by LimaBearz
1486 days ago
You're absolutely right. It's an interesting solution to the problem, but I'm not sure what additional benefit this solution bought them that isn't covered by the standard paradigm of VPN w/ role-based access controls (at least for user access). They did, however, correctly identify the fact that Jenkins is pretty much the holy grail of targets for bad actors and hackers. Failing to identify this has caused more than its fair share of known hacks (not to Jenkins specifically, but to any build/automation system that has the required insane levels of access). A strict, locked-down VPN and, for external ingress access of automated actions, a restrictive proxy sitting on the edge significantly lower the attack surface. It's also operationally much cheaper to maintain.