How a telecom software company secured a self-hosted, VPN-based SDLC with device-aware Zero Trust

At a glance
Company: A telecom software company
Industry: Tech
Company size: Scaleup
Region: EU
Stack: Self-hosted GitLab, Alpine Linux CI runners, mesh VPN (NetBird)
Perimeter model: VPN + device-aware Zero Trust
Coverage: macOS, Windows, Linux + CI runners
Risk reduced: Token misuse + runner supply-chain exposure

An anonymized telecom software company secured a self-hosted GitLab SDLC behind a mesh VPN—then added EDAMAME to make the VPN conditional on continuously verified device posture across dev laptops and CI runners.

“A VPN gives you network isolation, but it doesn’t tell you whether the device itself should be trusted.”

CTO, Telecom software company

Challenge

An anonymized telecom software company runs sensitive, self-hosted infrastructure where full control over source code, secrets, and build systems is essential. To keep its SDLC private and independent, it operates a fully self-hosted GitLab environment that is reachable only via a private mesh VPN.

The VPN provided strong network isolation—GitLab and CI systems were not exposed to the public internet. But the security team identified an important limitation: VPNs protect networks, not devices.

Once a user was connected, any endpoint—compliant or not—effectively became part of the trusted perimeter.

The Challenge: VPN-based access without device trust

  • VPN access doesn’t validate endpoint security. Credentials could bring an unpatched, misconfigured, or compromised laptop into the trusted network.

  • Credential and token risk inside a trusted network. Developers used SSH keys and personal access tokens; if a credential was stolen or reused, the VPN didn’t prevent it from being used from the “wrong” device.

  • Supply-chain exposure in CI/CD. Self-hosted runners (Alpine-based) handled secrets and deployment credentials. Network isolation helped, but there was no continuous assurance that endpoints interacting with runners were trustworthy.

  • Mixed-device reality. The team worked across macOS, Windows, and Linux and needed a solution that strengthened security without restrictive MDM lockdown or removing developer autonomy.

Bottom line: the company needed to make its SDLC perimeter conditional on continuously verified device trust—not only identity and VPN connectivity.

Solution

The company implemented EDAMAME to turn its VPN-protected SDLC into a device-aware Zero Trust environment.

Rather than replacing the existing mesh VPN, EDAMAME extended it—shifting the trust boundary from “on the VPN” to “on the VPN and on a compliant device.”

Device-aware enforcement inside the VPN

EDAMAME continuously evaluates device posture across macOS, Windows, and Linux (baseline protections, patch posture, risky services, and other endpoint signals). That posture is then used to drive access decisions:

  • Only compliant devices are allowed to appear as trusted VPN peers for SDLC resources.

  • If a device falls out of compliance, access is revoked quickly—without waiting for manual intervention.

This transformed the VPN from a static network gate into a conditional, continuously validated perimeter.

Closing the token loophole

With device trust enforced at the network layer, stolen or reused Git credentials became far less useful unless they originated from a compliant device. Even valid credentials could no longer be used effectively from:

  • Unpatched machines

  • Personal devices outside policy

  • Compromised systems
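The two sections above describe one control: a device is a trusted VPN peer only while its posture is compliant, it loses that status as soon as posture degrades, and a Git credential is only usable from a currently trusted device. The following is an added illustration of that decision logic, not EDAMAME's or NetBird's own code; the posture fields, thresholds and service names are assumptions chosen for the example.

```python
"""Hypothetical posture-gated VPN peer policy (added example, not EDAMAME's or
NetBird's own code). A device is admitted as a trusted SDLC peer only while its
posture report is compliant and is revoked on the first non-compliant report."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """Posture signals of the kind the case study names; field names are assumed."""
    device_id: str
    os: str
    disk_encrypted: bool
    firewall_enabled: bool
    days_since_last_patch: int
    risky_services: list[str] = field(default_factory=list)


@dataclass(frozen=True)
class Policy:
    """Example thresholds (assumed, not vendor defaults)."""
    max_patch_age_days: int = 14
    forbidden_services: frozenset[str] = frozenset({"telnet", "ftp", "smb-guest"})


def evaluate(p: DevicePosture, policy: Policy = Policy()) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations: list[str] = []
    if not p.disk_encrypted:
        violations.append("disk-not-encrypted")
    if not p.firewall_enabled:
        violations.append("firewall-disabled")
    if p.days_since_last_patch > policy.max_patch_age_days:
        violations.append(f"patch-age-{p.days_since_last_patch}d")
    violations += [f"risky-service-{s}" for s in p.risky_services
                   if s in policy.forbidden_services]
    return violations


class PeerGate:
    """Tracks which devices are currently admitted as trusted SDLC VPN peers."""

    def __init__(self, policy: Policy = Policy()) -> None:
        self.policy = policy
        self.trusted: set[str] = set()

    def observe(self, p: DevicePosture) -> tuple[str, list[str]]:
        """Apply a fresh posture report. Returns (action, violations) where the
        action is 'admit', 'keep', 'revoke' or 'deny'."""
        violations = evaluate(p, self.policy)
        was_trusted = p.device_id in self.trusted
        if not violations:
            self.trusted.add(p.device_id)
            return ("keep" if was_trusted else "admit"), violations
        self.trusted.discard(p.device_id)  # revoke immediately, no manual step
        return ("revoke" if was_trusted else "deny"), violations

    def credential_allowed(self, device_id: str) -> bool:
        """A valid token is honoured only when presented from a trusted peer."""
        return device_id in self.trusted
```

Wiring `observe` to a real VPN controller's peer-group API is the part a deployment would add; the logic above only shows how posture, not identity alone, decides peer trust.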

Securing self-hosted CI runners

EDAMAME posture-based protections were extended to Alpine-based self-hosted runners so that:

  • Only trusted devices can reach runner endpoints.

  • Secrets aren’t exposed to unverified endpoints.

  • CI interactions from untrusted machines are blocked early, reducing supply-chain risk.

Developer-first, cross-platform

EDAMAME runs quietly across operating systems without changing developer workflows. Engineers keep control over their machines; enforcement happens transparently, in real time.

Results

A real device perimeter

The company transformed its VPN from a coarse network boundary into a fine-grained, device-aware security layer. Access to code and secrets now requires:

  • Valid identity

  • Valid credentials

  • A continuously verified, secure device

Reduced SDLC and supply-chain risk

By ensuring only trusted endpoints can interact with GitLab and CI infrastructure, the team reduced the likelihood of:

  • Token-based breaches from the wrong device

  • Compromised developer machines impacting builds

  • Unauthorized access to secrets inside CI/CD

No loss of autonomy or velocity

Developers continued working on macOS, Windows, and Linux with full productivity and minimal friction. Security improved without imposing heavy MDM control or workflow changes.

Leadership confidence

“We built our infrastructure for control and privacy. Device-aware enforcement gave us zero-trust assurance without sacrificing autonomy.”

Want to see EDAMAME in your environment?

We’ll help you validate posture-based access controls for repos, CI runners, and internal apps in days — not months.