Penfold uses Twingate to deliver simple and secure access for DevOps teams
A Scalable Zero Trust Solution that Supports Growth.
“When a product works, you don’t notice it — it just works. In the past, I’ve always known when I’m on VPN because it’s annoying. It’s been very smooth sailing with Twingate. We don’t even notice it.”
Stuart Robinson, CTO & Co-founder, Penfold
Context / Situation
In the past decade, pensions in the UK have witnessed a major shift. Previously, UK taxpayers would work for a single company for 20+ years and be enrolled in a company pension scheme, a defined benefit scheme in which companies looked after their loyal staff. As people started working for multiple companies, companies moved away from this model. The UK government stepped in and launched a new scheme in which taxpayers make defined contributions and build up savings as they move from company to company.
Penfold’s founders saw a lack of knowledge among the workforce about how much to contribute toward retirement and how defined contributions work; they also saw that the self-employed market was left out of this government scheme and had no easy way to start their own retirement funds. It was all leading to a savings crisis, leaving people without enough to enjoy their retirement. Penfold decided to first serve the self-employed market, where it was easy to go direct to consumer, and after succeeding there, expanded to the workplace market.
Network and compute topology
Penfold’s infrastructure is cloud-heavy, using a combination of public and private cloud services and APIs. Initially they had used third parties to enter the market and obtain regulatory approval. Today, their architecture consists mostly of solutions they’ve built in-house. Some of their infrastructure is hosted in their provider’s cloud while their own stack is deployed in AWS. They built a self-scaling cloud-native environment that adjusts to fluctuating customer demand, providing cost-effectiveness in a pensions industry with limited product margins.
On the investment side, they use an API-based custodian that provides them with access to the specific funds that they use in their products. Penfold passes its customers’ instructions, on where they’d like to be invested, onto the custodian.
On the banking side, Penfold does direct communication via open banking. In the UK, where banking is increasingly digital, banks offer an API-based integration, transforming the way customers can make payments into their pensions plan.
On the networking side, adopting the latest technology was an interesting challenge. “But I think we’ve all got to a place where we’re quite comfortable. Obviously, Twingate has been a big part of that,” says Robinson.
Several challenges drove Penfold to look for a Zero Trust solution:
Cumbersome access provisioning process for developers - Penfold operates services that it has built in-house, running under a serverless architecture, and also operates persistent storage devices and machines running some of its system services. Its devs need to connect to these services directly to diagnose issues and apply upgrades. The traditional setup involved a bastion host within AWS, which the dev team used as a jumpbox to reach these services. As the team grew, this became painful to maintain: every SSH key had to be verified, and a cumbersome provisioning and de-provisioning process had to be followed each time someone joined or left.
Need for more secure access - Penfold’s teams need access to regulatory systems and third-party providers. Because Penfold works from a shared office, it does not own the network and has no fixed IP address of its own; other tenants share the same IP range. Twingate helped Penfold secure access to legacy services that rely on the more traditional approach of whitelisting IP ranges. Additionally, Penfold’s bastion host was itself an attack surface exposed to the public internet.
Contractors creating access churn - Penfold has short-term contractors that create a lot of access churn. The network setup process involved with onboarding these contractors did not scale with Penfold’s growth and became increasingly painful to manage.
After trying traditional VPN solutions, Penfold decided to look elsewhere due to the painful setup, manual configuration, and prohibitive cost involved with VPNs. They looked at Zero Trust networking solutions and found Twingate. After completing a Proof of Concept with Twingate and Tailscale, Penfold chose Twingate because it best addressed their pain points:
Integration with their identity provider (Google Workspace), allowing centralized user access management
Ease of use, as they needed their remote team to be able to install and set up Twingate themselves on their machines
Pricing that works with their business model
Ease of hosting, operation, and maintenance
When Penfold completed the initial deployment of Twingate, they considered the project a huge win. The standout benefits they identified included:
Twingate’s ease of customization and flexibility let them set up granular access controls that improved security, and ensured that individual network requests were authorized only in appropriate contexts.
The end user experience was noticeably improved. End users can now self-enroll for remote access with a few clicks. Once installed, the Twingate client did not interfere with daily work.
The deployment process was straightforward, with support for their existing identity provider and compatibility with their existing technology stack.
Twingate’s web-based admin console for configuring and managing enterprise-wide access controls gave Penfold centralized visibility over their entire network, coupled with extensive logging capabilities that support auditability.
“We don’t notice using Twingate because it just works. This is in contrast to VPNs, which you definitely notice when they don’t work. Twingate is super simple from a maintenance perspective, and it’s been very smooth sailing,” said Stuart Robinson, Penfold’s CTO and Co-founder.