Company Background
Stellenbosch University (SU) is a proud knowledge hub that serves South Africa and the African continent through excellent education, research, and innovation. SU’s vision is to be Africa’s leading research-intensive university, globally recognized as excellent, inclusive and innovative, where SU advances knowledge in service of society. With approximately 32,000 students, 3,300 staff, and world-class academic environments, SU is not only counted among South Africa’s leading higher education institutions, but among the top universities in the world. SU’s ten faculties – AgriSciences, Arts and Social Sciences, Economic and Management Sciences, Education, Engineering, Law, Medicine and Health Sciences, Military Science, Science, and Theology – are located across five campuses in the Western Cape province of South Africa.
Stellenbosch University’s Challenges
Research in Computer Science changes as fast as the IT industry, if not faster. There are new ideas, research requirements, and student projects every week. Enabling good research and learning without compromising on security requires a flexible, safe, and “batteries included” solution.
Andrew James Collett, Senior Technical Officer & System Administrator
Stellenbosch University’s students and staff members are constantly testing new projects that need to be exposed to the internet. Unfortunately, these applications and services are not persistent enough to warrant an unending number of support tickets to their Information and Communications Technology (ICT) department for each use case. Additionally, Computer Science has internal services and websites, such as JupyterHub, that they need to expose for their users to collaborate in a consistent and redundant environment. Therefore, Computer Science began looking for a scaling access solution that could secure their apps and services without the headaches of a VPN.
Journey Away From the VPN
The VPN solutions offered at the time gave inconsistent experiences across different platforms. During COVID, the Computer Science department recognized that the VPN works to grant access in, but they really needed a way to securely expose services outwards.
Stellenbosch initially began to use NGINX as a reverse proxy with the CAS plugin for authentication, but found that this solution did not scale with their large numbers of students. They needed a solution that could group users together instead of individual identifiers, and also did not want to use generic passwords shared among the students. After the Computer Science department tested OAuth2-proxy several times, they settled on Pomerium’s flexible features to serve their needs.
Full VPN’s should be the last idea implemented to give access to internal resources. Especially when there are alternatives that expose only select services with greater security, like the zero-trust implementation in Pomerium.
Andrew James Collett, Senior Technical Officer & System Administrator
Simplifying and Saving Infrastructure
Stellenbosch enjoys cost savings on cloud and infrastructure because Pomerium is deployed directly on their hardware, right in front of the services and applications they need to protect. Not only has this saved Stellenbosch’s Computer Science department time and resources, it provides a better user experience when it comes to latency and speed.
Compliance and Security Standards
Considering most browsers suggest, and sometimes even require ever higher security standards, I would not be surprised that more and more sites and services are forced to use better security with more standardized authentication flows in order to stay relevant.
Andrew James Collett, Senior Technical Officer & System Administrator
Because HTTP encryption is integrated directly into Pomerium along flexible header settings, Stellenbosch can easily comply with website certificate and security standards. Their users trust them and the university enjoys a professional “brand” when it comes to their online presence.
Future Outlook
Stellenbosch is already evaluating whether the university should place more applications, websites, and services behind Pomerium for easier management, access control, and better user experience.
I look forward to a more unified way of accessing sites and resources, that doesn’t require new credentials for each service, and keeps everything that is exposed to the same high standard.
Andrew James Collett, Senior Technical Officer & System Administrator
To learn how your company can also benefit from deploying Pomerium on your infrastructure, get started here.