[maxsaltonstall]

Exactly. And because you can't be sure that the intervening network is safe, you need to encrypt all the traffic, even after checking authorization and authentication. That's the BeyondCorp mission at Google. [Disclaimer: I work for Google, and worked on these papers and blog post]