Zero Trust Security

BeyondCorp Implementation

BeyondCorp is Google's production implementation of zero trust — every employee accesses internal applications through identity-verified, device-validated, context-aware proxies instead of VPNs. Anubiz Engineering implements the BeyondCorp model for your infrastructure using open-source and commercial tools scaled to your organization size.


Identity-Aware Proxy Deployment

We deploy an identity-aware proxy (IAP) in front of every internal application: Pomerium, Ory Oathkeeper, or Google Cloud IAP depending on your infrastructure. The proxy authenticates every request against your identity provider, checks device posture, evaluates context-based policies, and only then forwards the request to the backend. The backend application never receives unauthenticated traffic.

Device Trust Framework

Access depends on device identity and posture, not just user identity. We set up device enrollment, certificate-based device authentication, and posture checks: Is the OS patched? Is disk encryption enabled? Is the device managed? Is endpoint protection running? Devices that fail posture checks get restricted access or no access. Lost or stolen devices are revoked from the trust registry immediately.

Context-Based Access Policies

Access decisions consider context beyond identity: time of day, geographic location, network characteristics, risk score, and resource sensitivity. An engineer accessing source code from their enrolled laptop during business hours gets seamless access. The same engineer accessing production databases from an unknown device at 3 AM gets denied and triggers a security alert. Policies are defined declaratively and version-controlled.
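A sketch of the kind of decision logic described above and in the Device Trust Framework section, as an added example that is not Anubiz's or any proxy's own code. The policy schema, resource names, groups and permitted hours are constructed assumptions. Policy is kept as plain data so it can be version-controlled.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed policy data (hypothetical schema), kept as plain data so it can
# live in version control and be reviewed like code.
POLICY = {
    "standard": {"on_posture_fail": "restrict", "hours": None},
    "high": {"on_posture_fail": "deny", "hours": (time(8), time(19))},
}
RESOURCES = {  # resource -> (sensitivity, required group); constructed names
    "wiki": ("standard", "staff"),
    "source-code": ("standard", "engineering"),
    "prod-db": ("high", "engineering"),
}
POSTURE_CHECKS = ("os_patched", "disk_encrypted", "managed", "endpoint_protection")

@dataclass(frozen=True)
class Request:
    groups: frozenset
    resource: str
    device: Optional[dict]  # None: device is not in the trust registry
    local_time: time

def decide(req: Request):
    """Return (decision, reasons, alert); anything not explicitly allowed is denied."""
    sensitivity, group = RESOURCES.get(req.resource, (None, None))
    if sensitivity is None or group not in req.groups:
        return "deny", ["user not authorized for resource"], False
    rule, reasons, decision = POLICY[sensitivity], [], "allow"
    if req.device is None or req.device.get("revoked", False):
        reasons.append("device unknown or revoked")
        decision = "deny"
    else:
        # A posture attribute that is missing counts as a failed check.
        failed = [c for c in POSTURE_CHECKS if not req.device.get(c, False)]
        if failed:
            reasons.append("posture failed: " + ", ".join(failed))
            decision = rule["on_posture_fail"]
    hours = rule["hours"]
    if hours and not (hours[0] <= req.local_time < hours[1]):
        reasons.append("outside permitted hours")
        decision = "deny"
    # Denials on high-sensitivity resources raise a security alert.
    alert = decision == "deny" and sensitivity == "high"
    return decision, reasons, alert
```

The returned reasons are what an access log or alert would carry, so a denied user and the security team can both see which condition failed.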

VPN Elimination Roadmap

We migrate applications to IAP-protected access incrementally. Start with low-risk internal tools (wikis, dashboards), validate the workflow, then migrate development environments, staging access, and finally production admin access. Each migration phase includes user training and fallback procedures. The VPN is decommissioned only after all applications are migrated and the team has operated without it for 30 days.

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.