Written by Matthew Staver on March 21, 2019
Verdant Undergoes VPN Replacement with a Software Defined Perimeter
Matthew Staver talks about why Verdant Services selected Cyxtera AppGate SDP as a VPN replacement for secure remote access across their hybrid environments and to implement a Zero-Trust model.
Verdant is a consulting, hosting, and software solutions firm – my team is responsible for internal IT and public and private cloud hosting clients. Customers turn to us to host data for applications and to deliver those services across AWS and on-premises infrastructure.
Secure Access: VPN vs SDP
As longtime customers of AppGate Insight, we found AppGate SDP while seeking a VPN replacement. Our goals were to implement a zero-trust model, move away from an AnyConnect VPN, gain granular control of remote network access across offices, and support our remote employees’ work while at customer sites or travelling.
We began looking at micro-segmentation between applications, but weren’t able to fully support it from our endpoints. This was our main stumbling block. Managing many different user profiles to granularly control access on our VPNs was time-consuming and difficult. This solution wasn’t scalable, and was also challenging for change management. Furthermore, we needed to support a wide range of customer environment architectures, which included private and public cloud and hybrid architectures. For example, we often got requirements at the last minute for additional technical resources, but it was difficult to onboard them without giving too much access. We could make sure they could only authenticate to the applications they needed, but they still had access to unneeded servers. We couldn’t easily restrict access to just the specific resources needed for each role. It was a significant security concern.
We wanted to employ a Zero Trust model with users only allowed to view the resources they were entitled to access. We also needed a solution for hybrid environments, including AWS and on-premises, that was also provider-agnostic and a full-stack solution.
Evaluating a Software-Defined Perimeter: AppGate SDP
We looked at other vendors but found that they included many restrictions: being limited to specific vendor clouds or even being limited to web-based applications. We needed support for all protocols, including RDP and SSH. At this point, we ran a proof-of-concept (POC) with AppGate SDP. The test environment was built in two days and ran for another two; based on the success of the POC, our cloud infrastructure team went to a production implementation in a matter of days.
AppGate SDP provided us with an identity-centric secure access solution with granular controls. We were particularly impressed with AppGate SDP’s cloud-friendly build and its use of single packet authorization, a technology used for hiding network resources from attackers. In addition, Live Entitlements allowed us to quickly define the resources users could access via cloud resolvers supporting AWS tags. Live Entitlements are very flexible, easy to define, and easy to build – we created half of our Live Entitlements in a single day.
Benefits of AppGate SDP
- Single security construct across hybrid architectures: AppGate allows for user access entitlements and policies to work across our data centers and cloud environments. This prevents us from having to manage different security schemas for our hybrid environments.
- AppGate SDP resolvers for AWS: AppGate lets us define dynamic entitlements. When new servers are deployed into AWS, resolvers discover them and grant access to users entitled to their tags. This is more flexible than hardcoded, IP-specific rules and saves hours of configuration every time we modify the environment.
- Offload user traffic from backhaul connections: With AppGate, gateways sit at the edge of workloads, eliminating the need to connect multiple environments through site-to-site VPNs so users can traverse into them. With AppGate deployed, users ingress into the environment through the closest gateway, eliminating the need to traverse through backhaul connections.
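The tag-based entitlement idea described in the resolver item above, sketched as an added example that is not AppGate's code or API and not from the original post: a user's access is resolved from instance tags at decision time and denied by default, so a newly deployed server is covered without editing a rule, while a hardcoded IP rule is not. All names (`Instance`, `Entitlement`, `resolve`, `allowed`) and the inventory are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Instance:
    ip: str
    tags: frozenset  # (key, value) pairs, e.g. ("app", "billing")


@dataclass(frozen=True)
class Entitlement:
    name: str
    selector: frozenset  # every (key, value) pair here must be on the instance
    ports: tuple


def make_instance(ip, **tags):
    return Instance(ip, frozenset(tags.items()))


def resolve(entitlement, inventory):
    """Return the IPs whose tags satisfy the whole selector."""
    if not entitlement.selector:
        return []  # an empty selector would match every host: fail closed
    hits = (i.ip for i in inventory if entitlement.selector <= i.tags)
    return sorted(hits, key=ip_address)


def allowed(entitlements, inventory, dst_ip, port):
    """Deny by default; permit only a resolved host on a listed port."""
    return any(port in e.ports and dst_ip in resolve(e, inventory)
               for e in entitlements)


# Constructed sample data (not from the original post).
INVENTORY = [
    make_instance("10.0.1.10", app="billing", env="prod"),
    make_instance("10.0.1.11", app="billing", env="dev"),
    make_instance("10.0.2.20", app="hr", env="prod"),
]
CONTRACTOR = [Entitlement("billing-prod-ssh",
                          frozenset({("app", "billing"), ("env", "prod")}), (22,))]
STATIC_RULE = {"10.0.1.10"}  # hardcoded IP rule, for comparison
SCALED_OUT = INVENTORY + [make_instance("10.0.1.12", app="billing", env="prod")]

if __name__ == "__main__":
    print("before:", resolve(CONTRACTOR[0], INVENTORY))
    print("after: ", resolve(CONTRACTOR[0], SCALED_OUT))
    print("static rule covers new host:", "10.0.1.12" in STATIC_RULE)
```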
As a managed service provider, our customers trust us to secure their data. We are always looking to improve our security posture. AppGate SDP helped us achieve this goal.