Solve infrastructure access challenges, stop lateral movement and avoid complex SSH key, password and credential management.
Learn How Passwordless Auth and Multiple Roots of Trust Are Transforming Infrastructure Access.
Avoid the hassle of managing SSH keys and advance your security posture by using Bastion Zero for zero trust SSH.
Read unique technical insights from the BastionZero team
Learn more about BastionZero from our resource center
Learn how BastionZero works and get it working in your environment
Download BastionZero's Windows agent and Windows ZLI here
Frequently asked questions about OpenPubkey
Documentation on OpenPubkey SSH
OpenPubkey on Github Repo
Blogs, Videos, Webinars and OpenPubkey links to communities, slack channel and TSC meetings
Use OpenPubkey today to SSH to machines on your network without SSH keys.
Documentation onOpenPubkey SSH
April 30, 2024
BastionZero has been deliberately designed to work with ephemeral infrastructure. When we say ephemeral infrastructure, we mean compute resources that are created dynamically and destroyed as needed, rather than being persistent and long-lived. Despite this, even with ephemeral infrastructure, your engineering and DevOps teams may still require access to infrastructure to support debugging and forensics. Teams need to be able to work through production issues, react to security events, or observe the infrastructure as it interacts with production workloads. Luckily, you can use BastionZero for this.
April 23, 2024
A few days ago, Richard Barnes (from Cisco) and I submitted a new internet draft to the Internet Engineering Task Force (IETF)’s OAuth working group. (This is the very first step on the long road to publishing an RFC in the IETF internet standards process.) In the draft we introduce PIKA: Proof of Issue Key Authority, to solve a problem relevant to OpenPubkey, OpenID Connect (OIDC) and JWTs (JSON Web Tokens) in general. PIKAs allow us to cache and redistribute an OpenID Provider (OP)’s public keys. In this blog, I’ll introduce the OpenPubkey issue that led me to get interested and start working on PIKAs, explain what PIKAs are, and show how they allow OPs to provide long-lived bindings of public keys to identities. And why PIKAs apply to much more than just OpenPubkey.
April 16, 2024
When we first released OpenPubkey, it was interoperable with many OPs (like Google and GitHub), but not with all of them. In fact, when we started this project, there was an actual technological limitation that prevented OpenPubkey from working with certain OPs, including GitLab’s OP. And support for GitLab’s OP was one of our most requested features. Well, today I’m happy to announce that last week’s release of OpenPubkey v0.3.0 smashes through this limitation. OpenPubkey now interoperates with any OpenID Provider.
April 11, 2024
I’m happy to announce we have a new release of OpenPubkey (Release v0.3.0). I want to thank all 10 contributors whose hard work got this release over the finish line: @asamborski @EthanHeilman @lgmugnier @mrjoelkamp @jonnystoten and especially the new contributors: @johncmerfeld @kipz @tg123 @ymarcus93. OpenPubkey is a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys. It adds user- or workload-generated public keys to OpenID Connect (OIDC), enabling entities to sign messages or artifacts under their OIDC identity.
April 8, 2024
Last week, we blogged about a high-availability feature for Kubernetes (“multi-replica support for k8s”), that ensures your cluster is accessible even if a bzero agent is inadvertently evicted from your cluster. Specifically, the feature supports multiple replicas of the bzero agent on a single cluster. Today, we continue our series on the high-availability features of BastionZero with a similar feature for databases and other virtual targets.
April 1, 2024
For the last few years, our customers have been using BastionZero for zero-trust access to their Kubernetes clusters. BastionZero allows you to take your Kubernetes API off the public internet, limiting the risk of unauthorized access or scans by attackers. (If you search shodan.io for Kubernetes clusters you’ll find almost 1.4 million clusters open to the Internet! Just take them off. Why do you want to worry about attackers probing them for CVEs?)
February 16, 2024
Giving people the ability to sign messages under their identity is extremely powerful. For instance, this functionality lets you SSH into servers, sign software artifacts, and create end-to-end encrypted communications under your single sign-on (SSO) identity. The OpenPubkey protocol and open source project brings the power of digital signatures to both people and workloads without adding trusted parties. OpenPubkey is built on the OpenID Connect (OIDC) SSO protocol, which is supported by major identity providers, including Google, Microsoft, Okta, and Facebook. This article will explore how OpenPubkey works and looks at three use cases in detail.
February 7, 2024
Modern enterprises have thousands of SSH targets that administrators must manage access to. Manually tracking, rotating and validating the SSH keys that grant access to those targets is stressful in the best of circumstances and nearly impossible in the worst. Consider the layoffs, re-organizations and mergers that many companies experience, and this stressor quickly snowballs into serious risk.
