FedRAMP, Airgapped, Self-hosted, oh my!
Recently, we’ve had a lot of conversations with folks about whether or not Pomerium has achieved FedRAMP authorization. We wanted to take some time to point out that while FedRAMP doesn’t apply to self-hosted software like Pomerium Core or Enterprise, there are specific NIST SP 800-53 controls within the FedRAMP compliance requirements that Pomerium can help you satisfy.
Does Pomerium need to be FedRAMP compliant?
No. According to fedramp.gov, "FedRAMP provides a standardized security framework for cloud products and services recognized by executive branch federal agencies." Since Pomerium Core and Enterprise are fully self-hosted, they fall outside the FedRAMP certification scope.
Can I use Pomerium in my highly sensitive, airgapped environment?
Yes! Pomerium is an ideal solution for sensitive environments. As a fully self-hosted solution that doesn't route traffic outside your network, it offers robust security for organizations with stringent data protection requirements. Many of Pomerium’s customers are using on-premise IdPs plus Pomerium in highly sensitive, regulated environments to add additional layers of authorization on top of their existing authentication mechanisms. Pomerium is a great way to upshift your security posture with a secure, self-hosted solution.
Ok, but I still need to understand how Pomerium supports FedRAMP requirements. No problem! We’ve pulled together some of the relevant NIST SP 800-53 controls below to show how Pomerium can help support compliance with FedRAMP.
| Section | What FedRAMP requires | What Pomerium provides |
| --- | --- | --- |
| Access Control (AC) | | |
| AC-2 | Account Management: “The organization manages information system accounts, including establishing, activating, modifying, disabling, and removing accounts as needed.” | Pomerium provides real-time integrations with your identity providers (IdPs) to manage user accounts and enforce role-based access control (RBAC). With Pomerium, administrators can also implement fine-grained policy controls. |
| AC-17 | Remote Access: “The information system uses cryptographic methods to protect the confidentiality and integrity of remote access sessions.” | Unlike nearly every other solution available, Pomerium provides clientless remote access that incorporates user context, device context, and any other context you want to provide, with every single request being verified and logged, giving you insight across the entire lifecycle of the user’s sessions. We also enforce TLS encryption on all connections, which you can read more about here. |
| AC-19 | Access Control for Mobile Devices: “The organization establishes usage restrictions and implementation guidance for mobile devices to reduce associated risks.” | Policies in Pomerium can restrict access based on the device from which the user is requesting access, as well as on device posture, adding enforcement mechanisms to the policies set by your MDM solutions. |
| Audit and Accountability (AU) | | |
| AU-2 | Auditable Events: “The organization determines that the information system must generate audit records for the events that are relevant to the security of the system.” | Pomerium creates an audit trail and log for every single request, giving you full visibility into exactly what the user is trying to access and whether they are in compliance with your policies on each request. |
| AU-12 | Audit Generation: “The information system provides audit record generation capability for the organization-defined auditable events.” | Pomerium logs provide a full chain of custody that captures the entire lifecycle of a user’s requests, giving you full context into what users are doing. |
| Identification and Authentication (IA) | | |
| IA-2 | User Identification and Authentication: “The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).” | Pomerium integrates directly with and serves as a centralization point for your IdP(s), HRIS, and any other source of context, letting you limit access based on a number of factors, for example, removing access if a user is supposed to be on vacation. |
| IA-5 | Authenticator Management: “The organization manages information system authenticators by ensuring authenticator quality, changing default authenticators, and protecting authenticators from unauthorized use.” | Using your IdP plus Pomerium policies ensures that you can enforce SSO and MFA compliance before users can access protected resources. |
| System and Communications Protection (SC) | | |
| SC-12 | Cryptographic Key Establishment and Management: “The organization establishes and manages cryptographic keys for required cryptography employed within the information system.” | Pomerium uses cryptography to secure data in transit and at rest, and to provide guarantees of confidentiality, authenticity, and integrity between its services and the upstream servers for which it manages access. The following docs links provide more information on Pomerium’s cryptography and security practices. |
| SC-28 | Protection of Information at Rest: “The information system protects the confidentiality and integrity of information at rest.” | Whether in transit or at rest, Pomerium encrypts all sensitive data. This applies to all data in the databroker, including: Learn more about our cryptography and security practices. |
| System and Information Integrity (SI) | | |
| SI-4 | Information System Monitoring: “The organization monitors the information system to detect unauthorized access and facilitate system protection.” | Pomerium’s access logs can be integrated with monitoring solutions to detect anomalies or breaches. |
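As an added illustration of the AU-2 and SI-4 rows above (monitoring the per-request audit trail for unauthorized-access attempts), the following Python is example code written for this page, not Pomerium's own tooling. It parses constructed JSON lines shaped like authorize-service log entries and flags a user who is denied repeatedly within a short window; the field names (`service`, `allow`, `deny`, `email`, `path`, `ip`, `time`) are assumptions about the log schema and should be mapped to what your deployment actually emits.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the general shape of authorize-service JSON logs.
# The field names are assumptions about the schema, not a documented format.
SAMPLE_LOGS = """\
{"service":"authorize","allow":true,"deny":false,"email":"alice@example.com","path":"/","ip":"10.0.0.5","time":"2024-01-01T09:00:00Z"}
{"service":"authorize","allow":false,"deny":true,"email":"bob@example.com","path":"/admin","ip":"10.0.0.9","time":"2024-01-01T09:00:05Z"}
{"service":"authorize","allow":false,"deny":true,"email":"bob@example.com","path":"/admin","ip":"10.0.0.9","time":"2024-01-01T09:00:20Z"}
{"service":"proxy","message":"http-request","path":"/","time":"2024-01-01T09:00:21Z"}
{"service":"authorize","allow":false,"deny":true,"email":"bob@example.com","path":"/billing","ip":"10.0.0.9","time":"2024-01-01T09:00:40Z"}
{"service":"authorize","allow":false,"deny":true,"email":"carol@example.com","path":"/admin","ip":"10.0.0.7","time":"2024-01-01T09:01:00Z"}
{"service":"authorize","allow":false,"deny":true,"email":"bob@example.com","path":"/admin","ip":"10.0.0.9","time":"2024-01-01T09:12:00Z"}
"""

def parse_authorize_decisions(text):
    """Yield (timestamp, email, allowed, path) for authorize-service lines only."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise such as startup banners
        if rec.get("service") != "authorize" or "allow" not in rec:
            continue  # proxy/databroker lines carry no access decision
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield ts, rec.get("email", "<anonymous>"), bool(rec["allow"]), rec.get("path", "")

def repeated_denials(text, threshold=3, window=timedelta(minutes=5)):
    """Return {email: [denied paths]} for users denied >= threshold times
    within a single sliding window; each user is reported once."""
    recent = defaultdict(deque)   # email -> (timestamp, path) of recent denials
    flagged = {}
    for ts, email, allowed, path in parse_authorize_decisions(text):
        if allowed:
            continue
        q = recent[email]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()           # forget denials that fell out of the window
        if len(q) >= threshold and email not in flagged:
            flagged[email] = [p for _, p in q]
    return flagged
```

In a real deployment the same loop would run over the log stream your SIEM already collects; the threshold and window are tuning knobs, not recommended values.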
In summary, Pomerium is permitted within FedRAMP environments: because Pomerium can be fully self-hosted, FedRAMP authorization does not apply to Pomerium itself. Pomerium’s security model nonetheless follows many of the risk management controls laid out in NIST SP 800-53.
Pomerium is a great fit for any FedRAMP-compliant environment because Pomerium is infrastructure agnostic, meaning that regardless of which vendor you choose as your cloud service offering (CSO), Pomerium can sit in front of one or multiple CSOs and centralize authentication and authorization across all your infrastructure (cloud, on-premise, virtual machines, and more).
Interested in learning more about deploying Pomerium into highly secured environments? Contact us.