I regularly encounter arguments where people justify relaxed security in a design with the reasoning that, well, the connection between the systems will be protected by a VPN (Virtual Private Network), so everything is fine.

Trying to dissuade someone such as a project manager or business end user from simply trusting a VPN is challenging; after all, private networks are safe, aren't they? So I have tried to identify a few resources that can simply and clearly explain why this approach alone is not good enough. Just pointing to the principle of 'security in depth' is a difficult sell. So hopefully the following will help: