EdTech Case Study

How Pomerium enables remote access without a VPN

John Cantu is a Senior Security Engineer. His role includes planning IT security strategies and policies as well as developing technical solutions to automate testing and auditing. After obtaining a BS in Computer Information Science, John went on to serve in the US Air Force as a Nuclear and Missile Operations Officer and as a Space Operations Officer, leaving the service as a Captain. John also received a master’s degree in Information Assurance while serving in the military.

Company background

John acts as the security lead for a Seattle-based educational technology company focused on making math fun for K-8 students. The company’s online math program adapts to each student’s skill level and helps students increase their competencies through fun and engaging lessons.

Challenges

Prior to using Pomerium, John’s organization had relied on presence within the company’s internal network to control employee’s access to internal applications. However, as the company began to mature, John and the security team wanted to implement better access control mechanisms across the organization. During this transitory phase, John discovered Pomerium and decided to try using it to authenticate and authorize internal applications. Pomerium has allowed John to achieve (1) secure, remote access without a VPN, (2) federated identity in conjunction with Okta, and (3) least-privileged, role-based access control. 

Why Pomerium?

Enables remote access without a VPN

Before implementing Pomerium, John and his organization relied on a full-tunnel VPN for remote access. However, when forced to quickly transition to a fully remote workforce in March 2020 due to COVID-19, John found their current VPN solution lacking. With a VPN, all traffic is routed to a company’s servers and then back out to the internet, but when employees are working across the country, this makes for a frustrating and unwieldy user experience. Depending on the application, John’s team now uses either an AWS split-tunnel VPN or Pomerium to gate their internal resources. This goes against the common myth that zero trust adoption has to be all or nothing. Right now, in their digital transformation, using a combination of a perimeter-based VPN and context-aware proxy for internal access has allowed them to achieve lower latency in their internal network, greater cost-savings, and an overall more productive workforce.

When we started working remotely…the entire company was trying to use our VPN connection and it just couldn’t handle the traffic. This forced us to accelerate our transition away from the corporate VPN.

John Cantu, Senior Security Engineer

Helps achieve federated identity

One of the organization’s broader security initiatives in the past year has been to achieve federated identity — the linking of a user’s electronic identity across multiple identity management systems. As part of this strategy, John needed to find a context-aware proxy that integrated with their identity provider of choice, Okta. Using Pomerium’s comprehensive Okta documentation, John was able to easily configure Pomerium with Okta and take his company a step closer to achieving federated access across all of their applications.

The fact that Pomerium was able to integrate with our preferred identity provider was significant for us.

John Cantu, Senior Security Engineer

Fulfills ISO 27001 compliance with role-based access controls

ISO 27001 is a common compliance requirement in the security industry that enforces the proper management of information security and risk controls within an organization. One of ISO’s essential security requirements is ensuring users are only provided with access to the network and services they have been specifically authorized to use. According to John, he uses Pomerium’s configuration settings to prove compliance during their annual audits:

Anywhere I have to demonstrate that we use role-based access control, I can use the group-based Pomerium configuration policy as evidence.

John Cantu, Senior Security Engineer

How Pomerium has paid off in the field

John has received great feedback from all different levels and departments in his organization after implementing Pomerium, but one specific example stood out to him. The sales and professional development teams are constantly traveling around to different schools to demonstrate their product and check-up on existing customers; however, before Pomerium, they had to demo the product using a VPN connection. John described the inefficiency of this approach:

They had to be on the VPN, but the VPN was not always reliable – especially when doing a video presentation and trying to use Zoom at the same time.

John Cantu, Senior Security Engineer

After getting rid of the VPN for almost all non-core IT services, the sales and professional development teams were able to demo and provide support for their product without any annoying latency or complicated set-up.

Now, they can access this internal facing application like any other web application.

John Cantu, Senior Security Engineer

Thank you very much to John and his team for their support of Pomerium, we look forward to our partnership in the future!