Why Haven’t Firewalls and VPNs Stopped More Organizations from Being Breached?

May 16, 2024

Reducing cyber risk is an increasingly important initiative for organizations. Since a single cyber breach can be financially fatal as well as disastrous for countless stakeholders, improving cybersecurity has become a board-level concern and drawn increased attention from regulatory bodies around the globe.


As a result, organizations everywhere have poured massive amounts of time and money into security technologies that are supposed to protect them from cybercriminals’ malicious ends. Specifically, the go-to tools that are deployed to enhance security are firewalls and VPNs.


Despite the above, breaches continue to occur — and increase in number — at an alarming rate every year. News headlines about particularly noteworthy breaches serve as continual reminders that improperly mitigating risk can be catastrophic, and that the standard tools for ensuring security are insufficient.




With more organizations falling prey to our risk-riddled reality, an obvious question arises: Why haven’t firewalls and VPNs stopped more organizations from being breached?



The weaknesses of perimeter-based architectures

Firewalls and VPNs were designed for an era gone by, when users, apps and data resided on premises, when remote work was the exception, and when the cloud had not yet materialized. In that era, their primary focus was on establishing a safe perimeter around the network in order to keep the bad things out and the good things in. Even for organizations with massive hub-and-spoke networks connecting various locations like branch sites, the standard methods of trying to achieve threat protection and data protection still inevitably involved securing the entire network. This architectural approach goes by multiple names, including perimeter-based, castle-and-moat, network-centric and more.




In other words, firewalls, VPNs and the architecture that they presuppose are intended for an on-premises-only world that no longer exists. The cloud and remote work have changed things forever. With users, apps and data all leaving the building altogether, the network perimeter has effectively inverted, meaning more activity now takes place outside the perimeter than within it. And when organizations undergoing digital transformation try to cling to the traditional way of doing security, it creates a variety of challenges. These problems include greater complexity, administrative burden and cost, as well as decreased productivity and — of primary importance for our topic in this blog post — increased risk.



How do firewalls and VPNs increase risk?

There are four primary ways in which legacy tools like firewalls and VPNs increase the risk of breaches and harmful side effects. Whether they are hardware appliances or virtual appliances makes little difference.


  1. They expand the attack surface. Deploying tools like firewalls and VPNs is supposed to protect the ever-growing network as it is extended to more locations, clouds, users and devices. However, these tools have public IP addresses that can be found on the internet. This is by design so that the intended users can access the network via the web and do their jobs, but it also means that cybercriminals can find these entry points into the network and target them. As more of these tools are deployed, the attack surface is continually expanded, and the problem is worsened.
  2. They enable compromise. Organizations need to inspect all traffic and enforce real-time security policies if they are to stop a compromise. But approximately 95% of today’s traffic is encrypted, and inspecting such traffic requires extensive compute power. Appliances have static capacities to handle a fixed volume of traffic and, consequently, struggle to scale as needed to inspect encrypted traffic as organizations grow. This means threats can pass through defenses via encrypted traffic and compromise organizations.
  3. They allow lateral threat movement. Firewalls and VPNs are what primarily compose the “moat” in a castle-and-moat security model. They are focused on establishing a network perimeter, as mentioned above. Relying on this strategy, however, means that there is little protection once a threat actor gets into the “castle,” i.e., the network. As a result, following compromise, attackers can move laterally across the network, from app to app, and do extensive damage.
  4. They fail to stop data loss. Once cybercriminals have scoured connected resources on the network for sensitive information, they steal it. This typically occurs via encrypted traffic to the internet, which, as explained above, legacy tools struggle to inspect and secure. Similarly, modern data leakage paths, such as sharing functionality inside of SaaS applications like Box, cannot be secured with tools designed for a time when SaaS apps did not exist.





Why Zero Trust can stop organizations from being breached

Zero Trust is the solution to the above problems. It is a modern architecture that takes an inherently different approach to security, because the cloud and remote work have changed things forever. In other words, Zero Trust leaves the weaknesses of perimeter-based, network-centric, firewall-and-VPN architectures in the past. With an inline, global security cloud serving as an intelligent switchboard to provide Zero Trust connectivity — along with a plethora of other functionality — organizations can:


  1. Minimize the attack surface: Hide applications behind a Zero Trust cloud, eliminate security tools with public IP addresses and prevent inbound connections
  2. Stop compromise: Leverage a high-performance cloud to inspect all traffic at scale, including encrypted traffic, and enforce real-time policies to stop threats
  3. Prevent lateral movement: Connect users, devices and workloads directly to apps they are authorized to access instead of connecting them to the network as a whole
  4. Block data loss: Prevent malicious data exfiltration and accidental data loss across all data leakage paths, including encrypted traffic, cloud apps and endpoints


In addition to reducing risk, Zero Trust architecture solves problems related to complexity, cost, productivity and more.


Jacob Serpa
Senior Portfolio Marketing Manager | Zscaler
Jacob lives in Silicon Valley and works as a senior portfolio marketing manager at Zscaler. He has worked in the cloud security space for seven years, starting at Bitglass. Serpa’s current portfolio marketing role at Zscaler is focused on marketing the Zero Trust Exchange platform and explaining the benefits of embracing a Zero Trust architecture.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.