Introducing Twingate Ephemeral Access

Emily Lehman

Nov 24, 2023

We’re thrilled to announce that you can now leverage Ephemeral Access policies when protecting Twingate Resources. Twingate customers can now set an expiration time for Groups that have been granted access to Resources. Once a Group’s expiration time has elapsed, access to the relevant Resource will automatically be revoked.

The expiration time for a particular access right can be set to any time from the next hour to one year from the current date. When the expiration time has elapsed, the Group will be removed from the Resource and users in that Group will no longer have access to that Resource.

This is an exciting step forward in making least privilege access fully automated, keeping your most sensitive resources protected, and reducing vectors of attack for malicious actors, all without adding time consuming overhead for admin teams.

If you have contractors who are only working with your team for a set period, a break-glass scenario that needs troubleshooting access for today only, or servers you know will only be needed until the end of the year, you can automate the deprovisioning so that access policies stay strict without adding extra work for already resource-strapped teams.

A quick history lesson

How long, exactly, has the concept of least privilege access been around? The short answer: a while. 

The principle of least privilege as it relates to access dates to the Multics operating system’s development in the 1960s, which was the first operating system to make the controlled sharing of information a design requirement. 

The canonical formulation is usually credited to a 1974 article by MIT professor Jerome Saltzer (“Protection and the Control of Information Sharing in Multics”, Communications of the ACM), where he stated the principle in a single sentence:
“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”

Other than a trip down computer science memory lane, what’s the purpose of bringing up the history of least privilege access? The fact that the concept has been around for so many decades highlights a key problem that Twingate is trying to solve: it’s really hard to put into practice.

Making least privilege a reality

So why is least privilege so hard to do? 

The first problem we identified here at Twingate was that perimeter-based approaches to network security don’t cut it. For starters, a perimeter-based approach means that once an attacker gets the metaphorical keys, they can move laterally across resources. Then you have the issue of what a modern network actually looks like: on-prem servers, cloud environments, SaaS apps, and legacy applications. It can be incredibly difficult to have complete visibility into complex networks, which makes applying security controls challenging.

Twingate’s approach to network architecture uses direct peer-to-peer connections to Resources that sit behind your firewall rather than centralized chokepoints, and each connection is authorized per Resource before it is established. That has the double advantage of limiting lateral movement (a user can only reach the Resources they are explicitly authorized for) while improving performance for end users. That’s one step closer to making least privilege a reality for organizations.

Next, you have the problem of granularity: you need robust data and powerful access controls to actually grant and restrict access. Historically this data is siloed and access policies are cumbersome to implement. 

Twingate supports fine-grained access policies based on identity, device, and context, with a rich library of integrations so you can deepen the impact of other tools in your security stack. In addition to integrations with major IdPs, MDMs, EDRs, and native device posture checks, you can apply Twingate’s universal MFA to any Resource, including things like RDP and SSH. With our user-friendly admin console, applying these granular access policies is simpler and faster than other ZTNA solutions.

You’ll notice that we’ve referenced usability and speed a few times. That’s another reason why least privilege access has been a challenge for many organizations. The fact is, people need access to stuff to get their work done. When remote access tools slow down the pace of business, take eons to actually deploy, and require heavy admin overhead to maintain, teams often have to sacrifice ideal-state security in the name of getting things done.

We’ve invested heavily in making Twingate a best-in-class user experience for both end users and admins. With deep investments in IaC tools like Terraform and Pulumi, plus Twingate’s API, you can programmatically deploy and manage access across your entire network.

Dynamic least privilege for a dynamic world

Let’s get back to Ephemeral Access, which is just one component of Twingate’s answer to the next big problem of least privilege access.

Organizations aren’t static, and neither are malicious actors, but access is often treated as if it were. To implement true least privilege, admins would have to constantly audit network resources, users and groups, access lists, and the application of access policies, and then spend time adapting access permissions accordingly. It’s neither realistic nor especially secure to expect admins to dedicate all of their time scrambling to manually update access.

Ephemeral access is just the first step Twingate is taking to enable organizations to implement dynamic least privilege access that keeps pace with our dynamic world. 

A key requirement of that is automating access provisioning and deprovisioning. With time-bound access expirations, admins can automate a number of key steps: no more calendar reminders to remove access, and no extra deprovisioning work required.
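To make the mechanism concrete, here is a small model of time-bound group access, covering both the expiration window described in the announcement above (one hour to one year) and the automatic deprovisioning this section describes. It is an added example written for this post; it is not Twingate code and does not call Twingate’s API. The class and function names (Grant, AccessStore, reconcile, has_access), the sample groups and users, and the 365-day reading of “one year” are all assumptions made for the example.

```python
"""Toy model of time-bound ("ephemeral") group access to a resource.

Added example, not Twingate code. It models the behaviour described in the post:
a Group is granted access to a Resource with an expiry between one hour and one
year out; once the expiry has passed the Group is removed from the Resource and
its users lose access. All names below are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_TTL = timedelta(hours=1)   # "from the next hour ..."
MAX_TTL = timedelta(days=365)  # "... to one year" (365 days assumed here)

# Constructed reference clock for the walkthrough; real code would use
# datetime.now(timezone.utc) at request time.
T0 = datetime(2023, 11, 24, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Grant:
    resource: str
    group: str
    expires_at: Optional[datetime]  # None means standing (non-expiring) access


class AccessStore:
    def __init__(self, group_members: dict[str, set[str]]):
        self.group_members = group_members            # group -> set of user ids
        self.grants: dict[tuple[str, str], Grant] = {}
        self.audit: list[str] = []

    def grant(self, resource: str, group: str,
              expires_at: Optional[datetime] = None, *, now: datetime) -> None:
        """Attach a group to a resource, optionally with an expiry in the 1h..1y window."""
        if expires_at is not None:
            if expires_at.tzinfo is None:
                # Naive timestamps are how expiries silently drift by a timezone offset.
                raise ValueError("expires_at must be timezone-aware (use UTC)")
            ttl = expires_at - now
            if not (MIN_TTL <= ttl <= MAX_TTL):
                raise ValueError(f"expiry must be 1h..1y from now, got {ttl}")
        self.grants[(resource, group)] = Grant(resource, group, expires_at)
        self.audit.append(f"GRANT {group}->{resource} until {expires_at}")

    def has_access(self, user: str, resource: str, now: datetime) -> bool:
        """Decide at request time; does not depend on reconcile() having run yet."""
        for (res, group), g in self.grants.items():
            if res != resource or user not in self.group_members.get(group, set()):
                continue
            if g.expires_at is None or g.expires_at > now:  # expiry instant itself is denied
                return True
        return False

    def reconcile(self, now: datetime) -> list[tuple[str, str]]:
        """Sweeper: remove every grant whose expiry has passed. Idempotent."""
        expired = [k for k, g in self.grants.items()
                   if g.expires_at is not None and g.expires_at <= now]
        for key in expired:
            del self.grants[key]
            self.audit.append(f"REVOKE {key[1]}->{key[0]} expired, swept at {now.isoformat()}")
        return expired


def rejects_ttl_hours(hours: float) -> bool:
    """True if a grant expiring `hours` from T0 is refused by the window check."""
    store = AccessStore({"g": {"u"}})
    try:
        store.grant("r", "g", T0 + timedelta(hours=hours), now=T0)
    except ValueError:
        return True
    return False


def demo():
    """The post's 'troubleshooting for today only' scenario with constructed data."""
    store = AccessStore({"contractors": {"alice"}, "sre": {"bob"}})
    store.grant("prod-db", "sre", now=T0)                                  # standing access
    store.grant("prod-db", "contractors", T0 + timedelta(hours=8), now=T0)  # gone at end of shift
    before = store.has_access("alice", "prod-db", T0 + timedelta(hours=7))
    at_expiry = store.has_access("alice", "prod-db", T0 + timedelta(hours=8))
    revoked = store.reconcile(T0 + timedelta(hours=8))
    revoked_again = store.reconcile(T0 + timedelta(hours=8))
    bob_later = store.has_access("bob", "prod-db", T0 + timedelta(days=30))
    return before, at_expiry, revoked, revoked_again, bob_later


if __name__ == "__main__":
    print(demo())
```

Two design points worth carrying into any real implementation: the access decision checks the expiry at request time, so a user is denied the instant the grant lapses even if the sweeper that actually removes the group from the resource runs later; and the sweeper is idempotent and writes an audit entry for each revocation, which is what you want to feed a SIEM so that expired-but-still-present grants show up as an anomaly rather than silently lingering.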

You can find full details on Twingate’s Ephemeral Access in the docs. Not a Twingate customer yet? If you’re interested in taking Twingate for a spin, you can request a personalized demo from our team or try it out yourself for free.
