Stop Cutting Two Inches Off the Ham: The Case for Modernizing Remote Access
Old Habits Die Hard
Picture this: A father is preparing Thanksgiving dinner while his daughter watches. He takes an electric knife, cuts a full two inches off the end of a perfectly good ham, and tosses it in the trash. Naturally, his daughter is confused.
“Dad, why would you throw that away? I love ham!”
Her father pauses. “You know, I’m not sure. That’s just how my mom taught me to make it. Go ask her.”
So the daughter finds her grandmother and poses the same question. The grandmother reflects for a moment: “I don’t really know either. That’s how my mother taught me. You should ask your great-grandmother.”
When the great-grandmother finally hears the question, she laughs.
“The pan I had was too small for the ham, so I had to cut off two inches to make it fit.”
Three generations had been cutting perfectly good ham and throwing it away, not because it made sense, but because it’s just how things had always been done.
This story resonates deeply with me as someone who works in cybersecurity because I see organizations doing the exact same thing every single day. They’re using VPNs to connect remote workers. They’re managing complex password policies and multi-factor authentication systems. They’re maintaining perimeter-based security architectures designed for a world where employees showed up to an office building every morning. And when you ask why, the answer is often the same:
“That’s just how we’ve always done it.”
The Pan Doesn’t Fit Anymore
Just because we don’t like to talk about it doesn’t mean we should shy away from uncomfortable conversations.
And the uncomfortable truth is the pandemic didn’t just temporarily change where we work… it fundamentally transformed how we work.
I’m sitting in my home office right now. I haven’t been to a physical office in years. When I do my job, I’m logging into cloud applications, accessing systems that live in data centers I’ll never visit, collaborating with colleagues I’ve never met in person. The office building as the center of our technology universe? A relic of a bygone era. Yet many organizations are still trying to force their modern, distributed workforce into a security architecture designed for a completely different era.
We’re cutting two inches off the ham, except the ham is our productivity, our security posture, and our employees’ sanity.
The Workforce Experience Nobody Talks About
Let’s start with the human cost of legacy remote access approaches. Your workforce (you know, the people who make your business run) deals with this friction every single day. They need to access a customer relationship management system to close a deal. They need to pull up design files to review with a client. They need to run a financial report before the board meeting. And before any of that can happen, they need to connect to a VPN.
Sometimes it works on the first try. Sometimes it doesn’t. The VPN client needs an update. Or it won’t connect from the coffee shop. Or it drops the connection mid-task. Or it slows everything to a crawl because all traffic is being backhauled through a central gateway that was never designed for this volume of remote users. Your sales rep sits in a parking lot before a client meeting, watching a loading spinner, wondering if they’ll have access to the proposal they need. Your engineer misses the first fifteen minutes of a video call because they’re troubleshooting their connection.
This isn’t just annoying. It’s expensive. Every minute of friction is a minute not spent on the actual work. Multiply that across hundreds or thousands of employees, across thousands of connection attempts per week, and you’re looking at a massive hidden tax on productivity. You’re also looking at something harder to quantify but equally important: employee satisfaction. The technology we provide shapes how people feel about working for us. Clunky, unreliable tools send a message that we don’t value their time or experience.
Modern workers expect technology to simply work. They use elegant applications in their personal lives, apps that connect seamlessly, that don’t require troubleshooting, that don’t make them think about the underlying infrastructure. Then they come to work and encounter a remote access experience that feels like time travel to 2005. The disconnect is jarring.
The Operational Complexity Nobody Signed Up For
Now let’s talk about the IT teams trying to keep this legacy infrastructure running. VPN concentrators require constant maintenance. Firmware updates. Certificate renewals. Capacity planning. Troubleshooting individual user connection issues. Managing split-tunneling policies. Dealing with compatibility problems across different operating systems and device types. Supporting users who don’t understand why they need to connect to a VPN before accessing systems that are, from their perspective, “just on the internet.”
Your security and IT teams didn’t sign up to be VPN support specialists, yet that’s where they spend an enormous amount of time. Ticketing systems fill up with remote access issues. Help desk staff become experts in a technology that adds no business value. It’s purely overhead, a means to an end that exists only because of architectural decisions made when the world worked differently.
Consider the complexity of the typical enterprise remote access stack: VPN concentrators, multi-factor authentication systems, privileged access management tools for sensitive systems, endpoint security agents, mobile device management platforms. Each of these technologies requires its own expertise, its own maintenance windows, its own budget line item. They need to integrate with each other, which means more complexity, more potential points of failure, more specialized knowledge required on staff.
Then there’s the scaling problem. When your workforce was 60% remote, the VPN infrastructure could handle it. What happens when that becomes 80%? 100%? Do you expand capacity? Implement load balancing? Add redundant concentrators? Each solution adds complexity, cost, and risk. You’re not investing in capabilities that differentiate your business or serve customers. You’re simply trying to maintain the ability for your employees to do their jobs.
The Security Theater Problem
Perhaps the most problematic aspect of legacy remote access approaches is that they create a false sense of security while actually increasing risk. The traditional model operates on an assumption that is fundamentally broken: the idea that there’s a clear perimeter between “inside” and “outside” the network, and that getting through the VPN is the primary security control.
Once a user authenticates to the VPN, they typically gain broad access to internal resources. The VPN connection becomes a de facto trust decision: “You’re on the network, therefore you must be authorized for everything.” This creates several problems. First, legitimate users often have excessive access to systems and data they don’t need for their jobs, expanding the potential damage from compromised credentials. Second, if an attacker does compromise a user account (which happens constantly through phishing, credential stuffing, or other methods), the VPN helpfully provides exactly what they need: broad network access.
The perimeter model also struggles with the modern application landscape. Your team uses Salesforce, Office 365, Slack, dozens of SaaS applications that don’t live “inside” any network perimeter. The VPN is irrelevant for these tools, yet they handle some of your most sensitive data. Meanwhile, the applications and systems that do live in data centers are increasingly virtualized, containerized, cloud-hosted. The concept of a network perimeter protecting them is increasingly fictional.
Legacy remote access also makes it difficult to implement proper least-privilege access controls. Users need to connect to the VPN to access System A, but that same connection gives them network-level access to Systems B through Z as well. Implementing granular controls in this model requires complex firewall rules, network segmentation, and policy management that quickly becomes unwieldy. Security teams find themselves trying to retrofit modern security principles onto an architecture that was never designed for them.
What Modernization Actually Looks Like
So what’s the alternative to cutting two inches off the ham? What does it look like to actually modernize how your workforce connects to business systems and applications?
The answer starts with rethinking the fundamental model. Instead of backhauling all remote traffic through central chokepoints and granting broad network access, modern approaches establish direct, encrypted connections between users and the specific resources they need. No VPN. No perimeter. Just secure, granular access to applications and systems based on identity and authorization policies.
From a workforce experience perspective, this is transformative. Employees connect to applications just as seamlessly whether they’re at home, in a coffee shop, or at a client site. There’s no separate connection to establish, no VPN client to troubleshoot, no performance penalty from traffic routing through distant concentrators. The technology becomes invisible, which is exactly what technology should be. Users focus on their work, not on the mechanics of access.
For IT and security teams, modernization means dramatically reduced operational complexity. Eliminate the VPN infrastructure and you eliminate entire categories of support tickets, maintenance windows, and troubleshooting sessions. Modern approaches leverage existing identity systems rather than requiring separate authentication infrastructure. Access policies are defined at the application level rather than through complex network segmentation. The technology stack becomes simpler, more manageable, and requires less specialized expertise to maintain.
From a security perspective, modern access approaches implement the principles that security professionals have been advocating for years: zero trust, least privilege, and microsegmentation. Every connection is authenticated and authorized individually. Users get access only to the specific resources they need, not broad network access. It becomes dramatically easier to implement granular controls, to monitor actual usage patterns, to detect anomalous behavior, and to respond to potential compromises by revoking specific access rights rather than trying to boot someone off a VPN connection.
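To make the contrast concrete, here is an added sketch (not from the original article or any product) that compares what a single compromised account can reach under flat VPN trust versus per-request, default-deny authorization. The system names, the user `alice`, and the `AccessPolicy` class are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed inventory standing in for "Systems A through Z" from the text.
SYSTEMS = [f"system-{c}" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"]


def vpn_reachable(authenticated):
    """Perimeter model: one trust decision at the gateway, then network-wide reach."""
    return set(SYSTEMS) if authenticated else set()


@dataclass
class AccessPolicy:
    """Per-resource model: explicit (user, system) grants, default deny."""
    grants: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (user, system, allowed) per request

    def grant(self, user, system):
        self.grants.add((user, system))

    def revoke(self, user, system):
        self.grants.discard((user, system))

    def authorize(self, user, system):
        """Evaluate every request individually and record the decision."""
        allowed = (user, system) in self.grants
        self.audit.append((user, system, allowed))
        return allowed

    def reachable(self, user):
        return {s for s in SYSTEMS if (user, s) in self.grants}

    def denials(self, user):
        """Denied requests are a monitoring signal the flat model never produces."""
        return [s for u, s, ok in self.audit if u == user and not ok]


def compare(user="alice"):
    """Exposure if `user`'s credentials are compromised, under each model."""
    policy = AccessPolicy()
    policy.grant(user, "system-A")            # the one system the job requires
    exposure_vpn = len(vpn_reachable(True))   # 26: everything behind the gateway
    exposure_policy = len(policy.reachable(user))  # 1: only the granted system
    policy.authorize(user, "system-A")        # allowed
    policy.authorize(user, "system-B")        # denied and logged
    policy.revoke(user, "system-A")           # targeted response to the compromise
    return {"vpn": exposure_vpn, "policy": exposure_policy,
            "denied": policy.denials(user),
            "after_revoke": policy.authorize(user, "system-A")}


if __name__ == "__main__":
    print(compare())
```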
Stop Cutting the Ham
We don’t have to keep doing things the way we’ve always done them. But we also can’t expect things to change unless we start asking questions and acting on the answers.
The question isn’t whether your current remote access approach technically functions. Of course it does, or you wouldn’t still be using it. The question is whether it serves your organization’s current and future needs. Does it provide the experience your workforce deserves? Does it create unnecessary operational burden for your technical teams? Does it actually deliver the security outcomes you need, or are you simply checking a compliance box?
Organizations that have taken the time to challenge their assumptions about remote access consistently discover the same thing: there’s a better way. Better for their employees, who get seamless access to the tools they need. Better for their IT teams, who spend less time troubleshooting and more time on strategic initiatives. Better for their security posture, with granular controls and visibility replacing broad network trust.
The great-grandmother in our story kept cutting the ham for a practical reason: she had a small pan. What’s your reason? And more importantly, when are you going to ask whether that reason still applies?
Jerod Brennen is VP, Cybersecurity Advisor at SideChannel, where he helps organizations build resilient cybersecurity programs. When he’s not geeking out about security technologies, he’s probably still wondering what his life would have been like as a high school choir director.
Connect with him on LinkedIn or reach out at jerod@sidechannel.com.


