Defining InfoSec’s role in the organization

Shortly after joining Zappi, Hatitye Chindove joined the cloud infrastructure team to work on the platform’s security features — a great fit for his prior experience in digital forensics. Soon, Zappi CTO Brendon McLean tapped Chindove to lead the company’s information security and privacy efforts.

Chindove’s journey shaped his view of security’s relationship with both end users and the business. For users, that means putting yourself in their shoes.

“What got me into software in the first place was solving problems for humans at scale,” said Chindove. “With InfoSec tools, people expect a bit of a hassle to get in, but not too much. Otherwise, they start to look for ways to circumvent the process. So you want to strike this fine balance.”

“Security is a necessary evil” is the mindset Chindove instills in his team for understanding security’s role in the organization. “You don’t start a business to run a security department,” Chindove explained. “You’re in the business of selling something. We are here to add assurances to the business.”

Zappi’s test-driven security vendor selection

When Chindove took on his security role, Zappi’s growth strategy depended on larger clients that would expect vendors to have strong security controls. However, the company did not have a centralized access control system. Access to a Redshift data warehouse went through a VPN, but most of Zappi’s infrastructure was a mix of public cloud and SaaS services that engineers accessed directly.

One of the biggest challenges was developing and enforcing policies that combined rules based on users, devices, and public SaaS applications.

“You could write a policy, but to police it without being overly invasive was quite hard,” said Chindove. “We started looking for solutions that could fit, adopting test-driven development principles by writing down the expected behavior before deploying them in the field. That way we can recognize emerging outcomes like people getting frustrated with the technology.”

Ultimately, Chindove decided Zappi needed to implement a secure access solution based on Zero Trust principles. “Our small organization has a mobile-first, cloud-first workforce,” he said. “If we can’t get people behind a perimeter, what could we do? I researched Zero Trust when doing my master’s, so I focused there.”

Simplifying and unifying access with Twingate

Twingate’s Zero Trust Network Access (ZTNA) solution replaces the hub-and-spoke topology of legacy technologies with direct, encrypted peer-to-peer connections between each user’s device and the specific resources they work on. This software-based approach consolidates on-premises and cloud access control within a single tool so that admins can streamline access management.

Other vendors Chindove considered offered interesting features but would make life more difficult for his team. Some required dual access gateways and the infrastructure to support them. Others required migrating Zappi’s IdP and SSO capabilities to the vendors’ infrastructure. In either case, the complexity quickly mounted.

When Chindove began evaluating Twingate, he saw something different. “With Twingate, you set up the Connector and just put it behind the gate. That’s it. Within a month, we had our development pipeline covered with very low risk.”

Flip ROI discussions from security to the business

Quickly gathering evidence in the field made it easier for Chindove to show how Twingate was the right choice for Zappi’s security infrastructure. Chindove’s business-focused view of InfoSec’s role shapes how he makes the case for security investments. 

“The value of security is hard to demonstrate in a data-driven way,” Chindove explained. “You don’t say it’s a security risk, but flip it as a business risk. We articulate clearly security’s operational, legal, capital, and liquidity-related impacts. If you aren’t stating the business problem, your negotiations for any investment are going to be very hard.”

For instance, the financial impact of a security breach may not be directly measurable. However, showing business owners that having an asset inaccessible to X number of people for Y amount of time puts the risk in perspective. 

Understanding the power of Twingate

Easy implementation was one benefit of choosing Twingate, but Twingate’s approach to secure access also aligns with Chindove’s philosophy of solving human problems. The Twingate Client runs transparently on a user’s device, integrates with Zappi’s identity provider, and seamlessly enforces access policies. After the single sign-on, a user can access any assigned resource without juggling multiple credentials.  

“If you want your engineers to love you, give them something that is harder to circumvent,” said Chindove. “That’s what Twingate gave us — it’s easier to do the right thing than the wrong thing.”

Since Zappi’s infrastructure spans multiple cloud platforms and SaaS providers, Twingate’s ability to protect server-to-server communication tunnels was invaluable. Previously, his InfoSec team would have to wait for Zappi’s infrastructure team to set things up. 

The Twingate experience is much different. Service accounts let DevOps teams incorporate consistent, centrally managed access controls in applications and CI/CD pipelines. Headless clients and service keys let teams automate the service’s access to authorized resources so, for instance, SaaS applications can communicate with private resources.

“An engineer said to me, ‘Now I understand the power of Twingate.’ It took him thirty minutes to connect part of our EC2 infrastructure with ClickHouse across an untrusted network. In my opinion, this quick time to value is Twingate’s key differentiator.”

Building a long term partnership

As Twingate continues to expand its platform of Zero Trust tools, Chindove remains impressed with Twingate’s commitment to bringing simplicity to customers’ security stacks. “Simplicity has been your mark of genius at Twingate,” he said.

One new product area the Zappi team has begun experimenting with is Twingate Internet Security. When the team began testing Twingate’s DNS-level security and content filtering capabilities, Chindove called it a “jaw dropping, near perfect solution.” 

Request a demo to learn how quickly Twingate returns value, or sign up for Twingate’s free Starter tier for individuals and small teams to test Zero Trust Network Access on your infrastructure.