VPN Alternative: Tata Sons’ Shift to NetFoundry’s Zero Trust AppNets


Tata Sons is the principal investment holding company and promoter of Tata companies, India’s only value-based corporation – a visionary, a pioneer, a leader, since 1868. Tata group is a global enterprise comprising 13 companies across ten verticals. The group operates in 100 countries across six continents. 66% of the equity share capital of Tata Sons is held by philanthropic trusts, which support education, health, livelihood generation, and art and culture.

We wanted a VPN alternative to have an easy-to-use, seamless and secure solution for our users to connect to apps hosted across clouds from anywhere.

Case Study Highlights

Software-only, Zero Trust NetFoundry Cloud replaces multiple point solutions

The NetFoundry Cloud has enabled Tata Sons to replace SSL VPNs, jump hosts, MPLS VPNs and SD-WANs with a single Zero Trust overlay network and application-specific AppNets, without the need for any hardware. NetFoundry Cloud is a Network-as-a-Service offering of the NetFoundry Ziti Platform, hosted and managed by NetFoundry experts.

Global, Secure Network with Distributed Users and Applications

Tata Sons employees, along with other users, seamlessly access applications hosted across private and public clouds, as well as hosted data centers, from any location. Leveraging a zero trust network overlay, they achieve the highest levels of security, control, and visibility, with full adherence to zero trust principles. Whether on Windows or Mac devices, users assigned to NetFoundry AppNets are granted least-privilege, microsegmented network access to specific resources, ensuring secure connectivity to essential systems from any location.

Tata Sons needed a VPN alternative to improve its security across distributed environments. It required a zero trust architecture and transitioned from VPNs to NetFoundry AppNets.

Challenge

Overcoming security concerns and optimizing network design

Tata Sons wanted to improve its IT security posture, moving away from vulnerable VPN technology and multiple point solutions that hampered performance. The goal was to find a VPN alternative that gave users seamless and secure access to apps, from the office or anywhere, with consistent application performance. Tata Sons had deployed SSL VPN for remote access, plus IPsec or MPLS VPN and P2P links, to connect offices and employees working from anywhere to apps hosted in the private DC, the Azure public cloud and a hosted DC. Tata Sons wanted to improve its security posture and overcome the performance bottlenecks caused by VPNs and point solutions. With the advent of zero trust architecture and software-defined networks, Tata Sons wanted to explore alternative solutions that would help meet its security, performance, agility and visibility goals and be ready for future growth.

VPN alternative and network for the future: Distributed apps and users with complete visibility and control

Tata Sons had moved apps to Azure and a hosted cloud provider, while some apps remained hosted at the private DC. Tata Sons employees access apps from the branch locations or anywhere. There was also a requirement to interconnect the environments, namely the Azure cloud, the DC and the hosted cloud. With COVID-19 changing the future of work culture, Tata Sons wanted to provide a seamless and productive experience to users wherever they were located. The new solution was required to support users connecting with a variety of devices, including personal (BYOD) laptops and desktop PCs along with corporate-supplied laptops. The existing internet connections and infrastructure at offices, private data centers, and hosted clouds had to be utilized for the new solution, while remote users could connect using any available home internet service. The old approach would not be secure enough. Tata Sons needed a VPN alternative.

With NetFoundry Cloud implementation, Tata Sons experienced the following gains:

3 solutions replaced by NetFoundry Cloud: SSL VPNs for remote users; MPLS VPN for branches, DC and cloud; and SD-WAN

99.999% uptime in the last 4 years

70% reduced cost compared to point solutions

NetFoundry Cloud Zero Trust Architecture

Inherent Features By Design

1. Secure-by-default, private zero trust fabric overlay renders all apps and resources invisible to the Internet, with no listening or open firewall ports or IPs

2. Routers on HA with automated load sharing of traffic ensure highest availability at Azure Cloud and private DC

3. Communication is outbound only, requiring no listening IPs or ports and no firewall holes. Service binding via reverse communication is only permitted by AppNet association

4. Least privileged micro-segmented app connections for users and admin to access each application hosted across multiple cloud / DCs

