The difference, hopefully, is that a private Jenkins installation is behind a corporate network. So for attackers to reach it, either they need to breach the network first or it's an internal employee.
Personally I'm a big proponent of both cloud services and privately managed services. CI is one of those I think is better kept private due to its sensitivity.
> So for attackers to reach it, either they need to breach the network first or it’s an internal employee
So for instance an employee getting their laptop infected with malware, or through phishing, or through one of the many vulnerabilities discovered regularly on enterprise VPN software?
There is a reason that many organisations are doing away with VPNs and "corporate networks" altogether - it gives a false sense of security that stuff behind it is protected by the VPN and leads to poor security practices inside, like obsolete Jenkins installs.
Disclaimer: I work at a company that sells Zero Trust as a concept and associated software, but I've had this opinion since before joining (I've seen enough of 'there's a VPN and then lots of apps/services/servers with very poor auth practices because it's behind the VPN, why bother?')
As someone from the security domain you should know there is not one single tool/service that will solve all your security challenges. I did not claim VPN will.
Your example of an employee laptop getting infected with malware should be remediated by proper device management, which should include policies like forced updates, preventing software installs, using a corporate firewall, up-to-date antivirus, etc.
Since you mentioned you work for a company that sells zero trust, your response sounds like your solution would replace VPN. Don't get me wrong, but it feels like you are wearing the sales hat now.
Yes, old-fashioned VPN appliances will probably cease to exist, replaced by modern equivalents like tailscale. Layered security is the answer.
But if you look at the recent hacks of auto companies, it was all driven by bad web apps, badly implemented SSO, bad REST APIs etc and they could get control of the cars because it was all public on the internet. A properly implemented VPN would have killed their ability to do those hacks dead. A VPN concentrates an encryption and auth system in one place, which is hopefully somewhat competent. The zero trust concept assumes every app is a web app, and every web app is secure enough to be exposed to anyone. Big assumptions to make.
I've never seen a Jenkins instance that did not need to be open to the public internet in order to support GitHub webhooks. Granted they were using IP based restrictions but it's still not behind a corporate network by any stretch in that setup.
Though I believe the almighty cloud is overrated, not all cloud providers are equal. As much as I dislike Google, they would not have messed up this badly. Ditto Microsoft with GitHub.
I’ve seen internal hosted Jenkins servers give up the ghost more times than I care to mention.