Tailscale: The State of Zero Trust

Reality vs aspiration

Reality: “Is it as dire as it seems?”

Zero Trust has a reputation for being something that is more often talked about than actually implemented. So far, our data shows this is the case.

Mesh gains ground on legacy VPNs

A growing 27% of companies are using peer-to-peer mesh VPNs, and 34% use cloud-delivered ZTNA platforms. Legacy VPNs still own a hearty share of company usage at 41%.

Current secure access and network connectivity tools

Question: Which of the following tools or platforms does your company currently use to manage secure access and network connectivity? Please select all that apply.

Identity-based access is low

Fewer than a third (29%) of organizations currently use identity-based access as their primary model. Many still operate in a hybrid mode of adding an identity layer on top.

Company policy for system access

Question: What is your company's overarching policy for controlling system access?

Features that help Zero Trust aren't ubiquitous

Only 56% of companies granted access based on role or need, and 46% via groups or teams. For more granular controls that support Zero Trust, an even lower 33% had just-in-time access (JIT) and 26% followed least privilege (with manual approvals).

Employee access control

Question: How does your company grant employees access to critical business systems (software, platforms, and digital infrastructure)?

Aspiration: “We would, if we could”

Zero Trust adoption could be better, but the problem is not lost on companies. The desire for something better is there.

Low overall satisfaction

Only 1% report being satisfied with their organization's current access and connectivity setup, with the majority citing security (49%) and performance (45%) as the main priorities they want to redesign around, and a notable portion (26%) wanting more automation.

99% of companies want to redesign their access and connectivity approach

Access and connectivity priorities

Question: If you could redesign your company's access and connectivity setup from scratch, what would you prioritize?

New solutions are needed soon

Many IT professionals (42%) believe their current access setups will no longer meet their needs within two years. Companies are moving towards identity-centric solutions with robust security, streamlined operations, and better user experiences.

42% say their security and access model will be outdated within two years

How long your current setup will meet your organization's needs

Question: How long do you predict your company's current access and connectivity setup will continue to work well for you?

Companies would change for productivity

A major security incident is cited by 38% of companies surveyed as what would force them to upgrade. At the same time, 30% say that employee complaints about slow or frustrating access would trigger the same type of change, indicating that better productivity is a strong underlying rationale in any scenario.

What would prompt decision-makers to consider a new approach

Question: What would prompt people at your company to consider a new approach to access and connectivity? Please select all that apply.

Connectivity: “Is it just our VPN that sucks?”

Turns out, it's not just you. A lot of companies still use legacy VPNs that are slow and frustrating to use.

Legacy VPNs are slow and frustrating

Of respondents, 90% have one or more issues with their current VPN. Latency issues are a key frustration for 35%, and throughput limitations for 24%. Frustrations are mounting as legacy VPNs struggle to transition to cloud services and remote work.

90% have one or more issues with their current VPN

Current VPN limitations

Question: What are the biggest limitations of your current VPN or network access setup?

Workers are vocal about their frustrations

Employee complaints are a frequent occurrence, with 37% of respondents reporting daily or weekly complaints related to remote access or network security.

Complaint frequency

Question: How often do you hear complaints from employees at your company about how remote access and network security are managed?

Legacy VPN frustrations are on the rise

These frustrations will only grow. 84% of companies report increased throughput needs over the past couple of years. 1-in-10 say their throughput needs have doubled in the past 2 years alone.

Throughput needs increase over time

Question: How have your company's compute and throughput needs changed over the past 1–2 years? (For example, processing load, data volume, service traffic, number of systems or environments, etc.)

Management: “How much effort are we wasting?”

It's not just the connectivity and tooling that's affecting everyone; the people managing the networking solutions are also not having a good time.

Balancing security and productivity is hard

The two biggest challenges IT and security professionals cite are balancing security with speed and productivity (32%) and enforcing IT rules, such as dealing with unauthorized tools (31%). Users are often just trying to do their jobs, sometimes by working around security measures.

Current challenges for IT and Security teams

Question: What are the biggest challenges your company's IT & security teams are dealing with right now?

Manual processes are more common than automation

A majority of organizations (68%) still rely on manual processes to manage network access. This creates complexity, friction, and security gaps.

Manual vs automatic access controls

Question: How are firewall rules or network access controls (ACLs) managed at your company?

Security: “At least we're secure, right?”

For all the frustrations of networking security solutions, one would expect good security results. Unfortunately, this isn't the case.

Security incidents are common

A large majority (88%) report at least one security incident over the past two years. This includes misuse of privilege (24%) and bypassing security protocols (22%). 1-in-3 companies report security incidents from employee error, which is even more common than system or network failure.

Causes of security incidents

Question: To your knowledge, has your company had security incidents from any of the following causes over the past 1-2 years?

Remote network security concerns

Organizations worry about VPN connections being “always on”, with 38% concerned about VPNs being left open. Another 38% of respondents worry about unmanaged personal devices connecting.

90% of respondents have security concerns

Causes of concern for remote network security

Question: What concerns you about how your company handles remote network security?

Infrastructure access is shaky

A majority of respondents (76%) report gaps in their infrastructure access.

Concern for infrastructure access

Question: Overall, how secure do you think your company's approach to managing infrastructure access is?

