Read unique technical insights from the BastionZero team
September 18, 2023
In a cybersecurity landscape that's evolving at an unprecedented pace, the concept of lateral movement has become a focal point of concern. This process enables attackers to traverse a network after gaining initial entry, often culminating in data breaches and other cyber incidents. Traditional security measures, particularly perimeter-based defenses like VPNs, are increasingly proving inadequate. These conventional methods may gate access to a network but offer little control over activities within, making them susceptible to lateral movement attacks.
July 21, 2023
In a world of constant cyber threats, it’s no wonder companies seek the most secure remote access tools to ensure that only the right people have access to the right infrastructure. Yet even the best-intentioned security team can go about implementing remote access in ways that ultimately leave them vulnerable to infiltration. There are two big mistakes that companies make when it comes to controlling infrastructure access: (1) thinking that a VPN is sufficient, and (2) using an access management solution that relies on a single root of trust, providing an easy target for potential attackers. In this blog we will explore what each of these mistakes entails, and how to move past them by implementing zero trust technology with multiple independent roots of trust.
July 6, 2023
In the dynamic landscape of modern IT infrastructure, managing access control can often feel like an uphill battle. With an ever-growing array of systems, platforms, and clouds, the process of onboarding and offboarding can become a convoluted maze of VPNs, SSH keys, and IAM roles. Fortunately, solutions like BastionZero are designed to address these circumstances, offering a centralized, security-focused platform that streamlines these processes while fortifying your infrastructure.
June 28, 2023
In today's dynamic world of cloud computing, businesses are no longer confining themselves to a single cloud provider. Instead, many are turning to multicloud strategies, which involve deploying services across multiple cloud environments such as Amazon Web Services (AWS) and Google Cloud Platform (GCP). This approach capitalizes on the unique strengths and features of different cloud providers, offering greater flexibility, optimizing costs, and reducing the risk of vendor lock-in.
June 15, 2023
In the realm of managed services, deploying applications in a customer’s environment presents a unique set of challenges. Your engineers and operators want access to those applications, but this can be difficult when the application is deployed to an environment that you don’t control. Your customers do not want to provide your team with identities and VPN access to their environments, nor do they want to deploy a specific VPN and network access for you to get to your applications. (After all, most IT and security people remember that third-party contractor access to an environment was the reason Target got breached in 2014.)
June 8, 2023
Today, we at BastionZero are thrilled to announce the expansion of our platform to a broad and critical new set of infrastructure access use cases: database access and Windows access. As part of this new feature drop we are also increasing the usability of the platform by introducing a new point-and-click end-user desktop app.
May 8, 2023
Kubernetes is more popular than ever, and many organizations have tens of clusters with tens (or even hundreds) of engineers accessing each cluster using tools like kubectl, lens and k9s. But securing access to your Kubernetes cluster is hard. How do you make sure that outsiders can’t get into your cluster? How do you ensure that the right insiders have the right permissions to access the right parts of your cluster? How do you ensure that when people do access your cluster (using kubectl, k9s, lens or any other such tool), you have good visibility and audit logging of what they did with this access? If you have these problems, BastionZero can help.
May 3, 2023
Utilizing BastionZero for secure access to Kubernetes clusters is a game-changer as it empowers your teams (and service accounts) to access the API in a zero-trust manner while keeping your Kubernetes API off the public internet. BastionZero eliminates the technical debt associated with long-lived credentials, privilege creep and lack of observability (where you can’t tell who has access to what parts of the cluster, or what they did with that access). Deploying BastionZero with Kubernetes provides robust protection against unauthorized access and data breaches while streamlining access management. Whether you're looking to bolster your security posture, simplify remote access, or achieve regulatory compliance, BastionZero provides a comprehensive solution through its user-friendly and easy-to-deploy platform. That’s not all - the BastionZero platform is the only access solution on the market that doesn’t require privileged access to your cluster. This means you can rest easy, knowing that a compromise of the BastionZero service won’t lead to a compromise of your Kubernetes cluster.
May 1, 2023
We have been working to write up the cryptographic protocols which BastionZero uses to offer remote access. As part of this effort, we recently released a draft of our protocol, OpenPubkey: Augmenting OpenID Connect with User held Signing Keys. BastionZero uses OpenPubkey to cryptographically bind your public key to your identity at an OpenID Provider like Google.
