For years, VPNs have been the standard for "safe" access into your corporate network. But as you know, nothing is perfect.

Once your "safe way in" has been compromised, and we can all assume that at some point it will be, whether through deception, security flaws or phishing, it's critical to ensure that your crown jewel applications and data are isolated. Just because a bad guy gets control of an internal box doesn't mean he or she should have full access to anything on that subnet.