If you’re looking to implement a zero-trust model for your organization, you’ve probably encountered the term “Identity-Aware Proxy” or “IAP.” But what does it really mean? Which tools are best for implementing it? Is it affordable for small to medium-sized businesses, or does it come with a hefty price tag? In this article, we answer all these questions about identity-aware proxy with real-life examples. Let’s explore.
An Identity-Aware Proxy is a security component that sits between users and the applications it protects and approves or denies each request based on the user's verified identity together with contextual signals such as location, IP address, device, role within the organization, and authorization level, rather than relying on credentials alone.
Identity-aware proxies are considered a key pillar of the zero-trust model because of three main features:
Contextual factors
Role-based access
Continuous verification
These three concepts are the key to understanding an identity-aware proxy. The examples below explain each of them in plain terms.
An Identity-Aware Proxy verifies the user against multiple factors instead of relying only on a user ID and password.
For example:
Let’s say an employee named Bob is trying to access a sensitive system admin file from the IT department’s server. His login credentials are correct, but there are some red flags.
Normally, Bob works from New Jersey, USA, but this request is coming from an IP address in Iran.
His typical working hours are 8 a.m. to 5 p.m. EST, yet the request was made at 11 p.m. EST, outside his usual hours.
He also typically logs in from his organization-issued Mac, but this time he’s using an unfamiliar Android phone.
Because these factors don’t match Bob’s usual behavior, the identity-aware proxy denies the request even though the credentials are correct. A policy can also be configured to step up rather than deny outright: if MFA is integrated with the IAP, Bob would be prompted for an additional factor, such as a biometric check or a one-time code sent to his phone, before any access is granted. For a combination this far from the baseline (new device, unexpected country, unusual hour), denying outright and alerting is usually the safer choice, since a one-time code can be phished along with the password.
Another important aspect of an Identity-Aware Proxy is role-based access control (RBAC). With this, the identity-aware proxy software allows organizations to set fine-grained access policies that determine which employees and external parties (such as vendors, third-party agencies, customers, etc.) have access to which specific resources.
Example:
Continuing the example, let’s assume all of Bob’s contextual factors match: he’s accessing the system from New Jersey at 9 a.m. EST on his company-issued MacBook. However, since Bob works in the marketing department, company policy restricts his access to IT system admin files. The identity-aware proxy therefore denies the request.
A robust IAP solution lets organizations set detailed rules and policies for access control. For instance, even within the IT department, not every employee can access system admin files. Only specific roles, such as the system administrator, CTO, and selected engineers, are granted this level of access.
An Identity-Aware Proxy (IAP) continuously monitors and verifies a user’s identity and access permissions: every request that passes through the proxy is checked against the current policy and context, rather than trusting a single sign-in event for the life of the session. This approach, often referred to as continuous authentication, ensures that users remain authorized as their session progresses. It also limits what an attacker gains from a hijacked session or stolen session cookie, because the stolen session is re-evaluated on each request and must still match the expected device and location.
Example:
Consider Bob, who logs into the company’s network from New Jersey at 9 a.m. EST on his organization-issued MacBook. He is initially granted access based on his location, device, and time of login. However, the identity-aware proxy doesn’t stop checking after the initial sign-in.
If, during his session, Bob’s behavior suddenly changes—say, he attempts to access a restricted IT system admin file (which he isn’t authorized for based on his role in marketing) or his location shifts to a different region unexpectedly—the IAP system will detect these anomalies.
In response, it might prompt Bob to verify his identity again through a secondary method, like entering a code sent to his phone, or it may simply deny access to the restricted resource.
This continuous authentication approach ensures that only authorized users maintain access, adapting security based on real-time contextual changes.
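To make the three properties above concrete (contextual factors, role-based access, and continuous verification), here is a small policy engine that models the decisions described in Bob's scenarios. It is an added example written for this article, not Pomerium's, Google's or AWS's code; the users, roles, risk weights, threshold and resource paths are constructed for illustration, and the country and device identifiers are assumed to come from a geo lookup of the client IP and a device certificate or MDM check respectively.

```python
"""Toy identity-aware proxy decision engine: added example, not Pomerium's, Google's
or AWS's code. Users, roles, risk weights and thresholds are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # challenge for a second factor, then re-evaluate


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    country: str      # assumed to come from a geo lookup of the client IP
    device_id: str    # assumed to come from a device certificate or MDM check
    hour: int         # 0-23 in the user's home time zone
    mfa_passed: bool = False


@dataclass(frozen=True)
class Profile:
    role: str
    home_country: str
    managed_devices: frozenset
    work_hours: tuple  # (start, end): start inclusive, end exclusive


# Constructed sample directory and role-to-resource policy.
USERS = {
    "bob": Profile("marketing", "US", frozenset({"mac-bob-01"}), (8, 17)),
    "alice": Profile("sysadmin", "US", frozenset({"mac-alice-01", "mac-alice-02"}), (8, 17)),
}
ROLE_POLICY = {
    "/it/sysadmin-files": {"sysadmin", "cto", "platform-engineer"},
    "/marketing/assets": {"marketing", "cto"},
}
# Risk weight per anomaly: at or above DENY_THRESHOLD the request is refused,
# anything in between needs a second factor, ALLOW only with no anomalies.
RISK_WEIGHTS = {
    "unusual_country": 3,
    "unmanaged_device": 2,
    "outside_work_hours": 1,
    "session_country_changed": 3,
    "session_device_changed": 3,
}
DENY_THRESHOLD = 5


def context_flags(profile: Profile, req: Request, session: Optional[dict]) -> list:
    """Compare the request with the user's baseline and, when a session exists,
    with the context captured at login (the continuous-verification check)."""
    flags = []
    if req.country != profile.home_country:
        flags.append("unusual_country")
    if req.device_id not in profile.managed_devices:
        flags.append("unmanaged_device")
    start, end = profile.work_hours
    if not start <= req.hour < end:
        flags.append("outside_work_hours")
    if session is not None:
        if req.country != session["country"]:
            flags.append("session_country_changed")
        if req.device_id != session["device_id"]:
            flags.append("session_device_changed")
    return flags


def authorize(req: Request, session: Optional[dict] = None) -> tuple:
    """Per-request decision: the proxy runs this on every request, not only at sign-in."""
    profile = USERS.get(req.user)
    if profile is None:
        return Decision.DENY, ["unknown_user"]
    # Role check first: matching context never grants a resource the role lacks.
    if profile.role not in ROLE_POLICY.get(req.resource, set()):
        return Decision.DENY, ["role_not_permitted"]
    flags = context_flags(profile, req, session)
    score = sum(RISK_WEIGHTS[f] for f in flags)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, flags
    if score > 0 and not req.mfa_passed:
        return Decision.STEP_UP, flags
    return Decision.ALLOW, flags


def start_session(req: Request) -> Optional[dict]:
    """Record the login context so later requests can be checked for drift."""
    decision, _ = authorize(req)
    if decision is not Decision.ALLOW:
        return None
    return {"user": req.user, "country": req.country, "device_id": req.device_id}


if __name__ == "__main__":
    # Bob's password is right, but the request is from Iran at 23:00 on an unknown phone.
    print(authorize(Request("bob", "/marketing/assets", "IR", "android-unknown", 23)))
    # Alice signs in normally, then a request in the same session arrives from Germany.
    sess = start_session(Request("alice", "/it/sysadmin-files", "US", "mac-alice-01", 9))
    print(authorize(Request("alice", "/it/sysadmin-files", "DE", "mac-alice-01", 10), sess))
```

Two design choices matter here. The role check runs before any context scoring, so a perfectly normal-looking request from marketing still cannot reach the sysadmin files. And `authorize` takes the session's login context as an input, so a request that switches device or country mid-session is scored as drift and forced through a second factor or refused, which is the behavior the continuous-verification section describes.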
The concept of an Identity-Aware Proxy sounds great, but your next question is probably: is it going to break the bank? You might be surprised to learn that you can start implementing an identity-aware proxy for free.
Advanced identity-aware proxy software like Pomerium is open source and free for personal use. For businesses, it has a flat rate of $7 per user per month for up to 1,000 users. Pomerium can put an identity-aware proxy in front of almost any type of application, database, Kubernetes cluster, or other resource.
Similarly, Google IAP is free for applications and resources hosted on Google Cloud. For resources outside Google Cloud, it uses metered “pay-as-you-go” pricing.
Three of the most popular solutions available for implementing an identity-aware proxy are:
Pomerium is an open-source Identity-Aware Proxy that offers flexibility and robust security controls for modern, distributed systems. It is designed to handle access policies based on identity and allows secure access to applications across different environments, including on-premises and multi-cloud setups.
Pomerium is particularly valuable for organizations that need to manage access to self-hosted applications and are looking for a vendor-neutral solution. It integrates with various identity providers, such as Okta and Active Directory, giving users a seamless experience across different systems. Since it’s open source, Pomerium is often more budget-friendly than proprietary solutions, making it an attractive option for small and medium-sized businesses, and it scales to large enterprise deployments as well.
Google Cloud’s Identity-Aware Proxy is a widely used IAP solution designed to provide secure access control for applications hosted on Google Cloud. It allows organizations to enforce identity and contextual verification for every access attempt, supporting a zero-trust model by default. With Google Cloud IAP, organizations can manage access based on user identity and device details, which provides an additional layer of security. It integrates seamlessly with Google’s ecosystem, making it a go-to option for companies already using Google Cloud. However, its tight integration can be a drawback for multi-cloud environments that require interoperability with other providers.
While not a traditional IAP, AWS IAM combined with Amazon Cognito provides a powerful solution for controlling access to AWS-hosted applications based on user identity. IAM allows administrators to define detailed permissions, while Cognito adds user authentication and authorization, making it suitable for organizations heavily invested in AWS infrastructure. This setup enables fine-grained control over access policies, supporting zero-trust security principles within AWS environments. For organizations that primarily operate in the AWS cloud, this combination offers a robust solution, though it may not be ideal for multi-cloud or hybrid environments due to its AWS-specific focus.