Security 8 min read April 28, 2026

From VPN to Zero Trust: Why Traditional Perimeter Security No Longer Works

In 2025, over 107 million cyber threats were prevented in Uzbekistan — 15 times more than the previous year. Forecasts for 2026 predict over 200 million attacks (source: Ministry of Digital Technologies of the Republic of Uzbekistan). The growth rate of threats outpaces the speed of updating security controls in most organizations — especially those where access management is still built on classic VPN solutions. The core vulnerability isn't a lack of technology, but the access management architecture itself, which fails to keep up with emerging attack vectors.

The number of entry points into an average company's corporate network has multiplied in recent years: contractors with access to internal systems, branch employees, integrations with external services, and personal devices (BYOD). Yet, the primary tool for remote connectivity remains the same: the VPN.

Why Classic VPNs No Longer Protect You

A VPN solves exactly one problem: creating an encrypted tunnel between a device and a network. It does not verify who exactly is using the connection, it does not restrict what that person can do inside the network, and it does not record what they accessed.

When only one or two employees connected to the corporate network externally while on a business trip, this was sufficient. But today, dozens of contractors, branch workers, and external integrations operate through that same VPN. Servers are still located in local data centers, but the volume and variety of connection points have drastically changed. Meanwhile, the VPN still operates on the legacy principle: "connect once, get access to everything."

This creates three specific risks:

  • Lack of segmentation: A user with VPN access sees the entire network. If their credentials are compromised, a threat actor also sees the entire network, enabling lateral movement.
  • Lack of context: A VPN does not check device posture — whether the OS is patched or if endpoint protection agents are active. An unpatched personal laptop looks identical to a managed corporate workstation.
  • Lack of auditability: Who accessed what, when, and why? A VPN provides no answers. Yet this exact data — access logs with timestamps, user IDs, and IP addresses — is strictly required during regulatory audits.

There is a fourth, less frequently discussed problem: many companies still use outdated, unlicensed legacy access solutions — without current security patches, without vendor support, and without guarantees of compliance with modern standards. This is not just a technical vulnerability; it is a severe legal risk.

What Zero Trust Is and Why It's Not Just a Buzzword

Zero Trust is neither a product nor a technology. It is an architectural principle for building security systems in which access to any corporate resource (application, server, database) requires explicit verification for every connection. Neither the user, nor the device, nor the network segment is automatically trusted, even inside the corporate network. Every access request is evaluated: who is connecting, from what device, to which resource, and whether they are authorized.

In practice, this entails several core concepts:

  • Identity instead of perimeter: Access is determined not by where the connection originates, but by who is connecting and what they need to do.
  • Least privilege: Users have visibility and access only to the specific systems they need to perform their work, and nothing more.
  • Continuous verification: The system constantly evaluates context (device posture, location, behavior) and can instantly revoke access if anomalies are detected.
  • Full visibility: Every action is logged: who, where, when, and from what device.
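
The per-request evaluation described above, as an added example (not UzCloud's code or any product's API): a default-deny decision function that checks identity, device posture and entitlement on every request and logs each decision. User names, resource names, field names and the IP address are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed policy: each user maps to the only resources they may reach.
ENTITLEMENTS = {
    "contractor-17": {"billing-app"},
    "dba-03": {"billing-app", "billing-db"},
}
AUDIT_LOG = []  # every decision is recorded, allowed or denied


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    os_patched: bool
    edr_active: bool
    resource: str
    source_ip: str  # logged for audit, never used as a trust signal


def evaluate(req, now=None):
    """Default-deny check run on every request, not once per connection."""
    now = now or datetime.now(timezone.utc)
    if not req.mfa_passed:
        allowed, reason = False, "identity not verified"
    elif not (req.os_patched and req.edr_active):
        allowed, reason = False, "device posture failed"
    elif req.resource not in ENTITLEMENTS.get(req.user, set()):
        allowed, reason = False, "resource not entitled"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append({"ts": now.isoformat(), "user": req.user,
                      "ip": req.source_ip, "resource": req.resource,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    base = Request("contractor-17", True, True, True, "billing-app", "10.0.0.5")
    for r in (base,
              replace(base, resource="billing-db"),   # outside entitlements
              replace(base, edr_active=False),        # posture changed mid-session
              replace(base, user="unknown-user")):    # no entitlements at all
        print(r.user, r.resource, evaluate(r))
    print(len(AUDIT_LOG), "audit records")
```

Because the check runs per request, the same session that was allowed a moment ago is denied as soon as the endpoint agent stops reporting, and the denial is in the audit trail alongside the earlier allow.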

This is not just a theoretical concept. Google began transitioning to this model after a 2009 cyberattack (Operation Aurora), when attackers gained access to internal systems via targeted phishing. The result was the BeyondCorp architecture, which eliminates the traditional divide between "internal" and "external" networks: every request is verified equally, regardless of its origin.

What This Means for Uzbekistan

For the Uzbek market, transitioning to modern access management models is no longer a theoretical debate. The driver is regulatory requirements taking shape on three levels:

  • The Law on Cybersecurity (ZRU-764, April 15, 2022) defines fundamental principles, including priority for domestic developers in creating cybersecurity systems (Article 8) and the mandatory use of certified security controls.
  • The Resolution on Protection of Critical Information Infrastructure (CII) (PP-167, May 31, 2023) extends stringent requirements to telecom, energy, transport, and the public sector. All security controls at CII facilities must possess certificates of conformity, and cybersecurity personnel must undergo official certification every three years.
  • Sector-specific requirements from the Central Bank of Uzbekistan for the banking sector mandate centralized access management, Multi-Factor Authentication (MFA), comprehensive logging of all actions (date, ID, IP address), and Privileged Access Management (PAM).

All these requirements share a common thread: they demand what traditional VPNs fundamentally cannot provide — visibility, granular control, and a forensic evidence base.

For regulated industries, the issue of digital sovereignty is highly critical: where traffic is physically routed and where data is processed. Global Zero Trust platforms — Zscaler, Cloudflare — do not have Points of Presence (PoPs) in Uzbekistan and route traffic through foreign data centers. In the context of ZRU-764 (priority of domestic solutions), PP-167 (mandatory certification of CII security tools), and Central Bank Regulation No. 19/1 (hosting information assets within the bank's own data center), utilizing such platforms in regulated segments entails significant compliance risks.

Where to Start

Transitioning to Zero Trust does not require a full infrastructure replacement overnight. The practical path is a phased approach:

  • Step One: Audit the current posture. Determine how many users have access to corporate systems, through which channels, and with what level of control and logging. These audits vividly illustrate the scale of unprotected access points.
  • Step Two: Implement Single Sign-On (SSO) combined with Multi-Factor Authentication (MFA) for all critical systems.
  • Step Three: Phase out classic VPNs in favor of an architecture where every user sees only authorized resources (microsegmentation) and every session is recorded.

It is crucial to understand: migrating to Zero Trust does not inherently mean massive capital expenditure. Modern open-source solutions make it entirely possible to build a robust Zero Trust access management ecosystem — unified authentication, encrypted communication channels, endpoint telemetry, and privileged session management — with zero licensing fees. The actual challenge lies not in the cost of the software, but in having the engineering expertise for its proper integration and operation.

Conclusion

The surge in cyberattacks, tightening regulatory mandates, and constantly expanding attack surfaces are three factors making a paradigm shift in access management inevitable. Zero Trust is a direct answer to a specific problem: how to ensure visibility, control, and compliance when network perimeters can no longer be clearly defined. Servers reside in a data center, but they are constantly accessed by contractors, remote employees on personal devices, and external systems via APIs.

At UzCloud, we are building a sovereign Zero Trust platform tailored specifically for the Uzbek market. In future materials, we will dive deeper into specific architectural solutions and guide you on how to prepare your infrastructure for incoming regulatory requirements.