Stellenbosch University Secures Internal Assets with Pomerium

By Colin Mo
November 29, 2022

Stellenbosch University’s Computer Science department needed a scalable solution for safely exposing internal applications and resources to the internet. The solutions from Information and Communication Technology (ICT) services were not well suited to meet all of Computer Science’s (CS) requirements; notably, the VPN solutions would have added too much complexity for students. After testing out remote proxy solutions and briefly considering Cloudflare Access, Stellenbosch was drawn to Pomerium’s solution as a VPN alternative.

Now, Stellenbosch University uses Pomerium to provide secure and centralized access to CS websites and resources for students and researchers alike. 

Stellenbosch’s Challenges

Stellenbosch University’s students and staff members are constantly testing new projects that need to be exposed to the internet. Unfortunately, these applications and services are not persistent enough to warrant an unending number of support tickets to their ICT department for each use case. Additionally, CS has internal services and websites, such as JupyterHub, that they need to expose for their users to collaborate in a consistent and redundant environment. Therefore, CS began looking for a scaling access solution that could secure their apps and services without the headaches of a VPN.

“Pomerium allows great control, speed and flexibility when it comes to securing and exposing internal web applications and services. It is far better to expose a few services, than to allow someone blanket access to internal resources. Pomerium makes it simple to wrap any website that you might normally have left exposed (even internally) in a good layer of encryption with access control, lowering the barrier to achieving good security.”

Andrew James Collett, Senior Technical Officer & System Administrator

Journey Away From the VPN

The VPN solutions offered at the time gave inconsistent experiences across different platforms. During COVID, the CS department recognized that VPNs work to grant access into their network, but the department really needed a way to securely expose services outwards. Furthermore, VPNs inherently grant broad access to students, a security gap that made the department hesitate to continue. 

Stellenbosch University initially used NGINX as a reverse proxy with the CAS plugin for authentication, but found that this solution did not scale with their large numbers of students. They needed a solution that could group users together instead of relying on individual identifiers, and they did not want to use generic passwords shared among the students. After the CS department tested OAuth2-proxy several times, they settled on Pomerium’s flexible features to serve their needs.

“Full VPNs should be the last idea implemented to give access to internal resources. Especially when there are alternatives that expose only select services with greater security, like the zero-trust implementation in Pomerium.” 

Andrew James Collett, Senior Technical Officer & System Administrator

Why Pomerium?

Authenticates Identity Providers

Built with identity and context-driven access in mind, Pomerium allows Stellenbosch University to authenticate user sessions based on any identity provider and provide the correct level of access.

Secures Applications Without Built-in Security

Pomerium gives additional layered IAM capabilities to applications so Stellenbosch University students and developers don’t need to dedicate time building in security features.

Deployed at Edge

Pomerium is managed by Stellenbosch University itself; the university is therefore not vulnerable to third-party breaches and retains full control over its certificates and traffic flow.

Compliance and Security Standards

Because HTTP encryption is integrated directly into Pomerium along with flexible header settings, Stellenbosch University can easily comply with website certificate and security standards. Their users trust them and the university enjoys a professional “brand” when it comes to their online presence.

Simplifying and Saving Infrastructure

Stellenbosch enjoys cost savings on cloud and infrastructure because Pomerium is deployed directly on their hardware, right in front of the services and applications they need to protect. Not only has this saved Stellenbosch’s CS department time and resources, it provides a better user experience when it comes to latency and speed.

Future Outlook

Stellenbosch is already evaluating whether the university should place more applications, websites, and services behind Pomerium for easier management, access control, and better user experience.

“I look forward to a more unified way of accessing sites and resources, that doesn’t require new credentials for each service, and keeps everything that is exposed to the same high standard.”

Andrew James Collett, Senior Technical Officer & System Administrator
