mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-05 21:36:02 +02:00
Latest commit message:
- authenticate: set cookie secure as default.
- authenticate: remove single flight provider.
- authenticate/providers: Rename "ProviderData" to "IdentityProvider"
- authenticate/providers: Fixed an issue where scopes were not being overwritten
- proxy/authenticate: http client code removed.
- proxy: standardized session variable names between services.
- docs: change basic docker-config to be an "all-in-one" example with no nginx load.
- docs: nginx balanced docker compose example with intra-ingress settings.
- license: attribution for adaptation of goji's middleware pattern.

Directory listing:
- examples
- gitlab
- microsoft
- okta
- signed-headers
- examples.md
- identity-providers.md
- readme.md
- signed-headers.md
Overview
What
Pomerium is an open-source, identity-aware access proxy.
Why
Traditional perimeter security has some shortcomings, namely:
- Insider threat is not well addressed and 28% of breaches are by internal actors.
- Impenetrable fortress in theory falls in practice; multiple entry points (like VPNs), lots of firewall rules, network segmentation creep.
- Failure to encapsulate a heterogeneous mix of cloud, on-premise, and multi-cloud environments.
- Users don't like VPNs.
Pomerium attempts to mitigate these shortcomings by adopting the following principles.
- Trust flows from user, device, and context.
- Network location does not impart trust. Treat both internal and external networks as completely untrusted.
- Act like you are already breached, because you probably are.
- Every device, user, and application's communication should be authenticated, authorized, and encrypted.
- Policy should be dynamic, and built from multiple sources.
Resources
Books
- Zero Trust Networks by Gilman and Barth
Papers
- Forrester Build Security Into Your Network's DNA: The Zero Trust Network Architecture
- Google BeyondCorp 1 An overview: "A New Approach to Enterprise Security"
- Google BeyondCorp 2 How Google did it: "Design to Deployment at Google"
- Google BeyondCorp 3 Google's front-end infrastructure: "The Access Proxy"
- Google BeyondCorp 4 Migrating to BeyondCorp: Maintaining Productivity While Improving Security
- Google BeyondCorp 5 The human element: "The User Experience"
- Google BeyondCorp 6 Secure your endpoints: "Building a Healthy Fleet"
Posts
- Google Securing your business and securing your fleet the BeyondCorp way
- Google Preparing for a BeyondCorp world: Understanding your device inventory
- Google How BeyondCorp can help businesses be more productive
- Google How to use BeyondCorp to ditch your VPN, improve security and go to the cloud
- Wall Street Journal Google Moves Its Corporate Applications to the Internet
Videos
- USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers
- What, Why, and How of Zero Trust Networking by Armon Dadgar, Hashicorp
- O'Reilly Security 2017 NYC Beyondcorp: Beyond Fortress Security by Neal Muller, Google
- Be Ready for BeyondCorp: enterprise identity, perimeters and your application by Jason Kent