Security Theater
VPNs give you a false sense of security while leaving the front door open.
The Castle-and-Moat Illusion
VPNs are the digital equivalent of a castle moat. Once you cross the drawbridge, you're "inside" and trusted. The problem? Modern attackers don't storm the gates. They steal a badge and walk in.
The Lateral Movement Problem
Here's what happens when an attacker compromises a VPN credential:
- They connect to the VPN
- They're now "inside" the network
- They can reach every system the VPN subnet allows
- They move laterally — from the user's machine to a file server, to a database, to the domain controller
- Game over
This isn't theoretical. The Colonial Pipeline intrusion began with a compromised password for a legacy VPN account that had no MFA in front of it. SolarWinds is often cited alongside it, but it teaches a different lesson: the initial foothold there was a poisoned software build, and what followed was the familiar pattern of valid credentials and a flat network turning one foothold into many. In both cases a single trusted entry point handed attackers the keys to the kingdom.
Authentication ≠ Authorization
VPNs authenticate at connection time. "Is this a valid credential? OK, you're in." After that, the typical VPN concentrator makes no further decisions. It doesn't check whether it makes sense for an accountant to reach the engineering source code repository. Most deployments don't flag a 3 AM login from a country you've never operated in, because nothing correlates that login with the user's history.
The VPN trusts the tunnel. Not the user. Not the request. Just the tunnel.
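The 3 AM login above is exactly the kind of signal a concentrator writes to its log and then ignores. As an added example that is not part of the original post, the Python below parses a few constructed VPN authentication events (a hypothetical `key=value` line format, not any vendor's) and flags successful logins from a country the user has never authenticated from, or outside an assumed working-hours window:

```python
"""Flag VPN logins a concentrator would accept but a SOC should question.

Added example. The log format, the sample events and the working-hours window
are constructed assumptions, not taken from any real product or incident.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: 06:00-21:59 UTC counts as normal hours for this workforce.
WORK_HOURS = range(6, 22)

# Constructed sample events (not real logs). Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=acct01 src=203.0.113.10 country=US result=success
2024-03-01T17:45:03Z user=acct01 src=203.0.113.10 country=US result=success
2024-03-02T08:10:49Z user=acct01 src=203.0.113.22 country=US result=success
2024-03-02T09:01:27Z user=eng07 src=198.51.100.5 country=DE result=success
2024-03-03T03:12:41Z user=acct01 src=192.0.2.77 country=NL result=success
2024-03-03T03:13:05Z user=eng07 src=198.51.100.5 country=DE result=failure
"""


def parse_event(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text):
    """Return one alert per successful login that breaks the user's baseline.

    The baseline is learned in order from prior *clean* successes only, so a
    flagged login does not teach the detector that the new country is normal.
    """
    seen_countries = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["result"] != "success":
            continue  # failed attempts are a separate (brute-force) detection
        user, country, hour = ev["user"], ev["country"], ev["ts"].hour
        known = seen_countries[user]
        reasons = []
        if known and country not in known:
            reasons.append(f"new_country:{country}")
        if hour not in WORK_HOURS:
            reasons.append(f"off_hours:{hour:02d}")
        if reasons:
            alerts.append({
                "user": user,
                "ts": ev["ts"].isoformat(),
                "src": ev["src"],
                "reasons": reasons,
            })
        else:
            known.add(country)  # only clean logins extend the baseline
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The detector deliberately never learns from a login it has just flagged; if the NL session is legitimate travel, an analyst closes the alert and the baseline can be updated by hand. A first login for a user establishes the baseline rather than alerting, which is the right trade-off for a small corpus like this but should be paired with an "account created recently" signal in production.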
The Credential Problem
VPN credentials are high-value targets precisely because they grant broad access. Phishing a VPN password gives an attacker far more than phishing an individual app password. And VPN credentials are notoriously hard to secure:
- Many VPNs still support username/password authentication
- MFA adoption on VPNs is spotty — and TOTP codes are phishable
- VPN credentials often don't expire frequently enough
- Shared service accounts for VPN access still exist in many organizations
Encryption Isn't Security
"But the tunnel is encrypted!" Yes. Encryption protects data in transit. It does nothing to prevent an authorized (or seemingly authorized) user from doing unauthorized things once they're inside.
Encrypting the tunnel between a compromised laptop and your data center just means the attacker's exfiltration is encrypted too. Congratulations?
The Modern Alternative
Zero Trust Network Access (ZTNA) through Cloudflare flips the model:
- Every request is verified: Identity, device health, location, and behavior — checked on every single request, not just at connection time
- Least-privilege access: Users only reach the specific apps they need, never the underlying network
- No lateral movement: There's no "network" to move through — each app is an isolated access decision
- Phishing-resistant MFA: Hardware keys and platform authenticators, not phishable TOTP codes
- Continuous evaluation: Access can be revoked instantly, and anomalous behavior triggers step-up authentication
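To make the contrast with the tunnel model concrete, here is an added example of a per-request, default-deny policy evaluator in Python. It is not Cloudflare's code and not how Access implements its policy engine; the app catalog, group names, posture fields and country list are hypothetical. Every request passes through session revocation, group membership, country, device posture and MFA strength checks, so an accountant never reaches the source repository, and a TOTP-only session hitting an admin app gets a step-up rather than a pass:

```python
"""Per-request, default-deny access decisions in the ZTNA style.

Added example. App catalog, group names and posture fields are hypothetical;
a real deployment reads them from the identity provider and device client.
"""
from dataclasses import dataclass

# Assumption: these are the only authenticator types treated as phishing-resistant.
PHISHING_RESISTANT_MFA = {"webauthn", "hardware_key"}


@dataclass(frozen=True)
class Identity:
    email: str
    groups: frozenset
    mfa_method: str      # "none", "totp", "webauthn", "hardware_key"
    session_id: str


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in device management
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    app: str
    country: str         # hypothetical geo lookup of the client source address


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed_device: bool = False
    require_phishing_resistant_mfa: bool = False
    allowed_countries: frozenset = frozenset()   # empty means no restriction


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up: bool = False   # True: re-authenticate with a stronger factor, then retry


# Constructed app catalog: one isolated access decision per app, no shared network.
POLICIES = {
    "erp": AppPolicy(allowed_groups=frozenset({"finance"})),
    "git": AppPolicy(allowed_groups=frozenset({"engineering"}),
                     require_managed_device=True),
    "prod-admin": AppPolicy(allowed_groups=frozenset({"sre"}),
                            require_managed_device=True,
                            require_phishing_resistant_mfa=True,
                            allowed_countries=frozenset({"US", "DE"})),
}


def evaluate(req, ident, dev, policies=POLICIES, revoked_sessions=frozenset()):
    """Evaluate one request. Absolute denials come first, step-up last."""
    if ident.session_id in revoked_sessions:
        return Decision(False, "session revoked")
    policy = policies.get(req.app)
    if policy is None:
        return Decision(False, f"no policy for app {req.app!r}")   # default deny
    if not (ident.groups & policy.allowed_groups):
        return Decision(False, "identity not in an allowed group")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return Decision(False, f"country {req.country} not allowed for this app")
    if policy.require_managed_device and not (dev.managed and dev.disk_encrypted):
        return Decision(False, "device posture check failed")
    if (policy.require_phishing_resistant_mfa
            and ident.mfa_method not in PHISHING_RESISTANT_MFA):
        # Right person on a healthy device, but the factor is phishable: step up.
        return Decision(False, "phishing-resistant MFA required", step_up=True)
    return Decision(True, "all checks passed")


if __name__ == "__main__":
    accountant = Identity("acct@example.com", frozenset({"finance"}), "totp", "s1")
    sre = Identity("sre@example.com", frozenset({"sre"}), "totp", "s2")
    laptop = Device(managed=True, disk_encrypted=True)
    print(evaluate(Request("erp", "US"), accountant, laptop))    # allowed
    print(evaluate(Request("git", "US"), accountant, laptop))    # denied: wrong group
    print(evaluate(Request("prod-admin", "US"), sre, laptop))    # step-up required
```

Two design points carry over to a real control plane: an app with no policy is denied rather than silently reachable, and revocation is a set membership test on every request, which is what makes "revoked instantly" possible without tearing down any tunnel.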
You don't need a moat when every door has its own lock.
Zero Trust means every request is authenticated and authorized. No implicit trust. No lateral movement. Cloudflare checks identity, device posture, and context on every single request — not just at tunnel establishment.