Monday I made the difficult decision to send the team to work from home. Since everyone takes public transit, it would not be fair to leave it to individuals to decide; they might feel pressured. This makes me sad since we are all about Agile, which values live face-to-face discussions.
What was not a concern for me was remote access. We are 100% Zero-Trust. The network is not part of the trust model. You are no different on our corporate network than on a mobile network or airport WiFi. Each service authenticates the user directly, using 2-factor authentication. No L2TP, no PPTP, no IPsec, none of these. This means that we can scale just as easily on-site as off-site. The number of remote users does not matter.
Monday night I helped my wife set up her VPN access for remote work. It was, um, not modern. A different login experience. Web pages that ran on a local network and didn’t have domain names. A VPN that worked inside some browser tabs, but not all. Popup windows. It was device-specific, curated, complex to maintain. And one thing I know about security: complex to maintain implies insecure. It may look secure with all the facades, but underneath it, something is not set up properly. I was very sad. How could things be this bad?
I’ve talked earlier in Secure Exposed Access about how you could, with an increase in security and decrease in complexity, get rid of the VPN and expose individual applications to the Internet, in such a fashion that only authenticated users would see them. I think it's a better model. It gives you a lot of the value of SaaS, without the short-term transition issues. It gives you better segmentation and simpler deployment (on the client, on the network) than the VPN.
Be safe, work from home, be productive. When you come out of your shells, challenge the status quo. Next time can be better.