Interview: How SMEs Can Achieve A Better Route To Remote Access

Alex Marshall, Co-Founder And Chief Product Officer At Twingate, discusses the importance of Zero Trust principles in the modern threat landscape.

Since the pandemic changed the ways in which we live and work, remote access has become one of the top priorities of organizations around the world. But with the office perimeter gone, providing secure remote access to employees without compromising on usability and productivity has become a central challenge for security and DevOps teams. 

We spoke to Alex Marshall, Chief Product Officer and Co-Founder at Twingate, to learn about the challenges with remote access, the issues with VPN solutions, and his tips for SMEs to find the right remote access solutions.

What’s the background behind Twingate; what led to the genesis of the business?

After several years of working with Dropbox Business, myself and the two other co-founders started looking for other interesting developments in the area of remote work. In early 2019, we started investigating this area of remote access, and three things stood out to us. 

Number one is that everybody at that time, and still, I think to this day, is using VPNs for work. That was surprising because it’s a fairly old technology from the mid-90s. The second thing, which did not surprise us, is that nobody likes using a VPN. And the third thing is that we started looking into this, at the time, newish concept of Zero Trust. And what everybody told us about Zero Trust is that they hadn’t yet found a product that was easy to deploy and use.

And that was the genesis of Twingate. We saw an opportunity to create something in the space that was easy to deploy. From our standpoint, if you have a product that solves the same technological problem, all things being equal, it’s really valuable to companies if it’s easier to use. If it’s easier to use, they’ll get adoption for it, instead of it being yet another security tool that causes internal friction. 

How does Twingate secure access to resources, and what are the use cases for this solution?

Our vision is to make sure that any employee, from any company, can work from anywhere securely. The mission that comes out of that is to make sure that companies can easily adopt Zero Trust principles. Zero Trust means a lot of things to different companies, but the way we define Zero Trust is pretty specific. It’s answering this one question: “Can this person, on this device, in this context, access this resource?” And that question should be asked every time a network connection is ever initiated. 

Many of our customers are moving off something basic from a VPN standpoint. If all you care about is replacing your VPN, we offer a more secure and frictionless solution with room to scale. There are no real downsides; you have better security and usability.

But what we’re offering as a company is a platform through which you can have a single view into every user, every device, and all security controls around devices. Whether it’s bespoke apps, internal resources, SaaS applications, or something deployed on-premises. We provide a single view through which you can control authorization for anybody in any situation for all those different resources. And the goal over time is to automate a lot of those things. 

And the other essential part of the platform is visibility. Every private connection that’s routed via Twingate goes either through an agent installed on users’ devices or goes through a remote connector, which is used for remote access into internal resources. Every network connection goes through these two gates. That’s why we’re called Twingate.

Because these private connections are routed through Twingate, we have detailed metadata on every connection: who was accessing those applications, how much data was transferred, and where access took place from, which then lets us give companies a view of exactly what each user did based on their corporate identity—typically an email address—and not on ephemeral information like their IP address. 

Who are your typical customers, and what are their biggest challenges today?

We’re targeting customers anywhere from a few hundred employees to three to six thousand employees. We do have customers that are smaller and larger than that, but that’s our target range; what people call mid-market or small enterprise. We are, over time, moving upmarket, so we intend to go for enterprise as well ultimately. On the other end, we also just launched a new free Starter Tier, which makes adopting Zero Trust accessible regardless of an organization’s budget.

In terms of the problems we’re solving, I think the biggest thing that’s happened is a trend called ‘Wave Three’, which the pandemic has really accelerated. Wave One was that everyone was in an office, computers were in the office, and it was a physical security model, it’s pretty simple. Wave Two is then taking a lot of internal business applications and moving those to the cloud. And you had a bunch of companies that emerged in the early 2010s to address that. 

And then Wave Three is where you’ve now got employees moving everywhere; not always in the office. You’ve got applications everywhere, and you’ve got many different devices. It adds a lot more complexity than we had five to ten years ago. And what happened during the pandemic was that Wave Three was really accelerated. The pandemic showed a lot of companies that their remote access infrastructure just isn’t adequate for the reality of how people actually work today: lots of people at home, with very, very variable internet security and lots of different devices.

When looking to solve these challenges, why should SMEs consider a Zero Trust solution over a traditional VPN?

The biggest thing is that VPNs aren’t designed for the job they’re actually doing today for most people. VPN was originally designed to connect your HQ office to branch offices. It was meant for a many-to-many connection. And yet, it’s being used today for a one-device-into-a-network connection. We’re using it for something it wasn’t really intended for. 

If you think about that original use case of HQ and branch, those are both trusted networks that you’re connecting. The problem is that if you’re using a VPN on your laptop to connect into the office network, there is no guarantee that the laptop is adequately secured. VPNs assume a lot more trust in the devices connecting to them than is really the reality. That’s the big, fundamental problem. 

More specifically, because of the way VPNs are designed, to connect remotely to the VPN gateway, the receiving end of the VPN connection is, by necessity, on the public internet. As we know today, that’s just not a safe thing to do.

The last thing is that VPNs weren’t originally designed to give narrow access; they were designed to give network-wide access. Even if you’re okay with those first few problems, now, when someone connects into your network via a VPN, they have access to everything on your network, because that was the way it was originally intended to be used. And, of course, you can configure things and narrow them down. But you can’t do it in a specific, narrow way for users. Not easily anyway. 

As we talk to customers, these are the challenges they’re dealing with and why Zero Trust solutions like ours are so appealing. 

What advice would you give to organizations considering implementing a Zero Trust remote access solution over a traditional VPN solution? 

If you’re considering a bunch of different solutions, the general advice is that there’s no real point in choosing a solution if people aren’t actually going to adopt and use it. And so, I think there’s two really important parts to making a decision.

One is general adoption. Is the friction in the new solution low enough that employees aren’t going to rebel or find workarounds? And there’s a well-established case study around that for mobile device management, where nobody wanted a mobile device solution on their personal smartphone. There’s a lesson in that it’s something to very carefully look at when you’re evaluating a solution.

The other thing that not enough people consider is what does the change management process look like? One of the things we did very early on is design our technology so you can drop it in. So, you can have your VPN one day, and then the next morning turn Twingate on, and employees shouldn’t notice any difference. 

That’s important because users shouldn’t have to change the addresses they use to access anything or configure anything on their devices. With Twingate, you don’t need to configure anything on the server-side, other than dropping in our connector technology, which is very lightweight. 

So, I think it’s those two things when looking at a new solution: think about if users are going to adopt it, and what the change management process looks like from the IT security network side. 

You can learn more about Twingate’s secure remote access here: https://www.twingate.com