Brief product summary

Google’s Identity-Aware Proxy (IAP) realizes part of the premise as set out in their original BeyondCorp paper. Part of the Google Cloud Platform bundle, Google’s IAP aims to improve an organization’s security posture through enforced access-control policies. The service eliminates the need for a VPN by providing access for cloud administrators and remote workers.

Google sells an enterprise solution under the name BeyondCorp.

Google IAPPomerium
Context-aware gateway
Device identityYes, using Chrome Enterprise.Yes.
Supports any cloud or infrastructureOnly GCP is supported unless you want to configure site-to-site VPNs (yes, really).Deployed at edge wherever your apps and servers are.
Data tenancy & privacyExpansion of information boundary, decrypts your data.You have full control over your data and information.
Continuous verification
Identity Provider Support, only Google.Any identity provider
Authorization PolicyOnly simple access rules are supported.Declarative policy and policy-as-code is supported.
TCP Protocol Support
LatencyGood. Google has a massive globally distributed network of edge servers. However, the additional hops still add latency, especially so if you are split between on-prem or multi-cloud.Best. No additional latency or bandwidth costs are incurred. Pomerium is deployed directly where your apps and services actually live.
Layer77
Open Source

Our Recommendation

Being Google’s own reverse proxy, IAP receives first-class treatment and integration with GCP and other Google tools. You may want to consider using Google’s IAP if you are fully integrated with GCP and have no plans to ever deviate from Google’s ecosystem.

If you want a reverse proxy that is cloud service agnostic because you have other clouds (such as AWS or Azure) or supports a hybrid infrastructure, you will want to self-host Pomerium to avoid bandwidth and latency costs. Being self-hosted and deployed at edge means your infrastructure gets all of the benefits stated in the original BeyondCorp papers, not just the bits Google wants to have control over.

Use Cases

  • Access Proxy Google IAP adds authentication and access control to the following:
    • App Engine standard environment and App Engine flexible environment apps.
    • Compute Engine instances with HTTP(S) load balancing backend services.
    • Google Kubernetes Engine containers.
    • Cloud Run apps with HTTP(S) load balancing backend services.

Strengths

  • Two paths well traveled — Like Pomerium, Google IAP supports both HTTP and TCP based services.
  • All in the family — Being a Google product, IAP is easy to integrate with other Google Cloud Platform services and tools. In fact, if you are already fully vendor-locked and have no plans to stray from the GCP ecosystem in the future, IAP may be a good solution.

Weaknesses

  • Big Data is Watching — For IAP to inspect traffic, it must first decrypt your data. This exposes everything through a period of being clear-text on Google’s side, including passwords and cookies. The only way to avoid that is to self-host.
  • Wizard required — Additional configuration and maintenance is required to use IAP with multi-cloud apps. In fact, you shouldn’t use IAP with multi-cloud, because…
  • All that for a tunnel? To support on-prem infrastructure, you will need to subject your infrastructure to a Virtual Private Cloud to make IAP work. This makes you backhaul data with a site-to-site tunnel, defeating the purpose of IAP.
  • Not deployed at edge — You will incur hidden latency and bandwidth costs when using Google’s IAP to secure applications and services not in the GCP ecosystem.
  • Poor authorization logic — Google IAP is limited to very simple authorization policies. This is in contrast to Pomerium’s rich authorization capabilities.
  • Doesn’t always work with itself — At time of writing (October 2023), IAP cannot be used with Cloud CDN, which is a confusing lack of self-compatibility.

Evaluators Should Know

“Pomerium is the technology that everybody would want to use, but only Google has at this point.”

— An ex-Googler Customer in the Fortune 500 (we can’t name them yet, but check back soon!)

Pomerium traces its lineage back to the original BeyondCorp and UberProxy. It is worth noting that IAP is not UberProxy.

Unfortunately, Google has a habit of keeping the best for themselves and selling a watered down version (Kubernetes is not Borg, Bazel is not the same as Blaze, etc.) . Luckily for non-Google organizations, Pomerium is the replacement being used by ex-Googlers to replace UberProxy.

But let’s talk about other limitations of IAP and BeyondCorp. We base our evaluation on a strict four-pillar criteria when evaluating access control solutions:

  • Usability: IAP provides clientless access for GCP-only infrastructure, making it worse than Pomerium.
  • Speed: IAP’s latency is on par with Pomerium for GCP-only infrastructure. Pomerium is considerably faster for non-GCP deployments.
  • Security: IAP decrypts all private information for inspection. Companies should be aware of this exposure to third party compromise.
  • Context-aware: IAP has limited context-aware access due to being limited to dynamic access using predefined conditions.

Usability

IAP is supposed to remove the need for tunneling, which is true if you don’t read the fine print. It bears repeating that you will need to subject your infrastructure to a Virtual Private Cloud to make IAP work for on-prem infrastructure. It even has IAP On-Prem Connector, which is just a client! Organizations are trying to shift away from tunnels, only to end up with a tunnel!

Why are tunnels bad? Well…

Speed

What incurs latency? Hops. What causes hops? Needing to backhaul data. When do you backhaul data? Tunnels.

While IAP is undoubtedly better within Google’s Cloud Platform, that advantage vanishes for any company with multi-cloud or hybrid on-prem infrastructure. To continue using IAP requires tunneling and that’s where additional latency adds up.

Security

Finally, Google’s a safe bet, right? But there’s a reason why after evaluating Google IAP and BeyondCorp, security-companies like ExtraHop chose to self-host Pomerium instead

A commonly overlooked aspect of 3rd-party hosted proxy solutions is SSL inspection. While any proxy must necessarily do this (it’s impractical to inspect encrypted data), you are directly subjecting yourself to a potential man-in-the-middle attack with hosted solutions. Your data is exposed in clear-text, including sensitive data like passwords and cookies.

Remember when Google’s cloud was hacked? It’s unnecessary exposures like these that put organizations at risk of 3rd-party compromise.

This is why Pomerium offers self-hosted options, where organizations can control where data goes.

Context-Aware

IAP has a limited context-aware access feature for provisioning dynamic access levels based on predefined IAM conditions and end-user or device attributes.

Context-aware access matters because it is no longer reasonable to make access decisions based on user identity alone. Instead, access control solutions should have access to data that would better inform the context surrounding otherwise legitimate user activity. The access policy should integrate that data into access decisions when deciding if an impending action should be executed, completing the full circle of all four pillars to your access solution.

While undoubtedly useful, this is just a small form of context compared to Pomerium’s full integration model, where all information available to the organization can be integrated to make context-aware access decisions.

Pulled Plug?

Have an added bonus to consider when evaluating: while Identity-Aware Proxy and BeyondCorp haven’t joined the Killed by Google list yet, evaluators should be aware of Google’s consistent rug-pulling track record.

Note: How fun that while writing this, Google announced the end dates for three products. Google Domains being sold off was not in our bingo sheet, but it goes to show that nothing is sacred.

With Google products enjoying an average life-span of 4 years, it would be a waste of resources to implement IAP or BeyondCorp only to need to undo it several months down the line. Pomerium is open-source and available forever — no rug-pulling.

Pomerium’s place as an open-source context-aware reverse proxy helps prevent ransomware attacks on internal services and resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:

  • Easier with clientless access.
  • Faster by being tunnel-free and deployed where your apps and services are.
  • Safer because every single action is verified before allowed to execute.
  • Tailored to your organization’s needs by integrating all data for context-aware access.

Check out our open-source Github Repository or give Pomerium a try today!

Revolutionize Your Security: Achieve Compliance Hassle-Free!

Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.

Download Now
Download Now