Hard-Earned Lessons in Access Control at Scale: Enforcing Identity and Policy Across Trust Boundaries with Reverse Proxies and mTLS
Sanjay Singh, Mitendra Mahto

TL;DR
This paper discusses implementing a Zero Trust security architecture using reverse proxies, mTLS, and centralized SSO to improve secure access in distributed enterprise environments, highlighting lessons learned and practical challenges.
Contribution
It introduces a scalable, Zero Trust-aligned access control solution combining reverse proxies, mTLS, and centralized SSO, with insights from real-world deployment.
Findings
Enhanced security through per-device and per-user authentication
Centralized policy enforcement improves manageability
Lessons learned inform best practices for deployment
Abstract
In today's enterprise environment, traditional access methods such as Virtual Private Networks (VPNs) and application-specific Single Sign-On (SSO) often fall short when it comes to securely scaling access for a distributed and dynamic workforce. This paper presents our experience implementing a modern, Zero Trust-aligned architecture that leverages a reverse proxy integrated with Mutual TLS (mTLS) and centralized SSO, along with the key challenges we encountered and lessons learned during its deployment and scaling. This multidimensional solution combines per-device and per-user authentication, centralized enforcement of security policies, and comprehensive observability, enabling organizations to deliver secure and seamless access to their internal applications.
Taxonomy
Topics: Access Control and Trust · Mobile Agent-Based Network Management · Security and Verification in Computing
