This year has witnessed a string of critical vulnerabilities in VPNs and firewalls, spanning many of the major vendors. Recently, we saw another critical vulnerability exposed in the perimeter security meant to protect our organizations from cyberattacks. In this recent case it was a critical flaw in the GlobalProtect feature of Palo Alto Network’s Pan-OS software that the vendor acknowledged “may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.” Initially the ShadowServer Foundation found “more than 156,000 potentially affected Palo Alto firewall devices connected to the internet, representing thousands of organizations.” Not long ago CISA issued an emergency directive on Ivanti VPN vulnerabilities that allowed “a malicious threat actor to move laterally, perform data exfiltration and establish persistent system access, resulting in full compromise of target information systems.” This was how MITRE was breached (before CISA’s warning). Firewalls and VPN appliances are critical gateways. Like all on-prem systems, a vulnerability can lead to a compromise that is used to open the door for attackers.   

Reliance on Firewalls and VPNs

As we navigate through the digital transformation that has redefined our world, it becomes increasingly clear that our cybersecurity strategies must also evolve. The traditional reliance on network-centric models, built around firewalls and VPNs, has been a cornerstone of our security posture for two and a half decades. However, in the face of the relentless evolution of cyberthreats and the changes to network designs due to the cloud, this approach is proving inadequate. We need a complete overhaul of our cybersecurity architecture. 

In the early days of client/server, the primary focus was on connectivity. Systems were monolithic, and the goal was straightforward – connect and operate. However, the past two years have witnessed a seismic shift towards distributed systems, cloud computing and a remarkable increase in mobility. This shift has brought with it a plethora of benefits, but also a host of new vulnerabilities. As our applications and workforce became decentralized, so too did the potential points of exploitation. 

The reality of this threat is evident in the daily headlines of cybersecurity breaches. Sectors as diverse as logistics, healthcare, government and even entertainment have not been spared. These breaches are stark reminders that the old fortress mentality – building higher walls around our network – is no longer effective. A recent ransomware attack on a major casino company in the U.S. is a case in point.  

The attacker group calling itself Scattered Spider had researched an employee’s LinkedIn profile and used that information to social engineer the IT support desk into granting them credentials to gain access to the network.  Once in, the attackers had the foothold they needed to spread the ransomware. As long as you are dependent on firewalls and VPNs you are vulnerable to ransomware attacks. The solution? Move to a zero-trust architecture and phase out your firewalls and VPNs. 

Think of a corporate VPN as a way to extend the trust granted to a desktop within the moat created by the firewall to an employee’s laptop at home. He may have used strong authentication to connect via the VPN but what happens when he clicks on a link in a phishing email and inadvertently introduces a Trojan Horse?   Now his laptop is controlled by the attacker who can send emails, connect to internal resources and move laterally throughout a network with minimal internal controls. The VPN is just a wide-open hallway through the firewall. The recent series of Ivanti VPN breaches and CISA’s emergency directive to immediately disconnect  Ivanti VPNs further highlight how risky VPNs are for a modern organization. 

Enter the concept of zero-trust – a term that gained credence when the White House started using it in Presidential Directives, not to mention the Pentagon adopting it. Zero-trust is the understanding that implicit trust is a vulnerability. In a zero-trust model, verification is central, and nothing, not even elements within the network perimeter, is trusted by default. 

The traditional methods, while once groundbreaking, are now showing their age. Firewalls and remote access via VPNs create a dangerous illusion of security. As IP-based systems, they present an attack surface that is reachable and potentially breachable. In addition, they operate on the outdated premise that everything within the network can be trusted, a notion repeatedly proven false by the ease with which attackers move laterally through networks after breaching the perimeter defenses. 

Traditional firewall and VPN vendors have made an effort to deflect this criticism by moving their on-premises architecture to the cloud and calling it “zero-trust” or “SASE” or “ZTNA.” This approach continues to proliferate IP-centric architectures that fail to mitigate the fundamental risks of exposed attack surface and lateral threat movement. Indeed, the increasing spend on such technologies has not prevented an increase in breaches. 

What we need today is a model that understands the fluidity and dynamism of the modern digital landscape. A zero-trust architecture (ZTA) is not just about implementing new tools; it’s about a strategic rethink of security. It’s about understanding that the network is no longer a castle to be fortified but a conduit only, with entity-to-entity access authorized discretely for every connection based on business policies informed by the identity and context of the entities connecting. Gone are IP-based policies and ACLs, persistent tunnels, trusted and untrusted zones, and implicit trust. With a zero-trust architecture in place, the internet becomes the corporate network and point-to-point networking fades in relevance over time. Firewalls become like the mainframe – serving a diminishing set of legacy functions – and no longer hindering the agility of a mobile and cloud-driven enterprise.  

This shift is not just a technical necessity but also a regulatory and compliance imperative. With government bodies mandating zero-trust models and new SEC regulations requiring breach reporting, warning shots have been fired. Cybersecurity is no longer just an IT issue; it has elevated to a boardroom priority, with far-reaching implications for business continuity and reputation. 

Many access control solutions have claimed to adopt zero-trust by adding dynamic trust. They may layer this concept into an existing gateway: an employee can get access if they are logging in during normal business hours and from their home IP. That is good but it is not zero-trust. Once logged in they are trusted 100% not to abuse their access. zero-trust goes beyond dynamic authentication. The app does not trust the user, the network does not trust the endpoint.  

For those struggling to fit their existing IT infrastructure into a modern cloud-first stance, start with adopting a zero-trust framework.  This requires not just adopting new technologies but also fostering a new mindset. A mindset that acknowledges the fragmented, decentralized nature of our digital world and seeks to secure it not by blind trust but through continuous verification and adaptation. 

The shift to a zero-trust model is a trend driven by necessity. As we continue to expand our digital footprint, our approach to securing it must be as dynamic and agile as the landscape itself. The future of cybersecurity is in architectures that are built not on the assumption of trust, but on the principle of constant verification and minimal privilege. It’s time to reimagine security for the world we live in today – a world where the only constant is change.