Our Recommendation
Being Google’s own reverse proxy, IAP receives first-class treatment and integration with GCP and other Google tools. You may want to consider using Google’s IAP if you are fully integrated with GCP and have no plans to ever deviate from Google’s ecosystem.
If you want a reverse proxy that is cloud-service agnostic, because you run other clouds (such as AWS or Azure) or support a hybrid infrastructure, you will want to self-host Pomerium to avoid bandwidth and latency costs. Being self-hosted and deployed at the edge means your infrastructure gets all of the benefits stated in the original BeyondCorp papers, not just the bits Google wants to keep control over.
Use Cases
- Access Proxy — Google IAP adds authentication and access control to the following:
  - App Engine standard environment and App Engine flexible environment apps.
  - Compute Engine instances with HTTP(S) load balancing backend services.
  - Google Kubernetes Engine containers.
  - Cloud Run apps with HTTP(S) load balancing backend services.
Strengths
- Two paths well traveled — Like Pomerium, Google IAP supports both HTTP and TCP based services like SSH and RDP.
- All in the family — Being a Google product, IAP is easy to integrate with other Google Cloud Platform services and tools. In fact, if you are already fully vendor-locked and have no plans to stray from the GCP ecosystem in the future, IAP may be a good solution.
- All on the tin — Being the origin of the BeyondCorp papers, Google’s IAP is designed to fulfill most of those tenets.
Weaknesses
- Big Data is Watching — For IAP to inspect traffic, it must first decrypt your data. That means everything, including passwords and cookies, passes through a period of being clear text on Google’s side. The only way to avoid that is to self-host.
- Wizard required — Additional configuration and maintenance is required to use IAP with multi-cloud apps. In fact, you shouldn’t use IAP with multi-cloud, because…
- All that for a tunnel? — To support on-prem infrastructure, you will need to subject your infrastructure to a Virtual Private Cloud to make IAP work. That forces you to backhaul data over a site-to-site tunnel, defeating the purpose of IAP.
- Not deployed at edge — You will incur hidden latency and bandwidth costs when using Google’s IAP to secure applications and services not in the GCP ecosystem.
- Poor authorization logic — Google IAP is limited to very simple authorization policies. This is in contrast to Pomerium’s rich authorization capabilities.
- Doesn’t always work with itself — At time of writing (October 2023), IAP cannot be used with Cloud CDN, which is a confusing lack of self-compatibility.
Evaluators Should Know
“Pomerium is the technology that everybody would want to use, but only Google has at this point.”
— An ex-Googler Customer in the Fortune 500 (we can’t name them yet, but check back soon!)
Pomerium traces its lineage back to the original BeyondCorp and UberProxy. It is worth noting that IAP is not UberProxy.
Unfortunately, Google has a habit of keeping the best for themselves and selling a watered-down version (Kubernetes is not Borg, Bazel is not the same as Blaze, etc.). Luckily for non-Google organizations, Pomerium is what ex-Googlers use to replace UberProxy.
But first, let’s walk through the other limitations of IAP and BeyondCorp, organized under three headings:
Easier
IAP is supposed to remove the need for tunneling, which is true only if you don’t read the fine print. It bears repeating that you will need to subject your infrastructure to a Virtual Private Cloud to make IAP work for on-prem infrastructure. It even has an IAP On-Prem Connector, which is just a client! Organizations are trying to shift away from tunnels, only to end up with a tunnel.
Why are tunnels bad? Well…
Faster
What incurs latency? Hops. What causes hops? Needing to backhaul data. When do you backhaul data? Tunnels.
While IAP is undoubtedly better within Google Cloud Platform, that advantage vanishes for any company with multi-cloud or hybrid on-prem infrastructure. Continuing to use IAP there requires tunneling, and that is where the additional latency adds up.
Safer
Finally, Google’s a safe bet, right? But there’s a reason why, after evaluating Google IAP and BeyondCorp, security companies like ExtraHop chose to self-host Pomerium instead.
A commonly overlooked aspect of third-party hosted proxy solutions is SSL inspection. Any proxy that inspects traffic must first decrypt it (it’s impractical to inspect encrypted data), so with a hosted solution you are placing a third party in the position of a man-in-the-middle. Your data is exposed in clear text on their infrastructure, including sensitive data like passwords and cookies.
Remember when Google’s cloud was hacked? It’s unnecessary exposures like these that put organizations at risk of third-party compromise.
This is why Pomerium offers self-hosted options, so organizations control where their data goes.
Pulled Plug?
One more thing to consider when evaluating: while Identity-Aware Proxy and BeyondCorp haven’t joined the Killed by Google list yet, evaluators should be aware of Google’s consistent rug-pulling track record.
Note: How fun that while writing this, Google announced the end dates for three products. Google Domains being sold off was not on our bingo card, but it goes to show that nothing is sacred.
With Google products enjoying an average life-span of 4 years, it would be a waste of resources to implement IAP or BeyondCorp only to need to undo it several months down the line. Pomerium is open-source and available forever — no rug-pulling.
Pomerium is an open-source context-aware reverse proxy that helps prevent ransomware attacks on internal services and resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:
- Easier because you don’t have to maintain a client or software.
- Faster because it’s deployed directly where your apps and services are. No more expensive data backhauling.
- Safer because every single action is verified for trusted identity, device, and context.
Check out our open-source GitHub repository or give Pomerium a try today!