Small 2-person startup going to market that has to comply with GDPR, PCI DSS, and a slew of other compliance requirements.
It is rather frustrating that multiple vendors require a minimum of 5 seats for business VPN plans. I only need to license 2 users, but I’m happy to do multi-year commitments. I hate the idea of unused licenses sitting around just to get through the door, and I’ll happily even do 3-5 year deals to avoid that waste.
The things I’m really wanting:
- SCIM (centrally managing via Azure AD)
- Single Sign On (via Azure AD)
- Reporting, logging, are all a plus.
Do you need VPN specifically, or could you use other tools, e.g. Twingate?
I ditched VPN and started using Twingate (free up to 5 users IIRC) earlier this year, and I won’t go back. Remote Desktop connections with high quality settings, and the delay is barely noticeable.
I don’t know about Azure AD integration, though. However, with just the two of you, that might not be as big of a problem?
I’m not 100% sure exactly how you expect the VPN to be used (neither GDPR nor PCI explicitly require a VPN), but Tailscale is an excellent piece of software and I believe it’s free up to 3 users.
Are the resources on-prem or cloud? Some firewalls come with two SSL-VPN licenses, but virtual appliances are often prohibitively expensive. For cloud, AWS has Client VPN, and I think Azure has an equivalent thing, but I’m an AWS guy.
As long as the VPN uses SAML I’m not sure how SCIM would come into play - you just control access to the app in AAD. I haven’t messed with SCIM though, so not my specialty.
I second Tailscale for a very quick VPN that’s also very performant and free for small use cases. It uses WireGuard, so if devices are on a local network, traffic between them is routed locally.
It has SSO, I don’t know what SCIM is, but their docs and support are excellent.
Edit: it has built-in support for “guest” access to networked devices too. I’ve used this for sharing access to an internal NAS. Not sure if it meets your security requirements or if you have other needs for the AD side.
I don’t have anything to recommend, but my two cents is that migrating later on is always a lot more work than people think, and when you grow fast, it is the kind of thing that never gets prioritized as there is always something else more important. So I wouldn’t make being startup-friendly a big criterion unless the pricing is really out of whack. Try to pick something for the long run.
Need VPN. I can’t risk our traffic being MITM’d, intercepted clear, or leaked.
The AAD integration is also important. Our organization is being designed to accommodate contractors and employees which should have a real-time onboarding process that is centrally managed/audited.
Thanks for the suggestion though! I was unfamiliar with Twingate.
Current resources are all cloud based. I’m not trying to use the VPN for gateway access, just to encrypt end user traffic within the org.
SAML facilitates SSO, but it doesn’t handle user lifecycle/license management, which is part of what I’m after. I’ll have a revolving door of contractors, and it’s important that their access is tied to a centralized governance mechanism.
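The SAML-versus-SCIM distinction raised above (SSO answers "who is this?", SCIM tells the vendor to create, deactivate or delete the account) can be made concrete with a small model of what an IdP pushes to a vendor's SCIM 2.0 endpoint. The following is an added example written for this thread, not code from Twingate, Tailscale or any other vendor mentioned here. It uses only the Python standard library, keeps users in memory, invents the `seat_limit` parameter to mirror the licensing concern in the original post, and includes one practitioner caveat: Azure AD has been observed sending the `active` attribute as the string `"False"` rather than a JSON boolean, so the handler accepts both.

```python
"""Minimal SCIM 2.0 provisioning target (constructed example, stdlib only).

Models what an IdP such as Azure AD pushes to a VPN vendor's SCIM endpoint:
POST /Users when a contractor is onboarded, PATCH active=false when they are
offboarded, DELETE when the object is removed. The gateway's access check
consults this store, so a deactivated user can no longer connect.
"""
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _as_bool(value):
    """Accept JSON booleans and the string-typed 'True'/'False' some IdPs send."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    raise ValueError(f"unsupported boolean encoding: {value!r}")


class ScimUserStore:
    def __init__(self, seat_limit):
        self.seat_limit = seat_limit  # hypothetical licensed-seat cap
        self.users = {}               # SCIM id -> User resource
        self.audit = []               # (utc timestamp, event, userName)

    def _log(self, event, user_name):
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, user_name))

    @staticmethod
    def _error(status, detail):
        return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

    def active_seats(self):
        return sum(1 for u in self.users.values() if u["active"])

    def _find_by_name(self, user_name):
        return next((u for u in self.users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    # POST /Users
    def create_user(self, body):
        if USER_SCHEMA not in body.get("schemas", []):
            return 400, self._error(400, "missing core User schema")
        name = body["userName"]
        if self._find_by_name(name) is not None:
            return 409, self._error(409, "uniqueness")
        active = _as_bool(body.get("active", True))
        if active and self.active_seats() >= self.seat_limit:
            return 409, self._error(409, "no licensed seats left")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                "userName": name, "active": active,
                "externalId": body.get("externalId")}
        self.users[user["id"]] = user
        self._log("created", name)
        return 201, user

    # PATCH /Users/{id}
    def patch_user(self, user_id, body):
        user = self.users.get(user_id)
        if user is None:
            return 404, self._error(404, "not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, self._error(400, "missing PatchOp schema")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":   # spec says lowercase; Azure AD capitalises
                return 400, self._error(400, f"unsupported op {op.get('op')!r}")
            path, value = op.get("path"), op.get("value")
            # Either {"path": "active", "value": "False"} or path-less {"value": {"active": false}}
            changes = {path: value} if path else dict(value)
            for attr, val in changes.items():
                if attr == "active":
                    new_active = _as_bool(val)
                    if new_active != user["active"]:
                        self._log("activated" if new_active else "deactivated", user["userName"])
                    user["active"] = new_active
                elif attr in ("userName", "externalId"):
                    user[attr] = val
                else:
                    return 400, self._error(400, f"unsupported attribute {attr!r}")
        return 200, user

    # DELETE /Users/{id}
    def delete_user(self, user_id):
        user = self.users.pop(user_id, None)
        if user is None:
            return 404, self._error(404, "not found")
        self._log("deleted", user["userName"])
        return 204, None

    def may_connect(self, user_name):
        """What the VPN gateway asks before accepting a session: known AND active."""
        user = self._find_by_name(user_name)
        return user is not None and user["active"]


def offboarding_demo():
    """Constructed walk-through: contractor provisioned, then deactivated by the IdP."""
    store = ScimUserStore(seat_limit=2)
    _, alice = store.create_user({"schemas": [USER_SCHEMA],
                                  "userName": "alice@example.com", "externalId": "aad-obj-1"})
    store.create_user({"schemas": [USER_SCHEMA], "userName": "bob@example.com"})
    before = store.may_connect("alice@example.com")
    store.patch_user(alice["id"], {"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
    after = store.may_connect("alice@example.com")
    return before, after, store.active_seats(), [event for _, event, _ in store.audit]
```

The point the thread makes is visible in `offboarding_demo`: SSO never has to change for Alice to lose access; the IdP's PATCH flips `active`, the gateway check fails, a seat frees up, and the audit trail records who was deactivated and when.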
No solution is 100% secure, but I like the way Twingate set up their security systems. If you use MFA for every user and every connection, then you should be quite safe.
Maybe it’s possible to successfully play MITM, but: Twingate operates on a zero-trust network, and uses application-level filters for user-identity-based authentication — not network-level. This means that whenever you access a resource, you’ll only be given access to that file, not the entire network. In case of a security breach, only that specific resource would be compromised.
And no incoming ports open on the firewall!
With VPN, users typically get access to the whole network.
Like you have an on-premise server and you want to provide access to remote users? Or you mean like run all users web browsing traffic through a VPN for some reason? I don’t understand the threat model here.
I’d definitely focus more on securing end user devices against malware than worrying about MITM of network traffic.
I understand, thanks. I already have an alternative implementation for zero trust architecture. I’m purely focused on securing end-user traffic; not using VPN to gate access to internal resources.
You can still use Twingate for that. Give it a go and do a “test-drive”. Check the speed difference with normal VPN, and also: it will only use this connection for the resources you’re accessing, i.e. you could run downloads in your background, they won’t be routed. This also reduces the impact on your business Internet connection.
FYI: not affiliated, no referral program, just a happy customer (using a free account)