Edit: Sorry, I am talking about a startup that uses “the cloud” by which I mean AWS, GCP, etc. If you want to hide these servers from the general public, but allow your devs/admins to connect to these servers (e.g. your database server), would you use a VPN for this?
Let’s say you were hired as the first engineer/sysadmin at a (currently) tiny tech startup company.
Would you institute a VPN and require all employees to access internal company resources via the VPN?
I work in a large enterprise and we use the VPN with 2-factor auth. To me, it seems like a no-brainer to use VPN for internal company resources, as it will offload the load of hacking scripts that just spam every IP:port to the VPN; additionally if you did have any blatant security risks on a given IP:port you could defend against those scripts. I don’t think anyone uses HTTP anymore but in theory the VPN could give some encryption.
However I wonder if this may be overkill for a tiny startup. Even at my large company we have had VPN outages that prevent everyone who is WFH from being able to do any work. Of course this is rare. People (including me) complain that it takes a few minutes to authenticate over VPN due to the 2-factor.
What do you think?
Edit: Many people here are saying that I don’t need to worry about VPN if I’m doing everything in the Cloud.
But I would think that you don’t want all your servers publicly accessible, except for your webserver.
You could lock down connections to these servers except for the VPN.
Employees who need CLI access to these servers must do so over VPN.
Is there something wrong with that line of thought?
Let’s take SharePoint as an example. Why is it more important to put the on-premises SharePoint server behind a VPN when you don’t hesitate to use it without one when placed in the cloud?
In both cases it is IIS listening on HTTPS. Being in the cloud doesn’t make it more secure.
So keep the on-prem server up to date, with only 2FA, firewalled from your other services, etc. All the things that are done to keep the cloud server safe. Go ahead and skip the VPN.
But if you need more security than that, then don’t put it in the cloud. And keep it VPN only for remote connections. You get one more layer of security. But there is a usability trade-off.
I only allow my clients to have a single port opened through the firewalls, and that is for the VPN, in our case OpenVPN. I do believe in layered security policies, but I think this one item is the biggest one to have in place. We also do outbound DNS filtering with DNS filter as well to help with outbound threats.
You’re talking about offsite users? There’s no way I’d open things up for offsite users to come in without a VPN unless they all have static IPs and I can allow specifically those addresses.
You probably want most of your resources in the cloud anyway. So what’s left to VPN to?
Start them right. Microservices in the cloud, not servers in racks in datacentres.
Maybe a dev network offline if you need it, but just let them create their own tunnels by port forwarding over SSH. And firewall SSH to their home IPs (which they can manage themselves in the AWS console).
If you really think it is justified, put the dev stuff behind a VPN, but putting a whole load of admin effort into it when it’s just you is a waste of your time, and you’ll probably end up with something that could have an outage. There are higher-value items to fix.
Me and a colleague did one in AWS with OpenVPN but no HA. I don’t think we had more than a couple of hours of outage over 3 years or so. And that took a fair amount of faff to make it suitably resilient.
You can get an AWS VPN as a service now. Don’t need to even do anything but turn it on. It isn’t cheap though.
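The line of thought in the original question (lock every server down so only the web tier is public and admin access comes via the VPN) and the suggestion above (firewall SSH to individual developers' home IPs) both come down to what your cloud firewall rules actually allow. The following is an added example, not code from any poster, that audits security-group-style ingress rules for exactly that: it flags admin and database ports open to 0.0.0.0/0, accepts 80/443 on the public tier, and accepts admin ports only from a VPN range or a single pinned address. The group names, addresses, and the VPN CIDR `10.8.0.0/24` are constructed for the example; the data follows the `IpPermissions`/`IpRanges` shape of the EC2 describe-security-groups output so it can be pointed at real output with minimal change.

```python
import ipaddress

# Ports a public web tier legitimately exposes to the whole internet.
PUBLIC_OK_PORTS = {80, 443}
# Admin / datastore ports that should only be reachable from the VPN or a pinned admin IP.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
# Hypothetical VPN client range (assumption); replace with your own VPN/office CIDRs.
TRUSTED_CIDRS = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed sample in the shape of EC2 describe-security-groups output;
# none of these groups or addresses are real.
SAMPLE_GROUPS = [
    {
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.8.0.0/24"}]},
        ],
    },
    {
        "GroupName": "db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
        ],
    },
    {
        "GroupName": "legacy",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]


def rule_ports(perm):
    """Inclusive port range covered by one ingress permission ('-1' means all protocols and ports)."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def classify(lo, hi, net):
    """Verdict for one (port range, source network) pair."""
    touches_admin = any(lo <= p <= hi for p in ADMIN_PORTS)
    if net.prefixlen == 0:                          # 0.0.0.0/0 or ::/0: open to the internet
        if touches_admin:
            return "critical"                       # SSH/RDP/DB reachable by every scanner
        if all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
            return "ok-public"                      # the web tier itself
        return "warn"                               # world-open, non-web service
    if any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_CIDRS):
        return "ok-vpn"                             # source is inside the VPN range
    if net.num_addresses == 1:
        return "ok-pinned"                          # a single pinned address, e.g. a dev's home IP
    return "warn"                                   # broad range that is neither VPN nor pinned


def audit(groups):
    """Return (group, from_port, to_port, cidr, verdict) for every source range of every rule."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            lo, hi = rule_ports(perm)
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                net = ipaddress.ip_network(cidr, strict=False)
                findings.append((g["GroupName"], lo, hi, cidr, classify(lo, hi, net)))
    return findings


def critical_groups(groups):
    """Names of groups with at least one admin/datastore port open to the whole internet."""
    return sorted({f[0] for f in audit(groups) if f[4] == "critical"})


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print("%-8s %5d-%-5d %-18s %s" % f)
    print("critical:", critical_groups(SAMPLE_GROUPS))
```

On the sample data the `web` group passes (443 and 80 public, SSH only from the VPN range), the `db` group is flagged because PostgreSQL is open to the internet while its pinned-IP SSH rule is accepted, and `legacy` is flagged for allowing everything from everywhere. Whether you end up with a VPN or with per-developer pinned addresses, this is the check that tells you the "webserver only" intent actually holds.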
Well, what kind of company is it? Do they have data that is protected? (Example: HIPAA data.) If so, then it’s an automatic yes.
That’s a hard one to answer. I would sit down with whoever is in charge and ask them: if their data was compromised due to there being no VPN, would it hurt their business or their clients’ business? If the answer is yes, then I think that’s your answer as well. I have never had to set up a VPN from scratch, but there have got to be some basic VPNs out there that don’t cost a lot for smaller companies.
But, you have to ask “what are the requirements”? If offsite users need access to onsite resources, then you work through identifying the actual needs, and use those to identify potential solutions. It might be VPN or some other secure remote access option. Or it could be making those resources available in another way, for example move from an onsite share drive to onedrive/sharepoint.
It’s not hard, and it can be done on the cheap: pfSense etc., which you can pay for as organisations get bigger. Get a quality ex-lease PC (or two), set up as needed, job done. Not one of my small customers is without a firewall and/or VPN if they need access to in-house resources, but most have OneDrive/SharePoint/Teams with 2FA, biometric access to notebooks, and BitLocker.
Depends on what kind of problem it will cause when all your systems are crypto-locked. If you don’t want that, then don’t have infrastructure directly accessible from the internet.