Two months of remote work revealed a fundamental problem: VPN creates a false sense of security. Once a user connects, they have access to everything. Zero Trust flips this model: never trust, always verify.
The Problem with VPN
A VPN works on the principle that outside is dangerous and inside is safe. But 150 laptops connecting from home networks, where IoT devices share the Wi-Fi and the router still runs firmware from 2017, are a security team’s nightmare. Once an attacker gets inside the VPN, they have access to everything.
Zero Trust Principles
- Identity is the new perimeter — access based on identity, not IP address
- Least privilege — minimum necessary permissions
- Continuous verification — every request is verified, not just the initial login
- Device trust — devices must meet security policies
Identity-Aware Proxy
We deployed OAuth2 Proxy for internal web applications. Instead of VPN → app, we put a reverse proxy with Azure AD authentication in front of each application. The user logs in via SSO, the proxy verifies group membership and only then forwards the request to the application.
Microsegmentation
We created isolated network segments: dev separated from production, databases reachable only from the app servers, CI/CD on its own. Traffic between segments requires an explicit allow rule. An attacker who lands in one segment cannot reach the others.
Legacy Applications — The Biggest Challenge
An internal system from 2008 doesn’t support SAML or OIDC. Solution: a reverse proxy with header-based authentication, where the proxy authenticates the user and passes the verified identity to the application in a request header. It’s not elegant, but it works. Zero Trust isn’t a quarterly project — it’s a journey, application by application.
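As an added example (not the post’s own code and not OAuth2 Proxy itself), a minimal identity-aware proxy in Go covering both the SSO group check described under Identity-Aware Proxy and the header-based handoff used for the legacy system; the `_session` cookie, the in-memory `sessions` map, the `app-admins` group and the backend address are assumptions standing in for the real session store and application.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Identity is what the SSO step (Azure AD login) has already verified.
type Identity struct {
	Email  string
	Groups map[string]bool
}

// Constructed in-memory sessions stand in for OAuth2 Proxy's signed session cookie.
var sessions = map[string]Identity{
	"sess-alice": {"alice@example.com", map[string]bool{"eng": true, "app-admins": true}},
	"sess-bob":   {"bob@example.com", map[string]bool{"sales": true}},
}

// Gate resolves the SSO session and enforces group membership; on 200 it also
// overwrites X-Forwarded-User with the verified identity, so a value forged by the
// client never reaches the legacy app (which must be reachable only via this proxy).
func Gate(r *http.Request, requiredGroup string) int {
	c, err := r.Cookie("_session")
	if err != nil {
		return http.StatusUnauthorized // no SSO session: send to login
	}
	id, ok := sessions[c.Value]
	if !ok {
		return http.StatusUnauthorized // unknown or expired session
	}
	if !id.Groups[requiredGroup] {
		return http.StatusForbidden // logged in, but not in the required group
	}
	r.Header.Set("X-Forwarded-User", id.Email)
	return http.StatusOK
}

// Hypothetical legacy app; in production it sits in a segment only the proxy can reach.
var upstream = httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "http", Host: "127.0.0.1:8081"})
func main() {
	http.ListenAndServe(":8080", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if status := Gate(r, "app-admins"); status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		upstream.ServeHTTP(w, r)
	}))
}
```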
VPN Won’t Die Overnight
Zero Trust is a gradual journey. But the direction is clear: the future of security lies in identity, not perimeter.