5. Exceeds guidelines provided by NIST for zero trust architecture. Implemented with mutual TLS (mTLS), ChaCha20-Poly1305 encryption and bi-directional X.509 certificate-based identity and authentication

6. Authenticate before connect: If a registered endpoint is not permitted to access a resource, it will never communicate to, or have awareness of, the provider of the resource unless provisioned to it

Solution

Achieving critical security across the organization with AppNets, a VPN alternative

The integration of NetFoundry Cloud into Tata Sons’ infrastructure and apps allowed the company to immediately remove its complex dependencies on VPNs, mitigate issues with multiple point solutions and achieve deep insights into metrics such as application and endpoint utilization, dial logs, etc. With little to no friction, users and apps were migrated to the NetFoundry Cloud platform from the existing setup. The ability to embed zero trust networking for various use cases, such as (1) remote access for employees to distributed apps, (2) connectivity from branches to distributed apps, and (3) hybrid cloud connect for data center and public cloud interconnect, enabled the company to achieve unparalleled security and optimal performance.

The Tata Sons IT security architecture now exceeds the NIST framework on zero trust architectures for the network layer. NetFoundry Cloud authorizes each end-to-end encrypted session for least privileged access, creating microsegmented networks for each user group that prevent lateral movement of attacks between AppNets (microsegmented networks). Unlike the former complexities associated with the use of VPNs, which exposed the vulnerabilities of the public internet, NetFoundry’s solution closes all inbound ports at the customer edge. The apps and endpoints are dark to the internet. This approach by itself keeps most internet-originated attacks at bay.

Simple, efficient and performant 

NetFoundry Cloud eliminated Tata Sons’ complex and expensive “bolted-on” infrastructure and reduced the wait times to onboard apps and users. The smart routing fabric provides the least-latency path over the Internet between any two communicating endpoints. The network can be extended to anywhere in the world on demand. The routers are deployed with high availability at Azure cloud and hosted cloud. The NetFoundry Cloud HA routers provide default load sharing of traffic so that the resources are optimally utilized while providing redundancy.

Operational simplifications and consistently high uptime

Tata Sons has been using the NetFoundry Cloud platform for 4 years since 2020 and over the years, there has been a proven track record of > 99.999% uptime. A user-friendly UI for admins and the use of attributes for identities and services in the service policies have greatly simplified operations for the admins in the IT team. The user group and role level controls, with specific micro-segmented AppNets (service policies) and least privilege access, help the security team with all the required control and exceed any audit and compliance requirements of any globally recognized security control or standard. The NetFoundry Cloud metrics provide deep insights to the Tata Sons IT team. With the NetFoundry Cloud zero trust mesh network available across all DC, branch, user device / Cloud and hosted cloud locations, Tata Sons has complete reach of a military-grade zero trust network that can scale on demand, expand globally and be available across any new edge or cloud. NetFoundry Cloud has made Tata Sons’ network security “Future Ready”.

 

“We made the right choice by selecting NetFoundry. The platform is user-friendly, allowing our users with swift connections to accomplish tasks. Also, the solution works well with least overheads, enabling our users to connect seamlessly even with low bandwidth networks.”

Royen Fernandes, Tata Sons IT

Tata Sons achieved enhanced security by replacing VPNs with NetFoundry’s zero trust platform and AppNets, enabling seamless management and performance.

About NetFoundry

Networking was once a barrier to app innovation and automation, with dependencies on after-the-fact security and performance engineering. NetFoundry is shifting the paradigm in cybersecurity by embedding zero trust networking and security as code. Our NetFoundry Cloud solution embeds zero trust as software into apps, APIs, IoT devices, and other valuable assets, rendering critical infrastructure invisible to the internet and unreachable by potential attackers. It is the world’s first programmable, cloud native, zero trust network with near unlimited scale, concurrency, and performance. NetFoundry Cloud represents a new art of the impossible by enabling developers, network engineers, DevOps, and cloud teams to programmatically control private, zero trust, high performance networking. NetFoundry Cloud is built on NetFoundry’s Ziti platform, which is part of the OpenZiti project, the world’s most used and widely integrated open source networking platform.