April 25, 2023
BastionZero is a powerful and secure remote infrastructure access control solution designed to simplify and enhance the management of remote access to your backend systems. If you're considering replacing your legacy remote access tools like SSH with BastionZero, you can easily evaluate the platform by running BastionZero's free account alongside your existing SSH setup.
April 19, 2023
We are excited to announce the release of the long awaited BastionZero Terraform Provider. Our team has been working hard to develop a seamless integration with Terraform, the widely used infrastructure-as-code (IaC) tool, to help you manage your BastionZero resources in a declarative fashion. With the BastionZero Terraform Provider, you can now define, provision, and manage your environments, targets, and other BastionZero resources using HashiCorp Configuration Language (HCL).
April 14, 2023
Managing SSH keys in a growing environment can be a challenging and time-consuming task. As the number of keys increases, so does the complexity of managing and securing them. Longstanding SSH keys, in particular, pose several security risks due to their static nature and potential for unauthorized access if not properly managed. To address these challenges and enhance the security of your remote access, BastionZero offers an innovative solution that streamlines key management and enforces robust security measures. In this technical guide, we will explore the benefits of managing SSH keys with BastionZero and demonstrate how its approach mitigates the risks associated with longstanding SSH keys. By the end of this guide, you will have a clear understanding of how BastionZero simplifies the key management process while ensuring the highest level of security for your remote infrastructure. Let’s get started.
April 4, 2023
Jump hosts elicit a variety of strong feelings from engineers. Here are some things my team at BastionZero has heard from customers over the years: “I manage a bunch of bastion hosts that keep me up at night.” “I [just] discovered an SSH bastion ... that is on the public internet today. It was added to my SSH config on day 1 so I completely forgot it was there ... While digging [around my infrastructure] I realized there is a lot of complexity there and a fair bit of risk …” “We have a standing access bastion with a PAM Module on each remote host. I have to do authentication each time I log into a target. Can you imagine what that is like if I have to log into many targets in a row? It is horrible.” It doesn’t have to be this way. You can provision your engineers with access to your Linux hosts without losing sleep at night or harming the productivity of your developer teams.
March 21, 2023
In January, we received a stark reminder that the security of our CI/CD pipelines is a really big deal. Your CI/CD pipeline needs the power to deploy code into your infrastructure, but deployment requires a high level of privilege, which often includes the ability to SSH into servers, to talk to APIs, to push code into containers, and to spin infrastructure up and down. If your CI/CD pipeline gets compromised, those privileges fall into the hands of an adversary… which means that an adversary can push malicious code into your infrastructure… which is ~about the worst~ thing that can happen. In this blog, I’ll explain how to use BastionZero (BZ) Service Accounts paired with our Github Actions integration to secure your CI/CD pipeline’s access to your infrastructure.
March 7, 2023
Service accounts are an integral part of many modern workflows, especially those related to continuous integration, continuous delivery, and continuous deployment (CI/CD) tools. But managing their interconnectedness presents a unique challenge to IT and security teams. Elevated privileges enable these teams to execute applications with ease—but it is precisely this high level access that can create security risks if not managed correctly. In this blog post, we'll explore the benefits and risks associated with service accounts and how they impact your organization’s security posture.
March 1, 2023
Securing and managing a build pipeline is really complicated. And esoteric. In fact, I’m willing to bet that if you put 10 platform engineers from different organizations in a single room, you’d likely find that they work with at least 13 totally different flavors of CICD pipelines.
February 15, 2023
Well, CircleCI was breached. And many teams spent a large part of January rotating secrets and looking for indicators of compromise (IoCs). I think this breach is a really big deal, because it’s exposing the massive attack surface that can be created by our CICD pipelines. This is barely even about CircleCI --- this is mostly about a fundamental security issue that affects almost any CICD pipeline, whether it’s built on CircleCI or not.
February 14, 2023
February 10, 2023
If you're like most organizations, you've been focused on perimeter-based network activity within your office or corporate network. But with the rapid adoption of remote work paradigms and third-party vendors, that's all changed. And chances are, your IT and security policies haven't kept up.
February 1, 2023
As organizations continue to push the boundaries of innovation, remote access has become a cornerstone of growth and resiliency. However, when it comes to determining the total price of remote access, the answer cannot be discovered simply through a straightforward calculation.
January 23, 2023
Employees need access to technology, anywhere and anytime. But how can you balance risk with employees' need for access? Enter trustless access.
