> What Tailscale doesn't solve is access to the data that web app serves if the user's machine is compromised, as tailscale is just determining "can the user hit the webserver on port 443?" and does nothing to evaluate the state of the user's host.
Tailscale has some cybersecurity integrations to configure access depending on the device posture. For example, blocking access to a webserver if the device is out of date, or if malware is detected, or if the firewall is disabled, etc. But I don't use any of those integrations and can't speak to them.
The posture implementation is quite easy to work with. There’s a growing list of integrations, and you can also roll your own with the posture API. I’ve used Kolide so far and will be integrating with Kandji on another tailnet. They also have Intune, JAMF, Crowdstrike, and SentinelOne.
The same posture API can be used to restrict access to devices in your inventory or to set up just-in-time access to a sensitive asset. For the latter, you can use a Slack app provided by Tailscale or integrate with an identity governance workflow to set a posture attribute with a limited TTL. Your tailscale policy just needs to condition the relevant access on the attribute.
Tailscale has some cybersecurity integrations to configure access depending on the device posture. For example, blocking access to a webserver if the device is out of date, or if malware is detected, or if the firewall is disabled, etc. But I don't use any of those integrations and can't speak to them.