Today we are proud to announce the launch of Twingate, a modern remote access solution designed to markedly improve your security posture without introducing compromise and headaches around deployment and ease of use. If you are a developer, work in DevOps, or are a network administrator, Twingate has been designed with your needs in mind.
We first decided to build Twingate when we were doing customer research almost 18 months ago. It was abundantly clear that remote access was broken. VPN—a technology that is almost 30 years old—has remained a de facto standard for remote access despite serving user needs poorly, introducing additional complexity into infrastructure decisions, and being the weakness behind multi-million dollar security breaches. Given these serious flaws, and our own negative experiences using VPN as employees, we were baffled as to why a new product had not emerged to replace it. We moved on from Windows 95 long ago, so why hasn’t remote access caught up?
Underestimating the threat of an outdated model
After speaking to nearly fifty IT, security, and networking professionals at companies of widely varying sizes across multiple industries, a few trends became apparent, repeated in almost every conversation. The most surprising of these is that most people we spoke to are aware that a more secure approach to remote access exists, but they think that it’s far too complex and costly to implement. Summarizing our customer conversations, these are the main trends that drove the approach we took with Twingate:
- The traditional “castle and moat” approach to network security persists, despite monumental changes to how we work over the past 20 years.
- The security risks inherent to lateral movement and attack “blast radius” are significantly underestimated and broadly unmitigated
- Most people are aware that a much more secure approach exists, with Google’s BeyondCorp proprietary implementation cited frequently
- However, the level of complexity involved in implementing an equivalent solution is perceived to be insurmountable
Reflecting on the above trends, the diagram below likely illustrates a network architecture very close to what you regularly access, administer, or both. Access involves some brittle combination of static IP whitelisting, subnet mapping for remote users, a vulnerable gateway on the public internet, firewall rule management, and routing rule management. That level of management overhead doesn’t even start to account for how vulnerable this general network architecture is to lateral movement and the resulting potential for serious business losses and impact.
The reason that this architecture persists is grounded in a gradual creep outwards from an outdated perimeter-based approach to securing networks. However, with the dislocation of user devices, users, and applications alike, an entirely new approach is clearly needed to secure access.
Restoring the balance between security and ease of use
“We’ve been in a beta of this for the past few weeks and I have been very impressed. It lives up to all of the promises.”
– Steve Pulec, CTO at YipitData
When designing Twingate, we knew that we would need to take a “no compromises” approach to security, but the challenge was ensuring that the product would still be both easy to use and—critically—easy to adopt for end users and administrators alike. We’re exceptionally proud of what we’ve built, and like the customer quoted above, we think you’ll find it surprisingly easy to both virtually eliminate your network’s attack surface and improve users’ experience at the same time.
Twingate’s design and development are driven by the following core principles:
- Undeniably more secure. Twingate uses standards-based cryptographic techniques to encrypt and authorize network traffic, but we take a unique approach to the level of decentralized agreement that must exist to authorize network connections. (In fact, the name Twingate is derived from the multiple cryptographic checks that every network connection must pass.)
- Simple to deploy. Over and over again, we’ve seen business products fail because they don’t take into account the importance of minimizing the pain surrounding change management. Whether it’s integrating with an existing identity provider, deploying infrastructure with a one-line Docker command, or enabling self-service deployment for end users, we’ve focused on making Twingate easy to use.
- Designed for how we actually work today. Users access applications hosted in multiple environments from multiple devices, in multiple locations, and from multiple networks. These scenarios are not future trends authored by an industry analyst; this is the reality of working in 2020. Add to that the greatly expanded range and sophistication of cybersecurity threats, and it’s clear that the old perimeter-based model is no longer adequate.
Twingate’s deployment model is incredibly simple:
Deploy a connector behind the firewall on any network that you need to provide remote access to.
Define any number of destination resources. Only these specific destinations will be accessible, and nothing more, resulting in a least-privileged access model by default.
Have users self-install the Twingate client app and authenticate using their existing credentials.
That’s it. Users continue to access resources using their existing addresses, using any application as they did before. No changes to the underlying applications or resources are required to allow Twingate to authorize access. Networks can also be completely segregated, minimizing the complexity of any routing or firewall rules. The right approach to network security can be implemented independently of any access needs.
Give yourself the network security you deserve (without the pain)
Though we never could have predicted the changes the world has seen since those first customer interviews, the security problems inherent to remote access are now more pressing than ever before, with remote work becoming an overnight necessity. The whole team has put a huge amount of effort into creating Twingate over the past 18 months, and we’re confident that what we’ve built represents a step function departure from today’s typical experience and outdated technology.