Exposing your critical infrastructure to the public internet is never a good idea. Yet almost everyone does it. Open ports, SSH bastion hosts, and VPN gateways act as publicly reachable entry points into private networks. That one decision forces organizations to stitch together a patchwork of security products to safeguard the corporate network, which increases complexity, muddles visibility, and slows down their development teams.
It doesn’t have to be that way! With Tailscale, organizations can easily create software-defined perimeters across their environments to enforce the principle of least privilege everywhere. And they can do so without ever exposing their private networks to the public internet.
Network architecture à la Tailscale
First, some background. Tailscale, built on top of the WireGuard® protocol, is a zero-trust network overlay that works across any infrastructure. We provide a control plane to facilitate secure and authenticated connections directly between your nodes, and our policy engine manages fine-grained authorizations using identity as the unit of enforcement.
That design means it’s easy to get started with Tailscale and to incorporate it into your network incrementally. No need to purchase any additional routers or pieces of hardware. Simply download the software; the device your organization installs Tailscale on becomes your very first corporate node.
It’s also easy to bring more resources onto your network using the Infrastructure-as-Code (IaC) workflows your teams are probably already using. Insert an auth key into your IaC plan, and once the resource is applied and provisioned it automatically joins the tailnet and starts communicating with other resources. Auth keys used this way should be tagged, so the node gets the tag’s permissions rather than a person’s, and preferably ephemeral, so a node that is torn down disappears from the tailnet with it. Where you can’t install the client directly, as with embedded devices or large subnets, you can use subnet routers to establish secure connectivity to those resources.
Unlike a traditional VPN, Tailscale doesn’t require you to design your entire network up front, deciding where to place concentrators and gateways to guarantee performance and throughput. Tailscale uses UDP tunnels and NAT traversal to establish direct, peer-to-peer connections, so the hard work of network architecture is abstracted away while performance improves and latency drops. In the rare cases where a direct connection can’t be established, traffic is relayed through our DERP servers spread across the globe to ensure connectivity in any circumstance. Because the WireGuard keys never leave the nodes, a DERP relay only ever forwards ciphertext it cannot read.
Once you’ve established your organization’s universe of resources, Tailscale administrators can start populating users. Tailscale supports leading identity providers (IdPs) such as Okta and Microsoft Entra ID. These IdPs support SCIM, allowing organizations to automate user and group provisioning. Any change made in the IdP (such as onboarding or offboarding a user) is reflected in the tailnet automatically, so the tailnet always stays current. Administrators can then push Tailscale out to every authorized user using mobile device management (MDM) integrations. Now organizations can start executing their zero-trust strategies.
Defense in depth across any infrastructure
Identity is foundational to establishing defense in depth across the corporate network infrastructure. Tailscale is designed with this requirement in mind and integrates with leading IdPs to provide secure, seamless user authentication via SSO and MFA. On the back end, admins use Tailscale’s policy engine to decide which resources each user, role, and group is authorized to reach.
That’s especially important as workloads have expanded from being exclusively on-premises to now being distributed across clouds and various runtimes. The network perimeter is gone. The traditional castle-and-moat architecture breaks down in a microservice world, as is evident in the evolving threat landscape. The CrowdStrike 2023 Global Threat Report found that threat actors are moving away from malware-based attacks to credential-based attacks to gain initial access to cloud environments.
Building on a foundation of identity allows organizations to enforce the principle of least privilege and segment their network without introducing friction into the user experience. It also makes it easy to incorporate more advanced Tailscale features to secure your team.
With App Connectors, organizations can extend Tailscale’s access controls to third-party SaaS applications for geo-distributed teams. Combined with Device Posture, admins can impose continuous verification and gauge the trustworthiness of every device on the tailnet at connection time: a device that fails to meet the defined set of attributes is denied by the policy rules that reference that posture, and because posture attributes can also be set through the API, a status change reported by an endpoint tool takes effect in the policy. The final piece of an effective defense-in-depth strategy is continuous monitoring with an emphasis on privacy.
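The pieces above (tagged auth keys for IaC-provisioned nodes, subnet routers, group-based least privilege, device posture, and SSH with session recording) all meet in the tailnet policy file. The following is an added illustration of such a policy, not Tailscale’s own documentation or any real tailnet’s policy; the group members, tag names, the 10.20.0.0/16 range, and the version threshold are assumed values chosen for the example.

```hujson
// Example tailnet policy file (HuJSON). Added illustration only; the
// identities, tags, subnet and version threshold below are assumptions.
{
  // Groups normally arrive from the IdP via SCIM; they are listed inline
  // here so the file stands alone.
  "groups": {
    "group:infra": ["alice@example.com"],
    "group:eng":   ["bob@example.com", "carol@example.com"],
  },

  // Who may mint auth keys carrying these tags. A node provisioned from IaC
  // with a tagged, pre-authorized (ideally ephemeral) auth key joins with
  // the tag's permissions and no human user's identity attached.
  "tagOwners": {
    "tag:prod":          ["group:infra"],
    "tag:subnet-router": ["group:infra"],
    "tag:recorder":      ["group:infra"],
  },

  // A router tagged tag:subnet-router may advertise this range without an
  // admin approving the route by hand after each provisioning run.
  "autoApprovers": {
    "routes": {
      "10.20.0.0/16": ["tag:subnet-router"],
    },
  },

  // Posture conditions are evaluated for every connection; a device that
  // stops meeting them is denied by the rules that reference them.
  "postures": {
    "posture:managedLaptop": [
      "node:os IN ['macos', 'windows']",
      "node:tsVersion >= '1.60'",
    ],
  },

  // Anything not accepted below is denied: the policy is default-deny.
  "acls": [
    // Engineers reach production over HTTPS only, and only from a device
    // that satisfies the posture above.
    {
      "action":     "accept",
      "src":        ["group:eng"],
      "srcPosture": ["posture:managedLaptop"],
      "dst":        ["tag:prod:443"],
    },
    // Infra reaches prod and the legacy subnet behind the router on any port.
    {
      "action": "accept",
      "src":    ["group:infra"],
      "dst":    ["tag:prod:*", "10.20.0.0/16:*"],
    },
  ],

  // Tailscale SSH: infra may log in as a non-root user on prod, after
  // re-authenticating with the IdP ("check"); every session is recorded on
  // the node tagged tag:recorder, and refused if the recorder is unreachable.
  "ssh": [
    {
      "action":          "check",
      "src":             ["group:infra"],
      "dst":             ["tag:prod"],
      "users":           ["autogroup:nonroot"],
      "recorder":        ["tag:recorder"],
      "enforceRecorder": true,
    },
  ],
}
```

Two things to notice when reading it as a reviewer: no rule grants anything to a bare IP or to "*" as a source, so every accepted connection is traceable to an IdP identity or a tag; and removing a user from the IdP group removes every path in this file at once, which is what makes the SCIM offboarding described earlier complete rather than partial.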
A privacy-led approach to security
Security operations center (SOC) teams protect their organizations with tools like SIEMs, XDRs, and UEBAs to surface anomalous activity and remediate threats. These tools rely on logs generated by countless devices, machines, and actions; the tools analyze the logs, and if something suspicious is caught, an alert is sent to the SOC for investigation. Here lies the problem.
There’s too much data being generated, leading to a deluge of alerts and an increase in analyst fatigue. IDC projects the amount of data being generated at every company is growing at a 28% compounded annual rate. More data doesn’t equal better security. Certain practices are undermining the security they seek to achieve.
Deep packet inspection (DPI) is a popular technique in many enterprises today: traffic is forced through a designated central point where it is decrypted and inspected. DPI is intrusive, expensive, and largely ineffective against tactics like insider abuse and deliberate fragmentation of data across channels. An external attacker is unlikely to encrypt with keys your interception point can read, and unlikely to route traffic through the monitored chokepoint at all. DPI also generates large volumes of logs, and because those logs contain decrypted content they become an attack target in their own right; they are often stored in plain text, and even when encrypted at rest they add risk the organization did not need to take on. Long-term storage costs can also spiral once log volume reaches petabytes and beyond.
Tailscale instead provides a layered approach to security. Encryption, a vital component, secures all communications within the private network. Tailscale manages the public key distribution, but all private keys remain on each resource, securing your data from any potential prying eyes—including us.
That means the logs Tailscale produces are configuration audit logs, network flow logs (connection metadata such as source, destination, protocol, and byte counts, never payloads), and SSH session recordings: the essential elements a SOC needs to surface high-fidelity alerts, helping reduce alert fatigue and control ingest costs. As NIST put it in its Zero Trust Architecture publication (SP 800-207):
"That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network. The enterprise can collect metadata about the encrypted traffic and use that to detect an active attacker or possible malware communicating on the network. Machine learning techniques…can be used to analyze traffic that cannot be decrypted and examined."
Tailscale makes it possible to layer a privacy-led approach to security with proven defense-in-depth measures to protect against emerging threats without increasing complexity. The union of security and privacy means you reduce the likelihood of unintentional compliance violations while creating a safer enterprise overall that eliminates any implicit trust.
If you’re interested in improving the network security of your team, you can learn more about the benefits of bringing Tailscale to work.