Miscellaneous 4 min. read

Zero Trust Vs. VPN: Keeping DevOps Remote Access Secure

Chris Casper

DevOps teams evaluating the tradeoffs of zero trust versus VPN security solutions face a tough decision. On the one hand, zero-trust security offers benefits that meet their unique needs. And yet VPN solutions, for all of their limitations, do not require enterprise-wide transformations. In this article, we will explain how Twingate offers DevOps teams a third path to the security and productivity benefits of zero-trust security.

Understanding Zero Trust

Zero trust is a security framework designed to address the challenges of today’s cyber threat environment. Malware, spear phishing, and zero-day exploits can turn the most trusted employee or the best-managed devices into vectors for cyberattacks. Making things worse, the “company network” that must be protected is more nebulous than ever as more resources are hosted on third-party cloud services or X-as-a-Service platforms.

Dealing with threats that can come from any user, any device, and any network requires a different way of looking at security. It requires abandoning the traditional approach of securing a perimeter around a “safe” network accessed by “safe” users and devices. Zero trust assumes that nothing is “safe” anymore.

Since no network can be truly secure, the zero-trust framework focuses on securing each resource regardless of where it is deployed. Each attempted connection to a resource must be interrogated by identity management and access control systems. Once both the user and the device have been authenticated, a direct, encrypted connection is established between the user’s device and that resource. 

Administrators can protect both on-site resources and cloud-based resources using the same infrastructure since the zero-trust framework is network-agnostic. Google has even gone so far down this path that it deploys all of its resources to the public internet. The resources are discoverable but inaccessible to anyone not in compliance with Google’s access control policies.

Zero-trust security also assumes that any user or device can be compromised at any time. Just because a device is free from malware when first connected to a resource does not mean it will be malware-free the next day. All users, regardless of their position or role, must authenticate with the zero-trust system to access a resource. And each approved session is ephemeral requiring re-authentication before regaining access.

With zero-trust security, administrators can use the same access control system to manage employees and contractors whether they access resources from a company facility or remotely. Users are only permissioned to access the resources they need for their current role. When they take on different roles, a simple change in the access control system reassigns the resources they can access.

Trust Undermines Corporate VPNs

Remote access is where the comparison of zero trust versus VPN creates a stark contrast. VPN technology was created in the 1990s to link multiple networks together over the public internet. That original purpose carries with it assumptions that make VPN remote access less secure and more difficult to manage.

VPN technology’s core assumption is that it is connecting secure, trusted networks. This sense of trust lets the networks at field offices and other facilities work seamlessly with resources on the corporate network. However, it also means the VPN grants each user, and any malware on their device, the same network-wide access.

VPN technology also throttles business productivity. Since VPN gateways were intended to connect networks, they combine the control plane and the data plane into a single chokepoint. All data flowing between a user and a resource must be backhauled through the VPN gateway. Even if the user and the resource are closer to each other geographically than to the VPN gateway, their network traffic will route through the gateway and suffer a latency hit.

Administrators can mitigate some of these security risks by segmenting the company’s network, creating a secure perimeter around each subnet, and deploying unique VPN gateways to allow access on a subnet-by-subnet basis. Adding multiple gateways to each subnet can help address the backhaul issues. However, these approaches make network security and access management more difficult, often resulting in bad security habits like over-permissioning.

Twingate’s Superior VPN Alternative for DevOps

Twingate created a zero-trust security platform to meet the unique needs of DevOps teams. Previous zero-trust security solutions required enterprise-wide transformations. Even a company as resource-rich as Google took a decade to re-engineer its infrastructure and workflows.

Deploying Twingate does not require changes to your company’s network infrastructure, to your resources, or to your existing security stack. For example, you only need to enter a one-line Docker command to protect a resource behind a Twingate Access Node. It does not matter whether that resource runs on a company server or is hosted in the cloud. Twingate can handle any TCP or UDP traffic, letting you protect all developer resources with zero-trust security.

By operating at the transport layer and integrating with your existing security stack, Twingate streamlines access management. Installing the Twingate Client does not require changes to network or security settings on users’ devices. In addition, the end-users self-provision the Client through a consumer-like journey. Administrators’ involvement in onboarding and offboarding could be as little as a single click in Twingate’s dashboard. Reducing the overhead of user management makes it easier for administrators to apply narrower, resource-specific access policies.

Twingate improves DevOps productivity by splitting responsibility for the control plane and the data plane between a Controller and each resource’s Access Node. All access requests from the Twingate Client pass through the Controller which determines whether the user and device meet your company’s access control policies. The Controller then tells the Access Node to create a secure, encrypted connection with the Client directly. Routing network traffic along the fastest route between the Client and the Access Node eliminates the performance penalty imposed by VPN backhaul.

Taking zero-trust security to the next level, Twingate’s Access Nodes operate on a need-to-know basis. They do not advertise their presence on the network and only accept connections handed to them by the Controller. The Client apps do not know about your developer resources, much less their network locations, until the Controller establishes a link to an Access Node. Whether resources are deployed on a private network or the public internet, Twingate’s zero-trust solution renders them invisible to anyone who is not permitted access.

Contact Twingate to learn more about quickly protecting your DevOps resources with zero-trust security.

Get the latest stories and tips from Hotspot Shield in your inbox