The Pango Post

Pango Case Study: Why we left our corporate VPN for Twingate

By Tanuj Chatterjee, SVP Engineering

How Pango moved to Twingate’s modern remote access model in less than 24 hours during Covid-19  

Like many companies, COVID-19 forced us to move to a completely remote model for every employee without much notice. While we were already globally distributed with offices on three continents, there’s a significant difference between employees in a handful of offices around the world and a model where 100% of employees are remote.

Our Challenge

One of the biggest issues we identified immediately was that our legacy corporate VPN was not built to handle everyone working remotely.

While we offer the leading consumer VPNs that millions of people use to protect their privacy and security, we used a fairly traditional corporate VPN deployment for internal remote access needs.  We were using both an OpenVPN and IPSec based VPN to provide access to the internal resources and applications that our global employee base needed to get their work done. Even before a 100% remote work model, many of the global employees saw performance issues with these traditional VPN products.  With every employee suddenly going remote, we knew these performance and reliability issues would become major challenges for us to overcome.

In addition, we look to make continual improvements to our company security posture given the critical role that our services play in keeping millions of people safe and secure.  Because of that, we had identified our OpenVPN and IPSec based corporate VPN as a potential vulnerability point for outside attackers.  Every traditional corporate VPN (including those offered by large established enterprise security companies) require a public VPN gateway to function.  This public VPN gateway advertises itself on the internet in order to provide remote access to employees.  However, this same public VPN gateway is also an attack surface for potential hackers and has already led to multi-million dollar security breaches for companies around the world.

Like every company with a traditional corporate VPN, our access logs showed outside parties continually probing the VPN gateway for vulnerabilities.  Many companies see hundreds of unauthorized access attempts a second, and our corporate VPN gateways were no different.  Worse still, because traditional VPNs place users “on the network”, they are a common target for hackers to gain entry into a corporate network and move laterally to cause significant damage.

Because of this, we were eager to implement a solution that both solved the remote access productivity challenges of our legacy corporate VPN while also significantly improving our security posture.

Exploring a Better Way: Twingate

At Pango, we recognized the need for a better option to traditional corporate VPNs.  We know firsthand with our consumer products that mobile devices and the cloud have fundamentally transformed how people live their daily lives.  These same macro trends have also driven fundamental changes to how work is done in companies around the world.  Teams are frequently distributed, employees access applications that reside in data centers as well as the public internet, and work is done everywhere.

With hundreds of experts in security and enterprise networking at Pango, last year we created an internal project to build a modern alternative to corporate VPN.  In a world where the traditional, perimeter based approach to network security seemed increasingly archaic, we knew there was a better way.  The outcome of this effort is a new product called Twingate. Twingate is a modern alternative to corporate VPNs specifically designed for a “work from everywhere” reality.

Twingate offers a significant improvement to an organization’s security posture, while offering end users with seamless experience and IT admins with a service that’s easy to manage. It provides “Zero Trust Network Access” without the complicated deployment and configuration typically required by other solutions.

Key benefits of Twingate are:

  • Eliminates public attack surfaces: With Twingate, your internal network is dark to the outside internet.  With no public entry points into the network, private resources and applications stay completely private.
  • Granular least-privilege access: Twingate solves one of the biggest issues with traditional network security models by removing the concept of “trusted users” on the network.  Users are granted access only to the resources they need and nothing more, which prevents the chance of any compromised device or account moving laterally across the network.
  • Easy to deploy & manage: Twingate is designed to be deployed in minutes. No network changes, no configuration changes to resources, and end users can download apps directly from the public stores.  Administrators can easily manage users, set access permissions, and gain visibility over their various apps and services from a central admin console.
  • Fast & Reliable: Twingate efficiently routes traffic directly to the end destinations without high-latency traffic backhauls to a central corporate network.  This means users get blazing fast performance wherever they are.

Fortunately, we had Twingate ready to go when shelter-in-place guidelines required us to close all our company offices.  

The Outcome

Even while dealing with all the logistical complexities of shifting to a 100% remote work model, we were able to move the entire Pango employee base of 300+ employees across three continents to Twingate in 24 hours.  

Our IT teams deployed Twingate connectors into various remote networks including VPCs in AWS and private on-prem networks in under an hour, and were able to start granting remote access to employees on that same day.  Our employees simply downloaded the Twingate clients directly from the public app stores.  No need for IT handholding to install complicated VPN profiles on hundreds of devices.

After a few days of testing, we were able to shut down our legacy corporate VPN and have the entire company running on Twingate.  Our IT and security teams gained new-found visibility and control over our most critical resources, and our employees were ecstatic to never have to deal with the performance and usability challenges with the legacy VPN. 

We estimate that we’ll save over $70,000 a year with Twingate given the lower total cost of ownership vs our legacy VPN.  Our IT teams are now freed from the frequent demands of maintaining and managing a legacy corporate VPN, employees are both more productive and happier, and we’ve significantly increased our security posture. 

While these are challenging times for every company around the world, Twingate has helped us securely transition to a “work from everywhere” model.