Cloudflare has transitioned from using traditional VPNs to a zero-trust architecture for remote work. They have migrated services one by one, focusing on high priority ones first and moving them to Access, their zero-trust access proxy. Some services that did not run over HTTP or other Access-supported protocols required the use of VPN, but support for SSH over Access has allowed them to replace the VPN as a protection layer for source control systems. They have also used Spectrum, their DDoS protection and performance product, to protect their VPN endpoints against DDoS and improve performance for VPN users. As of 2020, new employees no longer get a VPN account by default, indicating the company's progress towards completely adopting zero-trust architecture.