Zero trust with reverse proxy
Priyanka Vergadia
Staff Developer Advocate, Google Cloud
Max Saltonstall
Senior Developer Relations Engineer, Google Cloud
A reverse proxy stands in front of your data, services, or virtual machines, catching requests from anywhere in the world and carefully checking each one to see if it is allowed.
In order to decide (yes or no) the proxy will look at who and what.
Who are you (the individual making the request)? What is your role? Do you have access permission (authorization)?
What device are you using to make the request? How healthy is your device right now? Where are you located?
At what time are you making the request?
This issue of GCP Comics presents an example of accessing some rather confidential data from an airplane, and uses that airplane as a metaphor to explain what the proxy is doing.
Reverse proxies work as part of the load balancing step when requests are made to web apps or services, and they can be thought of as another element of the network infrastructure that helps route requests to the right place. No one can access your resources unless they meet certain rules and conditions.
If a request is invalid or doesn’t meet the necessary criteria set by your administrators, either because it is from an unauthorized person or an unsafe device, then the proxy will deny the request.
Why might the proxy say no to my request? When assessing the user making the request, denial of access could be due to reasons such as:
- I'm in Engineering, but I am trying to access Finance data.
- I'm not even a part of the company.
- My job changed, and I lost access.
Looking at the device originating the request, the proxy could deny access due to a number of factors, such as:
- Device operating system out of date
- Malware detected
- Device is not reporting in
- Disk encryption missing
- Device doesn’t have screen lock
Leveraging identity and device information to secure access to your organization’s resources improves your security posture.
Resources
To learn more about proxies and Zero Trust, check out the following resources:
- Overview of Identity-Aware Proxy
- Extending Zero Trust models to the web
- Creating a device-based access level
- How to set up a proxy for on-premises apps
- BeyondCorp Enterprise Quickstart Guide
Want more GCP Comics? Visit gcpcomics.com & follow us on medium pvergadia & max-saltonstall, and on Twitter at @pvergadia and @maxsaltonstall. Be sure not to miss the next issue!
