By Praveen Kannan and Anna Strokolyst
Traditional VPN solutions impose stiff performance penalties on agile DevOps teams — especially when distributed teams need access to Google Cloud resources. While better VPN solutions exist, the best approach to Google Cloud security may be to ditch the VPN entirely.
What is Google Cloud VPN?
Enterprises trust Google with their cloud resources because of the attention Google pays to security. From laser-beam intrusion detection in its data centers to custom security chips in its hardware to encryption on its internal network, Google designed security into its cloud infrastructure from the ground up. But Google leaves it to each customer to manage access to their hosted resources.
Of course, Google also offers a suite of security tools, for a fee, with the advantage of being tightly integrated into the Google Cloud platform. Google Cloud VPN connects your on-premises network to your Google Virtual Private Cloud (VPC) network over IPsec. Each VPN tunnel is capped at roughly 3 Gbps, so it is better suited to smaller businesses, or to sites that can spread their traffic across several tunnels. And since Google Cloud VPN is site-to-site only and does not support remote access by individual users, companies still need to operate another vendor's VPN solution for that.
Alternative VPNs for Google Cloud Security
The Google Cloud Marketplace hosts several third-party security solutions that have met Google’s integration and security requirements. The Marketplace’s security vendors span a wide gamut from small business VPN services to enterprise information solutions providers.
OpenVPN Inc., founded by the creator of the open-source OpenVPN project, also sells a proprietary version designed for businesses. OpenVPN Access Server adds administrator tools and other features to the open-source platform. However, open-source contributors are often more interested in solving technical problems than in polishing the user experience. As a result, OpenVPN Access Server can be difficult to deploy, manage, and use.
Enterprise-class information solutions providers, such as Juniper Networks and Check Point, also adapt their security products to work with Google Cloud. These full-featured enterprise firewalls are comprehensive security suites. VPN is just one feature. These options make the most sense when your company already uses their solutions. Otherwise, you face the difficult process of integrating yet another vendor’s products and dealing with the inevitable conflicts.
Is VPN the Right Security Solution for Google Cloud?
Whether you go with Google's in-house solution, a community-developed project, or an enterprise-grade service, any VPN product suffers from the technology's inherent limitations. Frankly, VPN is no longer fit for purpose.
VPNs made sense in the 1990s when you could assume your resources were protected by a secured perimeter on a proprietary network. Everyone accessed those resources through managed devices on the network, and only a few employees needed remote access. VPN gateways let those trusted few pass through the secure perimeter to the network.
Today's network perimeter stretches beyond the premises. It must protect resources hosted on services like Google Cloud and delivered by third-party X-as-a-service providers. At the same time, BYOD policies, ubiquitous wireless internet, work-from-home initiatives, outsourcing and contracting make managing access through that perimeter far more complicated.
In this environment, misplaced trust is the core weakness of traditional VPN technology. A VPN trusts that its network perimeter is secure and trusts every resource connected to that network. Once a user authenticates, the VPN grants network-level access: the user's device gets an address on the internal network and can reach anything routable from there, not just the one system the user actually needed. Devices already on the on-premises network are not checked at all, because they are assumed to be trusted.
If any user, device, resource or network is compromised, the VPN becomes the attacker's path onto the internal network, and the flat access it grants makes lateral movement easy. The measures companies must take to get VPNs to work in this dynamic environment make network security more brittle and less responsive to the needs of the business.
Stop Trusting to Improve Security
Zero-trust is a security framework that eliminates the weaknesses of VPN. Rather than trusting everything by default, zero-trust assumes that every device, user, resource, and network could be compromised at any time. Authentication happens on an ephemeral, session-by-session basis. Rather than granting access to an entire network, zero-trust security grants access to individual resources — and only within the context of the company’s access control policies.
Google pioneered the zero-trust paradigm after a state-sponsored attack on its systems in 2009 (Operation Aurora). Its BeyondCorp initiative has evolved to the point where the company's internal applications are reached through an internet-facing access proxy rather than from inside a privileged network. Google's employees and contractors get fast access to those resources from anywhere in the world without a traditional VPN, with every request authorized on the basis of the user's identity and the state of the device.
Secure Google Cloud with Twingate’s Software-Defined Perimeter
Twingate takes zero-trust security to the next level by incorporating it within the framework of a software-defined perimeter (SDP). Originally developed by the US Department of Defense, an SDP operates on two principles: never-trust-always-verify and need-to-know. The first principle is the same zero-trust concept underpinning Google’s BeyondCorp.
The need-to-know principle adds an extra layer of security by making all resources, whether on-premises or in the cloud, invisible. Twingate’s SDP Access Node is a reverse proxy deployed between the resource and its network. The Access Node does not advertise its presence and is set to reject connection requests by default.
The only allowed connections come from Twingate’s SDP Controller which works with your company’s existing security stack to authenticate users and devices based on established access control policies.
End-user devices running the Twingate SDP Client have no visibility into the company’s network or the company’s resources. The Client sends each connection request to the Controller. Once authenticated, a private tunnel with end-to-end encryption is created between the Client and the Access Node. This connection only gives the user access to a specific resource and only for the duration of the session. Once the Client disconnects, it loses all access to the resource until re-authenticated by a Controller.
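The following is an added example, not Twingate's code or protocol, that models the two principles described above in "Stop Trusting to Improve Security" and in the Controller/Access Node flow: the Controller evaluates policy for one user and one device against one resource and hands back a signed, time-limited grant; the Access Node is default-deny and stays silent ("drop") for anything that is not a valid, unexpired grant naming exactly the requested resource. The names (`issue_grant`, `handle_connection`, `POLICY`, the shared key, the users and resources) are all assumptions constructed for the example.

```python
"""Toy model of default-deny, per-resource, per-session access.

Everything here (Controller/Access Node roles, POLICY, USERS, SHARED_KEY,
function names) is constructed for illustration; it is not Twingate's
implementation. Real deployments use asymmetric signatures and mutual TLS
rather than a single shared HMAC key.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: key shared by Controller and Access Node,
# a tiny user directory, and a policy mapping resources to groups + device posture.
SHARED_KEY = b"controller-node-shared-secret-for-demo-only"

USERS = {
    "alice": {"groups": {"devops"}},
    "bob": {"groups": {"marketing"}},
}

POLICY = {
    "db-prod:5432": {"groups": {"devops"}, "require_disk_encryption": True},
    "wiki:443": {"groups": {"devops", "marketing"}, "require_disk_encryption": False},
}

GRANT_TTL_SECONDS = 300  # a session grant is short-lived; no standing network access


def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def issue_grant(user: str, device: dict, resource: str,
                now: Optional[float] = None) -> Optional[str]:
    """Controller side: check identity, group membership and device posture
    for ONE resource. Returns a signed grant, or None. Never grants a network range."""
    now = time.time() if now is None else now
    rule = POLICY.get(resource)
    account = USERS.get(user)
    if rule is None or account is None:
        return None  # unknown resource or unknown user: deny
    if not (rule["groups"] & account["groups"]):
        return None  # user is not in any group allowed to reach this resource
    if rule["require_disk_encryption"] and not device.get("disk_encrypted", False):
        return None  # device posture fails the policy for this resource
    payload = json.dumps(
        {"sub": user, "res": resource, "exp": now + GRANT_TTL_SECONDS},
        sort_keys=True,
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def handle_connection(grant: Optional[str], requested_resource: str,
                      now: Optional[float] = None) -> str:
    """Access Node side: default-deny. Returns "drop" (no reply, resource stays
    invisible) unless the grant is authentic, unexpired and bound to this resource."""
    now = time.time() if now is None else now
    if not grant or "." not in grant:
        return "drop"  # no grant at all: behave as if nothing is listening
    encoded, sig = grant.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(encoded.encode())
    except Exception:
        return "drop"  # malformed
    if not hmac.compare_digest(_sign(payload), sig):
        return "drop"  # forged or tampered grant
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return "drop"  # session expired; the Client must re-authenticate
    if claims["res"] != requested_resource:
        return "drop"  # grant is bound to one resource, not to the network
    return f"accept:{claims['sub']}->{requested_resource}"


if __name__ == "__main__":
    t0 = time.time()
    g = issue_grant("alice", {"disk_encrypted": True}, "db-prod:5432", now=t0)
    print("alice -> db-prod:5432 ", handle_connection(g, "db-prod:5432", now=t0))
    print("same grant -> wiki:443", handle_connection(g, "wiki:443", now=t0))
    print("expired grant         ", handle_connection(g, "db-prod:5432", now=t0 + 600))
    print("bob -> db-prod:5432   ", issue_grant("bob", {"disk_encrypted": True}, "db-prod:5432", now=t0))
```

The point to notice is what is absent: there is no route to a subnet anywhere. A grant names one user, one resource and an expiry, so a stolen or replayed grant buys an attacker at most one resource for a few minutes, and an Access Node that receives anything else simply does not answer.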
Enhance DevOps Productivity Without VPNs
Twingate’s approach to zero-trust security is optimized to meet the needs of DevOps teams.
End-users can be more productive. They follow a consumer-like journey to install the Client, with no changes to the operating system. There is no need for end-users to juggle multiple VPN client-gateway pairings to access separate resources, since a single Controller manages every resource connection. And because Twingate does not funnel all traffic through a gateway the way a VPN does, the direct tunnel between the Client and the Access Node gives end-users a fast connection to each resource.
Twingate’s software-defined perimeter makes life easier for DevOps administrators as well. New users can be set up quickly with one-click onboarding and self-provisioning. Deploying an Access Node only requires a one-line Docker command. And since Twingate’s SDP security can handle all TCP or UDP traffic, administrators do not have to change the resources, networks, or the existing security stack.
Contact Twingate to learn more about securing DevOps with a zero-trust, software-defined perimeter.