Rethink IoT security with Zero Trust

Securing the future of connected IoT devices.

This article was first published on 9 January 2025. We have updated it in March 2026 to reflect the launch of IXT Zero Trust and our current product positioning. 
Your devices are deployed. They're sending data. Engineers need remote access to maintain them. So you set up a VPN. It's what the industry uses. It works for laptops. Why wouldn't it work for IoT?

It won't. Not reliably. Not securely. Not at scale.

 

VPN was designed for users, not devices. It assumes a client on every endpoint, a managed identity, and a human on the other end of the connection. IoT gives it none of those things. What it gives VPN instead is thousands of headless devices, third-party vendors who need access, and a flat network that turns one compromised entry point into a path straight to your OT infrastructure.

 

This article explains exactly where VPN breaks down in IoT environments, and what Zero Trust architecture does differently.


VPN gives your network access, not controlled access

When a device or technician connects via VPN, they enter the network. Not a specific application. Not a single device. The network. Whatever is reachable from inside the perimeter is reachable by them.

For a team of employees on managed laptops, that's manageable. For IoT environments, it's a structural problem.

 

Consider what a typical industrial deployment looks like: dozens of sensors and controllers spread across a facility, third-party vendors who need regular remote access to service specific machines, and a mix of legacy OT systems and modern IP devices all sitting on the same network. A VPN tunnel into that environment doesn't distinguish between what a vendor should see and what they shouldn't. It connects. Then it trusts.

 

"VPN gives direct network access. It's like putting the third party's machine directly on your network. If their device carries malware, it's now inside your perimeter." — Marius Holmsen, CTO, Shift Security


The Target breach in 2013 is the example that still holds. Attackers entered via an HVAC contractor's credentials, then moved laterally through the retailer's payment systems. The vulnerability wasn't the HVAC system. It was the flat access model that let a contractor's compromised credentials reach something entirely unrelated.

 

That architecture hasn't changed in most IoT deployments. The same broad-access VPN model is still the default in 2026.


IoT devices can't run VPN clients

VPN requires a client. Software installed on the endpoint, managing keys, authenticating sessions, maintaining the tunnel. For a managed laptop or smartphone, that's standard practice.

 

IoT devices don't work that way. Sensors, controllers, meters, cameras, EV charging units — most run stripped-down firmware with no capacity for client software. You can't install an agent on a headless device. You can't push credentials to a device that has no OS-level user account.

 

So what happens in practice? One of three things. Either the device connects over a shared public network with no meaningful security. Or a gateway handles the VPN termination, putting the device behind a layer of protection it didn't earn. Or the organisation patches the problem with a private APN that isolates traffic but provides no visibility into what devices are actually doing.

 

None of these solve the underlying problem. They reduce exposure at the edges while leaving the interior completely open.


VPN shows you a tunnel. Not your devices.

Even when VPN is working correctly, it tells you almost nothing about what's happening inside your device fleet.

 

You can see that a tunnel is active. You can see data volume moving through it. What you can't see is which devices are communicating with which endpoints, whether a device has started sending traffic to an unexpected destination, or whether a vendor's access session is doing what it should.

 

In IoT environments, that visibility gap is where attacks develop and go undetected. A device that gets compromised doesn't announce itself. It starts behaving differently. Sending data somewhere new. Communicating with an address it never contacted before. Without traffic-level visibility, there's no way to catch that early.

 

A private APN keeps traffic off the public internet. That matters. But it doesn't show you what your devices are doing. It just keeps the pipe private.


What Zero Trust does differently

Zero Trust starts from a different assumption. Nothing is trusted by default. Not devices inside the network. Not vendors connecting remotely. Not traffic that looks normal. Every connection is verified, every time, against policy.

 

"We need to stop assuming anything is secure — whether it's inside or outside. Every device, every connection must be validated." — Marius Holmsen, CTO, Shift Security


For IoT, that means security moves to the network layer, not the device. No client software required. No agents on headless endpoints. The SIM handles the connection. The Zero Trust architecture handles the enforcement. Each device is identified, its traffic is inspected, and access is granted only to the specific destination it needs — nothing more.

 

There are no exposed ports. No open services waiting to be probed. Traffic flows from device to destination without the destination ever being visible to the outside. From an attacker's perspective, there's nothing to find.


Zero Trust Connectivity

This is the enforcement layer. All device traffic is initiated from inside out. Security policies are applied at the network edge globally, not at a central VPN gateway that becomes a bottleneck. Every session is verified before a connection is established.

 

For third-party access, the difference is concrete. Instead of issuing a VPN credential that gives a vendor broad network access, Privileged Remote Access provides a browser-based portal. The technician authenticates through the portal. They get access to the specific machine they need — via SSH, VNC, or RDP running in-browser — for the duration of the session. Time-limited. Session-recorded. No VPN client to distribute, no credential to rotate, no lateral movement possible.

 

That's the capability that changes conversations with operations teams. Not a theoretical security model. A direct answer to the question of how to let a vendor service a machine without trusting them with your network.
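To make the enforcement model above concrete, here is an added example (written for this article, not IXT's or Zscaler's own code) of a minimal default-deny policy engine. It refuses any connection that a device did not initiate itself, confines each device to the destinations listed for it, and issues vendor access as a time-limited grant scoped to a single target, with every decision written to an audit trail. All device ids, hostnames, vendor names and session ids are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Flow:
    src: str                    # identity that opened the connection (constructed device id)
    dst: str                    # "host:port" it is trying to reach
    initiated_by_device: bool   # False models an inbound connection attempt from outside


@dataclass
class VendorGrant:
    vendor: str
    target: str                 # the one machine this session may reach
    protocol: str               # "ssh", "vnc" or "rdp", proxied in-browser by the portal
    expires_at: datetime


@dataclass
class PolicyEngine:
    # device id -> set of "host:port" destinations the device may initiate connections to
    device_policy: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def allow_device_flow(self, flow: Flow) -> bool:
        """Default deny: inbound connections, unknown devices and unlisted destinations are refused."""
        allowed = flow.initiated_by_device and flow.dst in self.device_policy.get(flow.src, set())
        self.audit.append({"kind": "device", "src": flow.src, "dst": flow.dst, "allowed": allowed})
        return allowed

    def grant_vendor_session(self, session_id: str, vendor: str, target: str,
                             protocol: str, minutes: int, now: datetime) -> VendorGrant:
        """Issue a scoped, time-limited grant; nothing about the wider network is exposed."""
        grant = VendorGrant(vendor, target, protocol, now + timedelta(minutes=minutes))
        self.grants[session_id] = grant
        self.audit.append({"kind": "grant", "session": session_id, "vendor": vendor,
                           "target": target, "protocol": protocol,
                           "expires": grant.expires_at.isoformat()})
        return grant

    def allow_vendor_flow(self, session_id: str, dst: str, now: datetime) -> bool:
        """A vendor session reaches exactly its target, and only while the grant is live."""
        grant = self.grants.get(session_id)
        allowed = grant is not None and now < grant.expires_at and dst == grant.target
        self.audit.append({"kind": "vendor", "session": session_id, "dst": dst, "allowed": allowed})
        return allowed


def demo() -> dict:
    """Run constructed sample traffic through the engine and return each decision."""
    engine = PolicyEngine(device_policy={
        "sensor-0001": {"telemetry.example.internal:8883"},   # constructed ids and hosts
        "plc-0002": {"scada.example.internal:502"},
    })
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    results = {
        # allowed: device-initiated, to the destination listed for it
        "sensor_to_broker": engine.allow_device_flow(
            Flow("sensor-0001", "telemetry.example.internal:8883", True)),
        # refused: same destination, but the connection was opened from outside
        "inbound_to_sensor": engine.allow_device_flow(
            Flow("sensor-0001", "telemetry.example.internal:8883", False)),
        # refused: a device reaching for another device's destination (lateral movement)
        "sensor_to_scada": engine.allow_device_flow(
            Flow("sensor-0001", "scada.example.internal:502", True)),
    }
    engine.grant_vendor_session("sess-42", "hvac-vendor", "ahu-0007:22", "ssh", minutes=30, now=t0)
    results["vendor_target_in_window"] = engine.allow_vendor_flow(
        "sess-42", "ahu-0007:22", t0 + timedelta(minutes=10))
    results["vendor_other_host"] = engine.allow_vendor_flow(
        "sess-42", "scada.example.internal:502", t0 + timedelta(minutes=10))
    results["vendor_after_expiry"] = engine.allow_vendor_flow(
        "sess-42", "ahu-0007:22", t0 + timedelta(minutes=31))
    results["audit_entries"] = len(engine.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two properties worth noticing are that the denial of the inbound flow does not depend on the destination being unlisted, and that the vendor grant expires on its own: nothing has to be revoked or rotated afterwards, which is what makes the audit trail complete by construction.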


Zero Trust Visualisation

This is the visibility layer. Every traffic flow through the mobile gateway is captured and mapped in real time. Normal communication shows as green lines between your devices and their expected destinations. When a device starts communicating with something new, an anomaly alert fires.

 

That works for intelligent devices and headless ones. A sensor running stripped-down firmware has the same traffic visibility as a fully managed controller. The security layer sits at the network, not the device.

 

The result is something VPN never provided: a live view of what your entire connected fleet is doing, with automatic detection when something changes.
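The anomaly detection described in this section and in the visibility discussion earlier (a compromised device "sending data somewhere new") comes down to a baseline of expected device-to-destination pairs. The following is an added example written for this article, not IXT's or Illumio's code: it learns the baseline from flow records during a learning window, then raises one alert per new destination and one for any device that was never seen during learning. The flow records, device ids and hosts are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real traffic): "<iso-time> <device> -> <host:port> <bytes>"
SAMPLE_FLOWS = """\
2026-03-01T08:00:00+00:00 sensor-0001 -> telemetry.example.internal:8883 512
2026-03-01T08:05:00+00:00 plc-0002 -> scada.example.internal:502 128
2026-03-01T08:10:00+00:00 sensor-0001 -> telemetry.example.internal:8883 498
2026-03-01T10:00:00+00:00 sensor-0001 -> telemetry.example.internal:8883 505
2026-03-01T10:02:00+00:00 sensor-0001 -> 203.0.113.45:443 9000
2026-03-01T10:03:00+00:00 sensor-0001 -> 203.0.113.45:443 9100
2026-03-01T10:10:00+00:00 plc-0002 -> scada.example.internal:502 130
2026-03-01T10:20:00+00:00 cam-0009 -> fileshare.example.internal:445 70000
""".splitlines()

# Flows before this instant train the baseline; flows after it are evaluated against it.
LEARNING_END = datetime.fromisoformat("2026-03-01T09:00:00+00:00")


def parse_flow(line: str) -> dict:
    """Parse one flow record into its fields."""
    ts, device, arrow, dst, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow record: {line!r}")
    return {"ts": datetime.fromisoformat(ts), "device": device, "dst": dst, "bytes": int(nbytes)}


class FlowBaseline:
    """Learns which (device, destination) pairs are normal, then flags anything outside them."""

    def __init__(self, learning_end: datetime):
        self.learning_end = learning_end
        self.known = defaultdict(set)   # device -> destinations seen during learning
        self.alerted = set()            # (device, dst) pairs already reported, to avoid repeats

    def observe(self, flow: dict):
        """Return None for normal traffic, or an alert dict for a new pair (reported once)."""
        device, dst = flow["device"], flow["dst"]
        if flow["ts"] < self.learning_end:
            self.known[device].add(dst)
            return None
        if device not in self.known:
            kind = "unknown_device"        # no baseline at all for this identity
        elif dst not in self.known[device]:
            kind = "new_destination"       # known device, never-seen destination
        else:
            return None
        if (device, dst) in self.alerted:
            return None
        self.alerted.add((device, dst))    # report once; do not add it to the baseline
        return {"kind": kind, "device": device, "dst": dst, "at": flow["ts"].isoformat(),
                "expected": sorted(self.known.get(device, ()))}


def run_detection(lines=SAMPLE_FLOWS, learning_end=LEARNING_END) -> list:
    """Feed the records through the baseline in order and collect the alerts."""
    baseline = FlowBaseline(learning_end)
    alerts = []
    for line in lines:
        alert = baseline.observe(parse_flow(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The deliberate choice here is that an alerted destination is not added to the baseline: the second flow to the new address is suppressed as a duplicate report, but the pair stays anomalous until someone decides it is expected. A real deployment would also age the baseline and include bytes-per-interval thresholds; the structure stays the same.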

 

NIS2 has changed what 'secure enough' means

The EU's NIS2 directive has extended cybersecurity obligations to operators of essential services across energy, transport, healthcare, manufacturing, and digital infrastructure. It requires organisations to demonstrate active technical controls, not just encryption.

 

Network segmentation, access control, anomaly detection, audit trails for third-party access: these are NIS2 requirements, not optional best practices. VPN satisfies none of them cleanly. It encrypts traffic in transit. That's where the compliance story ends.

 

Zero Trust maps directly to what NIS2 asks for. Policy-based segmentation limits blast radius if a device is compromised. Session recording provides the audit trail for third-party access. Anomaly detection covers the incident detection requirements. The architecture is built for the regulatory environment that IoT operators are now inside.

 

"Regulators have caught up to what many of us have warned about for years. IoT isn't experimental anymore. It's infrastructure. And infrastructure needs real protection." — Henning Solberg, CTO and Co-founder, IXT


IXT Zero Trust: built for IoT, not adapted from IT

 

IT-focused Zero Trust vendors — Zscaler, Fortinet, Palo Alto — are strong solutions for enterprise IT environments. They require agent software on endpoints. IoT devices don't run agents. The gap between IT Zero Trust and IoT Zero Trust isn't a configuration problem. It's architectural.

 

IXT Zero Trust is the first solution to extend Zero Trust to OT and IoT endpoints over cellular. It delivers Zscaler ZTNA and Illumio traffic visualisation natively through the SIM, without client software on devices. The same enterprise-grade architecture that Fortune 500 companies use for IT security, adapted for headless devices, constrained hardware, and the operational realities of industrial IoT.

 

Zero Trust is IXT's standard security offering. It's not an upgrade or an add-on. Organisations that need a lighter option — private networking without the full Zero Trust layer — can take SecureNet-only. But the default is Zero Trust, because that's what IoT environments need.


Summary: VPN vs Zero Trust for IoT

VPN was built for managed users on managed devices. It grants network access, requires client software, and provides no visibility into device behaviour.

IoT environments need something different. Headless devices that can't run agents. Third-party vendors who need controlled, audited access. Regulatory requirements that demand segmentation, anomaly detection, and audit trails.

 

Zero Trust addresses all of it. No exposed ports. No client software. Device-initiated traffic only. Browser-based Privileged Remote Access for vendors. Real-time traffic visualisation via Illumio. NIS2-aligned architecture from the SIM to the application.

 

IXT Zero Trust delivers this through two integrated components: Zero Trust Connectivity powered by Zscaler ZTNA, and Zero Trust Visualisation powered by Illumio. Always sold together. No compromises on the security model.


See it in action

The easiest way to understand what Zero Trust looks like for your IoT fleet is to see it.

 

Book a 30-minute demo with the IXT team. Bring your questions about your current setup. We'll show you exactly what Zero Trust looks like in practice.