I would love to hear more about how various companies handle this logistically. Like how they allow access to company data and resources. I'm assuming simply using VPNs is the standard? Where I work they make it so unbelievably painful and difficult to work remotely. You have to jump through a million hoops. It's a financial company, and generally "compliance" gets the blame for this. But I wonder how much of it is just plain paranoia. Do a lot of companies worry about things like leaking source code? Or client/customer data? Or do most companies put much more trust in their employees?
100% of it is pure paranoia. Working over a VPN or any other silliness really has no effect on an employee's ability to take your data. All they need is 30 seconds with a flash drive (or a screwdriver when nobody is looking to remove an HDD) and your data is gone. Something like source code is even easier, with only a few parts in the code that are really ever 'trade secret', and it can be photographed with a cellphone.
Rather work on making your employees loyal to the company by being loyal to them. A happy and well paid employee is not going to steal your data, ever. An unhappy and smart employee will steal your data regardless of any silly obstacles you try to put up.
VPNs are not "silliness", and they have nothing whatsoever to do with preventing employees from stealing data. They are to allow authorized people to securely access the network.
I work remotely for a company in healthcare, so we have some compliance issues as well. That said, I think increasingly server resources are moving out of physical offices, especially for smaller companies. My setup today isn't that different from a previous position where I was in the physical office: servers are still remote, internal resources behind VPN.
I do remember feeling a little squeamish about the idea of hosting our code on GitHub when we made the decision a few years ago, but now that seems silly. The benefits have definitely outweighed the drawbacks by a very large margin.
The employee trust question is interesting. If anything, I think I could argue that my access to resources is more easily controlled and audited when I'm remote. Everything requires a secure authenticated connection, as opposed to some of the office environments I've worked in where I suppose lots of assets could have walked off relatively easily.
My current and previous company were both hardware companies (though we had firmware and software teams to go with it). So we have to have lab environments to simulate various types of data for the hardware. For that, remote employees have to VPN into the network.
Interestingly enough, my company's Wi-Fi in their office is just a normal public internet connection (does not go onto the corporate network), so if you are on Wi-Fi, you still have to VPN in. It's their way of allowing visitors to get proper Wi-Fi access anywhere in the building (plus they trust VPN encryption more than Wi-Fi security).
As far as leaking data: anyone with a laptop can leak data. You should have good IT practices to prevent this type of thing. All laptops should have their hard disks encrypted and password protected. Now if the employee is being malicious, a local employee could steal data just as easily (see NSA and Snowden).
Good IT practices when you have a lot of computers on your network: (1) don't trust any device on your network, so you should have an IDS/IPS for tracking activity. (2) for VPN people, you want all traffic going through your network, so you can monitor the user's network traffic with your IDS/IPS. (3) try to log as much activity as you can in case you need to do post-mortem analysis once you've been hacked. (There is a lot more, but that's what you hire a good IT person/team for.)
If you are working for a startup of < 50 people, you probably won't be the target of hackers. But if you are a large company or have sensitive data, you are a target. Having sound IT practices is important for your company's data.
I'd agree, but to the organization (the NSA in this case), Snowden is using the NSA data in a way that the management of the NSA would consider to be malicious to them. It's a matter of perspective.
The company I work for has 33 employees, 16 of whom are developers. We have the choice to work remotely. We use GitHub for code, Google Docs/Drive for document storage, and email, IM or Google Hangouts for communication - haven't found a need for anything else. There is a small office in the company's "base city" where a handful of employees work full-time (by choice), but the rest are remote throughout the region. Most of us are within a 1 to 2 hour drive. We gather at our space once or twice a month to catch up, show off new ideas, and hang out over a few beers - it's not a mandate, just whoever can make it. I'd say there's a 95% participation rate. We've found it takes the right employee to handle this environment - someone with a lot of drive and accountability. Bad apples shake down pretty quickly. A new hire will drive (or fly) to the office and spend 2 - 3 days in town getting his machine set up, filling out paperwork, training, meeting the rest of the team, etc., then head back out and work from whenever and wherever he/she likes.
We have a policy that unless you declare you're "out of the office" (i.e., vacation), you should be generally available between the hours of 9-to-5, should someone need to contact you. In practice, though, to avoid being disturbed like that, we've found that we've all become excellent communicators and will set expectations appropriately for our co-workers. To date, not one of my co-workers has called me if I've been out during 9-to-5 because they needed me.
Many large companies will not trust their data to an outside company under any circumstances. They will put the SaaS solution on their intranet, only accessible locally or through a VPN. If the SaaS company isn't willing to do this, then they won't sell to these companies. This can be a valid choice for the SaaS company as long as they can find enough other customers to make them profitable.
I work for a VERY large financial company and we have space issues. In some areas people are required to work from home 1-2 days a week. Our legal department is very strict, so I don't think this would be happening if compliance was really an issue.