ConsumerAffairs Thrilled With Twingate’s VPN Replacement Solution

Replacing their OpenVPN access solution with Twingate let ConsumerAffairs reduce maintenance frustrations, improve the user experience, and pave the way for stronger security practices.

“Twingate is a VPN that provides secure remote access into your infrastructure but it offers a whole array of security tools. That takes a load off of my mind because now I have a solution, and it’s Twingate.”

Diana Teoh

Director of Information Security

Security’s role at ConsumerAffairs

ConsumerAffairs offers a “marketplace for life’s hardest purchases” where consumers can find news, curated reviews, and guides for making major buying decisions across a wide range of industries including automotive, home, finance, and more. The company is headquartered in Tulsa, Oklahoma and has offices in Texas, North Carolina and Argentina, plus remote employees across the United States and around the world.

Diana’s “small but strong” security team’s primary responsibility is protecting ConsumerAffairs’ sensitive data. At the same time, the team has to support users’ needs.

“Security is a lot about compromise,” Diana said. “When I think about security, I don’t want to be the roadblock. I want to make sure everybody is working towards the same goal. You have to understand what the teams are trying to accomplish. If it is a security risk, you find the pros and cons and then let the requester understand. Are you willing to take that risk?”

Remote access challenges

Remote access frustrated everyone from the security team to TechOps and end users. ConsumerAffairs’ infrastructure consisted of eight environments, each with an OpenVPN gateway and Two-Factor Authentication. This cumbersome structure controlled user access to sensitive data, but at a significant cost.

The burden fell on users to know which VPN account and 2FA to use at any given time. Engineers needing access to every environment juggled eight different accounts. The administrative side was just as tedious. TechOps used manual processes to create accounts, provide support, and off-board departing employees.

“We were having a lot of pain points in terms of our VPN solution at that time,” Diana explained. “I would have to say that it was the right place, right time to come across Twingate.”

Twingate’s easy remote access solution

VPN technologies grant authenticated users full access to whatever network and resources lie behind their perimeter. While this provides some protection, it also leaves organizations vulnerable: if a malicious actor breaches that perimeter, they can move laterally across the network to access an organization’s most sensitive resources.

By contrast, Twingate establishes direct, peer-to-peer connections between user devices and protected resources. This significantly limits the potential blast radius of a compromised credential.

The lightweight Twingate Client application handles all authentication and authorization, pushing access decisions to the edge. A central Admin Console manages user accounts, protected resources, and security policies.

“The user maintenance of what we were using was just so high,” Diana said. “Twingate sounded like a great tool to help us maintain the product. Twingate was so easy. You set up the Connector, you create the users, assign the various Connectors, and then you’re good to go.”

ConsumerAffairs went from having to touch multiple OpenVPN systems for any change request to having everything at their fingertips in Twingate. For example, deprovisioning a user went from a tedious eight-system process to simply deactivating the user’s Twingate account. TechOps saw their VPN-related workload fall from two to three tickets a month to “practically zero.”

It wasn’t just TechOps that noticed the change. Diana recalled that “the user community was like, ‘Can we switch over right now?’ Users were so thrilled they did not have to look up what VPN credentials and two-factor auth they needed to log in. That all went away.”

Going beyond remote access

Twingate is a solution for the challenges of VPN-based remote access, but more than that, it provides a framework for adopting a Zero Trust security model. By focusing on security and usability, Twingate gives the fastest-growing companies enterprise-grade security with consumer-grade user experiences.

“Twingate’s got these extra security features and functionality that I think are valuable to protect the information within our infrastructure. I could definitely go into my finance team and say, no, this is key. We need to have this in place.”

Role-based access controls

The principle of least privilege is a core tenet of Zero Trust. People should only have access to the protected resources they need for their work. Overprovisioning significantly increases organization-wide risk and magnifies the impact of compromised credentials, giving hackers more opportunities to traverse a network.

“We do have a few folks that don’t need to be able to access an entire network. They just need to access one system, right? So it’s nice to be able to create connections that way. Role-based access control is pretty important to us, and I think Twingate does it really well.”

Twingate lets administrators define user groups, the resources each group may access, and the security policies that govern connections to those resources. Administrators can set resource and minimum authentication policies to create granular role-based access rules.

Endpoint security

Whenever a user tries connecting to a protected resource, the context of their connection request is just as important as their identity. As remote work and BYOD policies become more common, implementing device-based access controls is critical to maintaining a robust security posture.

“Bring your own device is a big pain point,” said Diana. “How do I secure a system that is not mine? I can’t just put an MDM on it. Twingate has features and functions that do the security device posture checks before it will let you make the connection.”

Twingate’s Client app automatically evaluates the status of device security features like hard drive encryption and firewalls. In addition, administrators can create Trusted Profiles that leverage the MDM and EDR tools CrowdStrike, Jamf, and Kandji to assess additional device posture requirements. The Twingate Client will block connection attempts to resources if the device does not comply with resource or group security policies.



ConsumerAffairs is a rapidly growing online marketplace where each month millions of consumers research purchases, connect with brands, transact, write reviews and stay up to date on important consumer news.



