After responding to hundreds of ransomware cases, I feel that cloud services are far more reliable than you’re letting on.
Fundamentally, you have to ask what you’re trying to secure with a VPN and if the VPN matches your organization’s requirements in a cloud world. If you’re running Zoom/Teams meetings all the time, do you need to have a full tunnel VPN and does your bandwidth support that? Are you actually inspecting all that traffic being passed through the VPN, or are you just adding additional hoops for your users to jump through to get working? Do you really need to use a single IP address to access everything or would your users be better served with a cloud access broker implementing conditional access policies? Does your on premises proxy work for remote users or would a cloud proxy better fit a distributed workforce?
Depends on the use case and your cloud provider, but in AWS, Session Manager can be a pretty good replacement for a VPN. You can write IAM policies to limit who has access to what VM instead of a network connection.
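As an added illustration of the point above (example code, not from any commenter in the thread), here is what "IAM instead of a network connection" looks like for Session Manager: a policy that only lets a principal start a session on instances carrying a particular tag, plus a small local evaluator showing how explicit deny, matching allow and implicit deny interact. The team name, the tag key `Team` and the instance tags are constructed values; `ssm:resourceTag/<key>` and `SSM-SessionManagerRunShell` are real AWS identifiers, but the evaluator is a teaching simulation of a tiny subset of IAM, not the AWS policy engine.

```python
"""Added example (not from the thread): a tag-scoped IAM policy for
AWS Systems Manager Session Manager plus a tiny local evaluator.
Team name, tag key and instance tags below are constructed values."""
import json


def session_manager_policy(team: str) -> dict:
    """Build a least-privilege policy: a user may only start a session
    on instances tagged Team=<team>. ssm:resourceTag/<key> is a real SSM
    condition key; using a tag called 'Team' is an assumption."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # start sessions only on instances carrying the team tag
                "Sid": "StartSessionOnTeamInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"ssm:resourceTag/Team": team}},
            },
            {   # the default shell document must also be allowed
                "Sid": "UseDefaultShellDocument",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
            },
            {   # users may only end or resume their own sessions
                "Sid": "ManageOwnSessions",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def allows_start_session(policy: dict, instance_tags: dict) -> bool:
    """Minimal IAM-style evaluation of ssm:StartSession against one EC2
    instance: an explicit Deny wins, otherwise any matching Allow wins,
    otherwise the request is implicitly denied. Only StringEquals on
    ssm:resourceTag/* is understood; this is a teaching simulator."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "ssm:StartSession" not in actions:
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if not any(r.startswith("arn:aws:ec2:") and r.endswith(":instance/*")
                   for r in resources):
            continue  # statement is about documents or sessions, not instances
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # a statement with no tag condition matches every instance
        matched = all(
            instance_tags.get(key.split("/", 1)[1]) == value
            for key, value in cond.items()
            if key.startswith("ssm:resourceTag/")
        )
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    pol = session_manager_policy("platform")
    print(json.dumps(pol, indent=2))
    print(allows_start_session(pol, {"Team": "platform"}))  # True
    print(allows_start_session(pol, {"Team": "finance"}))   # False
```

The instance-level statement is the one doing the VPN's job here: an untagged or differently tagged instance is unreachable even though it sits in the same VPC, and adding an explicit Deny statement (for example on `Env=prod`) removes access regardless of the Allow.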
Some downsides obv, but the trend seems to be these techs like Teleport, HashiCorp Boundary, etc.
You should always have at least 1 (preferably 2) emergency accounts that have no access restrictions whatsoever (no MFA, Conditional Access, etc.). Obviously these accounts need to be secure themselves, e.g. no one person has access to the full password, or something like that. But having a secondary IP address is a good idea, you don’t want to have to use emergency accounts unless absolutely necessary.
How so? I have a set of machines that need to be publicly accessible so I open them to the internet. Or I lock them up to be only accessible through a VPN gateway. The individual machines need individual IAM in both scenarios. Machines that aren’t supposed to be public are neither open to the internet nor reachable through the gateway.
You're still using these encrypted channels. But there are some things that are not as secure that get deployed. So using a VPN is more secure. Being able to reduce/eliminate sniffing packets of any application and instead getting VPN packets is by far a better way to go than just using HTTPS or other services.
If locking the doors on your car is secure, then locking your car inside a garage with the doors locked on the car is more secure. Simple logic.
A VPN usually exposes an entire LAN segment, rather than just a single machine as is the case with something like RDP over HTTP.
How does having the VPN expose anything that wouldn’t be exposed with the alternative of not using one?
It's possible to run a VM in Azure as your ONLY DC, VPN it to the office and voila. Have a few customers that prefer this setup to an on-prem DC because they would rather pay the monthly Azure costs than fork out for a physical server.
Unlike Azure you can then still have full featured GPOs, roll out printers etc.
We call these “break glass” accounts. The passwords are randomly generated, ridiculously long and written on a piece of paper in a tamper envelope then locked in a fire safe.
It gets reset on a schedule or god forbid whenever it has to be used.
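An added example (not any commenter's code) for the break-glass handling described in the two comments above, generating a long random password and splitting it into XOR shares so that no single custodian holds the full secret, as the first comment suggested. Share count and password length are constructed choices; the shares are hex strings so they can be written out and sealed separately, and `rotate()` models the scheduled or post-use reset.

```python
"""Added example (not from the thread): generate a break-glass password
and split it into n-of-n XOR shares so no one person holds the whole
secret. Share count and password length are constructed choices."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 64) -> str:
    """Long, uniformly random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def split_secret(secret: str, custodians: int = 2) -> list:
    """n-of-n XOR split: every share but the last is fresh random bytes,
    the last is the secret XORed with all of them, so any subset smaller
    than the full set is statistically independent of the password.
    Returns one hex string per custodian (printable for an envelope)."""
    if custodians < 2:
        raise ValueError("need at least two custodians")
    data = secret.encode("utf-8")
    shares = [secrets.token_bytes(len(data)) for _ in range(custodians - 1)]
    last = bytes(data)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return [s.hex() for s in shares]


def combine_shares(shares: list) -> str:
    """Recover the password by XORing every share back together; all
    shares are required, a missing one yields random bytes, not a hint."""
    parts = [bytes.fromhex(s) for s in shares]
    if len({len(p) for p in parts}) != 1:
        raise ValueError("shares have mismatched lengths")
    out = bytes(len(parts[0]))
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out.decode("utf-8")


def rotate(custodians: int = 2) -> tuple:
    """Scheduled reset, or reset after any use: new password, new shares.
    Returns (password, shares); the password goes to the directory, the
    shares go to the custodians, and nothing is kept in between."""
    pw = generate_password()
    return pw, split_secret(pw, custodians)


if __name__ == "__main__":
    password, envelopes = rotate(custodians=2)
    for i, share in enumerate(envelopes, 1):
        print(f"envelope {i}: {share}")
    print(combine_shares(envelopes) == password)  # True
```

Two custodians each get one share; the directory account gets the combined value. Whoever reconstructs it for an incident has, by construction, involved every custodian, which is what makes the reset-after-use rule enforceable.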
No MFA?!?! No thanks. I can get behind alternative MFA that bypasses Conditional Access, like TOTP but only for those break glass accounts. No way I’d have an emergency backup account with no MFA.
Most orgs I’ve seen will make the whole LAN accessible through a VPN, so once you’ve logged into the VPN anything can be accessed. If the VPN credentials are compromised or the VPN has a vulnerability then an attacker has access to everything inside the network.
Being able to reduce/eliminate sniffing packets of any application and instead getting VPN packets is by far a better way to go than just using HTTPS or other services.
What useful info can one attain by sniffing your packets?