At Opal, we use Twingate to make sure employees can remotely access sensitive infrastructure securely.
Like Opal, Twingate believes in the concept of secure by default. In this post, we interview Twingate’s CEO, Tony Huie, and ask him about the future of zero trust and how he sees companies evolving to meet the needs of remote work.
At Twingate, we believe part of implementing a zero trust strategy means that employees and contractors should only have access to what they need, and nothing more. This least privilege access framework, however, is hard to implement overnight if you don’t have the right insights into which teams need access to which resources, and if your employee directory is in transition. This is why with Twingate, we’ve designed access control to be flexibly defined using your existing Identity Provider and directory (via Okta, OneLogin, Azure AD, JumpCloud, Keycloak, etc.) or through Twingate-native groups you can define as you have a better understanding of what each user needs. We’re also increasingly seeing more companies take advantage of automation through our API and partners like Opal so that real-time access changes across other platforms are easily replicated and mirrored within Twingate’s RBAC controls.
It’s never too early to adopt a zero trust strategy in my opinion, but organizations struggle to get going given the complexity and resources typically required to get a zero trust platform evaluated and deployed. This is why at Twingate we focus so heavily on ease of deployment and administration. Many customers get up and running in 15 minutes or less.
In terms of good signals that an org is ready to adopt a zero trust network access solution, there are a few common security imperatives we see zero trust addressing, and those are: 1) the need to define different access levels for different teams across and outside of the company; 2) the need to include device health and device telemetry to block access across unhealthy / at-risk devices; 3) the need to have consistent access policies across all corporate resources, regardless of where they are; and 4) the need to incorporate context (location, time, use case, etc.) within access policies. If your organization is struggling to answer questions around the four security needs above, it’s time to align on a zero trust strategy that can help you get there over time.
Most companies are not ready to move to a full zero trust model overnight, so we’ve seen IT, DevOps, and Security teams often maintain their existing VPN infrastructure and take a phased approach to zero trust. This is enabled by platforms like Twingate that can be progressively deployed on a department-by-department basis.
While many zero trust platforms force companies to overhaul everything overnight, the more flexible zero trust platforms will allow you to keep your VPN running. This allows you to start with a single use case or team to get users and administrators familiar with a new platform. One frequent use case we see companies start with for zero trust projects is access controls for third-party contractors. Contractor workflows typically do not require access to more than a few systems, so starting with this group can have immediate security benefits while requiring minimal changes to infrastructure.
Typically for network access, there is no central orchestration layer to deprovision all corporate resources with a click of a button. You will often have most SaaS apps covered with your Identity Provider, but also have many other resources that aren’t covered with your Identity Provider to make onboarding & offboarding easy. Resources such as cloud infrastructure, servers, databases, legacy apps, etc. are often managed separately. This means most admins have a long checklist of separate systems to work through to make sure access is provisioned & deprovisioned properly. This is manual and error-prone, and a big drain on IT teams.
With Twingate, we’ve built integrations with your existing tools (Identity Providers, EDRs, MDMs, etc.) to make this process easier. Our platform takes inputs from all these different systems to orchestrate access permission changes for onboarding & offboarding, but also contextual changes like device health. Our goal is to integrate with your existing environment so you get more value out of those investments and reduce the overhead of administering access controls. One of the great side benefits of a zero trust platform like Twingate is that you not only get a better security posture for your organization, but also improved productivity for your admins.
We’re always looking to increase the number of data points we reference as part of contesting every access attempt. One thing that is unique about Twingate is that we do all checks locally before a connection leaves a user’s device. By doing this we prevent man-in-the-middle attacks, and by increasing the number of checks done at the device, we can stay ahead of potential threats. We already do a check against the user’s identity and device, but we’re expanding to include more contextual checks while also introducing additional forms of authentication (biometrics, YubiKeys, etc.). While no solution is 100% foolproof, we strongly believe in the concept of “Defense in Depth” and are progressively adding more and more signals, telemetry, and integrations to mitigate against cyber attackers.
Context is a key pillar we thought about when developing our zero trust vision and roadmap. I think the hard part about context is that it’s dynamic and a moving target. The same user in a different location may need different privileges, or different checks might need to be administered to mitigate against nefarious access attempts. A security engineer accessing a sensitive prod resource in the US may only need to do an additional biometric check, but that same security engineer accessing that same resource in China may need additional measures of verification. In some cases this engineer may only need temporary access to this resource for a one-time project. The dynamic nature of context makes it hard to administer, but with the right platforms and technology, you can put in place additional safeguards based on context without being detrimental to user productivity.
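The four imperatives listed earlier (per-team access levels, device health, consistent policy, and context) and the location- and time-dependent scenario just described can be made concrete as a small policy evaluator. The following is an added illustration written for this post, not Twingate's or Opal's code: it models identity-provider groups, an MDM/EDR-style device posture, country-based step-up factors, and time-bounded grants for one-off projects. The resource name `prod-db`, the factor names, the user names, and the `DevicePosture` fields are all constructed for the example; where the evaluation runs (on the client before the connection leaves the device, as the interview describes, or on a controller) is a deployment choice the code does not model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class DevicePosture:
    """Device telemetry as an MDM/EDR integration might report it (constructed fields)."""
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool

    def healthy(self) -> bool:
        return self.disk_encrypted and self.edr_running and self.os_patched


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]      # group memberships supplied by the identity provider
    device: DevicePosture
    country: str                # coarse location context
    resource: str
    factors: FrozenSet[str]     # authentication factors already satisfied this session
    now: datetime


@dataclass
class ResourcePolicy:
    resource: str
    allowed_groups: FrozenSet[str]
    require_healthy_device: bool = True
    # Extra factors required per country; "*" is the fallback for any other country.
    step_up_by_country: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # Time-bounded grants for one-off projects: user -> expiry (UTC).
    temporary_grants: Dict[str, datetime] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(policy: ResourcePolicy, req: AccessRequest) -> Decision:
    """Every check must pass; the first failing check becomes the denial reason."""
    if req.resource != policy.resource:
        return Decision(False, "policy does not cover this resource")

    # Least privilege: membership in an allowed group, or an unexpired temporary grant.
    in_group = bool(req.groups & policy.allowed_groups)
    expiry = policy.temporary_grants.get(req.user)
    grant_valid = expiry is not None and req.now < expiry
    if not (in_group or grant_valid):
        return Decision(False, "user is not entitled to this resource")

    # Device health: an at-risk device is blocked regardless of who is using it.
    if policy.require_healthy_device and not req.device.healthy():
        return Decision(False, "device posture check failed")

    # Context: the same user may need stronger verification from a different location.
    required = policy.step_up_by_country.get(
        req.country, policy.step_up_by_country.get("*", frozenset())
    )
    missing = required - req.factors
    if missing:
        return Decision(False, "step-up required: " + ", ".join(sorted(missing)))

    return Decision(True, "allowed via group" if in_group else "allowed via temporary grant")


# Constructed sample policy: a hypothetical production database.
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
PROD_DB = ResourcePolicy(
    resource="prod-db",
    allowed_groups=frozenset({"security-eng"}),
    step_up_by_country={
        "US": frozenset({"biometric"}),                  # biometric only at home
        "*": frozenset({"biometric", "hardware-key"}),   # biometric plus hardware key elsewhere
    },
    temporary_grants={"contractor-1": NOW + timedelta(hours=4)},  # four-hour project window
)
HEALTHY = DevicePosture(disk_encrypted=True, edr_running=True, os_patched=True)
UNHEALTHY = DevicePosture(disk_encrypted=True, edr_running=False, os_patched=True)


def _request(user, groups, device, country, factors, now=NOW) -> AccessRequest:
    return AccessRequest(user, frozenset(groups), device, country, "prod-db", frozenset(factors), now)


def run_examples() -> Dict[str, Decision]:
    """Constructed scenarios mirroring the interview: US vs. China, bad device, temporary access."""
    eng, base = {"security-eng"}, {"password", "biometric"}
    return {
        "engineer_us": evaluate(PROD_DB, _request("alice", eng, HEALTHY, "US", base)),
        "engineer_cn_no_key": evaluate(PROD_DB, _request("alice", eng, HEALTHY, "CN", base)),
        "engineer_cn_with_key": evaluate(PROD_DB, _request("alice", eng, HEALTHY, "CN", base | {"hardware-key"})),
        "engineer_bad_device": evaluate(PROD_DB, _request("alice", eng, UNHEALTHY, "US", base)),
        "contractor_in_window": evaluate(PROD_DB, _request("contractor-1", set(), HEALTHY, "US", base)),
        "contractor_expired": evaluate(PROD_DB, _request("contractor-1", set(), HEALTHY, "US", base,
                                                         now=NOW + timedelta(hours=5))),
    }


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name:22s} allow={decision.allow!s:5s} {decision.reason}")
```

The ordering of checks is deliberate: entitlement is tested before device posture and step-up so that a denial reason never leaks which extra factors a resource demands to someone who is not entitled to it in the first place, and the temporary grant is compared against the request time rather than stored as a boolean, so expiry needs no separate cleanup job.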
What we’ve seen with a lot of forward-thinking companies is that by planning out their IT and security workflow around zero trust early on, they save a lot of manual time in the future. They choose a network access tool such as Twingate to save them from having to make constant changes to their network architecture. They use an IaC tool such as Pulumi or Terraform to automate the creation and management of their cloud environments. Platforms such as Opal are also key to our modern customer base, as they help them manage the delegation of access to resources and provide transparency on who has access to what.
By creating a smart scalable workflow early on, companies are saving themselves a lot of security and compliance headaches that would happen later on in a more manual setup.
Twingate is a zero trust network access platform that allows fast-growing companies to quickly and easily provide secure access to their company resources. Incorporating modern technologies like NAT traversal, QUIC, private proxies, and split tunneling, Twingate can replace a traditional or cloud VPN while improving user performance and overall security.