by bob1029
2218 days ago
The modern solution for remote access is to move all of your business systems to the web, employ TLS 1.2+ with strong cipher suites, and enable MFA as appropriate. We already have 100% of our business systems for 1 project using web-based access. This makes ramping new employees and doling out restricted access so much easier.

If you give someone VPN access, you need to hire a full-time guy to manage that bucket of pain if you want granular per-user permissions at the network level. Web has no such problems. Everything is typically a completely independent security context in terms of network for any layer below HTTP. VPN means you have ~layer 3+ access by default to everything on that network.

There is an argument to be made for "XYZ doesn't have a web interface/API". But, I pose that this is a weak argument in 2020. Every cloud provider can be automated 100% via API calls. Every single thing you can do on the GitHub[Lab] web UI can be automated. Even if there isn't an explicit API, you can automate literally any legacy application with some mild scripting and duct tape. I've seen automation that samples a 3D application output in real time and checks pixel colors for eventing, so I know this can be done. Bonus points here because these are typically legacy static and never-changing systems, so you can code for it 1 time.

There aren't really any excuses in my shop for manual labor. Setting up a new public webapp that can 2FA your employees and provision cloud resources via the AWS JSON API is not hard. You can make it hard, but you can also make it very, very easy if you just focus on the value angle. Once you build one of these things, the next one takes 1/10th the time because you know how to do it. Maybe you just add a 2nd navigation option to your 1st one to manage that additional system...