Legacy encryption protocols were not designed for today’s dynamic, distributed cloud environments. Organizations that simply “lift and shift” these outdated models often leave critical blind spots—unprotected traffic flows and fragmented key control—that attackers can exploit to exfiltrate data or breach internal systems. 

The CISA Zero Trust Maturity Model 2.0 (ZTMM) empowers organizations to secure distributed, dynamic, and complex cloud environments through a series of core principles. One of those principles is Traffic Encryption: organizations should “ensure encryptions for all applicable internal and external traffic protocols.”

Unfortunately, the old encryption models that many organizations still use were designed for on-premises environments and fail to deliver the holistic, distributed, scalable security that cloud networks need.  

This blog will explore the three widely used legacy encryption models — MACsec, TLS/SSL, and site-to-site VPN — why they fail to protect cloud environments, and how you can achieve high-performance encryption that aligns with zero trust principles. 

What You’ll Learn:  

  • The gaps in MACsec encryption 

  • The silos of TLS/SSL encryption 

  • The static nature of Site-to-Site VPN 

  • How Aviatrix’s Cloud Native Security Fabric (CNSF) offers high-performance encryption that aligns with zero trust 

1. MACsec: Hop-by-Hop Encryption that Leaves Gaps

MACsec (Media Access Control Security) is a Layer 2 encryption protocol that secures traffic on a link-by-link basis within local networks. It was designed for traditional perimeter-based environments, providing encryption between trusted devices on the same physical or virtual LAN.  

While MACsec can effectively secure point-to-point links within environments you control, it decrypts and re-encrypts frames at each network hop, exposing traffic to risk at every intermediate device. In distributed cloud or hybrid environments where you don’t control the full path, this creates blind spots that attackers can exploit. 

CISA’s Zero Trust Maturity Model 2.0 calls for comprehensive, end-to-end encryption across all internal and external traffic paths. Because MACsec terminates at each hop and lacks centralized policy enforcement or visibility, it falls short of these expectations—especially in multicloud architectures where data traverses untrusted networks. 

2. TLS/SSL: Application-Layer Security that Creates Silos

TLS/SSL provides application-layer encryption, but it falls short of the Zero Trust standard for comprehensive, policy-based protection. It offers end-to-end encryption for specific application traffic, yet it operates in isolation: it secures individual applications rather than providing comprehensive protection across all traffic types. 

The CISA ZTMM 2.0 framework calls for encryption for “applicable internal and external traffic protocols,” including east-west and cloud-to-cloud communications. However, TLS requires encryption to be implemented separately for each application. This siloed approach can lead to inconsistent security policies, especially when some applications lack native TLS support or are misconfigured. 

Relying solely on TLS creates encryption blind spots and makes it difficult to enforce centralized, policy-driven encryption across hybrid and multicloud environments: key tenets of modern Zero Trust architectures. 

3. Site-to-Site VPN: Static Rather than Dynamic 

Site-to-site VPN technologies, another legacy encryption model, also fall short of aligning with zero trust principles. Traditional VPNs were designed for static network architectures, creating encrypted tunnels between fixed endpoints.  They do not adapt to dynamic, identity-based access patterns required in modern environments. 

These persistent tunnels contradict a key Zero Trust principle: access to individual enterprise resources should be granted on a per-session, per-identity basis. Once a VPN tunnel is established, it typically provides broad access for extended periods, exposing internal systems if credentials are compromised. 

Cloud-delivered IPsec VPN technologies typically rely on static configurations and long-lived credentials, falling short of the CISA ZTMM 2.0 framework’s Optimal maturity requirement for “dynamic policies based on automated/observed triggers” and proper key rotation practices.  

Key Management: Separate Systems Mean Inconsistent Policies

Key management presents another critical gap between current encryption technologies and zero trust requirements. CISA’s ZTMM 2.0 framework calls for organizations to automate the issuance and rotation of keys and certificates and to centralize key governance. However, most encryption models still rely on fragmented systems, separately managing MACsec keys, TLS certificates, and IPsec VPN credentials across environments. 

This fragmented approach makes it nearly impossible to enforce consistent encryption policies, audit access effectively, or achieve the “cryptographic agility” that ZTMM defines as a maturity goal. Without centralized oversight, key rotation becomes manual, enforcement is inconsistent, and compromised credentials may go undetected.  
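To make the key-management gap concrete, the following added example (written for this post, not Aviatrix's code or any product's API) shows what centralized key governance needs as its first step: pulling MACsec CAK, TLS certificate, and IPsec PSK records out of three separately managed exports into one schema so that a single rotation policy can be applied and audited. The export field names, the 90-day rotation limit, the 30-day certificate warning window, and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample exports from three separately managed key stores.
# The field names deliberately differ between systems to mimic the
# fragmented tooling described above; none of these are real products.
MACSEC_EXPORT = [
    {"cak_name": "sw-core-1/eth1", "installed": "2024-01-15"},
    {"cak_name": "sw-core-2/eth3", "installed": "2025-05-01"},
]
TLS_EXPORT = [
    {"cn": "api.internal.example", "not_after": "2025-06-30"},
    {"cn": "web.internal.example", "not_after": "2026-03-01"},
]
IPSEC_EXPORT = [
    {"tunnel": "dc1-to-aws", "psk_rotated": "2023-11-20"},
    {"tunnel": "dc1-to-azure", "psk_rotated": "2025-05-10"},
]

# One central policy applied to every key type (values are assumptions).
MAX_AGE_DAYS = {"macsec_cak": 90, "ipsec_psk": 90}
CERT_WARN_DAYS = 30


@dataclass(frozen=True)
class KeyRecord:
    system: str
    name: str
    kind: str
    issued: Optional[datetime]   # last installation/rotation, if the source tracks it
    expires: Optional[datetime]  # hard expiry, if the source tracks it


def _day(s: str) -> datetime:
    """Parse a YYYY-MM-DD string as midnight UTC."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def normalize(macsec, tls, ipsec) -> List[KeyRecord]:
    """Collapse three different export schemas into one record type."""
    records: List[KeyRecord] = []
    for r in macsec:
        records.append(KeyRecord("macsec", r["cak_name"], "macsec_cak", _day(r["installed"]), None))
    for r in tls:
        records.append(KeyRecord("tls", r["cn"], "tls_cert", None, _day(r["not_after"])))
    for r in ipsec:
        records.append(KeyRecord("ipsec", r["tunnel"], "ipsec_psk", _day(r["psk_rotated"]), None))
    return records


def audit(records: List[KeyRecord], now: datetime) -> List[Tuple[str, str, str]]:
    """Apply the central policy and return (system, name, issue) findings."""
    findings = []
    for rec in records:
        # Rotation-age check for key types the policy covers.
        if rec.kind in MAX_AGE_DAYS and rec.issued is not None:
            age = (now - rec.issued).days
            limit = MAX_AGE_DAYS[rec.kind]
            if age > limit:
                findings.append((rec.system, rec.name, f"rotation overdue: {age}d > {limit}d"))
        # Expiry check for certificates.
        if rec.kind == "tls_cert" and rec.expires is not None:
            remaining = (rec.expires - now).days
            if remaining < 0:
                findings.append((rec.system, rec.name, f"certificate expired {-remaining}d ago"))
            elif remaining <= CERT_WARN_DAYS:
                findings.append((rec.system, rec.name, f"certificate expires in {remaining}d"))
    return findings


def run_audit(now_iso: str = "2025-06-15") -> List[Tuple[str, str, str]]:
    """Normalize the sample exports and audit them as of the given date."""
    return audit(normalize(MACSEC_EXPORT, TLS_EXPORT, IPSEC_EXPORT), _day(now_iso))


if __name__ == "__main__":
    for system, name, issue in run_audit():
        print(f"[{system}] {name}: {issue}")
```

Run against the constructed data as of 2025-06-15, the audit flags one stale MACsec CAK, one IPsec PSK that has not been rotated in over a year, and one certificate inside its warning window. The point of the normalization step is that none of those three findings can be produced by any one of the source systems on its own; they require the records side by side under a single policy.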

Zero Trust’s optimal stage requires encryption to be governed with least privileged principles, automated lifecycle management, and enterprise-wide visibility—standards that traditional encryption methods cannot meet. 

Security Gaps in Cross-Environment Connections

The limitations of legacy encryption tools including MACsec, TLS/SSL, site-to-site VPNs, and fragmented key management become even more pronounced in multicloud and hybrid environments. As traffic increasingly flows between clouds, across VPCs, and from on-prem to cloud workloads, these technologies often fail to maintain consistent encryption and policy enforcement. 

MACsec terminates at each hop, TLS encrypts only specific application flows, and site-to-site VPNs rely on static tunnels that can’t adapt to dynamic workloads. Key management remains siloed across these methods, preventing centralized visibility and control. 

These inconsistencies violate the CISA Zero Trust Maturity Model 2.0’s guidance that organizations must encrypt all applicable internal and external traffic protocols, including east-west, cloud-to-cloud, and hybrid flows, using dynamic, policy-driven controls. 

Encryption Made for Cloud: Aviatrix’s Cloud Native Security Fabric

Aviatrix’s Cloud Native Security Fabric (CNSF) offers a made-for-cloud, dynamic, distributed, and comprehensive encryption solution for enterprises.  

CNSF equips organizations to meet zero trust standards by offering high-performance encryption of 10–100 Gbps without relying on specialized hardware appliances. 

CNSF vs. MACsec: Speed with Security

Aviatrix’s high-performance encryption (HPE) matches the line-rate speed of MACsec while providing a much stronger encryption solution. To provide both high performance and security, the Aviatrix controller creates multiple IPsec tunnels between two Aviatrix Gateways and aligns each tunnel to a unique CPU core on each machine. 

Cloud service providers’ native IPsec VPN solutions are typically limited to between 1.25 Gbps and 2 Gbps. With Aviatrix High Performance Encryption Mode tunneling, IPsec encryption can achieve 10 Gbps, 25 Gbps, or up to 100 Gbps. 
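The reason several parallel tunnels pinned to separate cores can exceed a single tunnel's throughput is that a single IPsec tunnel is usually bottlenecked on one core's cipher work, so aggregate capacity only grows if flows are spread across tunnels while each flow stays on one tunnel (otherwise packets reorder). The added example below, written for this post and not Aviatrix's implementation or any real product's logic, shows one hypothetical way to do that spreading: hash each 5-tuple to a tunnel index with a stable digest, then measure how evenly constructed sample flows land across eight tunnels. The tunnel count, the hashing scheme, and the sample traffic are assumptions.

```python
import hashlib
from collections import Counter
from typing import List, Sequence, Tuple

Flow = Tuple[str, str, int, int, int]  # src_ip, dst_ip, proto, sport, dport


def select_tunnel(flow: Flow, n_tunnels: int) -> int:
    """Map a 5-tuple to one of n_tunnels (hypothetical scheme, not Aviatrix's).

    A fixed digest from hashlib is used rather than Python's randomized hash(),
    so the mapping is identical across processes and restarts: every packet of
    a flow lands on the same tunnel, which keeps per-flow ordering intact.
    """
    if n_tunnels < 1:
        raise ValueError("need at least one tunnel")
    material = "|".join(str(part) for part in flow).encode()
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:8], "big") % n_tunnels


def distribute(flows: Sequence[Flow], n_tunnels: int) -> List[int]:
    """Count how many flows each tunnel (and therefore each core) would carry."""
    counts = Counter(select_tunnel(f, n_tunnels) for f in flows)
    return [counts.get(i, 0) for i in range(n_tunnels)]


def spread_ratio(counts: Sequence[int]) -> float:
    """Busiest tunnel's load relative to a perfectly even split (1.0 = perfect)."""
    mean = sum(counts) / len(counts)
    return max(counts) / mean if mean else 0.0


def sample_flows(n: int = 1000) -> List[Flow]:
    """Constructed synthetic flows: clients on 10.0.1.0/24 reaching five
    TCP/443 services on 10.0.2.0/24, each flow from a distinct source port."""
    return [
        ("10.0.1.%d" % (i % 250 + 1), "10.0.2.%d" % (i % 5 + 10), 6, 40000 + i, 443)
        for i in range(n)
    ]


if __name__ == "__main__":
    counts = distribute(sample_flows(), 8)
    print("flows per tunnel:", counts)
    print("spread ratio: %.2f" % spread_ratio(counts))
```

The caveat a practitioner should keep in mind is that per-flow affinity caps any single flow at one tunnel's (one core's) capacity: many parallel flows fill all eight tunnels, but one elephant flow does not, so the aggregate figures quoted above assume traffic with enough distinct flows to spread.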

CNSF vs. Application-Layer Security: Unified Policies and Enforcement

Unlike TLS/SSL, Aviatrix Cloud Native Security Fabric encrypts all types of traffic, unifying security policies instead of creating silos:  

  • East-west (lateral movement within environments)  

  • North-south (client to server)  

  • Cloud-to-cloud  

  • Hybrid connections 

CNSF vs. Site-to-Site VPN: Dynamic and Distributed Architecture

Aviatrix’s distributed and dynamic model means that its high-performance encryption can scale dynamically with cloud workloads while simplifying deployment, policy management, and visibility.  While Site-to-Site VPN tunnels remain static and give users far longer access than zero trust allows, Aviatrix’s fabric allows comprehensive access control and access on a per-session basis.  

CNSF vs. Fragmented Key Management

Aviatrix’s Cloud Native Security Fabric avoids the problems of fragmented key management by centralizing key lifecycle management as well as policy control and telemetry. Aviatrix delivers consistent encryption governance across all environments in which it is deployed. 

Final Thoughts

To reach CISA’s optimal stage for zero trust security, enterprises need to move beyond legacy encryption models that fragment, silo, and leave blind spots in their security posture. Explore solutions like Aviatrix’s Cloud Native Security Fabric to learn how to embed encryption, security, visibility, and simplicity into your cloud architecture itself.  


Benson George

Sr. Principal Product Marketing Manager

Benson brings deep experience across the security stack—from securing connected devices and embedded systems to quantifying and reducing cloud attack surfaces and enforcing encryption standards. He brings a threat-informed perspective to cloud architecture—helping enterprises defend against today’s advanced attack techniques and tomorrow’s unknown risks.
