Corollary: Should users ever get access to the corporate LAN?
In this age of mobility, SaaS, and cloud, the trend is eventually all users will be coming in from outside of the enterprise. Does that mean we should be giving everyone access to the corporate LAN?
Whether via WiFi, VPN, or other means, giving outside users LAN access exposes every system on the network to potential attack. Apart from a select few admins, users don't need access to the LAN. They need access to applications.
Cloud-based perimeters or DMZs, whether built in-house or delivered as a service, can deliver internal applications with enterprise-grade security to select users on the Internet with out exposing the internal network to the Internet.
When your internal applications can be accessed as easily as a SaaS application, the only access any user needs is to Internet.