by starkruzr 897 days ago
counterpoint: those policies are not sustainable and can be easily defeated by someone simply setting up an endpoint somewhere not on any lists. if you have a security worry about devices being compromised by dint of their location, you need to control the location in some physical rather than logical way. if you have an HR worry about residency, I suspect those rules are going to slowly go the way of the dodo anyway.
2 comments

It doesn't matter if the policies COULD be easily defeated. If you live in a country of 5 million people, and say "only connections from smallstan are allowed into this sensitive infrastructure", you've probably wiped out 99% of automated attacks.

Security measures are judged by how much they cost to implement, and how effectively they reduce the threats you will actually face, and geolocation blocking has the amazing one-two punch of being cheap and effectual against real-world threats. Realistically, you're going to face a lot more automated hacking attempts than you are hackers actively trying to work around security safeguards your company has implemented. It also generates indicators of compromise, so even if this doesn't stop a hostile actor, it can reveal their presence.

Getting to 100% security is too expensive and it's also impossible.

These types of views/takes honestly are not productive. Security is never 100%. If location-based blocking defeats 98% of the low-hanging fruit threats, it is most likely worth it. You can then filter down your more costly countermeasures to the 2% of the remaining pie.

Similar reality exists regarding security through obscurity. Is it perfect? No; nothing is. But if the cost to even understand the system in play is very expensive, that alone is a deterrent to low-effort / drive-by attackers.