January 12, 2023
In this guest blog, we explore the key trends for remote access in 2023 according to Joe Stevens, former Chief Information Security Officer at Criteo.
December 14, 2022
In this article, we'll explore the threat of session cookie resale on the dark web and why it's a big deal. We'll also discuss how BastionZero limits the scope of these attacks.
December 12, 2022
Lessons learned from a workshop with the folks that run the Internet’s largest certificate authorities.
July 29, 2022
A VPN provides access to a private network. BastionZero provides access to infrastructure targets (servers, containers, k8s, dbs) with authentication, authorization and audit logging built in. So you can improve security while avoiding the need to build an infrastructure access system behind your VPN.
July 21, 2022
We're honored to place Second in the 2022 RSAC Innovation Sandbox Contest!
July 12, 2022
Sharon spent part of her morning revising the submission of an academic paper on the cryptographic protocol behind BastionZero. The team wrote an extremely short abstract about the MRZAP protocol and figured this description of the cryptographic protocol would be worth sharing! Voila!
June 29, 2022
I read CISA’s Cloud Security Technical Reference Architecture. Here's what you need to know.
June 16, 2022
Organizations frequently struggle to find the best way to provide their engineers with access to their backend infrastructure.
June 14, 2022
A few weeks ago, our CEO, Sharon Goldberg, had the pleasure of speaking with Melinda Marks on ESG’s Women in Cybersecurity Podcast. They talked about getting into cybersecurity, struggles and challenges of breaking into cybersecurity, and advice and resources for those entering the space.
June 13, 2022
A few weeks ago, our CTO, Ethan Heilman, had the pleasure of speaking with Steve Stonebraker on the Ephemeral Security Podcast. They talked about getting into information security, how BastionZero works, and BastionZero’s potential features.
May 3, 2022
We're honored to announce that we are a top ten finalist for the RSA Conference Innovation Sandbox Contest, as one of the most innovative early-stage cybersecurity startups of the year. Thank you to our tenacious team for getting us to this milestone. BastionZero Recognized for Innovative Cryptographic Approach to Zero-Trust Infrastructure Access.
April 4, 2022
We had the pleasure of joining Timothy Peacock and Anton Chuvakin on The Cloud Security Podcast from Google, a weekly news and interview show with insights from the cloud security community. We covered our favorite definitions of zero trust, Sharon's analysis of the federal government's zero trust memo, deprecating VPNs, and the future of cloud security! | Google Cloud Security Podcast: EP59 Zero Trust: So Easy Even a Government Can Do It?
March 29, 2022
This is a post I’ve been waiting almost two years to write, and it tells the story about how BastionZero was born. BastionZero is a pandemic baby. We started out as a blockchain company and then pivoted into infrastructure cybersecurity right after COVID hit.
March 22, 2022
SSO is fantastic and super convenient. But breaches happen. But we can mitigate these risks so that a breach of your SSO provider does not lead to a compromise of your targets.
March 3, 2022
We were honored to be a part of Enterprise Security Weekly #263!
March 2, 2022
We’re thrilled to announce that we raised $6m in seed funding led by Dell Technologies Capital. Here we share how we started and where we’re heading next.
February 8, 2022
When I first read the federal government’s memo on its “transition zero trust”, I was jumping out of my skin with excitement. There’s lots of great stuff in that memo (see my earlier blog post) but what excited me most was the memo’s stance on VPNs.
January 27, 2022
Yesterday, the Office of Management and Budget (OMB) released a memo: “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles”. The memo advises the Federal Government on what steps each agency must take to improve its cybersecurity. It looks like the government is planning to position itself as a cybersecurity leader, while also pushing the private sector into a more robust cybersecurity posture. Also, if you get into it, this memo is actually about a lot more than zero trust.
January 26, 2022
PwnKit is a new vulnerability that breaks the security model around privileged access management (PAM) to Linux machines. It allows someone with access to a Linux machine to escalate their privileges to root, and then execute commands that exceed their privilege. This bug was likely present in the Linux kernel for 12 years. This has resulted in a few screamy headlines, but I’m fairly unsurprised.
December 7, 2021
As the new kid in the infrastructure and remote access space, we wanted to take a moment to introduce ourselves. We are a group of cryptography PhDs, engineering leaders, and infrastructure experts and enthusiasts who think the remote access industry needs some shaking up. In fact, we believe everything about infrastructure and remote access needs to be made simpler and more secure.