I led a pivotal project to migrate our company’s VPN infrastructure from a self-hosted OpenVPN server to Twingate, a third-party SaaS solution. This migration was instrumental in implementing Zero-Trust Network Access (ZTNA) principles across the organization.
- Enhance Security: Our existing OpenVPN setup lacked support for modern authentication standards like Single Sign-On (SSO) and Multi-Factor Authentication (MFA). Upgrading was essential to boost security and maintain SOC compliance.
- Network Segmentation: The old infrastructure grouped resources into just two networks, preventing proper segmentation and granting users excessive access. We aimed to adopt ZTNA best practices by segmenting resources more effectively.
- Reduce Maintenance Overhead: Managing the self-hosted OpenVPN server required frequent security patches and maintenance, diverting resources from other critical tasks.
Recognizing critical weaknesses in our existing VPN infrastructure, I took the initiative—without a directive from leadership—to:
- Identify and Analyze Issues: Noticed the lack of modern authentication, inadequate network segmentation, and high maintenance demands affecting our security posture and operational efficiency.
- Develop a Comprehensive Improvement Plan: Crafted a strategic proposal to overhaul our VPN system, focusing on enhancing security and user experience.
- Recommend Optimal Solutions: Researched and evaluated potential platforms, ultimately recommending Twingate as the best fit for our needs.
- Lead the Implementation: Orchestrated the migration process, ensuring a seamless transition with near-zero downtime.
In addition, I:
- Collaborated Cross-Functionally: Worked closely with the Cloud Platform team to develop Infrastructure as Code (IaC) using Terraform for Twingate deployment and to design the appropriate network architecture in AWS.
- Optimized User Experience: Developed custom automations and communication strategies to ensure the new solution was user-friendly for both technical and non-technical team members.
Challenges
- Zero Downtime Requirement: Our developers relied heavily on VPN access for their daily tasks, making uninterrupted connectivity crucial.
- Complex Coordination: The project required synchronization between multiple teams and integration of various technologies.
- User Adoption: With a diverse user base, the solution needed to be intuitive to minimize disruption and support requests.
Solutions and Achievements
- Seamless Migration: Achieved near-zero downtime during the transition, allowing uninterrupted productivity.
- Custom Automations: Developed in-house automation tools leveraging APIs from Twingate and our Mobile Device Management systems to guide users through the migration. This included real-time updates on software uninstallation, Twingate installation, and proactive alerts for any issues.
- Rapid Adoption: Successfully migrated 90% of team members within a single day due to efficient communication and user-friendly processes.
- Consolidation of VPN Services: Unified our AWS (development) VPN and corporate VPN under Twingate, simplifying management and reducing costs.
The project was completed in an impressive six-month timeframe from initial discussions to full deployment. We now have resource-level network segmentation directly tied to AWS IAM groups, enabling synchronized logical and network access provisioning. The end-user experience remains seamless, but we’ve significantly enhanced our security infrastructure and identity and access management capabilities. This holistic implementation of zero-trust networking has strengthened our organization’s security posture and operational efficiency.
- Company: Built Technologies, Inc.
- Project Timeline: March 2024 - August 2024