How We Designed a Tamper-Evident SSH Recording System for Zero-Trust infrastructure


Introduction

Pomerium is a self-hosted zero-trust access proxy that secures access to applications, services, and infrastructure. Zero trust is a security model built around the idea that no user, device, or system should be implicitly trusted. Every request must be authenticated, authorized, and evaluated before access is granted.

We recently added SSH session recording to help organizations meet security and compliance requirements while applying zero-trust principles to one of their most sensitive sources of evidence.

In this post, we’ll explore the security model behind Pomerium’s SSH session recording system and how we applied zero-trust principles to the creation, storage, and verification of recorded sessions. We’ll also examine the mechanisms Pomerium uses to provide first-class evidence for the authenticity of those recordings.

Extending Zero-Trust principles to recordings

Zero trust does not stop at access control. The systems responsible for producing and storing session recordings are part of the trust boundary as well. Since session recordings often become critical evidence during audits and security investigations, users need strong guarantees that those recordings are authentic, complete, and tamper-evident.

Our system must be able to answer some fundamental questions about what a malicious actor can do after gaining some degree of privileged access:

  • Can they delete a recording?

  • Can they modify an existing recording?

  • Can they replace a legitimate recording with another one?

  • Can they create a fake recording that appears authentic?

If the answer to any of these questions is yes, then the recording can no longer be treated as reliable evidence of what has happened.

As a self-hosted solution, Pomerium follows a bring-your-own-infrastructure approach to Zero-Trust, integrating with external and self-hosted blob stores for querying and replaying recordings. Because storage is customer-controlled infrastructure with its own access paths and administrative controls, Pomerium cannot rely on the storage layer alone to establish trust in a recording. Instead, Pomerium provides built-in features that make unauthorized modifications detectable, auditable, and independently verifiable.

At a baseline, our recording security model is built around four principles:

  • Access to recordings within Pomerium is explicitly authorized.

  • Every access to recordings is auditable.

  • The integrity of recordings is independently verifiable.

  • Trust should not depend on a single administrator or operator doing the right thing.

Immutability

Pomerium treats recordings as immutable objects. Once any data associated with a recording is written, it is never modified in place. Any subsequent change to the underlying object must originate outside of Pomerium’s handling of recordings.

Many storage providers offer additional protections such as object locking, legal holds, and retention policies. When enabled, these controls satisfy the retention and immutability requirements of many privileged access management (PAM) compliance standards.

Because Pomerium never rewrites recordings, object versioning and storage audit logs provide a straightforward way to identify modifications that occurred outside of Pomerium's custody.

Integrity

Recordings carry their own integrity proof. The SSH reverse proxy independently generates a digest for the session data, which is verified against the final stored recording after it passes through the upload pipeline. If the digests do not match, the recording is rejected. Because the proxy computes its digest before the data enters the pipeline, any modification during processing or storage is detectable, and the same digest can be checked again whenever the recording is read back.
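The following Go program is an added illustration of that flow; it is not Pomerium's code, and the chunk data, the simulated upload pipeline, and SHA-256 as the digest algorithm are assumptions. The proxy side hashes each chunk as it forwards it, so the digest never depends on anything the pipeline does, and the verifier recomputes the digest over the stored object and rejects the recording on any mismatch:

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
)

// sessionDigester models the proxy side: every byte forwarded to the upload
// pipeline is also fed into a hash, so the proxy holds an independent digest
// that no later stage controls.
type sessionDigester struct {
	h hash.Hash
	w io.Writer
}

func newSessionDigester(dst io.Writer) *sessionDigester {
	return &sessionDigester{h: sha256.New(), w: dst}
}

func (d *sessionDigester) Write(p []byte) (int, error) {
	d.h.Write(p) // hash.Hash.Write never returns an error
	return d.w.Write(p)
}

func (d *sessionDigester) Digest() string {
	return hex.EncodeToString(d.h.Sum(nil))
}

// uploadPipeline stands in for the stages between proxy and blob store
// (assumed for this example). The tamper flag models a buggy or malicious stage.
func uploadPipeline(data []byte, tamper bool) []byte {
	out := append([]byte(nil), data...)
	if tamper && len(out) > 0 {
		out[len(out)/2] ^= 0x01 // flip a single bit mid-stream
	}
	return out
}

// verifyStored recomputes the digest over the stored object and compares it in
// constant time with the digest the proxy produced.
func verifyStored(stored []byte, proxyDigest string) error {
	want, err := hex.DecodeString(proxyDigest)
	if err != nil {
		return err
	}
	got := sha256.Sum256(stored)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("digest mismatch: recording rejected")
	}
	return nil
}

// recordSession runs one session through proxy, pipeline and verification and
// returns the proxy's digest plus the verification result (nil = accepted).
func recordSession(chunks [][]byte, tamper bool) (string, error) {
	var buf bytes.Buffer
	d := newSessionDigester(&buf)
	for _, c := range chunks {
		if _, err := d.Write(c); err != nil {
			return "", err
		}
	}
	stored := uploadPipeline(buf.Bytes(), tamper)
	digest := d.Digest()
	return digest, verifyStored(stored, digest)
}

func main() {
	// Constructed session data: a terminal exchange split into two chunks.
	chunks := [][]byte{[]byte("$ whoami\r\n"), []byte("root\r\n")}
	digest, err := recordSession(chunks, false)
	fmt.Println("clean:", digest[:16]+"...", err)
	_, err = recordSession(chunks, true)
	fmt.Println("tampered:", err)
}
```

The proxy's digest is identical in both runs; only the verification result changes, which is the property that lets a reader of the stored object re-run the same check later.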

Audit trail

Pomerium Enterprise emits detailed audit events for storage operations associated with recordings, including metadata retrieval, replay, and download operations. Each event carries a unique access identifier and the hash of the user’s identity.

When Pomerium makes requests to the storage layer, it embeds immutable information in the cloud provider's audit log: in particular, the unique access identifier and the hash of the user's identity, for correlation with Pomerium's own logs.

Any storage-layer access that lacks these markers occurred outside of Pomerium's custody.
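Here is an added Go example of that correlation, written for this post rather than taken from Pomerium. It assumes a JSON shape for Pomerium's audit events and for the provider's storage log, a plain SHA-256 of the identity string as the identity hash, and that the embedded markers surface in the storage log as a `markers` object; the log lines are constructed. The check flags storage entries with no markers (out-of-band access), entries whose access identifier Pomerium never issued, and entries whose markers disagree with the matching Pomerium event:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// identityHash derives the marker from a user identity. Assumption: a plain
// SHA-256 of the identity string; the post does not state the exact construction.
func identityHash(identity string) string {
	sum := sha256.Sum256([]byte(identity))
	return hex.EncodeToString(sum[:])
}

// pomeriumEvent is the assumed shape of one Pomerium audit event.
type pomeriumEvent struct {
	AccessID     string `json:"access_id"`
	IdentityHash string `json:"identity_hash"`
	Operation    string `json:"operation"`
	Object       string `json:"object"`
}

// storageEvent is the assumed shape of one storage-provider audit entry, with
// the markers Pomerium embedded in the request carried under Markers.
type storageEvent struct {
	Principal string            `json:"principal"`
	Operation string            `json:"operation"`
	Object    string            `json:"object"`
	Markers   map[string]string `json:"markers"`
}

type finding struct {
	Object string
	Reason string
}

// correlate classifies every storage entry against Pomerium's own events.
func correlate(pomeriumLog, storageLog []string) ([]finding, error) {
	byAccess := map[string]pomeriumEvent{}
	for _, line := range pomeriumLog {
		var ev pomeriumEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, err
		}
		byAccess[ev.AccessID] = ev
	}
	var out []finding
	for _, line := range storageLog {
		var se storageEvent
		if err := json.Unmarshal([]byte(line), &se); err != nil {
			return nil, err
		}
		id, hasID := se.Markers["access_id"]
		ih, hasIH := se.Markers["identity_hash"]
		ev, known := byAccess[id]
		switch {
		case !hasID || !hasIH:
			out = append(out, finding{se.Object, "no Pomerium markers: out-of-band " + se.Operation + " by " + se.Principal})
		case !known:
			out = append(out, finding{se.Object, "access_id " + id + " was never issued by Pomerium"})
		case ev.IdentityHash != ih || ev.Object != se.Object:
			out = append(out, finding{se.Object, "markers do not match Pomerium event " + id})
		}
	}
	return out, nil
}

// sampleLogs returns constructed log lines: two Pomerium-mediated reads and one
// direct deletion by an administrator that carries no markers.
func sampleLogs() (pomeriumLog, storageLog []string) {
	alice := identityHash("alice@example.com")
	pomeriumLog = []string{
		`{"access_id":"acc-7f3a","identity_hash":"` + alice + `","operation":"replay","object":"recordings/sess-001.bin"}`,
		`{"access_id":"acc-9c21","identity_hash":"` + alice + `","operation":"download","object":"recordings/sess-002.bin"}`,
	}
	storageLog = []string{
		`{"principal":"pomerium-sa","operation":"GetObject","object":"recordings/sess-001.bin","markers":{"access_id":"acc-7f3a","identity_hash":"` + alice + `"}}`,
		`{"principal":"pomerium-sa","operation":"GetObject","object":"recordings/sess-002.bin","markers":{"access_id":"acc-9c21","identity_hash":"` + alice + `"}}`,
		`{"principal":"ops-admin","operation":"DeleteObject","object":"recordings/sess-003.bin","markers":{}}`,
	}
	return pomeriumLog, storageLog
}

func main() {
	p, s := sampleLogs()
	findings, err := correlate(p, s)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Object, f.Reason)
	}
}
```

Run against the sample data, only the administrator's `DeleteObject` is reported, which is exactly the case the storage layer's own access controls cannot distinguish from legitimate use without these markers.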

Recap

Pomerium helps organizations meet regulatory compliance requirements while providing verifiable evidence that recorded sessions are authentic and have not been tampered with.

Interested in trying Pomerium SSH session recording? Visit the docs to learn more or contact us if you’re ready to get started.
