VPN, APN, and Zero Trust in IoT: What to use when

You don’t need a dozen products to secure IoT. You need the right control at the right layer. This piece explains what a private APN does, what a VPN adds, and where Zero Trust closes the gaps—so you can choose, combine, and implement with confidence.

This article has been updated. Originally published 9 November 2025, this version reflects IXT's current security product architecture.

VPN vs Private APN vs Zero Trust for IoT: Which Security Model Is Right for Your Deployment?

Most IoT teams reach for VPN because it is familiar. It works for laptops. It is what IT already uses. So when devices need secure connectivity, VPN feels like a reasonable starting point.

The problem is that IoT is not IT. The devices are different. The threat model is different. The scale is different. What works for managing a corporate network fails quietly, and sometimes dangerously, when applied to thousands of headless field devices.

This article explains the three security approaches available for IoT connectivity, what each one does, and which deployment scenarios each one fits.

A quick summary if you don't need all the details 

What is VPN for IoT?

VPN creates an encrypted tunnel between a device and a concentrator on your network, carried over the public internet. It requires client software and credentials (usually a certificate) on every device, grants network-level access once connected unless you add per-device firewalling on top, and tells you only whether the tunnel is up, not what the device is talking to.

What is a Private APN for IoT?

A Private APN is a dedicated cellular access point for a specific customer. IoT traffic never touches the public internet. It flows from the SIM through a private network to your data centre or cloud. No client software is required. This is what IXT SecureNet delivers.

What is Zero Trust for IoT?

Zero Trust is a security architecture built on the principle of never trusting, always verifying. All traffic is device-initiated. No ports are exposed. No VPN clients are needed. Access is granted per session, per application, with full traffic visibility and anomaly detection. IXT Zero Trust combines Zscaler ZTNA and Illumio traffic visualisation, delivered natively through the SIM.

Which is right for my IoT deployment?

If your devices are headless, deployed at scale, or require third-party access, VPN is the wrong model. Private APN removes public internet exposure but leaves visibility and access control gaps. Zero Trust removes the inbound attack surface (nothing on your network listens for connections), scopes third-party access to a single device and session, and shows you what every device is communicating with in real time. It is IXT's standard security offering.

What is VPN, and why do so many IoT deployments start with it?

VPN is the default because it is familiar. Most enterprise IT teams already run VPN for remote employees. The assumption is that the same technology, applied to devices, provides the same protection.

VPN creates an encrypted tunnel from an endpoint to a concentrator on your network. Traffic travels encrypted across the public internet, arrives at the concentrator, and is decrypted inside your perimeter. For a managed laptop with a known user identity, this works.

IoT deployments hand VPN a different set of problems.

Most IoT devices are headless: no screen, no user who authenticates with credentials, and often an RTOS or bare-metal firmware rather than a general-purpose operating system. Running a VPN client on a microcontroller or a constrained sensor is often not technically possible, and where it is possible, it consumes compute, memory, and battery the device was not sized for.

At scale, VPN generates certificate management overhead. Every device needs a certificate. Certificates expire and need rotation, and a device whose certificate lapses drops off the network until someone reaches it. In a fleet of 500 devices across five countries, this becomes a maintenance burden that grows with every device added.

"VPN gives direct network access. It's like putting the third party's machine directly on your network. If their device carries malware, it's now inside your perimeter." — Marius Holmsen, CTO, Shift Security

The deeper structural problem is access control. VPN grants network access, not application access. A technician who connects via VPN to service one machine enters the network, not only that machine. Lateral movement is the result. The Target breach in 2013 is the reference case: attackers used credentials stolen from an HVAC contractor to reach Target's internal systems and moved laterally to the point-of-sale network. The vulnerability was not the HVAC system. It was what that network-level access allowed them to do once inside.

What is a Private APN, and when does it replace VPN?

A Private APN is a dedicated cellular access point reserved exclusively for one customer's traffic. When a device with an IXT SIM attaches, the network assigns it to that customer's private APN and its own routing domain. The traffic flows from the SIM through IXT's core network to your data centre or cloud without touching the public internet.

This solves the public internet exposure problem. VPN encrypts traffic as it moves over the internet. Private APN removes the internet from the path entirely.

IXT SecureNet delivers Private APN connectivity with the following capabilities:

Direct Cloud Connect to AWS, Azure, Google Cloud, and Alibaba without an internet hop.
Two redundant IPsec tunnels for encrypted site-to-site connectivity.
Static or dynamic IP addressing.
Virtual APN naming linked to the IMSI, so no changes are required on the device.
Real-time visibility through the IXT CMP.
Hub-and-spoke or full-mesh topology within the APN.

No client software is required on devices. The security is delivered at the network layer by IXT. Devices need no configuration change.

Private APN is the right choice when your primary requirement is removing your IoT traffic from the public internet and getting direct, private paths to your cloud infrastructure. It handles compliance questions around public internet exposure and gives you a manageable, scalable foundation.

What it does not do: it does not remove the attack surface for third-party access. A vendor who connects into your private network still has access to the network, not only the specific device or system they need to reach. It does not provide visibility into device behaviour: you can see connectivity status and data usage, but not what your devices are communicating with, whether their traffic is normal, or whether a device has started sending data to an unexpected destination. And the SIM is the identity: a SIM moved into another device inherits the APN's access unless you bind it to the device (for example by IMEI) or add authentication at the application layer.

What is Zero Trust for IoT, and how is it different?

Zero Trust is a security architecture. The principle is: never trust, always verify. No device, user, or connection is granted standing access to anything. Access is evaluated per session, based on identity, policy, and context, before a connection is established.

For traditional IT environments, Zero Trust is well understood. The challenge is that conventional Zero Trust implementations require agent software on every endpoint. Devices authenticate, agents enforce policy, sessions are inspected. IoT devices do not run agents. A temperature sensor in a factory does not have an operating system capable of running a Zscaler client.

IXT Zero Trust solves this by delivering the same Zscaler ZTNA architecture through the SIM, without requiring anything on the device.

IXT Zero Trust consists of two integrated components, always delivered together:

Zero Trust Connectivity, powered by Zscaler ZTNA

All traffic is device-initiated. No ports are exposed on your network. No VPN concentrators to maintain. Security policy is enforced at the network edge before any connection is established. Dynamic firewall inspection runs on all traffic.

The capability most relevant to industrial deployments is Privileged Remote Access. Service engineers and third-party vendors access specific devices through a browser-based portal. They authenticate, receive a time-limited session scoped to the device or system they need, and the session is recorded. When the session ends, access ends. They never enter the network. They never see what else is connected. This is what third-party access control looks like when it works.
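
To make the per-session model concrete, here is an added example (not IXT's, Zscaler's or Shift Security's code) of the decision a ZTNA broker has to make for every connection attempt. The grant structure, vendor name, device names and port numbers are assumptions for illustration; the point is the default-deny evaluation, the absence of any "network" that could be granted, and the audit record of every decision.

```python
"""Added example, not IXT, Zscaler or Shift Security code: a minimal model of
per-session, scoped, time-limited third-party access. Grant fields, device
names, vendor name and ports are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """One approved session: which vendor, which device, which application
    ports on that device, and when the session ends."""
    vendor: str
    device: str
    ports: frozenset
    expires_at: datetime


@dataclass
class Broker:
    """Default-deny access broker. There is no 'network' to be granted; every
    connection attempt is checked against a live grant for exactly this
    vendor, device and port, and every decision is written to the audit log."""
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def authorise(self, vendor: str, device: str, port: int, now: datetime) -> tuple[bool, str]:
        decision, reason = False, "no grant for this vendor/device"
        for g in self.grants:
            if g.vendor != vendor or g.device != device:
                continue
            if now >= g.expires_at:
                reason = "grant expired"
                continue
            if port not in g.ports:
                reason = f"port {port} not in scope"
                continue
            decision, reason = True, "allowed"
            break
        # Denied attempts are logged as well: they are the interesting ones.
        self.audit.append((now.isoformat(), vendor, device, port, reason))
        return decision, reason


def demo() -> tuple[dict, list]:
    """Constructed scenario: a technician gets SSH to one PLC for 30 minutes.
    The grant for plc-07 never lets the same session reach plc-08, another
    port on plc-07, or anything after expiry; all four attempts are logged."""
    t0 = datetime(2025, 11, 9, 9, 0, tzinfo=timezone.utc)
    broker = Broker(grants=[Grant("acme-tech", "plc-07", frozenset({22}), t0 + timedelta(minutes=30))])
    during = t0 + timedelta(minutes=5)
    results = {
        "scoped_device": broker.authorise("acme-tech", "plc-07", 22, during)[0],
        "lateral_move": broker.authorise("acme-tech", "plc-08", 22, during)[0],
        "other_port": broker.authorise("acme-tech", "plc-07", 502, during)[0],
        "after_expiry": broker.authorise("acme-tech", "plc-07", 22, t0 + timedelta(minutes=31))[0],
    }
    return results, broker.audit


if __name__ == "__main__":
    res, log = demo()
    print(res)
    for entry in log:
        print(entry)
```

Compare this with the VPN case described earlier: once the tunnel is up, the concentrator has nothing equivalent to the device and port check, so the plc-08 attempt would be a routing question rather than an authorisation question.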

Zero Trust Visualisation, powered by Illumio

All traffic flowing through the mobile gateway is captured and mapped visually. Normal device communication appears as green lines. When a device communicates with an unexpected destination, an anomaly alert fires. Policy-based segmentation limits the blast radius if a device is compromised.

This works for both intelligent and constrained devices, including headless sensors with no operating system in the conventional sense. The visibility is delivered at the network layer, not the device layer.
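
Here is an added example (not Illumio's or IXT's code) of the visibility logic described above, applied to constructed gateway flow records: learn which destinations each device normally talks to, then flag anything outside that baseline and any device-to-device flow that a segmentation policy forbids. The record layout, device identifiers and addresses are assumptions; 198.51.100.0/24 is a documentation range.

```python
"""Added example, not Illumio or IXT code: learn each device's normal
destinations from gateway flow records, then flag flows outside that
baseline and device-to-device flows that segmentation policy forbids.
Record layout, device identifiers and addresses are constructed."""
from collections import defaultdict

# Constructed flow records in the shape a mobile gateway might export:
# (device_id, destination_host, destination_port, protocol).
LEARNING_FLOWS = [
    ("sensor-001", "mqtt.plant.example", 8883, "tcp"),
    ("sensor-001", "ntp.plant.example", 123, "udp"),
    ("sensor-002", "mqtt.plant.example", 8883, "tcp"),
    ("gateway-01", "api.cloud.example", 443, "tcp"),
    ("gateway-01", "mqtt.plant.example", 8883, "tcp"),
]

LIVE_FLOWS = [
    ("sensor-001", "mqtt.plant.example", 8883, "tcp"),      # expected
    ("sensor-001", "198.51.100.23", 4444, "tcp"),            # never seen before
    ("sensor-001", "198.51.100.23", 4444, "tcp"),            # repeat: one alert, not two
    ("sensor-002", "sensor-001.plant.example", 22, "tcp"),   # device talking to device
    ("sensor-009", "mqtt.plant.example", 8883, "tcp"),       # device never baselined
]

# Hostnames that belong to fleet devices; segmentation policy says devices
# only talk to allow-listed services, never to each other.
DEVICE_HOSTS = {"sensor-001.plant.example", "sensor-002.plant.example"}


def build_baseline(flows):
    """Map device -> set of (host, port, proto) seen in the learning window.
    The window is trusted as-is: a device already compromised when learning
    starts gets its bad traffic baked in as 'normal', so review the map
    before switching from learning to alerting."""
    baseline = defaultdict(set)
    for dev, host, port, proto in flows:
        baseline[dev].add((host, port, proto))
    return dict(baseline)


def detect_anomalies(baseline, flows):
    """One alert per distinct (device, destination) outside the baseline.
    A device with no baseline at all is reported too: an unknown SIM sending
    traffic through the gateway is worth a look even if the destination is
    one the rest of the fleet uses."""
    alerts, seen = [], set()
    for dev, host, port, proto in flows:
        key = (dev, host, port, proto)
        if key in seen:
            continue
        seen.add(key)
        dst = f"{host}:{port}/{proto}"
        if dev not in baseline:
            alerts.append({"device": dev, "dst": dst, "reason": "unknown device"})
        elif (host, port, proto) not in baseline[dev]:
            alerts.append({"device": dev, "dst": dst, "reason": "new destination"})
    return alerts


def segmentation_violations(flows, device_hosts):
    """Flows whose destination is another fleet device: the lateral path a
    segmentation policy exists to cut, regardless of what the baseline says."""
    return [(dev, host, port) for dev, host, port, proto in flows if host in device_hosts]


def run():
    baseline = build_baseline(LEARNING_FLOWS)
    return detect_anomalies(baseline, LIVE_FLOWS), segmentation_violations(LIVE_FLOWS, DEVICE_HOSTS)


if __name__ == "__main__":
    anomalies, violations = run()
    for a in anomalies:
        print("ANOMALY", a)
    for v in violations:
        print("SEGMENTATION", v)
```

The sensor-002 to sensor-001 flow fires twice on purpose: once as a new destination and once as a segmentation violation. The first tells you something changed; the second tells you the policy that should have blocked it is missing or wrong.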

How do the three models compare?

Attack surface

VPN: Exposed ports and a flat network. Once connected, lateral movement is possible.

Private APN (SecureNet): No public internet exposure. Traffic is isolated by customer. No device-level segmentation.

Zero Trust: No exposed ports, so no inbound attack surface. All traffic is device-initiated and verified before a connection is established.

Third-party access

VPN: Full network access granted via VPN credentials. No session control.

Private APN (SecureNet): No dedicated mechanism for controlled third-party access.

Zero Trust: Browser-based Privileged Remote Access. Time-limited, scoped sessions. Full session recording. No network access granted.

Device visibility

VPN: Tunnel status only. No insight into device behaviour.

Private APN (SecureNet): Connectivity and data usage via IXT CMP. No traffic behaviour mapping.

Zero Trust: Visual traffic map across all device connections. Anomaly alerts. Policy-based segmentation.

Client software required

VPN: Required on every device. Not viable for most headless IoT hardware.

Private APN (SecureNet): None. Security delivered at the network layer by IXT.

Zero Trust: None. Security delivered through the SIM via Zscaler ZTNA. No device configuration required.

Compliance (NIS2, GDPR)

VPN: Encryption in transit. Traffic still crosses the public internet. Auditors question this.

Private APN (SecureNet): Private infrastructure. No public internet path. Full audit trail in CMP.

Zero Trust: Private infrastructure plus segmentation, session recording, access logs, and anomaly detection. Strongest compliance posture available for IoT deployments.

Which security model is right for my IoT deployment?

Start with VPN if: Your devices run a full OS, your fleet is small, and you have the network team to manage certificate rotation and concentrator maintenance. VPN works for this scenario. It becomes expensive and risky as the fleet grows.

Choose Private APN (IXT SecureNet) if: Your primary requirement is removing IoT traffic from the public internet. Your devices are constrained and cannot run VPN clients. You want private, direct paths to your cloud infrastructure. You do not have active requirements around third-party vendor access control or device traffic visibility.

Choose IXT Zero Trust if: You have third-party vendors or contractors who need remote access to field devices. You operate in a regulated sector with NIS2 or GDPR obligations around network segmentation and auditability. You want to see what your devices are communicating with, not just whether they are connected. You are deploying in OT environments where a compromised device should not be able to reach other systems.

What does IXT Zero Trust actually look like in practice?

The Illumio traffic map is the demonstration that tends to settle the question. You connect the IXT SIM, and within minutes you see a visual representation of every device connection in your deployment. Green lines show expected behaviour. An anomaly alert shows you a device communicating with a destination you did not configure. You did not have to install anything on the device to get this.

The Privileged Remote Access demonstration is what tends to resonate in industrial automation conversations. A service technician authenticates through a browser portal, opens an SSH session to a specific machine, and the session is recorded from start to finish. When they close the browser, access ends. The technician never had network access. They had device access, scoped and logged.

These are not future capabilities. They are available now, delivered through the IXT SIM as the standard security offering.

Frequently asked questions

Does Zero Trust for IoT require software on the device?

No. IXT Zero Trust is delivered through the SIM via Zscaler ZTNA. No agent software is required on the device. This is what makes it viable for headless IoT and OT hardware.

Is Private APN the same as Zero Trust?

No. Private APN removes your traffic from the public internet. Zero Trust removes the inbound attack surface, controls who accesses what and for how long, and provides continuous traffic visibility and anomaly detection. Private APN is a component of SecureNet. Zero Trust adds Zscaler ZTNA and Illumio Visualisation on top of that foundation.

Can VPN meet NIS2 requirements for IoT?

VPN provides encryption in transit, but traffic still crosses the public internet, there is no device-level segmentation, third-party access is not scoped or recorded, and there is no visibility into device behaviour. These gaps are increasingly relevant in NIS2 audits for energy, utilities, and industrial operators. Private APN and Zero Trust provide stronger answers to each of these points.

What is Privileged Remote Access and why does it matter for IoT?

Privileged Remote Access is a capability within IXT Zero Trust Connectivity, powered by Zscaler ZTNA. It allows third-party vendors and service engineers to access specific devices through a browser-based portal without entering the network. Sessions are time-limited, scoped, and recorded. This replaces VPN-based remote access for contractors, which grants broad network access with limited audit trail.

What is Zero Trust Visualisation?

Zero Trust Visualisation is the second component of IXT Zero Trust, powered by Illumio. It maps all device traffic visually through the mobile gateway. Normal communication appears as green lines in the interface. Anomalies trigger alerts when devices communicate with unexpected destinations. Policy-based segmentation limits the impact of a compromised device. It works for both intelligent and constrained headless devices.

IXT is a full MVNO built for IoT, operating its own core network across 600+ mobile networks in 190+ countries. IXT Zero Trust is developed in partnership with Shift Security, powered by Zscaler ZTNA and Illumio.