Zero Trust for Tailscale
Make your tailnet device-aware: only endpoints that meet your live posture baseline can reach CI runners, secrets, and internal apps — even if they’re authenticated.
Identity
Verified Developer
SSO-bound, trusted user
Device
Secure Endpoint
Patches, EDR, encryption
Policy
EDAMAME Trust
Continuous access decisions
Platform
Tailscale
Tailnet, ACLs
Blocks rogue devices
Virtual air gap around crown jewels
Developer-friendly rollout
Built for security teams protecting CI runners and internal services over Tailscale.
The Risk
Your crown-jewel services are one device away from a breach.
Mesh VPNs make access easy — but a stolen or compromised laptop with valid identity can still reach your runner, secrets, and internal apps. Credentials prove who, not whether the endpoint is safe right now.
Authenticated devices can still be unsafe (posture drift).
Malware turns an enrolled laptop into an attacker workstation.
CI runners and internal services become pivot points.
Device trust often covers login, not tailnet access to internal IPs.
SECURITY GAP
The Device Trust Gap
VPN enrollment validates identity at join time. Access persists long after — even as endpoints drift out of posture.
Once an attacker is on an enrolled device, the mesh becomes their route to crown jewels. Continuous verification must happen in-network.
The Solution
Zero Trust, enforced at the mesh layer.
EDAMAME continuously verifies every connection — not just enrollment. For every session, we evaluate identity, device posture, and context before allowing access.
Identity: SSO-bound, verified developer accounts.
Device: OS patches, encryption, EDR, firewall, and integrity checks.
Context: IP, environment, CI runner state, and access patterns.
Only when all signals pass do we allow the connection. Everything else is blocked — authenticated devices alone are no longer enough.
ARCHITECTURE
EDAMAME orchestrates your mesh’s native controls (ACLs, tags, and allow rules) so that crown jewels are only reachable from verified users on secure devices.
Developer Device → EDAMAME Trust Engine → Tailscale
No inline proxies. No custom tunnels. Just native enforcement inside your mesh.
Core Capabilities
Everything you need to secure Tailscale without slowing developers.
EDAMAME brings Zero Trust to your tailnet — from laptops to CI runners — while keeping workflows fast and familiar.
Verified developer identity
Bind every device to a corporate identity via SSO/IdP. Tokens, SSH keys, and CLI access are always tied back to a real, verified person.
Continuous device posture
Enforce encryption, patches, EDR, firewall, and integrity. If a device drifts out of compliance, its tailnet access is revoked in real time.
Native Tailscale enforcement
Use your tailnet’s native ACLs and tags as the enforcement point. EDAMAME keeps them up to date based on live device posture.
Protect CI runners & internal services
Gate runner IPs, build agents, and admin surfaces behind posture-aware mesh access. Drift out of compliance and access is revoked in real time.
Developer-friendly experience
Lightweight agents and clear remediation guidance. Engineers keep their tools and workflows — security runs in the background.
Works with your stack
Integrates with your IdP, VPN, EDR, MDM/UEM, secrets managers, and CI tooling. No rip-and-replace.
Comparison
EDAMAME delivers the security guarantees of on-prem and air-gapped systems — with the speed and flexibility of modern cloud development.
More than VPNs, mesh ACLs, or IP allowlists.
Alternative
Tailscale (default posture)
Once a device connects, it’s often trusted for too much. Posture is coarse, and internal services stay reachable even as endpoints drift.
With EDAMAME
Every connection to crown-jewel IPs is gated by live device posture. Drift out of compliance and access is revoked instantly.
Alternative
Network segmentation / bastions
Segmentation controls where, not whether an endpoint is safe right now. A compromised laptop inside the mesh can still pivot to runners and secrets.
With EDAMAME
Per-device, per-session enforcement inside the mesh. Access is continuously verified and revoked on drift.
Alternative
Static allowlists
Hard to maintain. Developer IPs change. No visibility into which device is behind an IP.
With EDAMAME
Dynamic, per-device allow rules. Crown jewels are only reachable from currently trusted endpoints.
Rollout
Five-minute rollout.
Enroll endpoints, connect Tailscale, set your posture policy, and protect CI runners and internal apps — without redesigning networks.
Step 01
Install EDAMAME
Enroll developer laptops and workstations. Establish a baseline posture score.
Step 02
Connect your tailnet
Paste a Tailscale API token into EDAMAME Hub. Peers are mapped automatically.
Step 03
Define posture policy
Set rules like score ≥ 4 and disk encryption enabled. Violations revoke access instantly.
Step 04
Protect crown jewels
Gate CI runners, secrets, and internal apps behind posture-aware mesh ACLs.
Step 05
Expand coverage
Reuse the same posture policy across mesh access and SaaS (Entra / Google) for one control plane.
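The five rollout steps above, carried through as one worked example. This is added illustrative code, not EDAMAME's or Tailscale's own: it models the posture policy from Step 03 (score ≥ 4 and disk encryption enabled), evaluates a constructed fleet of enrolled devices against it, and emits a Tailscale-style ACL policy in which only devices that currently pass may reach hosts tagged as crown jewels (Step 04). The crown-jewel tag names, the device records, the score scale and the 100.64.0.0/10 addresses are all assumptions; how EDAMAME actually computes its score or writes ACLs is not described on this page.

```python
import json
from dataclasses import dataclass, replace

# Posture policy from the rollout step: score >= 4 and disk encryption on.
POLICY = {"min_score": 4, "require_disk_encryption": True}

# Crown-jewel tags are assumed names; a tailnet admin is assumed to own them.
CROWN_JEWEL_TAGS = ["tag:ci-runner", "tag:secrets", "tag:internal-app"]

# Tailscale's out-of-the-box policy lets every node reach every node; this is
# the "trusted for too much" default the comparison section refers to.
DEFAULT_TAILNET_ACL = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}


@dataclass(frozen=True)
class DevicePosture:
    hostname: str
    user: str            # SSO identity the device is bound to
    tailscale_ip: str    # constructed tailnet address
    score: int           # posture score as reported by the endpoint agent (assumed scale)
    disk_encrypted: bool


def evaluate(device, policy=POLICY):
    """Return the list of failed checks; an empty list means the device is trusted."""
    failures = []
    if device.score < policy["min_score"]:
        failures.append(f"posture score {device.score} below {policy['min_score']}")
    if policy["require_disk_encryption"] and not device.disk_encrypted:
        failures.append("disk encryption disabled")
    return failures


def build_acl(devices, policy=POLICY):
    """Build a Tailscale-style policy allowing only trusted devices to reach crown jewels.

    Returns (policy_dict, revoked) where revoked maps hostname -> list of reasons.
    """
    trusted = [d for d in devices if not evaluate(d, policy)]
    revoked = {d.hostname: evaluate(d, policy) for d in devices if evaluate(d, policy)}
    acl = {
        "tagOwners": {tag: ["autogroup:admin"] for tag in CROWN_JEWEL_TAGS},
        "acls": [],
    }
    # Tailscale ACLs are default-deny: with no accept rule, nothing reaches the
    # tagged hosts. Only emit a rule when at least one device currently passes,
    # so a fleet that has entirely drifted out of posture gets no access at all.
    if trusted:
        acl["acls"].append({
            "action": "accept",
            "src": sorted(f"{d.tailscale_ip}/32" for d in trusted),
            "dst": [f"{tag}:*" for tag in CROWN_JEWEL_TAGS],
        })
    return acl, revoked


def on_posture_update(devices, hostname, **changes):
    """Simulate an agent reporting drift (for example a score drop) and rebuild the policy."""
    updated = [replace(d, **changes) if d.hostname == hostname else d for d in devices]
    return build_acl(updated)


def sample_devices():
    # Constructed fleet: one compliant laptop, one under the score threshold,
    # one without disk encryption.
    return [
        DevicePosture("alice-mbp", "alice@example.com", "100.64.0.10", 5, True),
        DevicePosture("bob-laptop", "bob@example.com", "100.64.0.11", 3, True),
        DevicePosture("carol-win", "carol@example.com", "100.64.0.12", 4, False),
    ]


if __name__ == "__main__":
    acl, revoked = build_acl(sample_devices())
    print(json.dumps(acl, indent=2))
    for host, reasons in revoked.items():
        print(f"revoked {host}: {'; '.join(reasons)}")
    # Alice's laptop drifts (score drops to 2): the only accept rule disappears.
    acl, revoked = on_posture_update(sample_devices(), "alice-mbp", score=2)
    print("accept rules after drift:", len(acl["acls"]))
```

The design point is that the enforcement object is the tailnet's own ACL, regenerated from live posture rather than edited by hand: a device that drifts simply stops appearing in the `src` list on the next evaluation, which is the "revoked on drift" behaviour the page describes, and an empty `acls` list leaves the tagged hosts unreachable rather than falling back to the permissive default.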
Threat Scenarios
Real attacks, blocked by design.
EDAMAME neutralizes the most common SDLC attack paths — before they reach your code.
Scenario
Stolen personal access token
Without EDAMAME
Attacker uses the token from any device to clone private repos.
With EDAMAME
Device not verified or out of posture → GitHub rejects all requests using that token.
Scenario
Compromised developer laptop
Without EDAMAME
Malware pushes or exfiltrates code using existing GitHub credentials.
With EDAMAME
Posture deteriorates → device automatically removed from allowlist → GitHub access revoked.
Scenario
Rogue CI/CD runner
Without EDAMAME
Malicious runner pulls secrets and injects backdoors into builds.
With EDAMAME
Runner fails posture or integrity checks → denied before accessing repos or secrets.
Trust & Impact
Security leaders choose EDAMAME to harden their SDLC.
Combine the assurance of air-gapped systems with the agility of GitHub Cloud. EDAMAME lets you enforce Zero Trust without sacrificing developer velocity.
Stop supply-chain attacks at the source — your repos.
Strengthen compliance for SOC 2, ISO 27001, NIS2, DORA, and more.
Win developer trust by making security feel invisible.
A VPN gives you network isolation, but it doesn’t tell you whether the device itself should be trusted. With EDAMAME all endpoints accessing the code and secrets are truly within the perimeter.
CTO
Global Telecom Company