Over the past few decades, securing remote access has become monumentally more complex. Remote work, with all of its benefits, has also amplified the threats of shadow IT and unauthorized remote access.
Companies now need to secure their systems by guarding five pillars: identities, applications, devices, data, and networks.
Even so, there’s a gap between the people, devices, and applications that we trust to access sensitive data, and those that actually do in practice (this is called the “Access-trust Gap”). As such, we created 1Password Extended Access Management® to give companies complete visibility and control over the user identities and devices that access their resources.
When it comes to securing data at the network level, companies have various options to add to their security stack. Two such options are Tailscale and Twingate.
Tailscale and Twingate each take different approaches to better fortify remote network access. Where Tailscale seeks to improve and modernize VPN security, Twingate seeks to replace it altogether. While different, each of their offerings is a best-in-class approach to Zero Trust Network Access (ZTNA).
As such, we couldn’t be more excited to announce that both Tailscale and Twingate have new integrations with 1Password Extended Access Management’s Device Trust solution. Here, we’ll explore how these integrations work and how they enable all of our products to better secure the complex systems of the modern workplace.
1Password Device Trust and Tailscale
Tailscale improves on legacy VPN options through techniques like peer-to-peer connections, secure mesh networks, and WireGuard encryption. Their “Tailnet lock” also ensures that new nodes can’t be added to a network unless they’re cryptographically signed by the network admins.
How the Tailscale integration works
Tailscale’s engineers have designed an integration that allows Tailscale Enterprise accounts and 1Password Device Trust plans to communicate and ensure that the network is secured from untrusted or noncompliant devices.
For the user
When an end user tries to access a network resource, they start by trying to connect to their company’s Tailscale network (or “tailnet”).
At that point, Tailscale queries 1Password Device Trust, which runs a series of posture checks on that user’s device. These checks are designed to ensure that this end-user device, whether a managed company computer or a BYOD device, is compliant with company security policy.
1Password Device Trust has a library of over 100 pre-built checks, including:
- Device OS is up-to-date.
- Browsers and other critical apps are updated.
- The device has antivirus enabled.
- The device itself is trusted and matches the device registered to your tailnet.
If a user’s device fails one of these checks (for instance, if the OS isn’t updated), then the device isn’t allowed to access the network until the user resolves the issue. (And as always, whenever the device trust agent blocks a user, it also provides detailed remediation instructions, so they can get unblocked and back to work.)
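As an added illustration of the gating logic just described (this is example code, not 1Password’s or Tailscale’s; the check names, version thresholds, node identifiers and device records are all constructed for the example), here is a small posture evaluator that runs every check, collects each failure together with a remediation message, and only allows the connection when all checks pass:

```python
"""Illustrative device-posture gate modelled on the checks described above.

Added example, not 1Password's or Tailscale's code. The check names, the
version thresholds and the device records are constructed for the example;
real deployments use the pre-built checks in the Device Trust console.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    # Constructed posture record; the fields are assumptions for the example.
    node_id: str            # identity the tailnet knows the device by
    os_version: tuple       # e.g. (14, 4); compared numerically, not as strings
    browser_version: tuple
    antivirus_enabled: bool


@dataclass
class Verdict:
    allowed: bool
    failures: list = field(default_factory=list)  # (check name, remediation)


# Minimum versions the hypothetical policy requires. Tuples compare
# element by element, so (14, 10) > (14, 4) as a version compare should.
MIN_OS = (14, 4)
MIN_BROWSER = (124, 0)


def posture_checks(device: Device, registered_node: str) -> Verdict:
    """Run every posture check and collect each failure with its remediation.

    Checks are not short-circuited: the user gets the full list of things to
    fix rather than discovering them one at a time.
    """
    failures = []
    if device.node_id != registered_node:
        failures.append(("device identity",
                         "This device is not the one registered to your tailnet; enrol it before connecting."))
    if device.os_version < MIN_OS:
        failures.append(("os up-to-date",
                         f"Update the OS to {'.'.join(map(str, MIN_OS))} or later."))
    if device.browser_version < MIN_BROWSER:
        failures.append(("browser up-to-date",
                         f"Update the browser to version {MIN_BROWSER[0]} or later."))
    if not device.antivirus_enabled:
        failures.append(("antivirus enabled",
                         "Turn on the antivirus agent and confirm it is running."))
    return Verdict(allowed=not failures, failures=failures)


def gate_connection(device: Device, registered_node: str):
    """Return (decision, messages): any failed check blocks the connection."""
    verdict = posture_checks(device, registered_node)
    if verdict.allowed:
        return "ALLOW", []
    return "BLOCK", [f"{name}: {fix}" for name, fix in verdict.failures]


if __name__ == "__main__":
    healthy = Device("node-a1", (14, 5), (125, 0), True)
    stale = Device("node-a1", (13, 6), (125, 0), False)
    for d in (healthy, stale):
        decision, messages = gate_connection(d, "node-a1")
        print(decision, *messages, sep="\n  ")
```

The identity check is deliberately evaluated alongside the health checks: a device that is fully patched but is not the node registered to the tailnet is still blocked, which is the distinction the fourth bullet above draws.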
For the admin
On the admin side, setting up this integration is simple. Admins begin in their 1Password Device Trust console, where they generate an API Key and assign an administrator to be responsible for how the key is used.
Then, they open Tailscale’s Admin Console. On the Device Management page, they can select the option to Configure the API Key to connect to 1Password XAM.
Once they’ve done so, they can:
- Inspect individual machines.
- Adjust the access rules for Tailscale.
- Schedule regular device posture synchronizations.
- Start generating audit logs.
In a nutshell: this integration enables admins to make sure that only trusted users and healthy devices are able to access their Tailnet.
1Password Device Trust and Twingate
Where Tailscale seeks to improve on legacy VPN offerings, Twingate provides an alternative to them altogether. Their ZTNA solution relies on four components:
- The Controller: This serves as the central admin coordination console for managing access.
- The Client: The client is the Twingate software component installed on user devices.
- The Connector: This is a mirror component of the client, which verifies the integrity of inbound client connections before forwarding the connection to managed resources.
- The Relay: This establishes unique, hash-based IDs for clients, and serves as the connection point between Clients and Connectors.
Twingate also works by generating Access Control Lists (ACLs), a list of the resources that individual Clients and Connectors are able to access. As they put it, this means that “…Twingate allows access to be granted on a per application basis.”
This allows for the implementation of least-privilege network access, and reduces the potential scope of breaches. Essentially, users are only able to access the resources that they’ve been authorized to access, and only once they’ve been granted access through those four components.
How the Twingate integration works
Through its new integration with 1Password Device Trust, Twingate admins can also ensure that those resources are only being accessed by trusted and healthy devices.
In many ways, this integration works similarly to the one with Tailscale.
For the user
When users attempt to access one of their work applications, they follow the standard Twingate authentication flow.
However, their company has also “delegated device trust” to 1Password Device Trust. This means that their device can only authenticate to those resources if it’s also authenticated through 1Password Device Trust.
If that user is using an unknown device, they won’t be able to authenticate until they’ve registered it as “trusted.” If they’re using an unhealthy device, they won’t be able to authenticate until they’ve remediated any issues and made sure it passes all of their company’s posture checks.
For the admin
For admins, setting up the integration will again require generating an API Key through their 1Password Device Trust console.
In Twingate, they should navigate to “Settings,” then “Device Integrations,” and select “Connect” next to the 1Password Device Trust option. They can then input the API Key, and Twingate will be able to access the authentication information for each device registered in 1Password Device Trust.
After this, admins need to configure the integration into “Device Security Trusted Profiles.” They will create a Trusted Profile, and select 1Password Device Trust as a “Verification Requirement.” Then, they can incorporate that profile in the “Security Policies” required to authenticate with Twingate.
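To show how per-application ACLs (described above) and a Trusted Profile that delegates verification to 1Password Device Trust combine into a single access decision, here is an added example. It is not Twingate’s or 1Password’s code; the groups, resources, profile and policy names are constructed. It distinguishes the unknown-device and unhealthy-device outcomes described above and denies anything that no policy grants:

```python
"""Per-application access decision with a delegated device-trust requirement,
modelled on the Twingate Trusted Profile and Security Policy flow above.

Added example, not Twingate's or 1Password's code. Group names, resources,
profiles and policies are constructed; in practice the Controller derives the
ACLs from the admin's Security Policies.
"""
from enum import Enum


class DeviceTrust(Enum):
    UNKNOWN = "unknown"      # device never registered with the trust provider
    UNHEALTHY = "unhealthy"  # registered, but currently failing a posture check
    TRUSTED = "trusted"      # registered and passing all posture checks


# Trusted Profiles: named sets of verification requirements (constructed).
TRUSTED_PROFILES = {
    "corp-device": {"verification": "1password-device-trust"},
}

# Security Policies: which groups may reach which resource, and under which
# Trusted Profile. Anything not matched by a rule is denied (default deny).
SECURITY_POLICIES = [
    {"groups": {"engineering"}, "resource": "git.internal", "profile": "corp-device"},
    {"groups": {"engineering", "sales"}, "resource": "wiki.internal", "profile": None},
]

GROUPS = {"alice": {"engineering"}, "bob": {"sales"}}  # constructed directory


def device_satisfies(profile_name, device_trust):
    """A profile that delegates verification to the device-trust provider is
    satisfied only by a TRUSTED verdict; a rule with no profile skips the check."""
    if profile_name is None:
        return True, None
    profile = TRUSTED_PROFILES[profile_name]
    if profile["verification"] != "1password-device-trust":
        return False, "unsupported verification requirement"  # fail closed
    if device_trust is DeviceTrust.UNKNOWN:
        return False, "device not registered as trusted"
    if device_trust is DeviceTrust.UNHEALTHY:
        return False, "device failing posture checks; remediate and retry"
    return True, None


def decide(user, resource, device_trust):
    """Return (allowed, reason) for one Client request to one resource."""
    user_groups = GROUPS.get(user, set())
    matching = [r for r in SECURITY_POLICIES
                if r["resource"] == resource and r["groups"] & user_groups]
    if not matching:
        return False, "no policy grants this user access to this resource"
    # The request is allowed if any matching rule's profile is satisfied;
    # otherwise report why each candidate rule rejected the device.
    reasons = []
    for rule in matching:
        ok, why = device_satisfies(rule["profile"], device_trust)
        if ok:
            return True, "allowed"
        reasons.append(why)
    return False, "; ".join(reasons)


if __name__ == "__main__":
    for who, what, state in [("alice", "git.internal", DeviceTrust.TRUSTED),
                             ("alice", "git.internal", DeviceTrust.UNHEALTHY),
                             ("bob", "git.internal", DeviceTrust.TRUSTED)]:
        print(who, what, state.value, "->", decide(who, what, state))
```

Authorization (is this user granted this resource?) and device verification (does the device meet the Trusted Profile?) are evaluated as separate gates, so a denial reports which one failed, matching the separate "unknown device" and "unhealthy device" messages the user sees.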
Better together: enhance Zero Trust through integration
We’ll borrow a metaphor from Twingate: “In the physical world, walled castles have been replaced by borderless cities…”
In a modern remote company, systems are sprawling and amorphous, borders are ever-changing, and security needs to be able to secure every entrypoint possible.
That’s why these partnerships are so valuable. By integrating 1Password Device Trust with Tailscale or Twingate, teams can take a holistic view of security and unify their Zero Trust architecture. Together, we can ensure that networks are only accessed by trusted and compliant devices. That can make a world of difference in preventing attacks, and ensuring that sensitive data stays secure.
We extend our huge thanks to the teams at Tailscale and Twingate for their work in making these integrations happen. Here’s to all of us being able to do even more to secure the companies we serve!
Want to learn more about how your team can integrate 1Password Device Trust with your existing security systems? Reach out for a demo!
Do you have an idea for more amazing integrations with 1Password Device Trust? Shoot us an email to start building with us! tech-partnerships@agilebits.com