report better protection of sensitive data, while 49 percent experienced fewer incidents tied to privilege misuse. Remote Privileged Access Management (RPAM) extends these benefits to today’s remote and hybrid environments without the complexity of traditional VPNs or the need for endpoint agents. RPAM is emerging as a more secure, scalable and intelligent solution for managing remote access to sensitive systems and data, particularly for privileged users like administrators.
With 94 percent of organizations now operating in hybrid or cloud-first environments, legacy access tools like VPNs are increasingly misaligned with modern infrastructure. RPAM, in contrast, is built for these environments, offering granular, identity-based access without requiring full network connectivity. As a modern evolution of traditional Privileged Access Management (PAM), RPAM is specifically designed for remote and hybrid workforces. It enables IT and security teams to manage access securely and efficiently, using capabilities like session brokering, credential injection and just-in-time access to limit exposure and reduce risk.
RPAM also aligns with zero-trust principles -- verifying user identity and enforcing least-privilege access before any system is reached. This helps reduce risk and supports compliance with regulations such as GDPR and NIS2.
Crucially, RPAM eliminates the need for a traditional VPN tunnel. Connections are brokered through a secure gateway, avoiding the configuration challenges and security weaknesses of VPN-based access. This approach simplifies deployment, reduces risk and provides a seamless user experience.
In today’s distributed workforce, spanning locations, devices and employment types, RPAM provides consistent, scalable access, whether users are full-time staff, seasonal hires or external partners.
BN: Is the VPN showing its age?
JE: Once the gold standard for secure remote access, VPNs are now struggling to keep up with modern work environments. By granting broad network access, they follow an ‘all-or-nothing’ model that significantly expands the attack surface. A single compromised credential or vulnerable device can expose entire systems. VPNs also operate on implicit trust, a model that contradicts zero-trust principles now central to most cybersecurity strategies. Summer travel and flexible schedules only amplify the problem, with more users working from unknown locations on unmanaged devices. IT teams lose crucial visibility and control just as risks are rising. VPN deployments also typically require software agents to be installed and configured on each user device -- an inefficient approach when onboarding external users such as remote workers, contractors and vendors, or supporting non-corporate hardware.
BN: What are some of the key use cases for RPAM?
JE: RPAM is particularly valuable during high-risk, high-mobility periods like summer. Benefits include:
- Granular, just-in-time access: Users receive access only to what’s needed, for a defined purpose and time.
- No trust required at the endpoint: Even if a device is compromised, RPAM can isolate access and protect critical systems.
- Session visibility and audit trails: Every privileged session can be recorded and monitored in real time, supporting compliance reporting.
- Streamlined onboarding and offboarding: Temporary or external users can be quickly provisioned and automatically deprovisioned.
- Credential security: Credentials are injected directly into systems, never exposed to users or endpoints.
- Secure off-hours vendor access: External support teams can connect securely without broad network visibility.
- Access to Operational Technology (OT): RPAM enables access to critical infrastructure without relying on standard IT pathways.
BN: What should users look for in an RPAM solution?
JE: Not all RPAM platforms are created equal, and organizations should prioritize solutions that integrate seamlessly with existing PAM and IAM systems, support secure credential vaulting and injection, and provide real-time session monitoring and recording. Features like self-service onboarding, identity federation for external users and compatibility with Desktop-as-a-Service (DaaS) or Virtual Desktop Infrastructure (VDI) environments are essential, particularly for organizations managing legacy systems or a diverse remote workforce. Built-in multi-factor authentication, whether static or adaptive, adds another critical layer of security without unnecessary friction.
Simplicity remains a key factor in adoption. In Keeper’s recent survey, 57 percent of UK organizations identified implementation complexity as a top barrier to deploying PAM. Modern RPAM platforms address this challenge with agentless architecture, no reliance on VPNs and intuitive, browser-based workflows that streamline secure access for users and administrators alike.
BN: How can organizations make the shift from VPN to RPAM?
JE: Transitioning away from VPNs doesn’t have to be disruptive. Organizations can start by assessing current VPN usage and identifying high-risk remote access users, such as field engineers, contractors or offshore teams, who would benefit most from RPAM.
Pilot RPAM with a specific business unit or vendor group, and use that rollout to build access policies grounded in just-in-time and least-privilege principles while ensuring all access is auditable and compliant with relevant regulations.
BN: Is RPAM the future of mobile working?
JE: As hybrid work becomes standard and summer travel further disperses the workforce, relying on legacy perimeter-based security like VPNs is no longer sustainable. The risks are too great and the infrastructure too complex.
RPAM provides a smarter, more secure and more adaptable solution. It enforces consistent access controls across all users -- whether full-time staff, contractors or third parties -- helping organizations secure their data and systems no matter where work happens.
Image credit: Rawpixel/depositphotos.com