> The standard solution is to limit the webapp to be accessible on VPN, and limit VPN to be accessible on MDM controlled devices, and limit MDM to be accessible on company owned devices.
Didn't the "BeyondCorp" zero trust model pretty much kill that, or at least show there was a better way to restrict access to secure apps than a VPN?
BeyondCorp canonically includes device authentication! The way I’ve seen it implemented is a browser client certificate though, kept valid by MDM. No need for VPN.
Of course a certificate could be stolen/transplanted but you would need to compromise the laptop first, and that’s also true of VPN solutions unless the keys are in TPMs.
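The device-authentication step described above, as an added Go example that is not code from the thread or from any BeyondCorp product: a constructed device CA issues short-lived client certs, and checkDevice is the policy hook an access proxy would run on the presented cert, with the MDM inventory stubbed as a map (all names and serials are constructed).

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Constructed stand-in for the MDM inventory: device serial -> still managed?
var mdmManaged = map[string]bool{"DEVICE-0001": true, "DEVICE-0002": false}
// newCert issues a P-256 cert signed by parent (self-signed when parent is nil); used for both the device CA and device certs.
func newCert(cn string, isCA bool, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // root: signs itself and the device certs
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // device cert: usable only for TLS client authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// checkDevice: the client cert must chain to the device CA, be unexpired, and name a device MDM still manages. No VPN involved.
func checkDevice(leaf, deviceCA *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(deviceCA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if !mdmManaged[leaf.Subject.CommonName] {
		return fmt.Errorf("device %s not (or no longer) MDM-managed", leaf.Subject.CommonName)
	}
	return nil
}
func main() {
	ca, caKey := newCert("Corp Device CA", true, 24*time.Hour, nil, nil)
	dev, _ := newCert("DEVICE-0001", false, time.Hour, ca, caKey) // short-lived: the MDM agent keeps renewing it
	fmt.Println("fresh:", checkDevice(dev, ca, time.Now()))                  // accepted (nil error)
	fmt.Println("stale:", checkDevice(dev, ca, time.Now().Add(2*time.Hour))) // rejected: MDM stopped renewing
}
```

Revoking a device is then an MDM inventory change (or simply not renewing), not a VPN credential rotation.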
And yet security VCs are investing here again and yeah, no idea why This Time Is Different.
We do get VDI users for our tool in some high-end security sensitive places to work around weak clients (budget is not uniformly distributed across users), but that niche is a small market wrt VC.