Criteria Uses Twingate ZTNA to Empower Growth
Criteria uses Twingate to secure its 100% remote workforce’s access to critical resources, making it easier to meet Criteria customers’ demanding compliance expectations.
“Twingate is a zero trust solution that lets you manage secure access into any resource, demonstrate compliance, and minimize your risk exposure. Reporting to my board is much simpler with Twingate because I can demonstrate these things more easily.”
Mark Calle
Information Technology Manager
Empowering a global, remote workforce
Criteria is a SaaS solution that helps companies make better hiring decisions through a suite of interviewing and assessment tools. Mark Calle joined the company in 2018 as Criteria was transitioning to a remote-first operating model. That process accelerated in 2020, making Criteria almost fully remote with a workforce distributed across Central Asia, Australia, and the United States.
“Five years ago, we were an on-premises company,” Calle recalled. “We had servers on-site. We had in-house infrastructure. It was just so archaic and bulky. Now, we have such a light profile. It’s basically about enabling sales and marketing people to do their jobs super efficiently without downtime.”
VPN became a single point of failure — that failed
Remote access was a critical weakness in Criteria’s physical network architecture. The VPN feature of their WatchGuard firewalls controlled access to Criteria’s on-premises networks. Remote employees would connect through the firewalls to access server-based resources as well as the company’s expanding cloud assets.
Calle explained how Criteria’s legacy VPN solution made onboarding and offboarding users extremely unproductive. “Onboarding employees required a one-on-one session of about thirty minutes to set them up in the VPN. Then they had to get their resources set up as well.”
Complicating matters further, Criteria has two identity providers. Microsoft 365 controls access to Outlook and other applications, while AWS Identity and Access Management controls privileged users’ access to development and production environments.
“When an employee was offboarded,” Calle said, “you would have to go around knocking them out of systems one by one. If they didn’t get removed from AWS, they weren’t truly offboarded.”
Between an employee’s arrival and departure, their VPN access was a constant headache. Calle’s team had to field ten to twenty support tickets monthly to fix users’ VPN issues.
Although the VPN’s impact on productivity caused mounting frustration at Criteria, that wasn’t the final straw.
“The firewall was a single point of failure,” Calle said. “If it went down or you lost the internet connection, that’s it. Employees were locked out of our intranet and AWS sites. It did go down, and the CEO was screaming bloody murder about why his two hundred-person company was down because of some rinky-dink setup.”
Twingate was a no-brainer
Twingate replaces VPN’s brittle network access model with direct, encrypted connections between each user’s device and the specific resource they need for their work. With a software-based approach, customers can implement zero trust principles and apply role-based, least-privileged access policies to make sensitive resources more secure.
“When we got the directive to get off of VPNs,” Calle said, “my peer in Australia described Twingate to me. I was 100% on board. Replacing VPN with Twingate is a no-brainer as far as I’m concerned.”
Onboarding cycle times dropped by 83% once the team switched to Twingate from their previous solution. Twingate centralizes user setup, and its app-like provisioning downloads the client to user devices without requiring complex system configuration.
“The average user has one group with limited access but the engineers have very siloed access. The minute a new hire signs into 365, the Twingate client installs automatically. They can literally work five minutes into being hired.”
Calle said that Criteria gained similar efficiencies when offboarding users. “I go into Azure and block sign-in. That’s it. They’re out of everything in five seconds.”
Introducing Twingate slashed the volume of access-related support tickets by an estimated 95%, going from as many as twenty a month to a single monthly call. “It’s very easy to troubleshoot — either they’re not connected to Twingate, or they have a password issue.”
Calle expended little effort convincing Criteria’s leadership that switching from the firewall’s “free” VPN to Twingate’s solution made sense.
“Obviously, we spent more money on Twingate. But the overall ease of training and use, deployment simplicity, and reduced employee downtime more than pays for itself. What we spend with Twingate is money well spent.”
Twingate enhances Criteria’s compliance programs
Calle soon discovered that Twingate’s benefits extend beyond access management and productivity. “The biggest pain point in the company right now is compliance. We need ways to show our security to customers, and Twingate enables that.”
Criteria customers collect personally identifiable information from prospective, current, and former employees. Controlling who has access to that data and where is among the most critical factors in compliance with data privacy regulations in California, Europe, and Australia.
Even that isn’t enough. Although Criteria maintains ISO 27001 certification, the strict compliance standards in industries like finance and defense make it impossible for the company to land new business without documenting its security controls.
“Our salespeople come to us because they cannot close deals without these requests in place,” Calle said. “The problem is, there’s no standardization around how companies ask for this information. We’re constantly inundated with security questionnaires. It’s turned into a full-time role.”
Calle sees our Ephemeral Access feature as a promising way to manage Criteria’s third-party relationships by granting contractors limited-duration access to specific resources. Other ways Twingate streamlines security compliance include:
Controlling access to resources rather than networks to eliminate public-facing VPN gateways and hide resources from the public internet.
Protecting each resource with granular, least-privileged access rules that combine user roles, device posture checks, time-limited access, and other policies.
Providing audit logs of user and network activity to help meet compliance obligations.
“The easier any application is to use and document compliance, that’s a big win,” Calle said. “Twingate makes audits much easier. We can find out who’s in there, for how long, and then manage the entire thing with SSO groups from Azure.”