One of the core components of the zero trust security model is device identity, which is the ability for a device to have a unique identity that can be authenticated and factored into access control decisions. I find it fascinating to see how Kubernetes now sits at the core operation of so many diverse forward-thinking companies. Pomerium integrates with cert-manager to provide automation of certificate issuance in Kubernetes environments, enabling developers to develop "fastsecure." Just to chew the fat, I got into a conversation with Pomerium to discuss how modern device identity solutions are using machine identity management with cert-manager to help drive their particular vision for zero trust.
Pomerium recently completed the integration of their Ingress controller with cert-manager as part of the Machine Identity Management Development Fund. I had the opportunity to meet with Colin Mo, who is the DevRel (Developer Relations) Manager of Pomerium, about the benefits the joint solution will deliver to users
Tell us about Pomerium and the role machine identities play in your solution
Colin: Sure! Pomerium is a context-aware gateway that enables secure access to internal applications. It provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked in. Pomerium gateways both internal and external requests and can be used in situations where you'd typically reach for a VPN. With access decisions based on contextual information, we provide that full zero trust philosophy throughout the organization.
Our latest release offers authenticating device identity leveraging the open standard WebAuthN. This enables organizations using Pomerium to enforce and attest to device state without forcing end users to install any special client on the device.
If you're talking about what's on the horizon, then what does the future of identity driven access look like to Pomerium?
Colin: At a high level, we've been looking more at context-driven vs identity-driven, because we see identity as a subset of context. So the person making the network request might be real and validated and completely fine, but what about their device? What about their network access rights? These are all the things that surround the context of their request. The person might be fine. They might not be compromised. But their device is a separate piece of the overall context of the request. If you knew an untrusted third-party might be listening in on a sensitive conversation between you and someone else you would say and reveal things in a different manner. So all of that should play a part in access decisions in the future and this is how we're thinking about it.
Do you see the work that you do with cert-manager evolving in that direction a bit more than from where it is today?
Colin: cert-manager does a specific part of that context driven access that I mentioned earlier. Our Kubernetes Ingress controller will work with cert-manager to issue certificates. Until now, Pomerium administrators were not easily able to automate the provisioning and renewal of the TLS certificates supporting the identities of Pomerium’s public facing services. To address this gap, Pomerium has added capabilities which enable seamless integration with the automation provided by cert-manager. Organizations will no longer lose developer productivity or expose themselves to security gaps while manually issuing certificates.
That will certainly improve speed and security for developers – what Venafi calls “fastsecure.”
Colin: Yes, the benefits are multiple. With Pomerium Ingress and cert-manager working together, we can prevent outages due to certificate misconfiguration or expiration. We can ensure Kubernetes resources adhere to company security policy, and users can implement Zero Trust and ensure that sensitive services are only accessed by authenticated and authorized users.
The Pomerium Machine Identity Management project has integrated Pomerium Ingress with cert-manager and is compatible with TLS Protect for Kubernetes and TLS Protect Cloud. You can learn more about Pomerium on the Venafi Marketplace.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Ecosystemis evolving above and beyond just technical integrations.
- Open Source Makes Machine Identities on Kubernetes Accessible for All
- Google CAS Supports cert-manager and TLS Protect for Kubernetes for Cloud Native and Private PKI
- Pulumi Policy-as-Code for cert-manager Simplifies Machine Identity Management
- Open-Source Community: CNCF Sandbox Accepts Cert-Manager
Learn more about machine identity management. Explore now.