Google’s Identity-Aware Proxy (IAP) realizes part of the premise as set out in their original BeyondCorp paper. Part of the Google Cloud Platform bundle, Google’s IAP aims to improve an organization’s security posture through enforced access-control policies. The service eliminates the need for a VPN by providing access for cloud administrators and remote workers.
| Google IAP | Pomerium | |
|---|---|---|
| Context-aware gateway | ||
| Device identity | Yes, using Chrome Enterprise. | Yes, with WebAuthn. |
| Supports any cloud or infrastructure | Only GCP is supported unless you want to configure site-to-site VPNs (yes, really). | Deployed at edge wherever your apps and servers are. |
| Data tenancy & privacy | Expansion of information boundary. | You have full control over your data and information. |
| Continuous verification | ||
| Identity Provider Support | Any identity provider | |
| Authorization Policy | Only simple access rules are supported. | Declarative policy and policy as code is supported. |
| TCP Protocol Support | ||
| Latency | Good. Google has a massive globally distributed network of edge servers. However, the additional hops still add latency, especially so if you are split between on-prem / or multi-cloud. | Best. No additional latency or bandwidth costs are incurred. Pomerium is deployed directly where your apps and services actually live. |
| Layer | 7 | 7 |
| Open Source |
IAP is a reverse proxy that receives first-class treatment and integration with GCP and other Google tools. You may consider using Google’s IAP if you are fully integrated with GCP and have no plans to ever deviate from Google’s ecosystem.
If you want to support a hybrid infrastructure or utilize other clouds (such as AWS or Azure) you will want to use Pomerium to avoid bandwidth and latency costs.
