Stellenbosch University uses Pomerium to securely expose internal resources with centralized access control as an alternative option to a VPN

Stellenbosch University’s Computer Science department needed a scalable solution for exposing internal applications and resources to the internet. The solutions from Information and Communication Technology services were not well suited to meet all of Computer Science’s requirements; notably, the VPN solutions would have added too large a layer of complexity for students. After testing out remote proxy solutions and briefly considering Cloudflare Access, Stellenbosch was drawn to Pomerium’s solution as a VPN alternative.

Now, Stellenbosch University uses Pomerium to provide secure and centralized access to Computer Science websites and resources for students and researchers alike. 

Secures Applications Without Built-in Security

Pomerium gives additional layered IAM capabilities to applications so Stellenbosch University students and developers don’t need to dedicate time building in security features.

Authenticates Identity Providers

Built with identity and context-driven access in mind, Pomerium allows Stellenbosch University to authenticate user sessions based on any identity provider and provide the correct level of access.

Deployed at Edge

Because Pomerium is managed by Stellenbosch University, the university is not vulnerable to third-party breaches and retains full control over its certificates and traffic flow.

Andrew James Collett
Senior Technical Officer & System Administrator
“Pomerium allows great control, speed and flexibility when it comes to securing and exposing internal web applications and services. It is far better to expose a few services, than to allow someone blanket access to internal resources. Pomerium makes it simple to wrap any website that you might normally have left exposed (even internally) in a good layer of encryption with access control, lowering the barrier to achieving good security.”

Company Background

Stellenbosch University (SU) is a proud knowledge hub that serves South Africa and the African continent through excellent education, research, and innovation. SU’s vision is to be Africa’s leading research-intensive university, globally recognized as excellent, inclusive and innovative, where SU advances knowledge in service of society. With approximately 32,000 students, 3,300 staff, and world-class academic environments, SU is not only counted among South Africa’s leading higher education institutions, but among the top universities in the world. SU’s ten faculties – AgriSciences, Arts and Social Sciences, Economic and Management Sciences, Education, Engineering, Law, Medicine and Health Sciences, Military Science, Science, and Theology – are located across five campuses in the Western Cape province of South Africa.   

Stellenbosch University’s Challenges

Research in Computer Science changes as fast as the IT industry, if not faster. There are new ideas, research requirements, and student projects every week. Enabling good research and learning without compromising on security requires a flexible, safe, and “batteries included” solution.

Andrew James Collett, Senior Technical Officer & System Administrator

Stellenbosch University’s students and staff members are constantly testing new projects that need to be exposed to the internet. Unfortunately, these applications and services are not persistent enough to warrant an unending number of support tickets to their Information and Communications Technology (ICT) department for each use case. Additionally, Computer Science has internal services and websites, such as JupyterHub, that it needs to expose so its users can collaborate in a consistent and redundant environment. Therefore, Computer Science began looking for a scalable access solution that could secure its apps and services without the headaches of a VPN.

Journey Away From the VPN

The VPN solutions offered at the time gave inconsistent experiences across different platforms. During COVID, the Computer Science department recognized that the VPN works to grant access in, but they really needed a way to securely expose services outwards.

Stellenbosch initially began to use NGINX as a reverse proxy with the CAS plugin for authentication, but found that this solution did not scale with their large numbers of students. They needed a solution that could group users together instead of relying on individual identifiers, and they did not want to use generic passwords shared among the students. After the Computer Science department tested OAuth2-proxy several times, they settled on Pomerium’s flexible features to serve their needs.

Full VPNs should be the last idea implemented to give access to internal resources, especially when there are alternatives that expose only select services with greater security, like the zero-trust implementation in Pomerium.

Andrew James Collett, Senior Technical Officer & System Administrator

Simplifying and Saving Infrastructure

Stellenbosch enjoys cost savings on cloud and infrastructure because Pomerium is deployed directly on their hardware, right in front of the services and applications they need to protect. Not only has this saved Stellenbosch’s Computer Science department time and resources, it provides a better user experience when it comes to latency and speed.

Compliance and Security Standards

Considering most browsers suggest, and sometimes even require, ever higher security standards, I would not be surprised that more and more sites and services are forced to use better security with more standardized authentication flows in order to stay relevant.

Andrew James Collett, Senior Technical Officer & System Administrator

Because HTTP encryption is integrated directly into Pomerium along with flexible header settings, Stellenbosch can easily comply with website certificate and security standards. Their users trust them and the university enjoys a professional “brand” when it comes to their online presence.

Future Outlook

Stellenbosch is already evaluating whether the university should place more applications, websites, and services behind Pomerium for easier management, access control, and better user experience.

I look forward to a more unified way of accessing sites and resources that doesn’t require new credentials for each service, and keeps everything that is exposed to the same high standard.

Andrew James Collett, Senior Technical Officer & System Administrator

Stellenbosch University is a leading research-intensive university from South Africa.

Infrastructure: Ubuntu/Redhat on Bare Metal
Platform: RKE2 (Rancher Kubernetes Engine)
Proxies: NGINX on Kubernetes, otherwise Pomerium on edge
Provisioning: SaltStack/Puppet/Others
DNS: CoreDNS on Kubernetes
Service Discovery: Kubernetes Service Discovery on Rancher
Raw Data / Semi-structured Data Storage: LongHorn on Kubernetes, Others for ICT Services
CI/CD Pipelines: GitLab CI/CD, Atlassian Stack for ICT Services
Batch Job Scheduler: PBS for HPC
Logging and Monitoring: Elasticsearch, Graylog, Prometheus, Grafana
