> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
It likely will be entirely contained, at least in theory. Because is your IT and OT isolated? They should be, but man could I tell you something about the energy and public sectors... Let's just say, that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation getting worse the more the org views IT purely as a cost center.
This is why we don't just rely on things like VPNs. Everything we have uses port security (mac-adresses) at a much more ganular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO level wanted it at one point since they can't be bothered to bring a work PC to their Holiday home.
It likely will be entirely contained, at least in theory. Because is your IT and OT isolated? They should be, but man could I tell you something about the energy and public sectors... Let's just say, that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation getting worse the more the org views IT purely as a cost center.
This is why we don't just rely on things like VPNs. Everything we have uses port security (mac-adresses) at a much more ganular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO level wanted it at one point since they can't be bothered to bring a work PC to their Holiday home.