Zero Trust for Tailscale
Make your tailnet device-aware: only endpoints that meet your live posture baseline can reach CI runners, secrets, and internal apps — even if they’re authenticated.
Identity: Verified Developer. SSO-bound, trusted user.
Device: Secure Endpoint. Patches, EDR, encryption.
Policy: EDAMAME Trust. Continuous access decisions.
Platform: Tailscale. Tailnet, ACLs.
Blocks rogue devices
Virtual air gap around crown jewels
Developer-friendly rollout
Built for security teams protecting CI runners and internal services over Tailscale.
The Risk
Your crown-jewel services are one device away from a breach.
Mesh VPNs make access easy, but a stolen or compromised laptop holding a valid identity can still reach your runners, secrets, and internal apps. Credentials prove who is connecting, not whether the endpoint is safe right now.
Authenticated devices can still be unsafe (posture drift).
Malware turns an enrolled laptop into an attacker workstation.
CI runners and internal services become pivot points.
Device-trust checks usually run once, at SSO login; they rarely gate each connection to an internal IP over the tailnet.
SECURITY GAP
The Device Trust Gap
VPN enrollment validates identity at join time. Access persists long after — even as endpoints drift out of posture.
Once an attacker is on an enrolled device, the mesh becomes their route to crown jewels. Continuous verification must happen in-network.
The Solution
Zero Trust, enforced at the mesh layer.
EDAMAME continuously verifies every connection — not just enrollment. For every session, we evaluate identity, device posture, and context before allowing access.
Identity: SSO-bound, verified developer accounts.
Device: OS patches, encryption, EDR, firewall, and integrity checks.
Context: IP, environment, CI runner state, and access patterns.
Only when all signals pass do we allow the connection. Everything else is blocked — authenticated devices alone are no longer enough.
ARCHITECTURE
EDAMAME orchestrates your mesh’s native controls (ACLs, tags, and allow rules) so that crown jewels are only reachable from verified users on secure devices.
Developer Device → EDAMAME Trust Engine → Tailscale
No inline proxies. No custom tunnels. Just native enforcement inside your mesh.
Core Capabilities
Everything you need to secure Tailscale without slowing developers.
EDAMAME brings Zero Trust to your tailnet — from laptops to CI runners — while keeping workflows fast and familiar.
Comparison
EDAMAME delivers the security guarantees of on-prem and air-gapped systems — with the speed and flexibility of modern cloud development.
More than VPNs, mesh ACLs, or IP allowlists.
Rollout
Five-minute rollout.
Enroll endpoints, connect Tailscale, set your posture policy, and protect CI runners and internal apps — without redesigning networks.
Step 01
Install EDAMAME
Enroll developer laptops and workstations. Establish a baseline posture score.
Step 02
Connect your tailnet
Paste a Tailscale API token into EDAMAME Hub. Peers are mapped automatically. Use a dedicated, least-privilege token for this integration (it only needs to read devices and write posture data or policy), store it as a secret, and rotate it like any other credential that can change access to your tailnet.
Step 03
Define posture policy
Set rules like score ≥ 4 and disk encryption enabled. Violations revoke access instantly.
Step 04
Protect crown jewels
Gate CI runners, secrets, and internal apps behind posture-aware mesh ACLs.
Step 05
Expand coverage
Reuse the same posture policy across mesh access and SaaS (Entra / Google) for one control plane.
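The architecture and rollout sections above describe the loop in prose: evaluate posture per device, push the result into Tailscale, and let native ACLs do the enforcing. The following is an added example written for this page, not EDAMAME's or Tailscale's own code. It assumes Tailscale's custom device posture attributes (set per device through the API, path shown in the code) and the `postures` / `srcPosture` grammar of the tailnet policy file; the posture-report field names, the attribute key `custom:postureOk`, the posture rule name, the device IDs and the users are all invented for illustration. The code only produces the API request bodies and the policy document and evaluates them offline; nothing is sent.

```python
"""Posture-gated access to CI runners over a tailnet, worked through offline.

Added example for this page, not EDAMAME's or Tailscale's code. Assumes:
  * posture reports arrive as dicts with the (invented) fields in REPORTS,
  * the verdict is written to Tailscale as a custom device posture attribute via
    POST /api/v2/device/{deviceId}/attributes/{key} with body {"value": ...},
  * the policy file uses Tailscale's "postures" / "srcPosture" grammar.
"""
import json

MIN_SCORE = 4
ATTR_KEY = "custom:postureOk"                 # assumed attribute name
POSTURE_NAME = "posture:edamame-compliant"    # assumed posture rule name

# Constructed sample input (not EDAMAME's schema): one compliant laptop,
# one below the score floor, one with full-disk encryption switched off.
REPORTS = [
    {"device_id": "nodeid-alice", "user": "alice@example.com", "score": 5, "disk_encrypted": True},
    {"device_id": "nodeid-bob",   "user": "bob@example.com",   "score": 3, "disk_encrypted": True},
    {"device_id": "nodeid-carol", "user": "carol@example.com", "score": 5, "disk_encrypted": False},
]


def evaluate(report):
    """Step 03 rule: score >= 4 and disk encryption enabled. Returns (compliant, reasons)."""
    reasons = []
    if report.get("score", 0) < MIN_SCORE:
        reasons.append(f"score {report.get('score')} below {MIN_SCORE}")
    if not report.get("disk_encrypted", False):
        reasons.append("disk encryption disabled")
    return (not reasons, reasons)


def attribute_requests(reports):
    """One API call per device writing the verdict as a posture attribute.
    Failing devices get an explicit "fail" so a device that passed last run is
    revoked now instead of keeping a stale "pass"."""
    calls = []
    for r in reports:
        ok, reasons = evaluate(r)
        calls.append({
            "method": "POST",
            "path": f"/api/v2/device/{r['device_id']}/attributes/{ATTR_KEY}",
            "body": {"value": "pass" if ok else "fail"},
            "reasons": reasons,
        })
    return calls


def acl_policy(developers):
    """Tailnet policy as a dict: developers reach CI runners and internal apps
    only from a device whose posture attribute is "pass". Tailscale ACLs are
    default-deny, so no other device reaches those tags."""
    return {
        "groups": {"group:developers": sorted(developers)},
        "tagOwners": {
            "tag:ci-runner": ["autogroup:admin"],
            "tag:internal-app": ["autogroup:admin"],
        },
        "postures": {POSTURE_NAME: [f"{ATTR_KEY} == 'pass'"]},
        "acls": [{
            "action": "accept",
            "src": ["group:developers"],
            "srcPosture": [POSTURE_NAME],
            "dst": ["tag:ci-runner:22,443", "tag:internal-app:443"],
        }],
    }


def _condition_holds(cond, attributes):
    """Evaluate the one expression form used above: <key> == '<literal>'.
    A device with no such attribute (report never arrived) fails closed."""
    key, op, literal = cond.split(" ", 2)
    if op != "==":
        raise ValueError(f"unsupported operator in {cond!r}")
    return attributes.get(key) == literal.strip("'")


def can_reach(policy, user, attributes, dst_tag="tag:ci-runner"):
    """Offline check: may `user`, on a device carrying `attributes`, connect to `dst_tag`?"""
    memberships = {g for g, members in policy["groups"].items() if user in members}
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(d.rsplit(":", 1)[0] == dst_tag for d in rule["dst"]):
            continue
        if not any(s in memberships for s in rule["src"]):
            continue
        conditions = [c for p in rule.get("srcPosture", []) for c in policy["postures"][p]]
        if all(_condition_holds(c, attributes) for c in conditions):
            return True
    return False


def decide(reports):
    """End to end: evaluate posture, derive each device's attribute, then ask the
    policy whether that user may reach the CI runners from that device."""
    policy = acl_policy([r["user"] for r in reports])
    outcome = {}
    for r, call in zip(reports, attribute_requests(reports)):
        attrs = {ATTR_KEY: call["body"]["value"]}
        outcome[r["user"]] = can_reach(policy, r["user"], attrs)
    return outcome


if __name__ == "__main__":
    print(json.dumps(acl_policy([r["user"] for r in REPORTS]), indent=2))
    for call in attribute_requests(REPORTS):
        print(call["method"], call["path"], call["body"], call["reasons"])
    print(decide(REPORTS))
```

Two design points worth noting. The verdict is carried as a posture attribute rather than by adding a tag: in Tailscale a tagged device is identified by its tags instead of by the user who enrolled it, so gating with a `tag:posture-ok` would drop the identity half of the decision. And a device that has never reported (no attribute at all) is denied, which is the failure mode you want when the agent is killed or the laptop is offline for a long stretch.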
Threat Scenarios
Real attacks, blocked by design.
EDAMAME neutralizes the most common SDLC attack paths — before they reach your code.
Scenario: Stolen personal access token
Without EDAMAME: Attacker uses the token from any device to clone private repos.
With EDAMAME: Device not verified or out of posture → GitHub rejects all requests using that token.
Scenario: Compromised developer laptop
Without EDAMAME: Malware pushes or exfiltrates code using existing GitHub credentials.
With EDAMAME: Posture deteriorates → device automatically removed from allowlist → GitHub access revoked.
Scenario: Rogue CI/CD runner
Without EDAMAME: Malicious runner pulls secrets and injects backdoors into builds.
With EDAMAME: Runner fails posture or integrity checks → denied before accessing repos or secrets.
Trust & Impact
Security leaders choose EDAMAME to harden their SDLC.
Combine the assurance of air-gapped systems with the agility of GitHub Cloud. EDAMAME lets you enforce Zero Trust without sacrificing developer velocity.
Stop supply-chain attacks at the source — your repos.
Strengthen compliance for SOC 2, ISO 27001, NIS2, DORA, and more.
Win developer trust by making security feel invisible.
EDAMAME gave us the confidence to move to GitHub Enterprise Cloud with the security guarantees we used to get from air-gapped infrastructure — without slowing our teams down.
Platform Security Lead
Global SaaS Company

