Security team or Network team: who should “own” VPN?

Which team is responsible for VPN at your company?

As a security guy, my “ideal” situation is the security team provides governance and requirements, and the networking team implements it. I’d rather have the desktop guys own the AV, the networking guys the VPN and firewalls, etc., etc.; we just define what “right” looks like and consume the logs, alerts, etc.

The VPN shouldn’t be owned by one specific team. If you have server infrastructure (not on the FW) that runs the VPN, there should be a team responsible for the OS (patching, etc.), there should be a team responsible for the actual client configuration of the VPN and there should be a team responsible for the underlying network connections.

The client config should either be owned by security or owned by both security and the network team. The underlying network connections by the network team.

I find it helpful when asking questions like these to ask myself “if something on the VPN were to break, who is responsible for fixing it?” If an underlying network connection breaks, this is almost certainly a network team issue. Or if the VPN client subnet fills up, this is the network team’s responsibility. If a request comes in to allow more resources through the VPN, this should be reviewed and approved by security, then implemented by the network team.

Infrastructure should own it, Security should oversee, govern, and audit it. Anything directly enabling operations shouldn’t really belong with the security team imo. If security team disappears overnight, everything to keep the business running should still have an owner.

Depends on who has operational capability. The GRC model for security is the norm, but if security has ops capability and budget I don’t mind them owning individual ingress controls.

Basic tenet of security…

The person who runs it should not be the person who audits it.

I would assign the product owner as CISO office, preferably the CISO themselves. I would then assign the Network Dept boss as the IT Custodian. This way you can have the Security team define the baseline for the service and you now have some SMEs that will feel comfortable working with any IT Risk compliance stack that you want to implement.

Daily BAU can be handled by the Network team, and all major and significant changes should have CISO approval before going to CAB.

In a perfect world security team should be governance and security monitoring. Network should own the network pieces. Desktop/Server team, or whatever your org calls them, should own the server/client/desktop/software & hardware. Management handles people. They all should implement security policy, directives and procedures as directed/approved by Security after collaborating on needs/etc. Also, the CIO should be co-equal with the CEO and should have a strong background in security themselves. Security should be considered first whenever a decision is being made then adjusted based on needs/feasibility/costs/benefits. A security first mindset is absolutely essential in today’s world.

Every person in the IT department should be required to maintain a Sec+, at minimum, so that they actually understand why security is important. It’s stunning how many “IT Experts” know absolutely nothing about why various security procedures and policies are important.

Every employee in the company should have to go through a 1 hour bi-annual cyber/opsec training refresher to ensure they understand policy and procedure and why it’s important. That last part is vital… the weakest link, security wise, is human.

So… who owns the VPN?

Security determines specifications and requirements. Network handles network configurations… Server/Client takes care of the software configuration and installation. Security does the monitoring.

Network - switches and routers

Network security - firewall and vpn

InfoSec - policies and compliance

Application security - penetration testing and OWASP

Server team is responsible for any issues on the device. Security team can provide guidance on what policies should be enabled

Network Security.

I mean, we had a department for every possible aspect of security, so at times it was difficult to figure out who to page out for other reasons. But VPN going down was a no brainer: Network Security.

Network, Private, Virtual.

Here where I work, the security team has no idea about infrastructure and operational security, let alone application security. Maybe because they never get their hands on implementing, developing and/or operating such things. They’re even confused about SSL certificates and private keys. Very frustrating.

So, my unpopular opinion, and somewhat off topic, is that it should be an experienced infra/devops team who’s hierarchically moved into the security team. A pure GRC dude? Hell no.

According to the security engineer handbook, the network team should own it because the security team has a million other things to do.

It’s purely a network team function, but security would determine the privileges a VPN user would have.

Our team is a little different. Our Network Security team is a subset of the Network Services team. We implement and administer all border security/access devices and services, including VPN, IDS/IPS, and DNS block lists. Our cyber security team sets policy, performs audits, and aggregates data and logs to understand our security posture in the network, servers and clients, and users.

Obviously, the question of “who should” will always differ from the question “who does”, right? I mean, every org is different.

That said, I agree with a lot of the folks here. Responsibility is best divided.

  • Any team that’s operational/production - for example: server admins, network analysts/engineers, etc. - should be the hands-on team for the VPN server/VM/appliance/whatever.

  • Any team responsible for governance, risk management, “setting the rules”, etc. should be responsible for policies, but not hands-on, day-to-day administration.

So in summary: There should be a task split between the every-day care and feeding roles, and the governing roles.

Again, though, that’s the ideal. The real world will definitely mess with this. As one post here noted: Some security staffs are operational. In those cases it’s hardly irrational to have them manage the VPN. Also: Orgs differ in size, so one place may have multiple teams for these functions, and others will have a handful of staff who swap out hats depending on the task. They can separate roles on paper, maybe, but not in practice.

If I ran the zoo, I’d want an operational group - server administration group, network administration group, etc. - to take care of the “machine” itself, but a policy group to determine how it’s used. At the same time, I’d admit that not all groups can do this, so many will have to do what they think is best. The proper answer will be situationally dependent.

Who’s trained? Ideally the best qualified person should be running the hardware.
Sounds like there’s conflict management issues if the question is being brought up.

I was lucky to have a network team and a network security team. The security team was oversight to the network team, but they were generally separated.

We have a Network Security team that owns it 😋

In my organization VPN is governed by the Security team but owned/implemented by the network team.