Are VPNs and NACs Undermining Cybersecurity in Southeast Asia?
VPNs and NACs Are Facing Obsolescence in the Digitalising Landscape of the Region
For decades, virtual private networks (VPNs) and network access controls (NACs) have served as the standard tools for secure enterprise access. However, as Southeast Asian businesses accelerate digital transformation and embrace hybrid work and cloud-first strategies, it is increasingly evident that they are no longer fit for purpose.
A recent report reveals that 56% of organisations experienced at least one VPN-related security incident in the past year. Many of these were high-profile breaches involving vulnerabilities like Ivanti CVE-2025-0282. Such figures should raise alarms, particularly in Southeast Asia, where a mix of tightening cyber regulations across the region, and enterprises operating across increasingly complex digital ecosystems requires proactive upgrades to cybersecurity postures.
The Regional Reality: Performance, Policy, and Risk
Regulators are stepping up mandates across the region: Singapore’s Cybersecurity Act, Malaysia’s Cybersecurity Bill, and Indonesia’s Personal Data Protection (PDP) Law are redefining compliance expectations. Meanwhile, enterprises are racing to expand cross-border operations, digitise critical services, enable hybrid work or equip field workers with digital tools, and embrace cloud and Artificial Intelligene (AI) technologies to create a competitive edge.
These dynamics are creating major security challenges that legacy architectures, including VPNs, are simply not designed to cope with, forcing organisations to make sacrifices between a weaker security posture, or a degraded user experience and network performance. Often both. Traditional VPN architectures frequently introduce unacceptable latency, inconsistent user experiences, and grant excessive network access and privileges, failing to meet the demands of modern organizations.
Zero trust network access (ZTNA) and secure access service edge (SASE) architectures, are security and networking models built to adapt, not constrain. For Southeast Asia’s IT leaders, replacing VPNs isn’t just a technological upgrade, it is about solving specific business challenges.
Making Hybrid Work Secure and Scalable
With hybrid work now firmly established worldwide, traditional VPNs fall short of delivering both seamless and secure access for today’s distributed workforce. Beyond excess privilege, they typically involve complex traffic routing and backhauling, which can significantly degrade the user experience for employees working remotely or on-the-go, as well as field workers.
Securing Third-party and Contractor Access
The region’s digital economy is powered by a complex web of partners, and the era of fractional workers is upon us. Building security for unmanaged devices, which security teams often have no visibility or control over, is becoming essential, especially when 70% of breaches in APAC occur via third-party access.
Exposing core networks through VPN tunnels is a risk organisations cannot afford to take anymore, and enterprise browsers that remotely deliver ZTNA policies ensure users are granted only the required permissions, and nothing more.
Accelerating Cloud Migration Without the Bottlenecks
By 2030, Southeast Asia’s public cloud market is projected to reach USD $30 billion, but users will not enjoy a seamless experience with cloud environments if traffic is still subject to complex routing and other VPN protocols.
Modern ZTNA solutions allow direct-to-cloud access with policy enforcement at the edge, optimizing performance, visibility, and security across platforms like AWS and Azure.
Supporting Remote Contact Centres
Southeast Asia has emerged as a global BPO hub, with countries like Malaysia or the Philippines hosting growing numbers of contact centres. But many operations still rely on legacy Voice over IP (VoIP) systems routed via VPNs, leading to jitter, poor call quality, and unhappy customers.
Platforms consolidating ZTNA and SD-WAN, and delivering dynamic traffic steering and context-aware Quality of Service, ensure reliable voice and video performance, even over consumer-grade internet.
Modernising Legacy Systems Without Disruption
Many established organisations in traditional sectors such as financial services and government across Southeast Asia still depend on legacy enterprise architectures, like IBM AS/400, which require server-initiated traffic and are incompatible with ZTNA models.
But some ZTNA solutions offer flexible access modes for legacy applications. In sectors where uptime and compliance are non-negotiable, this approach enables secure modernisation without service disruption.
The Way Forward: Bidding VPN Farewell in SEA
Southeast Asia is on the cusp of a security transformation. With organisations in Asia impacted by phishing, malware, or data leaks at a higher rate than their global counterparts, the status quo is no longer sustainable. VPNs and NACs, once considered foundational, now represent liabilities in today’s cloud-centric, hybrid-access landscape.
By embracing zero trust architectures, enterprises can evolve to defences optimised for performance, visibility, and regulatory compliance. Southeast Asia’s innovation economy depends on it.
