Introducing Pomerium Zero

June 18, 2024

Today we are proud to announce the launch of Zero, Pomerium's NextGen Access Platform for building secure clientless connections to web applications and services. We built Pomerium for enterprises to make their access infrastructure:

  • Measurably faster than any hosted solution on the market

  • Demonstrably safer when every action is verified before execution

  • Noticeably better for workflows and productivity with clientless access

Fortune 100 companies and even other cybersecurity companies like ExtraHop are securing access to their internal applications and services with Pomerium to great success. This is because Pomerium's application-centric approach directly addresses each of the ongoing limitations of traditional access control.

Limitations of Traditional Access Control

The modern workplace has adapted to incorporate remote or hybrid work for enhanced operational agility and workflow efficiency. However, the network-centric “castle and moat” approach no longer meets the requirements for securing remote access.

These have been the primary reasons cited by major companies:

  • Unstable connections with latency issues have a negative impact on productivity and workflow

  • Perimeter-based defense is unable to limit lateral movement within segmented networks

  • Existing tunneling solutions fail to continuously verify ongoing actions in each session

  • Third-party provider breaches are putting sensitive corporate data at risk

  • Adding access control is a manual process prone to errors and security gaps

Individually, these are critical pain points for a company’s developers, DevOps, and security teams. Collectively, leaving access control unsolved has negative impacts on everything from hiring and onboarding to branding and legal repercussions.

The Perimeter Problem

BeyondCorp and Zero Trust architecture originate from one single question: “The network can’t be trusted, now what?”

Organizations adopted perimeter defense when it made sense: everything outside is scary and untrusted, while everything inside is safe and trustworthy. Enforcing access controls correctly at the perimeter ensures that nothing dangerous should ever get inside the network.

But this has three problems:

  • You can only defend a perimeter you can define

  • Tunneling past your own defenses defeats your own solution

  • Insider threats — how do you defend against what’s already inside?

The Perimeter Problem acknowledges the impossible task of securing a network perimeter in modern digital infrastructure. The rise of remote work, cloud services, and BYOD policies has rendered traditional perimeter defenses ineffective when access comes in from anywhere and crosses multiple networks.

NextGen VPNs/SASE didn't evolve from the VPN problem: Tunnels

There’s a strong case against using Layer 4 security tools. VPNs arose as an answer to remote access within perimeter-defense: you built a wall around your castle, and now you build tunnels into that wall to give certain people access. 

But this setup posed several problems:

  • Management burden: Client-based access meant installing and managing clients on all devices

  • Workflow impact: Tunneling solutions introduce poor latency and dropped connections

  • Connection-based sessions: VPN solutions only verify when establishing the connection, leaving security gaps in established sessions

These pain points are often cited by companies as they try to replace their VPN. Unfortunately, the above problems originate from the fundamental design of VPNs: tunnel-based connections.

Most importantly, companies replacing their VPN tunnel with NextGen VPNs and SASE solutions will find themselves back in the same position if the architecture still relies on layer 4 tunneling.

Limiting Lateral Movement

Lateral movement refers to hackers using initial access into a network to progressively gain more access as they search for critical or sensitive data and assets to compromise. This problem exists because of the Perimeter Problem where resources on a network are assumed to be only accessible by authenticated and authorized users. 

Measures like software-defined wide area networks (SD-WANs) or software-defined perimeters (SDPs) have been introduced to artificially segment networks through micro-segmentation. The network segmentation approach for limiting lateral movement arose because traditional access control solutions functioned off the network-centric perimeter-defense model. This results in the perimeter-defense model being employed in a more localized manner, with a direct tradeoff between management overhead and security.

In theory, this minimizes the blast radius of data breaches by limiting the movement of threat actors in your network. It fails in practice because organizations struggle to find the correct balance with segmentation.


Minimal segmentation: Applications and services are rarely segmented off

  • The benefits: Little maintenance overhead; all applications in the ecosystem are swimming in the same ocean.

  • The problem: Maximum lateral movement; any breach can result in extreme costs.

Medium segmentation: Applications and services are grouped together into their own segments

  • The benefits: Grouped applications can speak to each other without problem.

  • The problem: Lateral movement is not limited within that segment. Apps requiring external resources require facilitated network traffic.

Maximum segmentation: Every application and service gets its own micro-segmented network

  • The benefits: Maximum security for each application. Breaching a segmented network doesn’t compromise the rest of the company’s network.

  • The problem: All network traffic needs to be facilitated in and out of the isolated segment. High overhead and maintenance.

Maximum segmentation is where security wants to be. However, it's often infeasible from a resource and maintenance perspective. But wait — maximum segmentation in a network-centric model is the same as Pomerium's application-centric approach!

As a result, companies are adding Pomerium's application-centric approach to their infrastructure models for all the benefits without any of the associated problems.

Application-First with Pomerium

The status quo has existed for so long that these unnecessary tradeoffs have almost become commonly accepted. While most companies are aware of different approaches such as Google’s BeyondCorp and zero trust architecture, it’s often assumed that these approaches are too difficult to implement correctly.

Pomerium was founded on the premise that access control required fundamental rethinking in a world where networks can no longer be trusted. The fundamental pillars of faster, better, and safer guide the technical underpinnings of our zero trust reverse proxy to secure applications and services for teams of all sizes and deployments of any kind in any environment.

Pomerium's mission is to transform access control in today's enterprises by providing an adaptable, seamless, and secure access solution for all internal applications and services. Central to this mission is the principle that access control should enhance productivity. We’re uplifting conventional perimeter-based security through enabling an easy shift towards a Zero Trust approach: where every action is continuously verified for identity and context to ensure only authorized users are accessing internal applications and services.

Central to Pomerium's mission is the commitment to providing organizations with the tools they need to stay ahead of emerging threats and comply with evolving regulations. Pomerium understands the importance of maintaining data privacy and security in today's interconnected world and works tirelessly to ensure that organizations can trust their access control solution to safeguard their most sensitive assets.

By enabling organizations to streamline access management, enhance security, and improve user experience, Pomerium aims to be the trusted partner that organizations turn to for their access control needs, today and in the future.

Better with Clientless Access

Security is usability. A solution hampering user workflow will only result in your users looking to defeat your own access controls. Companies value Pomerium's clientless access for frictionless security, resulting in better user experience while reducing management overhead. 

User Experience

  • Intuitive: No more logging in to a client for access to the internet.

  • No additional credentials: Users no longer need to memorize an additional set of credentials to gain access.

Reduce burden of management

  • No need to install: Client-based access requires a client on the user's device and a counterpart in the infrastructure. This is usually known as the agent, connector, or daemon.

  • No need to update: Clients require a minimum supported version to function. This also adds additional management burden and is a user pain point, in addition to being a problem at scale.

Faster with Edge Deployments

Everyone loves fast connections! Your VPN replacement should be undeniably faster to boost productivity. Latency issues can significantly disrupt workflow and reduce productivity. When scaled across an entire organization, hours can be lost waiting for actions to register or pages to load.

Since Pomerium is self-hosted, it can be deployed at the edge, right where the secured application resides. This provides the fastest possible connection when users can access resources without jumping through additional servers, which not only add latency but also serve as potential points of compromise.

No hosted provider will be able to compete. Their solutions are inherently slower than Pomerium due to their tunneling architecture, which requires passing data through their servers. Avoid unnecessary layovers for your users and give them direct connections!

Safer with Continuous Verification

Zero trust means continuous verification: every single action is verified for authentication, authorization, and contextual factors before being accepted or denied.

This is not the case for most solutions on the market. They will process authentication, authorization, and occasionally context-awareness when a user requests the start of a session. After the session begins, they use session recording for audit logging in case any bad activities happen.

But this leaves a critical gap: why not stop the bad actions before they happen?

Continuous verification mitigates the possibility of malicious insiders or hackers using stolen credentials by verifying each user action and request. Stolen credentials are the most common form of breaches. Having access to an authorized account should not mean the user gains unmitigated access if other contextual factors do not make sense.

Pomerium blocks an authorized account if it attempts to take actions that do not make sense within the context of that user. For example, an authorized account's credentials could be stolen and logged in on an authorized device, but from the wrong IP address. In such a scenario, that account could still be logged in but severely limited in its permissions, minimizing any potential damage.
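The difference between verifying once at session start and verifying every request, using the stolen-credential scenario above, as an added example. It is not Pomerium's code or policy language; the networks, device ID, routes and decision names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical policy values, constructed for this example.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
KNOWN_DEVICES = {"laptop-7f3a"}
SENSITIVE_ROUTES = {"/admin", "/payroll"}

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    src_ip: str
    method: str
    path: str
    token_valid: bool = True

def session_gate(requests):
    """Connection-based model: check the first request, then trust the session."""
    first = requests[0]
    ok = first.token_valid and first.device in KNOWN_DEVICES
    return ["allow" if ok else "deny"] * len(requests)

def verify(req):
    """Per-request model: identity and context are evaluated on every action."""
    if not req.token_valid or req.device not in KNOWN_DEVICES:
        return "deny"
    if any(ip_address(req.src_ip) in net for net in TRUSTED_NETS):
        return "allow"
    # Valid credentials and known device, but unexpected network:
    # keep the account signed in with read-only, non-sensitive access.
    if req.method == "GET" and req.path not in SENSITIVE_ROUTES:
        return "limited"
    return "deny"

def continuous(requests):
    return [verify(r) for r in requests]

# Constructed session: same account and device, source IP changes mid-session.
SESSION = [
    Request("alice", "laptop-7f3a", "10.20.4.17", "GET", "/wiki"),
    Request("alice", "laptop-7f3a", "10.20.4.17", "POST", "/payroll"),
    Request("alice", "laptop-7f3a", "203.0.113.50", "GET", "/wiki"),
    Request("alice", "laptop-7f3a", "203.0.113.50", "POST", "/payroll"),
    Request("alice", "laptop-7f3a", "203.0.113.50", "GET", "/admin"),
]

if __name__ == "__main__":
    for r, a, b in zip(SESSION, session_gate(SESSION), continuous(SESSION)):
        print(f"{r.src_ip:13} {r.method:4} {r.path:9} gate={a:5} per-request={b}")
```

The session gate allows all five requests, while the per-request check limits or denies the three that arrive from the unexpected address.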

Upgrading Access Control

We wanted to bring the benefits of Pomerium to more companies and organizations, so we built Pomerium Zero for users who asked for a managed version of Pomerium that brought the best of both worlds of an on-premise and hosted solution.

Fast, secure, and reliable clientless access for all users from any device or location.

Managing self-hosted Pomerium instances through our Zero console gives companies the benefits of both hosted and on-premise solutions. This architecture results in:

  • Easier management. Manage users, routes, and policies with ease in Zero’s web-based UI.

  • Intuitive API. Developer teams can add access control the same way they ship code.

  • Let your users take the direct flight. No extra hops means every user's request is faster and also cheaper because there are no ingress or egress costs.

  • Administer at scale. Native multi-tenancy and clustering supports even the largest and most heterogeneous infrastructure environments.

  • Simple implementation. Deploy into any infrastructure or heterogeneous environment.

And of course, the expected security benefits of a true zero trust enabling solution:

  • Better access: Replacing tunneling solutions with clientless access from any device, anywhere.

  • Secured apps and services: Enforcing centralized access policies at scale using Pomerium.

  • Limit lateral movement: A breached route or application doesn’t allow for lateral movement into other parts of your network infrastructure.

  • Keeping your data private: You host the proxy, so we can’t see anything you don’t want us to.

That’s it. DevOps teams only need to configure Pomerium once through Zero then give API access to development teams. Developers can then add Pomerium to their applications for access control and deploy to production with full confidence that the company’s security policies are being enforced. Finally, users can now access applications using the browser just like they would with any other website while Pomerium continuously verifies each action against identity and context.

Beautiful, isn’t it? To date, Pomerium has surpassed more than 1 billion Docker pulls, and millions of requests are handled through the platform to serve access for thousands of users daily.

We invite you to try out Pomerium today!

