Modernising Traditional VPN with ZTNA and Website Security with Cloudflare

As part of our network modernisation journey, we identified several critical limitations in traditional remote access and application security architecture. Legacy VPN solutions required significant operational overhead — including client software management, frequent troubleshooting, and maintaining a VPN gateway exposed directly to the internet. Authenticated users often received broader network access than necessary, increasing the potential blast radius of a compromised account. 

The security risk is well-documented: according to the Zscaler ThreatLabz 2024 VPN Risk Report, 56% of organisations experienced one or more VPN-related cyberattacks in the previous year — up from 45% the year prior. More strikingly, VPNs and exposed firewalls now account for 58% of ransomware entry points, making them the primary attack vector exploited by cybercriminals (Coalition Cyber Threat Index, 2025). 

Similarly, our on-premises Web Application Firewall (WAF) demanded ongoing maintenance, hardware management, software patching, and continuous rule updates to remain effective against emerging threats. This consumed valuable IT resources while creating scalability and lifecycle management challenges. 

These challenges highlighted the need for a more secure, scalable, and modern approach to remote access and application protection — one aligned with Zero Trust security principles and cloud-native capabilities. 

As the client’s workforce became increasingly mobile and cloud-enabled, the existing VPN and on-premises security infrastructure began to present both operational and security challenges. Traditional VPN access required ongoing client management, introduced connectivity issues, and provided users with broader network access than necessary. Maintaining an on-premises WAF required significant effort to patch, scale, and keep security rules current. Most critically, the publicly exposed VPN gateway represented a single network-level entry point that, if compromised, could provide attackers with direct access to internal systems. 

Key challenges included: 

  • A public-facing VPN gateway that increased the organisation’s overall attack surface.
  • Users receiving broad network access after authentication, rather than application-specific access.
  • VPN client software requiring ongoing deployment, maintenance, and troubleshooting.
  • Frequent connection drops impacting user experience and productivity.
  • An on-premises WAF requiring continuous patching, rule updates, and infrastructure management.
  • Scaling and maintaining security appliances consuming valuable IT resources.
  • Growing cyber threats increasing risk across perimeter-based security models — with VPN Common Vulnerabilities and Exposures (CVEs) growing 82.5% between 2020 and 2024 (Zscaler ThreatLabz 2025 VPN Risk Report).

These challenges highlighted the need for a more secure, scalable, and simplified approach to remote access and application protection — aligned with Zero Trust security principles. 

VPN vs. Zero Trust Network Access (ZTNA) 

For years, VPNs were the standard for providing secure remote access to corporate resources. However, they were designed around network-level trust: once a user authenticated through a publicly accessible gateway, they were often granted access to large portions of the internal network, far more than their role required. 

The industry is responding decisively. According to the Zscaler ThreatLabz 2025 VPN Risk Report, 65% of organisations now plan to replace their VPN services within the year — a 23% jump from the prior year’s findings — while 81% are transitioning to zero-trust security frameworks by 2026. Organisations that have deployed Zero Trust architecture save an average of USD $1.76 million per breach compared with peers that have not (IBM Cost of a Data Breach Report, 2025).

Zero Trust Network Access (ZTNA) takes a fundamentally different approach. Instead of granting access to an entire network, every connection request is continuously verified and evaluated against identity, device posture, and access policies. Users are connected only to the specific applications they are authorised to access, with no visibility of the broader network. 

Key differences include: 

  • No exposed VPN gateway for attackers to target.
  • Application-level access instead of network-level access.
  • Continuous verification of user identity and device security posture.
  • Least-privilege access, ensuring users can only reach the resources they need.
  • Reduced attack surface and improved protection against compromised credentials.

By replacing the traditional VPN with Cloudflare Zero Trust, clients move from a model of implicit trust to one where every request is authenticated, authorised, and securely brokered before access is granted. This significantly improves security while delivering a simpler, more seamless experience for remote users. 

WAF: Before and After Cloudflare 

Traditionally, all web traffic, from legitimate users and malicious actors alike, was routed directly to the client’s on-premises WAF before reaching application servers. This required the IT team to manage dedicated security infrastructure, including hardware, software updates, rule tuning, and capacity planning.

The operational burden is significant: on-premises WAF management often requires dedicated specialists with three to five years of platform-specific experience, with associated annual salary costs ranging from $140,000 to $200,000 (Infrastructure Intelligence, 2025). Compliance implementation for on-premises deployments can cost $100,000–$500,000 annually due to independent auditing requirements alone. 

With Cloudflare, security is delivered at the edge through a globally distributed network. Every request is inspected before it reaches the client’s environment, allowing malicious traffic, including SQL injection attempts, cross-site scripting (XSS), bot attacks, and other threats, to be blocked closer to its source. In 2024, Cloudflare mitigated 21.3 million DDoS attacks alone; in the first half of 2025, it had already surpassed that total, mitigating 27.8 million attacks (Cloudflare DDoS Threat Report, Q2 2025).

Key benefits of the edge-based WAF include: 

  • Threats are blocked before they reach the corporate network.
  • No on-premises WAF infrastructure to manage or maintain.
  • Reduced load on origin servers and internet links.
  • Automatic updates to security protections against emerging and zero-day threats.
  • Improved application performance through Cloudflare’s global edge network.
  • Enhanced scalability and resilience against large-scale attacks.

By migrating WAF responsibilities to Cloudflare’s edge, clients significantly reduce operational overhead while strengthening the security posture of internet-facing applications. 

Website Hosting: With vs. Without Cloudflare 

Traditionally, website hosting relied on a publicly accessible static IP address provisioned by the ISP. Visitors connected directly to this IP, exposing the origin server to the internet and requiring inbound firewall rules and ongoing management of public-facing infrastructure. This approach increased the attack surface and often required additional investment in static IP services. 

With Cloudflare, the website is fronted by Cloudflare’s global network, and a Cloudflare Tunnel establishes a secure, outbound-only connection from the origin server to Cloudflare. Visitors access the website through Cloudflare while the origin server remains hidden from the public internet. This architecture eliminates the need for inbound ports, allows the server to operate behind NAT, and removes dependency on a static public IP address. 

Key benefits include: 

  • No public IP address exposed to the internet.
  • No inbound firewall ports required on the origin server.
  • Supports hosting behind NAT and dynamic ISP connections.
  • Reduces the attack surface by concealing origin infrastructure.
  • Simplifies network and firewall management.
  • Improved security, availability, and resilience through Cloudflare’s global edge network.
  • Enables secure publishing of applications without exposing internal systems.

By leveraging Cloudflare Tunnel and the Cloudflare edge network, clients transform website hosting from a publicly exposed model to a secure, modern architecture that protects the origin while simplifying operations and reducing infrastructure requirements. 

From VPN to Zero Trust Network Access 

Oreta replaced the client’s traditional VPN with Cloudflare Access — a core component of the Cloudflare One Zero Trust Network Access (ZTNA) framework. The security model shift is fundamental: rather than granting broad network access upon a single authentication event, ZTNA continuously validates both user identity and device posture for every individual application request.

BEFORE: Exposed gateway + broad access — Remote users connected through a publicly visible VPN gateway, receiving sweeping network access upon login — including systems well outside their role.

AFTER — CLOUDFLARE: No gateway, per-app verification — Each request is individually verified by Cloudflare Access and routed only to the specific application the user is permitted to reach. No exposed gateway. No opportunity for lateral movement.

This delivered immediate, tangible improvements: 

  • The publicly exposed VPN gateway was eliminated entirely.
  • Staff now access internal applications via a simple browser-based login, authenticated through the existing identity provider.
  • Access policies are enforced at the per-application level — users reach exactly what they need, and nothing beyond that.
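The per-application verification described above holds only if the origin itself refuses anything that did not pass through Cloudflare Access; otherwise a request that reaches the origin by some other path, or one carrying a made-up identity header, would be treated as authenticated. Cloudflare Access attaches a signed application token to each proxied request in the Cf-Access-Jwt-Assertion header (and the CF_Authorization cookie); the origin validates the RS256 signature against the team’s published keys, the issuer, the application’s AUD tag and the expiry. The Go program below is an added example, not Oreta’s or Cloudflare’s code. It mints tokens with a locally generated key that stands in for Cloudflare’s signing key (all key material, the team domain https://example-team.cloudflareaccess.com and the AUD tag are constructed for the example) and shows the origin check accepting a valid token while rejecting one issued for a different application and one signed by a key Cloudflare never issued.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Subset of the claims in a Cloudflare Access application token; field names follow the documented token, every value used below is constructed.
type accessClaims struct {
	Aud   []string `json:"aud"` // Access puts the application's AUD tag in an array
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
	Iss   string   `json:"iss"` // https://<team-name>.cloudflareaccess.com
}

var enc = base64.RawURLEncoding

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signToken mints an RS256 JWT as Cloudflare's signer would; it exists only so the example can produce tokens to verify offline.
func signToken(key *rsa.PrivateKey, c accessClaims) (string, error) {
	payload, _ := json.Marshal(c) // a struct of strings and integers cannot fail to marshal
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// verifyAccessJWT is the origin-side check. It fails closed: any defect means the request did not come through Access for this application and must be refused.
func verifyAccessJWT(token string, pub *rsa.PublicKey, issuer, audTag string, now time.Time) (*accessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdr, errH := enc.DecodeString(parts[0])
	body, errB := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var h struct{ Alg string }
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("algorithm is not RS256") // pin the alg; never let the token choose it
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify against the Access public key")
	}
	var c accessClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("wrong issuer or token expired")
	}
	for _, a := range c.Aud {
		if a == audTag { // the AUD tag is what ties a token to this particular application
			return &c, nil
		}
	}
	return nil, fmt.Errorf("aud does not name this application")
}

// demo mints one valid token and two that must be refused, and reports which ones the origin check accepts. Expected: only "valid" is true.
func demo() map[string]bool {
	key := must(rsa.GenerateKey(rand.Reader, 2048))         // stands in for Cloudflare's signing key
	attackerKey := must(rsa.GenerateKey(rand.Reader, 2048)) // a key Cloudflare never issued
	const issuer = "https://example-team.cloudflareaccess.com" // constructed team domain
	const audTag = "constructed-aud-tag-for-intranet-app"       // constructed AUD tag
	now := time.Now()
	good := accessClaims{Aud: []string{audTag}, Email: "alice@example.com", Exp: now.Add(time.Hour).Unix(), Iss: issuer}
	otherApp := good
	otherApp.Aud = []string{"aud-tag-of-some-other-app"} // genuine Access token, but for a different app
	tokens := map[string]string{
		"valid":     must(signToken(key, good)),
		"wrong_aud": must(signToken(key, otherApp)),
		"forged":    must(signToken(attackerKey, good)), // right claims, wrong signer
	}
	results := map[string]bool{}
	for name, tok := range tokens {
		_, err := verifyAccessJWT(tok, &key.PublicKey, issuer, audTag, now)
		results[name] = err == nil
	}
	return results
}

func main() { fmt.Println(demo()) } // map[forged:false valid:true wrong_aud:false]
```

Run it with go run. In a real handler the public key would be fetched from https://<team-name>.cloudflareaccess.com/cdn-cgi/access/certs and selected by the token’s kid header, the AUD tag copied from the Access application’s settings, and the token read from the Cf-Access-Jwt-Assertion header. The check complements, rather than replaces, publishing the origin only through Cloudflare Tunnel: the tunnel keeps the origin unreachable by any other path, and the token check ensures that what does arrive was authorised for this specific application.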

From On-Premises WAF to Cloudflare WAF 

Oreta migrated web application firewall responsibilities from on-premises hardware to Cloudflare’s edge-based WAF, intercepting and filtering malicious traffic before it ever reaches the client’s origin servers.

BEFORE: All traffic routed through local hardware — Both legitimate and malicious requests passed through the client’s self-managed, on-premises WAF appliance before reaching the origin server.

AFTER — CLOUDFLARE: Threats neutralised at the edge — Traffic is screened across Cloudflare’s global network first. SQL injection attempts, XSS payloads, and malicious bots are blocked upstream — only verified, clean traffic reaches the origin.

The impact was immediate: 

  • Automatic rule updates: Cloudflare continuously updates managed rule sets in response to emerging threats, removing the burden of manual tuning.
  • Reduced origin load: Attack traffic is absorbed at the edge, no longer consuming resources on the client’s own infrastructure.
  • Hardware decommissioned: The dedicated WAF appliance, along with its OS maintenance, patching cycles, and upkeep, was retired entirely.

General Security Hardening 

Beyond ZTNA and WAF, Oreta activated a suite of additional Cloudflare security capabilities including DDoS mitigation, bot management, and automated SSL/TLS encryption. These replaced a collection of previously siloed, manually managed tools with a unified, always-on protection layer at the edge.

Area, before, and after (Cloudflare):

  • Remote Access: Traditional VPN with exposed public gateway → Zero Trust Network Access via Cloudflare Access
  • Web App Protection: Self-managed, on-premises WAF appliance → Cloudflare WAF — managed and edge-based
  • Hosting & Testing: New static IP required from ISP per environment → No new IP needed; Cloudflare Tunnel handles all routing
  • Security Posture: Fragmented tools requiring independent upkeep → Unified, consistently managed protection at the edge


The combined migration — replacing the VPN with ZTNA, shifting to Cloudflare’s edge WAF, and removing the dependency on ISP-issued static IPs — has materially simplified the client’s infrastructure. Key outcomes include: 

  • Reduced attack surface: With no exposed VPN gateway, there is no longer a single network-level entry point through which an attacker could gain broad access to internal systems.
  • Lower operational overhead: Time previously spent on hardware maintenance, WAF rule management, and IP provisioning has been significantly reduced.
  • Faster delivery cycles: New websites and test environments can be stood up immediately, without waiting on ISP provisioning or network reconfiguration.
  • Stronger, unified security posture: DDoS protection, bot management, WAF, and SSL/TLS are now managed cohesively at the edge, replacing a fragmented set of disconnected tools.

For any organisation managing a legacy VPN, an on-premises WAF, and ISP-allocated IPs as separate concerns, consolidating onto Cloudflare represents a meaningful step forward in both security and operational efficiency. 

References 

1.  Zscaler. (2024). Zscaler ThreatLabz 2024 VPN Risk Report. Retrieved from https://www.zscaler.com/blogs/security-research/new-vpn-risk-report-56-enterprises-attacked-vpn-vulnerabilities

2.  Zscaler. (2025). Zscaler ThreatLabz 2025 VPN Risk Report. Retrieved from https://www.zscaler.com/blogs/security-research/threatlabz-2025-vpn-report-why-81-organizations-plan-adopt-zero-trust-2026

3.  Zscaler. (2025). ThreatLabz 2025 VPN Risk Report: Over Half of Organizations Say Security and Compliance Risks Make VPNs Obsol. Investor Relations press release. Retrieved from https://ir.zscaler.com/news-releases/news-release-details/zscaler-threatlabz-2025-vpn-risk-report-over-half-organizations

4.  Coalition. (2025). Cyber Threat Index 2025. Retrieved from https://securitybrief.news/story/cyber-threats-from-vpns-lead-ransomware-incidents-in-2025

5.  IBM. (2025). Cost of a Data Breach Report 2025. Retrieved from https://www.swif.ai/blog/zero-trust-statistics (summary of IBM 2025 findings)

6.  Cloudflare. (2025). DDoS Threat Report Q2 2025. Retrieved from https://www.securityweek.com/ddos-attacks-blocked-by-cloudflare-in-2025-already-surpass-2024-total/

7.  Cloudflare. (2025). Radar 2025 Year in Review. Retrieved from https://blog.cloudflare.com/radar-2025-year-in-review/

8.  AxelSpire / Infrastructure Intelligence. (2025). Cost-Benefit Analysis and TCO of WAF Deployment Models. Retrieved from https://axelspire.com/blog/cost-benefit-analysis-and-tco-of-waf-deployment-models/

9.  Grand View Research. (2024). Zero Trust Security Market Size, Share & Trends Analysis Report 2025–2030. Retrieved from https://www.grandviewresearch.com/industry-analysis/zero-trust-security-market-report

10.  Security.org. (2025). 2025 VPN Trends, Statistics, and Consumer Opinions. Retrieved from https://www.security.org/resources/vpn-consumer-report-annual/
