Zero Trust at the Edge: Extending Cloud Identity Authority to On-Prem

Getting Zero Trust to actually work at the edge, not just in theory, meant solving a real operational problem: how do we extend cloud identity authority to on-premises infrastructure that has to keep running autonomously? This talk covers how we bridged that gap using Tailscale.

Manual configuration is not an option if we want a consistent security posture and scalability across cloud and self-hosted compute. We run sensitive workloads on-premises that operate semi-autonomously from our cloud IAM, which is the source of truth for identity and access.

We'll walk through:

  • ACLs in Git. Every Tailscale ACL change goes through peer review and CI/CD. The policy file is the only source of truth, even for infrastructure that never touches the cloud.
  • Closed-Loop Identity Enforcement. Okta is our source of truth for identity and access. When an access request is fulfilled, Okta group membership updates, and Tailscale enforces it on-prem. The flow is automated from ticketing.
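One piece of the "ACLs in Git" pipeline above is a CI gate that refuses policy changes which would route access around the IdP groups. The linter below is an added illustration, not Verrus Data's or Tailscale's code; it assumes the policy is a JSON-compatible subset of Tailscale's HuJSON policy file and that `group:` names are the ones synced from Okta.

```python
import json
import sys

# Constructed sample policy (JSON subset of a Tailscale policy file), not the
# speaker's real policy. The user-level entries and wildcards are deliberate:
# they are the kind of change the CI check is meant to reject.
SAMPLE_POLICY = json.loads("""
{
  "groups": {"group:platform": ["alice@example.com", "bob@example.com"]},
  "tagOwners": {"tag:onprem-db": ["group:platform"]},
  "acls": [
    {"action": "accept", "src": ["group:platform"], "dst": ["tag:onprem-db:5432"]},
    {"action": "accept", "src": ["carol@example.com"], "dst": ["tag:onprem-db:22"]},
    {"action": "accept", "src": ["*"], "dst": ["tag:onprem-db:*"]}
  ]
}
""")

# Sources allowed in accept rules: only IdP-synced groups, tagged nodes or
# Tailscale autogroups, never an individual user, so revoking an Okta group
# membership is sufficient to revoke on-prem access.
ALLOWED_SRC_PREFIXES = ("group:", "tag:", "autogroup:")


def lint_policy(policy: dict) -> list[str]:
    """Return findings for a policy file; an empty list means CI passes."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        for src in rule.get("src", []):
            if src == "*":
                findings.append(f"acls[{i}]: wildcard src grants access to every identity")
            elif not src.startswith(ALLOWED_SRC_PREFIXES):
                findings.append(f"acls[{i}]: src '{src}' bypasses IdP groups; use a group:")
        for dst in rule.get("dst", []):
            if dst.startswith("tag:") and dst.endswith(":*"):
                findings.append(f"acls[{i}]: dst '{dst}' opens every port on a tagged host")
    for tag, owners in policy.get("tagOwners", {}).items():
        for owner in owners:
            if "@" in owner:
                findings.append(f"tagOwners[{tag}]: individual owner '{owner}'; use a group:")
    return findings


if __name__ == "__main__":
    # In CI: python lint_policy.py policy.json ; a non-zero exit blocks the merge.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    problems = lint_policy(policy)
    print("\n".join(problems) or "policy OK")
    sys.exit(1 if problems else 0)
```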

Speakers

Anthony Ghilarducci

Staff Software Engineer at Verrus Data
