Introducing Identity-First Networking

Alex Marshall • 

If there's anything we've learned since we founded Twingate, it's that companies jump through extraordinary hoops to grant, manage, and secure access to their networks. Whether it's whitelisting ever-changing IP addresses; maintaining complex subnet assignments and VLAN segments; or manually piecing together network events across hybrid networks, these heroic tasks all have something in common: making up for the shortcomings of TCP/IP.

Where open, trusted access made sense at the inception of computer networking almost 50 years ago, the exact opposite is true today. Trust can no longer be assumed based on being physically hardwired to a network, and devices may have multiple IP addresses and hop across many networks in a single day. New layers of authentication, anomaly detection, and monitoring are continually being added to every layer of the network stack, but these approaches do not address the foundational shortcomings.

Twingate turns this model on its head by rethinking these base assumptions around networking. Rather than attempting to filter every network session looking for anomalies or performing additional checks on every network connection that arrives at a destination, Twingate starts by asking a simple question: should a network request even be allowed to leave a device? And if so, whose identity should be attached to it?

Once you start to think about every connection on your network as requiring an identity that just happens to have a source IP address, it makes setting parameters and understanding network activity a lot easier. Because network connections are never allowed to enter your network without an identity attached to an explicit authorization, there is no longer any question of who a network connection belongs to and why it was authorized.

Our customers have been thrilled with the experience of throwing out their clunky VPN and replacing it with Twingate's new approach to managing network access, which we call Identity-First Networking. Today we're proud to announce the launch of this foundational approach with the following new product features and partnerships.

Major identity provider support & SCIM-based synchronization

Twingate is pushing the boundaries of security and usability in the world of Zero Trust. They have created a product that starts with identity at the center. OneLogin is proud to partner with Twingate to bring Identity-First Network security to the most demanding and innovative companies in the world.
— Chelsea Wadsworth, Director of Global Alliances, OneLogin

Modern organizations—with a myriad of applications used by a distributed workforce—depend on centralizing user identity to ease management and improve security. Given the benefits, user identity as a primitive has been applied across virtually every application that enterprises use today, but the network layer has been left behind.

Twingate enables the benefits of identity at the network transport level (any TCP or UDP connection), allowing our customers to unify both network and application access centrally. Now every resource on your network—including databases, servers, k8s clusters, etc.—that are typically very difficult (if not impossible!) to integrate with your identity provider natively can be managed in one place. If a user is not entitled to access a network destination, their traffic will never traverse your network.

User authentication is only part of the story. Equally important is ensuring that user lifecycle state and applicable group membership is synchronized promptly and accurately. Twingate supports SCIM for user and group synchronization, extending automatic onboarding and offboarding to every resource on your network. Twingate integrates with the major identity providers including Okta, OneLogin, Google Workspace, and Microsoft Azure AD.

Universal Two-Factor Authentication

Today we're launching native two-factor authentication to our Business and Enterprise customers, which will allow more fine-grained controls independent of your chosen identity provider and independent of the destination. We call this experience Universal 2FA because it can be applied to any type of resource with zero application changes.

One of the "wow" moments for our customers is using Twingate's Universal 2FA to apply discretionary security levels to resources according to their sensitivity. For example, admins can ensure that users with production network SSH access are subject to an additional 2FA challenge. The lack of application changes, and flexibility to work with any protocol or resource, means that security changes can be made immediately. The user experience is also seamless, operating in-line with the user's workflow thanks to Twingate's transport-level network routing.

Identity-indexed network flow logs and analytics

With every network connection authenticated against a central user identity and authorized by security policies defined in Twingate, for the first time ever, our customers now have an identity-first view of their private network flow. All private traffic is always directly associated with user identity, including the authorization rule that allowed the connection, network path information, data volume transferred, and port details.

Identity-indexed network analytics make it straightforward to not only determine who accessed internal resources, but to quickly identify usage patterns, trends, and spot anomalous behavior. For forensic investigations, gone are the days of piecing together time-stamped network logs and IP addresses from disparate systems to try to understand a sequence of events. Identity ties all access information together, regardless of location, device, operating system, or network.

Secure your internet traffic with DNSFilter

In 2020 we saw a huge increase in the number of online threats targeting companies who have transitioned to a remote work environment. Our partnership with Twingate allows these companies to, through the use of our products, have access to true end-to-end threat protection while connecting from anywhere on earth. We’re excited to partner with a Zero Trust solution like Twingate that provides an alternative to traditional VPNs.
— Ken Carnesi, CEO, DNSFilter

Twingate secures your private network traffic, but we also recognize the risk that public internet access introduces to company devices, particularly as the prevalence of ransomware and phishing attacks has surged in our work-from-anywhere reality. Working from home, without the protection of a corporate firewall, has left devices more vulnerable. DNS filtering is a critical component in protecting employees from these threats.

Since our inception we've made it an explicit product goal to ensure that we "play nice" with other network security products. Our belief is that a combination of specialized products, with the companies behind them focused on solving their problem space in depth, presents the best possible outcome for customers.

As we've gotten to know the team at DNSFilter, they couldn't embody this spirit of focus in depth more fully, and we're excited to partner with them to offer a complete solution to protect employees. With DNSFilter’s AI-powered content filtering solution and multi-platform roaming client, admins can now deploy DNSFilter and Twingate side by side to fully protect both private and public user traffic, no matter where they are and what device they’re on.

The most innovative companies are adopting Twingate

From our company Zoom call after rolling out Twingate:
"Already changed my entire life. Run, don't walk, to Twingate!"
— Neal Harris, Director of Security, Persona

Since we launched Twingate, we have been fortunate to partner with some of the most innovative, fastest-growing companies around the world. Most of our customers are facing similar challenges—juggling efforts to rapidly scale their teams while dealing with the realities and limitations of remote work using outdated technology.

Most notably, our customers have found tremendous value in moving away from their existing piecemeal network access solutions built on top of VPNs, which have become brittle and difficult to manage after years of accumulating tech debt. Fast-growing companies like Human Interest, Frame.io, and Persona have been able to simplify access for employees, contractors, and admins, while achieving a more robust security posture by transitioning to Twingate.

Twingate customers report that they often reduce deployment time by 80% and ongoing client setup and support load by 90% compared to their previous VPN, all while expanding their distributed workforces in a more secure way.

This is just the beginning

We have an ambitious 2021 product roadmap that will continue to build on the foundation that we've laid out above. We're proud of our focus on ease of use, which has allowed our customers to adopt our vision of Identity-First Networking with minimal effort.

Give Twingate a try for free today. We'd love to hear what you think.

"Without Twingate, building our own VPN solution would have taken months and would have been a nightmare to support, given our networks and users are located everywhere. With Twingate, we got set up immediately, and it works across our cloud and on-prem networks. It was like "Wow!""
Eddie Weyrick
Director of IT at MHC Software

Get set up in minutes

Try Twingate today and give your team access to private applications in minutes