Former employees aren't getting their access revoked

After leaving their companies, 68% of respondents report retaining access to their former employers' systems. Many companies don't have automation or centralized visibility into who has access.

68% have retained some level of access to privileged systems

Retaining access that should have been revoked

Question: Have you ever retained access to a previous employer's infrastructure, systems, or software after leaving?

Productivity: “At least we're productive, right?”

You might assume that network security would act transparently for a seamless experience. Unfortunately, negative productivity impacts are common.

Developers don't feel understood

More than 2-in-3 developers and engineers say IT/security teams don't understand how they work and what they need to build fast and effectively. Nearly 1-in-4 say IT/security outright block productive workflows.

Perception of IT and security

Question: How well do your company's IT and security teams understand how you work and what you need to move fast and build effectively?

Network security feels disconnected from development

Furthermore, half of the respondents say their company's security rules feel disconnected from supporting modern development practices.

50% say their company’s security rules feel disconnected from how modern development actually works

Perception of security policies

Question: The security rules at my company feel disconnected from how modern development actually works

Onboarding takes longer for IT

It takes a lot of time for IT teams to onboard a new user onto networking systems, with 35% saying it takes more than a day.

Onboarding speed

Question: How long does it usually take to provide new employees with access to networked systems and applications needed for their role?

Going to market is slower

Twice as many employees at companies using a legacy VPN say they are slower than average to bring new products to market.

Comparative speed in developing and launching

Question: How quickly can your company develop and launch new products compared to other similar companies in your industry?

Hurdles to improvement

Team: “What can our leadership do to help?”

Indicators show that while leaders care, they may be missing easy wins for their team. This is true for tangible steps towards progress, but also for influencing the perception of how committed a company is to improving.

Perception of preparedness is a sliding scale

63% of non-management employees think they are fairly or very well-equipped to detect unauthorized tools and workarounds, while the number is higher for executives at 80%. This indicates a misalignment in perception and an opportunity for leadership communication to bridge that gap.

Perceived preparedness

Question: How well equipped is your company to detect unauthorized tools or access workarounds?

Improvement delays are common, and leadership can address them

When it came to the cause for delays in security improvements, 35% of respondents pointed to the cost of resources, 39% to leadership priorities, and 42% to the risk of workflow disruption. Once again, many causes identified by employees can be opportunities for better alignment and signaling from management.

90% have delayed security or networking upgrades

Causes of delays to security or networking upgrades

Question: Which of the following has ever been a reason to deprioritize or delay networking or security upgrades at your company?

Tailscale’s predictions

So we have all these numbers and visualizations; what's next? There are some common trends and a clear direction we at Tailscale see for the future.

IP design will be supplanted by access and identity-first networking. The old perimeter-based model will be replaced, and every instance of access will be authenticated, with “Never trust, always verify” as the baseline.

Legacy VPNs are demonstrably issue-prone as seen in the data, and while they won't disappear, there are better options. Peer-to-peer mesh architectures that are identity-aware will be the new default.

AI in particular will play a role, given its ubiquity. This will be true for both defenders of security who use AI for anomaly detection and risk scoring, and attackers generating phishing attempts and scanning for poor security configurations. Companies themselves will bet big on AI, investing in GPU clusters and shared model training infrastructure that will require modern networking tools for performance and security.

And this is just the tip of the iceberg. For even more insights, including the evolution of security and engineering culture, the extension into edge and IoT environments, and the move towards modularity, we recommend checking out our full report. You can download the report below.

Want to read more? Download the full report.

Tailscale's recommendations for leaders

Here's what you can start acting on if you're a CIO, CISO, CTO, Engineering Manager, Security Manager, or IT Manager—our recommendations are heavily rooted in our trend analysis in the previous section.

Access and identity-first networking needs to be the core of your access control model. It's no longer enough to have old perimeter-based models that rely on broad access. Start by auditing your current critical infrastructure. As a baseline, gauge your level of integration with identity providers, and determine if access is granted based on roles and attributes.

If you rely on legacy VPNs for remote access, it's time to upgrade to a more modern solution. Aim to pilot a new solution, starting by identifying the pain points of your current setup. Find a solution that offers easy deployments (like Tailscale). Start building the case for upgrading by gathering data.

Then dig even deeper. Look into onboarding and offboarding processes, take stock of your stack of internal network security tools, and ultimately gauge how your technical teams feel about your current solution. Modern security should be invisible and effortless, and understanding how your colleagues are engaging with networking security can yield benefits beyond building an immediate case for structural improvement. Gain a more nuanced understanding of what is frustrating people, and they'll join your cause as champions.

All of this is just the start towards a bigger, company-wide win from spearheading an upgrade in networking security. For these types of insights and more, including recommendations on implementing just-in-time and least privilege access, download our full report below.

Want to read more? Download the full report.

All statistics and insights in this report are based on Tailscale's 2025 Secure Access and Zero Trust Adoption Survey, conducted with 1,000 IT, security, and engineering professionals across the United States and Canada, representing a range of industries. Management-level employees comprised about two-thirds of the sample, including twenty-three percent from the C-suite. Nearly half of the respondents work at enterprise firms. Data was collected from April 21 to 28, 2025.

Survey respondents by seniority
