zet

Death of enterprise VPNs

Our company is moving everything onto cloud services. I used to think that was insecure and a bad thing, but what is worse is building on the assumption that just because a computer is connected to a VPN it is safe to do things you shouldn’t otherwise. These days I believe it is better to build an expectation of zero trust, with users considering everything they do as if their computer were directly connected to the Internet, because it is. Switching a laptop between being on the VPN and off creates a margin for error that can really mess up corporate security. Users are already trained to disconnect from the VPN to do whatever they want that they can’t otherwise do. It’s better for the IT department to assume that users will bring insecure devices and put them on the network, and to build service offerings around that expectation. No IT department can ever fully lock down the laptops and computers allowed on its network so long as it provides any VPN, because smart people will work around it in the gray areas that aren’t fire-able offenses. I’ve seen this my whole life. IT security is, therefore, better when the people responsible for the security of the enterprise never trust a single person or device in the company, ever.

As a matter of convenience, the migration of all our Enterprise GitHub stuff onto the Internet-facing cloud service offering makes getting work done a lot easier. I don’t even need the VPN to do 99% of my work. We also get all the stuff our IT team didn’t have the resources to set up before, like GitHub Actions. At the end of the day people are lazy, and this is simply going to promote more adoption of this kind of cloud offering.

Financially, this is also going to mean that more and more remote employees will be able to “bring their own devices,” which is what most competent technologists want anyway. There doesn’t have to be an exception made for those special IT people who know how to install and manage their own network connections. There is no longer any fear that Linux users will thwart carefully crafted security-through-obfuscation strategies at the highest level; there are just people and their devices. The simpler users will easily be able to purchase any working computer and enable it. Viruses and phishing will always be a problem no matter what computer is involved. It’s best, therefore, to expect that every single device connected to any core cloud resource has been compromised. Every computer should be assumed to have a complex keylogger installed. Enterprise security should build tools that monitor traffic in ways that let them know if and when something bad is going to happen, and those working for such companies have to be okay with that snooping and loss of privacy if they want to work there. It’s just practical. Users concerned about such monitoring should install that software only on a computer or mobile phone dedicated to work usage.