We’ve basically removed our client VPN in favor of a zero-trust model and SaaS services replacing much of our on-prem infrastructure that required the client VPN for remote access. I understand the added security layer of encapsulating all traffic on off-network laptops via a VPN, but since all web traffic is already encrypted now, it feels like an unnecessary step.
Our HR department is implementing a new remote work policy and part of it states that if the user cannot connect to the VPN, they cannot work remotely. I told them to remove that bit, but then I thought I’d poll the community to see if I was crazy or not. Am I?
Edit: Thanks everyone. You’ve given some great feedback and confirmed I’m going in the right direction. Much appreciated.
Have them reword the statement to say “remote users must be able to connect to the VPN for required services”. That keeps it vague enough so you can use service or app specific VPN like with zscaler, instead of sending all traffic back to the office, which is just silly.
And at my last job, we had to work on leadership to allow split tunneling (instead of forcing all traffic) for video conferencing traffic, and at my new one we only require VPN for specific on-premise services.
There are so many ways to address remote work without a VPN, including (but not limited to) device trust and zero trust models with geographic/other risk analysis at the identity layer. VPNs used primarily as a security (as opposed to access) tool is looking at them the wrong way. You can and should require end-users to be on a VPN to access resources hosted on-premise.
On the other hand, there’s zero reason for one of your SEs or AEs to have to log in to a VPN to log onto SFDC or Dynamics when they’re making a sales call, and you’re actually introducing performative friction in the process when you do that. You’re also making your BCDR processes worse for two reasons: one, now you’ve got a bunch of people who are likely to leave VPNs connected at coffee shops or while their kids are around, so you’re introducing a greater likelihood, not lesser, of Bad Things Happening to your local network. Two, assuming you’ve got an AD/RADIUS dependency to log on to your VPN (as most do), now you’ve introduced a dependency to getting all work done. If you lose AD, now nobody, including a guy who just wants to update a quote in SFDC, can get anything done, and all of your SaaS services that don’t even touch AD are going to be inaccessible. This in turn is going to make things substantially harder for you.
Always secure things first at the user level (SSO, MFA, device trust, proper risk analysis before logon) when given the choice.
Sort of but indirectly. All computers have zScaler’s ZIA for cloud NGFW that they can’t disable. So while it doesn’t backhaul any internet traffic to us it does inspect 100% of their internet dealings.
If no one needs to get to anything on-prem, you’re probably better off using an endpoint agent of some kind to manage web traffic for corporate devices with Conditional Access than forcing people through the VPN.
Your HR department found some boilerplate, and part of their boilerplate isn’t applicable. Just change it to a requirement that the user be able to connect to relevant services.
In my shop (healthcare) we actually eliminated VPN entirely; too many horror stories at conferences of hospitals getting backdoored through some exec with a laptop on vacation. Any resources you need to access remotely are either available as a SaaS offering (gsuite and so on) or are presented via xenapp/xendesktop. Policy is that remote machines never store business or patient data. Patient data and business documents containing PHI must remain resident in systems within the hospital’s direct custody, and other operational documents are kept either on-premises or within gsuite.
We allow BYOD pretty generously for remote workers, and assume that any device we issue for remote work will be immediately stolen with all data on it. BYOD and remote work devices get their own network segment, which only allows internet access, nothing horizontal, and devices on the patient care and administrative networks never leave the building. Admin machines have their access to outside systems severely restricted.
The required programs are installed locally on our users’ laptops, i.e. access to the company network via VPN is only necessary for access to the file server. However, many users often copy the necessary data to their laptop at the company if they want to work with it in their home office, as the files are often relatively large. Access to the company’s own e-mail server also works without VPN access.
Encryption and remote resources on an internal network are reasons for a VPN, sure. You could also use one as another layer of authentication, only allowing login to company platforms from specific IPs.
We have an always on VPN (connect before sign in) with Meraki + AnyConnect, and then we use ZScaler. M365 conditional access restricts sign in to our ZScaler IPs. But we are in the financial industry and are required (in 2025) to use some kind of ZTNA/SASE solution.
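The “conditional access restricts sign-in to our ZScaler IPs” control described above can be expressed as an Entra ID named location plus a block policy. This is an added illustration, not the poster’s configuration: the CIDR range is a documentation placeholder, the named-location id is a placeholder, and the objects follow the Microsoft Graph conditionalAccess schema as I understand it.

```json
{
  "namedLocation": {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "displayName": "Zscaler egress (constructed example)",
    "isTrusted": true,
    "ipRanges": [
      {
        "@odata.type": "#microsoft.graph.iPv4CidrRange",
        "cidrAddress": "203.0.113.0/24"
      }
    ]
  },
  "policy": {
    "displayName": "Block sign-in from outside Zscaler egress",
    "state": "enabled",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": ["<break-glass-account-object-id-placeholder>"]
      },
      "applications": { "includeApplications": ["All"] },
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["<named-location-id-placeholder>"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
}
```

The exclusion of a break-glass account is the usual safeguard against locking every administrator out if the Zscaler egress range changes; stage the policy in report-only mode first and confirm in the sign-in logs that only off-egress attempts would be blocked.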
Sorry… I have a really hard time comprehending HR’s role in the big US corporate world…
Why the heck is HR responsible for implementing remote work strategies related to VPN or not?? It’s the IT department’s responsibility and therefore them, with maybe a SEC guy sprinkled on top, that should be writing the guidelines…
Yes. We have Fortigate firewalls with the various threat detection systems on subscription that we route all users through when they’re working from home or in remote office or visiting clients. This ensures that their traffic is secure within the confines of security protocols we have to abide by.
if the user cannot connect to the VPN, they cannot work remotely.
Seems like a pretty reasonable take to me. If the software works well then I don’t see why
Our HR department is implementing a new remote work policy
Places I’ve worked for seem to have HR focus more on the opposite… emphasis on using your own VPN/tunnel being a serious offence. People concealing location & working from odd places can be a bit of a shitstorm on taxes & labour laws etc.