Does one still need a VPN in a "cloud only" environment?

I mean “cloud only” in the sense that there isn’t a need to reach a physical on-prem server that sits behind a firewall. Small business here with all cloud based solutions in mind, ie Office 365, Zoom Phones, etc.

For those of you in similar cloud only environments - what do you do?

No, you don’t need a VPN. Unless you have workers traveling or remote workers in countries where some services are blocked or can be monitored. In that case a VPN is needed, but it does not have to be on-prem but something like ProtonVPN.

But if you want to be more secure, you can do something like IP filtering for cloud services (for everything or just for admin stuff) and allow only company IPs, in which case an on-prem VPN is needed.

We have a couple of clients who are pure SaaS but their employees travel a lot, so we set up a software-based VPN for them with Perimeter81.

Cloud does not negate the need for security. It’s not magic.

If you needed VPN security when everything was on-premise, you need it for cloud as well. Only you can answer if that level of security was needed to begin with.

Cloud systems MAY be patched quicker and have a higher perimeter security setup than SOME on-premise solutions, but that’s on a network by network basis. Lots of times the security breaches aren’t admitted to until long after the fact for Cloud. Additionally, Cloud systems are generally a MUCH more prevalent target due to exposure, meaning VPN can often be even MORE of a need with Cloud systems. Plenty of on-premise solutions can have much more robust security than Cloud alternatives, and are even affordable now.

If you don’t want to use a VPN, be prepared for some Cloud services to get disabled or restricted from time to time when the SaaS service is targeted or a zero-day is out.

Putting everything behind a VPN, no matter if Cloud or on-premise, often adds a layer of security that not only protects your data, but often prevents downtime from forced restrictions/disabling of services while an exploit is fixed, or from you having to spend nights and weekends running manual scripts to mitigate exploits that no patch is ready for yet.

If you have cloud based VM’s, I’d argue you still need a VPN for maintenance and other tasks.

If everything is SaaS, most likely not, unless you want to reach infrastructure in your offices. Switches, printers, a NAS… Things like that.

My old side gig was supporting a few small businesses with up to 12 PCs. After we moved everyone to SaaS services we couldn’t find any good reason to keep the VPN, so we shut it down and it hasn’t been an issue.

Depends on what you need for device and network connectivity and protection.

A full tunnel SSL VPN for all users is probably overkill.

You may get by with MFA and conditional access policies limiting access to your M365 tenant.

Other solutions like Zscaler, Cloudflare, Azure app proxy, and/or Tailscale can be utilized to connect users to on-prem resources if needed, depending on use case. Some of those can help with network filtering and logging too, but maybe you won’t need that.

A traditional VPN is probably not needed though for most users.

Small business here with all cloud based solutions in mind, ie Office 365, Zoom Phones, etc.

I think it’s a classic cargo cult to be fully functional in that sort of environment, and then say “we need a VPN because someone said you need a VPN”.

Realistically, it actually increases your attack surface to add connectivity to things you weren’t connected to previously.

That depends on what you do and how secure you want to be.

If you manage truck drivers. Maybe not a big deal.

If you handle medical information. Probably a big deal.

If you want the deepest layer of security that you can get, then a VPN is good. If you don’t think it’s going to be a big deal, drop it.

As a perspective on any one of these cases: communication with the cloud resources is not all encrypted. There is still plaintext. Not to mention if you deploy a solution that you can’t control the security of, something with a webpage likely. Then there is the other issue: if the workers always work on VPN and are using company laptops/desktops, then you can control the content they use. So a VPN doesn’t seem like a bad idea.

If you are running e.g. a DC on an Azure VM, yes you do.

Restricting access to known MAC and IP is normal.

Someone mentioned contractors, various support/auditors would also fall under that category.

Remote workers can be an issue.

I’ve facepalmed speaking to dudes that would use their personal gear with cracked software. Those are usually Russian speakers.

So the question isn’t whether to use a VPN, it’s what environment you’re in and how much risk is acceptable.

The classics like publicly pastebinning credentials were a thing that made YubiKeys popular.

There are still valid reasons to have all endpoint traffic going through a cloud VPN gateway. You can monitor, filter, block traffic company-wide at one place, no matter who connects with what device.

For SaaS you should only do the web part of a traditional VPN. So secure web access/web firewall, not private access.

Also a CASB and CABB Proxy (new tech that integrates) is good to look into.

Here is an example. I do not use Zscaler myself:

The only likely use case would be so that IT could access a local network on a basic level. There are plenty of alternative options for that, as well. That being said, you’ll have to gauge the likelihood of needing to access the network without internal assistance. That is, without someone to remote to and interact with.

Yes, just limited mostly to IT in my environment.

No VPN. Azure Virtual desktop for the few internal resources we have.

What about protecting the cloud apps with SAML auth and using conditional access via trusted IPs only? This is where a VPN or SASE solution makes sense even in a “cloud only” environment.

Yes, sadly. Our CISO and VP of Compliance don’t believe SSL is good enough for accessing our EHR so now we’re spending > $100k annually on a VPN solution to put everyone on a common network.

Doesn’t matter whether or not users need the VPN or if they even have access to the systems the VPN is designed to protect - everyone gets it.

allow only company IPs

Remember to have at least one alternative IP address, or range, for when someone puts a backhoe through your fibre.
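The "allow only company IPs" plus conditional access approach discussed above (and the backup-range caveat), as an added illustration that is not code from any poster in this thread. It is a simplified Python model of how a named-location policy evaluates sign-ins, not the real M365/Entra API; the CIDR ranges, app names and sign-ins are constructed from documentation address blocks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed named locations (documentation ranges, not real company IPs):
# a primary office egress plus an alternative range, so one cut fibre
# does not lock everyone out of the tenant.
TRUSTED_LOCATIONS = {
    "office-primary": ["203.0.113.0/24"],
    "office-backup": ["198.51.100.0/24"],
}
# Constructed list of admin-only applications.
ADMIN_APPS = {"Azure Portal", "Exchange Admin"}


@dataclass
class SignIn:
    user: str
    app: str
    source_ip: str
    mfa_passed: bool


def in_trusted_location(ip: str) -> bool:
    """True if the source IP falls inside any trusted named location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidrs in TRUSTED_LOCATIONS.values() for cidr in cidrs)


def evaluate(s: SignIn) -> str:
    """Return 'allow', 'require_mfa' or 'block' for one sign-in.

    Policy modelled on the thread's suggestions:
      - admin apps: reachable only from trusted IPs (e.g. VPN egress),
        and MFA is still required there;
      - everything else: MFA required unless the IP is trusted.
    """
    trusted = in_trusted_location(s.source_ip)
    if s.app in ADMIN_APPS:
        if not trusted:
            return "block"
        return "allow" if s.mfa_passed else "require_mfa"
    if not trusted and not s.mfa_passed:
        return "require_mfa"
    return "allow"


def has_alternative_location() -> bool:
    """Sanity check for the backhoe case: at least two distinct ranges."""
    ranges = {c for cidrs in TRUSTED_LOCATIONS.values() for c in cidrs}
    return len(ranges) >= 2
```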

Known IP and MAC for KMS admin is usual.
Parameter Store as well.

MFA Delete with no assigned YubiKey for certain tiers of volumes is SOP.