theNet by CLOUDFLARE

Solving the perimeter problem

Moving beyond traditional security with Zero Trust

The days of traditional perimeter security are over for the modern enterprise. That’s in part because the traditional ways of working have changed. Modern employees might be working from a small branch office, an airplane, a home office, a coffee shop, and a client’s office all in one week.

Most technology leaders recognize that Zero Trust security offers the best alternative to that legacy approach of protecting an enterprise. The identity-centric, continuous verification of Zero Trust security enables organizations to protect resources no matter where users are located and what devices they are using. By transitioning to a Zero Trust model, organizations can address the essential limitations of perimeter security.

Still, many companies are not there yet. In fact, many are not very far along in their Zero Trust journey. On a scale of one to ten? “I would say four,” said Menny Barzilay, CEO and co-founder of the cybersecurity platform Milestone, and a partner at Cytactic. Personally, I’d say a six at best.

I recently spoke about the perimeter security problem with Menny Barzilay and Khalid Kark, Cloudflare’s field CIO for the Americas. We touched on the vulnerabilities of legacy perimeter-based security highlighted in the 2025 Cloudflare Signals Report, and we discussed how transitioning to a Zero Trust model can help address those issues.

We all agreed: Moving forward on a Zero Trust journey is critical for protecting organizations in today’s threat environment. But doing so requires more than just buying a single solution.


Replacing the perimeter with identity-based security

Before organizations can transition to a new security model, it’s important to understand where they came from. For years, organizations focused cybersecurity efforts on protecting their network perimeter, which largely coincided with the physical perimeter of corporate offices. They protected that network perimeter with a firewall in their on-premises data center.

Today, organizations have expanded far beyond their physical offices. Employees are working from everywhere, using cloud-based apps. As Menny Barzilay put it, “Perimeter is a very questionable concept in today’s reality.”

Instead of defending organizations like they are castles with moats, cybersecurity leaders need an entirely new model. Most agree that identity will be key to that model. Of course, it’s not as simple as only verifying the identity of a user. Organizations need to incorporate additional context for each access request as well as the user’s device posture.

If they get it right, there is a huge security payoff. “There’s a concept that says, if you’re able to solve the identity problem, you’re able to solve cybersecurity,” says Barzilay. “If you know that the right person is using the right data with the right device…you don’t have a cybersecurity issue.”

Solving the identity problem is a primary goal of implementing a Zero Trust security model. The central principle of that model is: never trust, always verify. Instead of trusting everyone who makes it across the “moat” surrounding your castle (and giving them access to all resources), Zero Trust assumes there are risks inside and outside your network. Zero Trust tools verify the user, context, and device before granting access to specific data and applications.
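To make the contrast concrete, here is an added example (not from the article or from any Cloudflare product) that compares a castle-and-moat decision with a per-request Zero Trust decision. The network range, the entitlement map, the country policy, and the three requests are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All names and values below are constructed for illustration.
CORPORATE_NET = ip_network("10.0.0.0/8")
ENTITLEMENTS = {"alice": {"payroll"}, "bob": {"wiki"}}  # least privilege: user -> apps

@dataclass(frozen=True)
class Request:
    user: str
    credentials_valid: bool   # password / VPN login succeeded
    mfa_verified: bool        # strong second factor completed for this session
    device_managed: bool      # device posture: enrolled and compliant
    source_ip: str
    country: str
    app: str

def perimeter_decision(req: Request) -> bool:
    """Castle-and-moat: anything inside the network with valid credentials is trusted."""
    return req.credentials_valid and ip_address(req.source_ip) in CORPORATE_NET

def zero_trust_decision(req: Request, allowed_countries=frozenset({"US"})) -> tuple[bool, str]:
    """Evaluate identity, device and context per request; network location grants nothing."""
    if not (req.credentials_valid and req.mfa_verified):
        return False, "identity not verified"
    if not req.device_managed:
        return False, "device posture failed"
    if req.country not in allowed_countries:
        return False, "context outside policy"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return False, "no entitlement for app"
    return True, "allow"

# Constructed requests: reused credentials on an unmanaged device inside the network,
# a verified user reaching for an app outside their entitlement, and a verified
# remote user on a managed device requesting an app they are entitled to.
stolen = Request("alice", True, False, False, "10.8.0.23", "US", "payroll")
lateral = Request("bob", True, True, True, "10.8.0.40", "US", "payroll")
legit = Request("alice", True, True, True, "203.0.113.7", "US", "payroll")

if __name__ == "__main__":
    for name, r in [("stolen", stolen), ("lateral", lateral), ("legit", legit)]:
        print(name, perimeter_decision(r), zero_trust_decision(r))
```

The perimeter check admits the first two requests because they originate inside the network and rejects the legitimate remote user; the per-request policy reverses all three outcomes.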

As Khalid Kark pointed out in our recent discussion, Zero Trust is not a single, specific solution: “This is actually a mindset.” Menny Barzilay agrees: “It’s about understanding and acknowledging that you cannot ‘trust by design’ anything. You have to verify everything.”

I also think of Zero Trust as a journey — and it almost doesn’t matter where you start. But most organizations start by identifying their most problematic scenarios.

“If you’re able to solve the identity problem, you’re able to solve cybersecurity.”

— Menny Barzilay
CEO and Co-Founder of Milestone and Co-Founder and Partner at Cytactic


Pinpoint a first destination: Find a key use case for Zero Trust

A Zero Trust security model can help you address some of the most pressing threats created through the explosion of hybrid work and cloud-based resources. For example, you can replace outdated remote access solutions, control shadow IT, and simplify security for users.

1. Replace traditional VPNs
Attackers know that if they can steal VPN credentials from a single user, they can gain broad access to an enterprise’s network. Transitioning to identity-centric Zero Trust security can help solve this serious problem. With Zero Trust, you can enforce continuous verification of users and implement contextual authentication across cloud workloads and software-as-a-service (SaaS) apps. If attackers still manage to gain remote access to your network, least-privilege access capabilities limit the extent of the infiltration, preventing lateral movement.

Replacing a VPN with Zero Trust security has added benefits: Users will enjoy a more seamless, lower-latency experience as they connect to resources. You can also scale the use of Zero Trust access more rapidly and cost-effectively than scaling a VPN solution. And your IT team can reduce the administrative complexity of managing remote and hybrid access.

2. Control shadow IT
Cloud providers make it incredibly easy to adopt new services — including AI services. But as a result, individual employees and teams often sign up for these services without consulting IT. This kind of shadow IT (or shadow AI) makes it increasingly difficult to monitor and secure cloud apps and cloud environments. Using even simple cloud-based collaboration tools can put sensitive data at risk.

Implementing cloud access security brokers (CASBs), AI-powered discovery tools, and automated policy enforcement as part of Zero Trust security can help you gain real-time visibility and control over use of unauthorized cloud services.

3. End the password era
Even as attackers employ AI to mount more sophisticated tactics, identity remains a primary attack vector. As the report notes, 25% of Cisco’s incident response engagements related to users accepting fraudulent multi-factor authentication (MFA) push notifications in Q1 of 2024. Attackers are also hijacking active sessions and stealing credentials in other ways, exposing enterprises to widespread breaches and account takeovers.

In particular, organizations face several identity-related challenges:

  • Credential reuse: According to the report, analysis of compromised credentials showed that 46% of all human login attempts — and 60% of enterprise login attempts — involved compromised credentials.

  • Automated credential attacks: Analysis of compromised credentials showed that 94% of login attempts use leaked credentials that come from bots, which can test thousands of stolen passwords per second.

  • Insufficient passwords: Static passwords and even basic MFA methods are often ineffective against modern threats, including session hijacking and phishing-resistant credential theft.

It’s time to leave traditional password-based security behind. Implementing Zero Trust access controls along with passwordless authentication, behavior analytics, automated credential revocation, and other capabilities can help you address the potential risks of simple static passwords and basic MFA.


Identify your point of departure for the Zero Trust journey

Once you’ve identified the right use case, you should inventory and audit your applications. The goal is to determine who already has access to each application — and who shouldn’t have access. Many Zero Trust journeys fail because organizations miss these audits.

At this point, you can choose a Zero Trust security solution. It’s true, Zero Trust is more of a model or philosophy than a single solution. But selecting the right Zero Trust solution enables you to enforce the Zero Trust principles and policies you establish.

While Zero Trust solutions are important, too many organizations start with buying the solution — and then their journey comes to a halt. Doing all of the preparation first — including picking a use case and conducting audits — can help make sure you are investing your time and energy in ways that will deliver the results you expect.

The journey will be easier for some organizations than others. As Menny Barzilay noted, startups can implement Zero Trust security from day one and avoid the potential hurdles of replacing legacy solutions. But for other organizations, targeting a specific use case — such as securing remote access — will help you earn a relatively fast win that can propel your organization forward.

Unfortunately, most companies are not yet very far along in their Zero Trust journey. Meanwhile, they have to address both the great promise — and fear — of AI. While AI will add some new obstacles, such as the need to manage non-human identity, AI will more effectively surface threats and automatically improve an organization’s security posture.

Nevertheless, Khalid Kark, Menny Barzilay, and I all agree that pushing forward with the Zero Trust journey is critical. Zero Trust helps address the shortcomings of perimeter-based solutions. And at the same time, it can help significantly reduce the complexity and costs of security. Instead of managing multiple tools, you can take a unified approach to protecting resources by focusing on identity.


Making the move to Zero Trust

Cloudflare’s connectivity cloud is a platform of cloud-native services that can streamline the transition from traditional perimeter-based security to a Zero Trust security model. With Cloudflare Zero Trust Network Access, for example, you can replace your legacy VPN, simultaneously strengthening your security posture and delivering better user experiences while simplifying management. Cloudflare’s platform also provides services to regain visibility and control over IT and stop bot-based identity attacks. Together these services enable you to progress on your Zero Trust journey and leave legacy perimeter security models behind.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Dive deeper into this topic.

Learn more about how Zero Trust security can help you build a more resilient organization and discover additional critical security trends in the 2025 Cloudflare Signals Report: Resilience at Scale.


Author

Steve Pascucci — @StevePascucci
Head of Zero Trust, Cloudflare



Key takeaways

After reading this article, you will be able to understand:

  • Why traditional, perimeter-based security is no longer sufficient

  • How Zero Trust is the modern security imperative

  • Where to begin your Zero Trust journey


