How Ampush drives disruptive growth for high-performance companies using Twingate
Ampush uses Twingate to ensure that its workforce and IT team can continue operating at peak efficiency and access what they need, even when working remotely in a fast-paced environment.
Ampush partners with some of the world’s best known brands and houses their clients’ materials in private AWS-based staging environments. Access to those environments was historically secured via IP-based restrictions, and this had been adequate for Ampush to manage access for their various office networks around the world.
With the onset of COVID-19, IP-based access management became a significant pain point overnight. With hundreds of employees and contractors now working from home, each of their IP addresses needed to be manually added to the IP allow-list by an already busy DevOps team. To make matters worse, many home connections used dynamic IP addresses that were periodically updated. Given the volume of updates, each request could take several hours to process, resulting in nearly a day of lost productivity per user, per request. “I’ve had to update my IP address in the system three times a week since working from home,” said Maksim Pavlishin, Ampush’s Head of Engineering.
Moreover, this approach was not able to support mobile device access when those devices were connected to carrier networks or unrecognized Wi-Fi networks—a significant problem, given the amount of work Ampush does related to mobile apps and marketing on mobile devices. Employees were essentially tied to working from home or in the office, and not anywhere else.
Ampush quickly began looking for a better solution.
Ampush needed to replace IP-based access with a different approach to solve their core problem of lost user and admin productivity. Another requirement was ensuring that any solution was compatible with the work they needed to perform on mobile devices. Ampush also desired to minimize any impact to users’ connection speeds, as well as to minimize what needed to be installed or stored on their own servers.
Ampush initially evaluated corporate VPNs as a solution, including open source VPNs. However, VPNs posed technical challenges when used with mobile devices due to the specific type of work that Ampush employees needed to perform on mobile devices. The team also considered building a custom solution in-house. However, this would have taken up to two months to complete, cost several thousand dollars, and still required ongoing maintenance and improvements over time.
Ultimately, the team needed something that met three key criteria:
- Speed: There should be minimal impact on throughput, regardless of where the users are located.
- Security: There should be no private Ampush data visible to or captured by the service provider.
- Split tunnel: Only specific protected traffic should be secured.
After careful evaluation of various vendors against these criteria, Ampush decided to select Twingate’s Zero Trust Network Access solution. “We knew there were other solutions that would get us part of the way there, but Twingate gave us a single platform to meet all our needs,” said Adonis Voulgaris, Senior Director.
Twingate was deployed to over 100 users and the impact was immediate. The hundreds of requests sent each week to the DevOps team by users trying to maintain their network access vanished completely, and the time spent by DevOps provisioning user access was dramatically reduced to just a few hours per month. Users could now also securely access Ampush’s staging environments with desktop and mobile devices from anywhere in the world without slowing down their internet connections.
Deployment & Maintenance
As a SaaS-based product, Twingate was quickly deployed by Ampush. Unlike a VPN, Twingate did not require Ampush to reconfigure its network, or install and maintain complicated software.
This simplicity also meant that maintenance overheads for Twingate were minimal. “I’m now personally spending zero hours on managing Twingate,” Pavlishin noted. “Moreover, my team’s workflow for user management and security monitoring has been cut down to only 10-20 hours per month, and that’s to manage a couple hundred accounts.” Voulgaris added, “This has been hugely impactful, especially because the lists of people working on our projects frequently change.”
Pavlishin also remarked that Twingate’s integrations with their identity provider, Google G Suite, provided them with an added benefit of simplifying user and group management. Twingate’s ability to extend SSO functionality to network access through Twingate’s G Suite integration was “tremendously valuable.”
Compared to traditional VPNs, Twingate provides superior performance. Authentication and authorization activities are performed on end user devices, leading to better responsiveness, and once a request to a protected resource is authorized, it is then routed more directly to that resource than would typically be the case with a VPN.
Moreover, Twingate is split tunnel by default, meaning that only data destined for protected resources is actually sent via Twingate. Access to the public internet is unimpeded. “We did regular VPN load testing measurements for bandwidth and with Twingate, we saw zero noticeable impact on speed when Twingate was turned on. VPNs are typically 50% slower,” Pavlishin said.
From an end user perspective, access is now granted by sending users a link to download the Twingate client app. No additional support from the IT team is needed.
Users also appreciated the upgrade in experience. “It made my work from home experience so much better. Twingate made it super easy for me to connect to Tableau dashboards and staging environments,” Vaibhav Mathur, a Product Manager at Ampush remarked. “Twingate doesn’t require me to hassle IT with IP whitelisting across all my devices any more!” Voulgaris observed that “Twingate is always on my phone. I don’t even notice it’s there most of the time.”
Since deploying, the team has been highly satisfied with their decision to adopt Twingate. One clear sign of success in this case was not hearing any complaints from users. “No [user] feedback is good feedback. We tend to only hear from users when something is not working!”