Pomerium is an identity-aware access proxy. Pomerium can be used to:
- enable secure remote access to internal websites, without a VPN.
- provide unified authentication (SSO) using the identity provider of your choice.
- enforce dynamic access policy based on context, identity, and device state.
- aggregate access logs and telemetry data.
Perimeter security's shortcomings
- Perimeter security does a poor job of addressing the insider threat, and roughly 28 percent of breaches involve internal actors.
- The "impenetrable fortress" theory of perimeter security is anything but in practice: most corporate networks have multiple entry points, sprawling firewall rule sets, and constant pressure to expand the segmentation boundaries.
- Even defining what the perimeter is has become difficult, as corporate networks now consist of an increasingly heterogeneous mix of on-premise, public, and private clouds.
- VPNs frustrate end users, give a false sense of security, and often fail to provide defense in depth: once inside, a client is typically on the flat internal network.
Or, for the visually inclined, the leaked NSA slide captioned "SSL added and removed here :^)".
Pomerium -- and zero-trust more broadly -- attempts to mitigate these shortcomings by adopting principles like:
- Trust flows from identity, device state, and context, not from network location.
- Treat both internal and external networks as completely untrusted.
- Act as if you are already breached, because you probably are.
- Every device, user, and application's communication should be authenticated, authorized, and encrypted.
- Access policy should be dynamic and built from multiple sources (identity provider, device inventory, request context).
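As an added example (not code from the Pomerium README or project itself), the following config.yaml expresses the principles above using Pomerium's documented route and policy syntax: identity comes from an external identity provider, every route is fronted by TLS, and access is decided per route from identity claims and request context rather than from source IP. The hostnames, upstream addresses, IdP choice, and group names are assumptions.

```yaml
# Added example config for Pomerium; hostnames, upstreams and group names are assumptions.

# Users are sent here to sign in; identity is established by the IdP, not by the network.
authenticate_service_url: https://authenticate.corp.example.com

# Unified SSO through the identity provider of your choice (Google assumed here).
idp_provider: google
idp_client_id: REPLACE_WITH_CLIENT_ID
idp_client_secret: REPLACE_WITH_CLIENT_SECRET

# Secrets for service-to-service authentication and session cookie encryption.
shared_secret: REPLACE_WITH_BASE64_SECRET
cookie_secret: REPLACE_WITH_BASE64_SECRET

routes:
  # Internal wiki: anyone in the corporate domain may read it,
  # but only members of the "wiki-editors" group may change it.
  - from: https://wiki.corp.example.com
    to: http://wiki.internal:8080
    policy:
      - allow:
          and:
            - domain:
                is: corp.example.com
            - http_method:
                is: GET
      - allow:
          and:
            - domain:
                is: corp.example.com
            - groups:
                has: wiki-editors

  # Admin console: contractors are denied outright (deny rules take precedence),
  # and only SREs with a corporate e-mail address are allowed.
  - from: https://admin.corp.example.com
    to: http://admin.internal:9000
    policy:
      - deny:
          or:
            - email:
                ends_with: "@contractors.example.com"
      - allow:
          and:
            - groups:
                has: sre
            - email:
                ends_with: "@corp.example.com"
```

Note that neither route mentions an IP range or a VPN: a request from inside the office and one from a coffee shop are evaluated identically, which is the point of the "network location is not trust" principle. Because the proxy terminates TLS on the `from` hostname and re-encrypts or forwards to `to`, the upstream never needs to be reachable directly, so the old network perimeter becomes irrelevant to the access decision.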
Typically this approach to security is called either zero trust or BeyondCorp-inspired. Here's a curated list of resources covering the topic:
- "Zero Trust Networks" by Gilman and Barth
- Forrester: "Build Security Into Your Network's DNA: The Zero Trust Network Architecture"
- Google BeyondCorp 1, an overview: "A New Approach to Enterprise Security"
- Google BeyondCorp 2, how Google did it: "Design to Deployment at Google"
- Google BeyondCorp 3, Google's front-end infrastructure: "The Access Proxy"
- Google BeyondCorp 4, migrating to BeyondCorp: "Maintaining Productivity While Improving Security"
- Google BeyondCorp 5, the human element: "The User Experience"
- Google BeyondCorp 6, secure your endpoints: "Building a Healthy Fleet"
- Google: "Securing your business and securing your fleet the BeyondCorp way"
- Google: "Preparing for a BeyondCorp world: Understanding your device inventory"
- Google: "How BeyondCorp can help businesses be more productive"
- Google: "How to use BeyondCorp to ditch your VPN, improve security and go to the cloud"
- Wall Street Journal: "Google Moves Its Corporate Applications to the Internet"
- USENIX Enigma 2016: "NSA TAO Chief on Disrupting Nation State Hackers"
- "What, Why, and How of Zero Trust Networking" by Armon Dadgar, HashiCorp
- O'Reilly Security 2017 NYC: "BeyondCorp: Beyond Fortress Security" by Neal Muller, Google
- "Be Ready for BeyondCorp: enterprise identity, perimeters and your application" by Jason Kent