Do you require a VPN for ALL remote work?

Yup, always-on VPN, and to turn it off you have to type why, which is logged and put in your password. Logs are reviewed once a week. It's honestly not that many.

Same thing we do. Any systems that deal with critical or private data require on-prem access, and thus necessitate VPN. Everybody gets the VPN client and we keep it updated, but we only put you in the access group if necessary.

Yep. If they can do their job with only SaaS then don’t worry about a VPN

This is the way. It's an HR policy, so they will only want to use it when an employee is being difficult and they have something to point to.

We don’t have this yet, but want to. Still working through all client requirements so that we have the same security applied, but decentral.

Thanks. We no longer have any on-prem resources so this was simply a check on using the VPN to create a layer between the device and their unencrypted network. You actually made a fantastic point that while there has historically been some general guidance to “use a VPN at a coffee shop” to protect the machine, it does actually lessen on-prem security. Not a great trade. Your final recommendation, “SSO, MFA, device trust, proper risk analysis before logon” is exactly the route I have taken the environment. I appreciate the reassurance.

“Performative friction” Giggity.

The policy is not a technical policy. They were more focused on “my internet is down so I can’t work today” excuses and wrote something about not being able to connect to the VPN means you have to come to the office, not realizing that the VPN is not even used anymore (they don’t work remotely).

It’s HR’s responsibility to centrally manage current employment policy. The vast majority of the remote work policy is not technical in nature at all, and I was given opportunity to write whatever I wanted before implementation. Because of this, the thing they added without input was removed. You are correct that they should have asked me first, but our review process worked.

You see how often VPN appliances are breached? The minute everyone is zero trust, you should be turning off that attack surface.