Is VPN for WFH employees required if we are just using all cloud services?

I see people using VPN with cloud services like Gmail, Google Drive, Salesforce, Basecamp. All these services operate on HTTPS. I don’t see VPN adding any value here. All the traffic is already encrypted. How can VPN help? Am I missing something?

Even if you are connected to an open WiFi and someone sniffs the traffic, the only thing they can see is the website you are browsing, not the contents, because everything is encrypted.

Depending on your policies, there might be configuration allowing access to certain resources only from specific IPs, so that may be the case.

We force users through VPN so we can utilize UTM features from the DC firewalls against their connections. It’s also easier to isolate cloud services from being reached by IP ranges/conditional access features if using MS365, etc.


There are some good solid answers already here, and there’s some kind of out there ones. Something I haven’t seen mentioned at all is that generally the PCs issued to users are domain joined and would get GPO and password sync via AD, which won’t be reachable without a VPN connection.

Yes, I know with Radius/Azure/SSO/etc, you can sync the password to AD and the other services out there, but the password locally on the PC/Laptop still requires the AD connection to sync.

Obviously it’s functional without that, and most companies don’t have GPOs that change very often (I don’t think?), but generally having it check in periodically is good practice.

An organisation may choose to lock down access to an online service (Cloud Storage for example) for a specific group of users.

An organisation may also have HTTPS decryption and a policy in place to monitor traffic during contracted work hours.

Just two examples from the top of my head.

All our AWS, GCP, and Azure environments are firewalled to only accept access via VPN. Very strict controls on resources that can have a public IP.

The main reason you still see corporate VPNs is most companies aren’t 100% in the cloud.

You can limit access to cloud resources to a specific IP range with VPNs. More secure.

It’s going to depend on your environment, and what layers you’re required to have for the type of information you’re dealing with. But don’t forget, even with MFA, 2FA, and Federated Access, you’re going to have employees who will try their hardest to introduce company data and “work” onto personal hardware, without enrolling it into the MDM. A VPN acts as another layer to keep the uninformed from doing that, and it acts as a compliance reminder to those who are going through the motions to use unapproved hardware. I’ve seen people who go to great lengths to write software to defeat the compliance checks on VPNs to load them onto personal machines, then publish it to GitHub. I’ve also seen those who refuse to use the corporate hardware because it is “too slow” when they have some $2,600+ machine that smokes my own personal laptop in power. Slow computer my ass :)

You should at least provide a VPN for those who are traveling, for those who are working on shared or otherwise sketchy networks (apartments, coffee shops, airports, cellular). Doesn’t matter if your transport is TLS1.2+ when the underlying network might be actively performing MITM against it. I can bet you that not all applications are using MITM-resistant protocols like QUIC, TLS1.3, etc. If your VPN acts as a barrier to the resources so you’re not having to trust all of the bastions and SSO to full Internet exposure (minus the typical country blocks…), even better. It’s a layer on the cake.

Your VPN doesn’t have to provide full domain access or what not, either. RBAC is a thing, and tied into a proper identity system, you can squeeze the access down to only what is needed. If the VPN is set up to provide full access to all the things, that’s not the right way to go about it.

But of course, I’m going to be wrong here.

I think VPN is mostly for using the internal services. Things that are hosted in house on a data center. Not sure why we would use a VPN for accessing Gmail…

A lot use a split VPN now. If all of our traffic went through VPN our servers would literally catch fire.

There’s public and private cloud; server information for private cloud tenants might be sensitive. Or you’re trying to wrap SAML SSO authentication that can be very easily decrypted to avoid leaking credentials. Or there might be compliance or cyber insurance auditors who’ve played the “because I say so” card.

But the absolute biggest reason I can think of is mixed content: you might be typing in one web address, but that web page is usually a whole colony of bits and pieces loaded in from elsewhere on the internet, and you would be amazed how much of that is still HTTP instead of HTTPS and has the potential to leak private data.

Using a public cloud service might be reasonably safe without a VPN, but it only takes one slip from someone linking the wrong thing to cause a very bad day for the company. Hence, we continue to take security into our own hands and enforce VPN usage.

Case in point: I had to report a legal vendor to our security team a few weeks back for having a plain HTTP email contact form where our users might ask for case support without knowing it’s unencrypted.
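The mixed-content and plain-HTTP-form points above can be checked statically. This is an added example, not code from anyone in the thread: it parses a page and reports every subresource or form action that resolves to a cleartext `http:` URL, using a constructed sample page and a hypothetical intranet URL. Dynamically injected scripts are not visible to a static parse, so treat a clean result as necessary, not sufficient.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch from, or submit to, a URL.
# Plain <a href> is navigation, not a subresource, so it is deliberately excluded.
URL_ATTRS = {
    "script": ["src"], "img": ["src"], "iframe": ["src"], "link": ["href"],
    "form": ["action"], "audio": ["src"], "video": ["src"], "source": ["src"],
    "embed": ["src"], "object": ["data"],
}


class InsecureRefFinder(HTMLParser):
    """Collect (tag, attribute, absolute_url) for every cleartext reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for attr in URL_ATTRS.get(tag, []):
            value = attr_map.get(attr)
            if not value:
                continue
            # Relative and protocol-relative ("//cdn...") URLs inherit the
            # page's scheme, so resolve before deciding whether they are http.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, attr, absolute))


def find_insecure_refs(page_url, html):
    parser = InsecureRefFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a hypothetical HTTPS intranet page with a mix of
# secure, protocol-relative, relative and cleartext references.
PAGE_URL = "https://intranet.example.com/portal/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
<script src="/static/local.js"></script>
</head><body>
<img src="http://tracker.example.org/pixel.gif">
<form action="http://support.example-vendor.test/contact" method="post">
<input name="case_details"></form>
<a href="http://example.com/">plain link (navigation, not a subresource)</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs(PAGE_URL, SAMPLE_HTML):
        print(f"cleartext {tag}[{attr}] -> {url}")
```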

In one of the most hilarious swings of the past 5 years, force-tunnel, always-on VPN is now almost exclusively used for information security controls.

You have to have full remote access to the entire domain. For security, of course.

There’s a lot of dinosaur style comments here. The old “put everything behind a big firewall” is slowly going extinct. Everything that matters these days is HTTPS with HSTS.

Cloud SaaS and PaaS means accessing services from anywhere in most cases, which means zero trust.
Zero trust means just that. You can’t be zero trust but also require your VPN IP address to access services.

Embrace the change.

That depends. Some services allow admins to restrict access to specific IPs. This is often to prevent someone from accessing confidential data on non-company devices.

If you want to make sure they are using a company device, you require a VPN link. Then they can’t use their grandma’s laptop which is full of malware and bullshit to access work resources.
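Several replies above (restricting the SaaS tenant to the VPN's egress IPs, conditional access, "then they can't use their grandma's laptop") describe the same control. As an added example that is not from the thread, here is the audit side of it: sign-in records are checked against the allowlisted VPN egress ranges and anything that got in from outside them is flagged. The CIDRs and the key=value log format are constructed; the ranges are RFC 5737/3849 documentation addresses, not a real deployment.

```python
import ipaddress
import re

# Constructed: egress ranges of the hypothetical corporate VPN concentrators
VPN_EGRESS_CIDRS = ["203.0.113.0/28", "2001:db8:10::/48"]

# Constructed sample sign-in records (not a real vendor's log format)
SAMPLE_SIGNINS = """\
2024-05-01T09:12:03Z user=alice app=CloudStorage ip=203.0.113.7 result=success
2024-05-01T09:13:44Z user=bob app=CloudStorage ip=198.51.100.23 result=success
2024-05-01T09:15:10Z user=carol app=Mail ip=2001:db8:10:2::15 result=success
2024-05-01T09:16:52Z user=dave app=CloudStorage ip=192.0.2.77 result=failure
2024-05-01T09:18:00Z user=erin app=Mail ip=not-an-ip result=success
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) app=(?P<app>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)"
)


def build_allowlist(cidrs):
    # strict=True rejects a CIDR with host bits set, a common allowlist typo
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def ip_allowed(ip_text, networks):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source address is treated as not allowed
    return any(addr in net for net in networks)


def flag_off_vpn_signins(log_text, cidrs, successful_only=True):
    """Return (user, app, ip) for sign-ins whose source is outside the VPN ranges.

    By default only successful sign-ins are reported, since those are the
    events that show the IP restriction was bypassed or misconfigured.
    """
    nets = build_allowlist(cidrs)
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        if successful_only and rec["result"] != "success":
            continue
        if not ip_allowed(rec["ip"], nets):
            flagged.append((rec["user"], rec["app"], rec["ip"]))
    return flagged


if __name__ == "__main__":
    for user, app, ip in flag_off_vpn_signins(SAMPLE_SIGNINS, VPN_EGRESS_CIDRS):
        print(f"off-VPN sign-in: {user} -> {app} from {ip}")
```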

You don’t have to, but it’s a good idea.

Not sure I’d say VPN though… Zscaler and Netskope have ‘better’ solutions than traditional VPNs.

But having a secure web gateway installed allows you to still see traffic and enforce DLP and other policies to protect company data.

It also helps prevent shadow IT. If you’re an Office 365 place, prevent uploads to Google Drive / Docs to help prevent data walking or departments just randomly creating accounts and working elsewhere.

I don’t see VPNs going away, there will still be internal stuff and site to site connections that will have to be maintained.

Depends if you are pushing Group Policy from your domain controller or Intune; if the latter, then probably not.