Sure, SSH keys are better than passwords, but they come with their own set of risks. At the core of these risks is that accumulating multiple keys over time is common and can easily lead to loss, theft or misuse. Managing SSH keys is a hassle, and mishandling or exposing them can result in compromised security, as demonstrated by the case of Github's SSH private key exposure in a public repository just last year. Read more on SSH key rotation best practices.
January 16, 2024
What if you could SSH without having to worry about SSH keys? Without the need to worry about SSH keys getting lost, stolen, shared, rotated or forgotten? In this blog, I’ll walk you through how you can SSH to your remote Docker setups with just your email account or Single Sign-On (SSO). Or, for more instant gratification, you can find complete, no-nonsense instructions for setting up OpenPubkey SSH in our documentation.
January 11, 2024
To get a better understanding of OpenPubkey SSH and see it in action, check out today’s webinar with me and Ivan Pedrazas from Docker! We will introduce OpenPubkey SSH and provide a demonstration of its setup and usage.
December 21, 2023
OpenPubkey is the web's new technology for adding public keys to standard SSO interactions with Identity Providers (IdPs) that speak OpenID Connect (OIDC). OpenPubkey works by essentially turning an IdP into a Certificate Authority (CA). A CA is a trusted entity that issues certificates that cryptographically bind an identity with a cryptographic public key. With OpenPubkey, any OIDC-speaking Identity Provider can bind public keys to identities today.
December 19, 2023
Secure Shell (SSH) is a cryptographic network protocol that provides a way to securely communicate over unsecured networks. It uses encryption to safeguard data from unauthorized access or tampering, which is why it’s the standard for secure remote access, file transfer, tunneling and port forwarding.
October 31, 2023
Single Sign-On (SSO) has become one of the most common ways for users to access applications and infrastructure. While there is a standard authentication protocol for SSO called OpenID Connect (OIDC), it’s missing a crucial security feature: the ability to bind public keys to identities. That’s why we created OpenPubkey — an open source project that enhances SSO security by introducing a cryptographic object known as a PK Token that binds public keys to identities. In this post, we’ll introduce OpenPubkey and share a few of its early use cases from Docker and BastionZero.
October 26, 2023
It’s not an exaggeration to say that databases are the lifeblood of data-driven companies. Your company likely couldn’t run without them, and yet their importance makes them a constant liability. There’s a reason why so many compliance regulations (ranging from the ISO 27001 to SOC 2 to industry-specific ones like HIPAA) touch on keeping databases safe from abuse. This is where zero trust security controls come into play. You can’t automatically grant anyone access to your databases; everyone has to be checked on each access attempt. Yet most “zero trust” strategies require placing trust in something outside your control, putting databases at risk. Here’s why zero trust database access is not as straightforward as you might think and what to do to achieve safety and accountability.
Making sure databases are secure is a non-negotiable part of a security team’s job. To make that happen, companies need zero trust failsafes to ensure only the right users get into the right databases. Unfortunately, while security teams build these systems with the best intentions, the systems themselves often become so complicated and have so many nested login requirements that they become liabilities of their own.
October 25, 2023
When your goal is to protect your customers' data and your application infrastructure, paranoia abounds. If everyone and everything you know is vulnerable to being compromised, who do you trust? No one. Especially not your business VPN, which has experienced a major fall from grace.
Security professionals across industries (you likely included) agree on at least one thing: SSH key management is a real problem. It’s a massive time sink that keeps security and infrastructure teams from achieving maximum productivity, and management challenges open the door to security risks. Good news: There is an easier, more secure and more scalable way to leverage SSH. BastionZero’s technology eliminates SSH keys and supports least privilege access without impacting the user experience. Here’s why it’s time to modernize your security architecture if you’re using SSH.
September 18, 2023
In a cybersecurity landscape that's evolving at an unprecedented pace, the concept of lateral movement has become a focal point of concern. This process enables attackers to traverse a network after gaining initial entry, often culminating in data breaches and other cyber incidents. Traditional security measures, particularly perimeter-based defenses like VPNs, are increasingly proving inadequate. These conventional methods may gate access to a network but offer little control over activities within, making them susceptible to lateral movement attacks.
July 21, 2023
In a world of constant cyber threats, it’s no wonder companies seek the most secure remote access tools to ensure that only the right people have access to the right infrastructure. Yet even the best-intentioned security team can go about implementing remote access in ways that ultimately leave them vulnerable to infiltration. There are two big mistakes that companies make when it comes to controlling infrastructure access: Thinking that a VPN is sufficient. Using an access management solution that relies on a single root of trust, providing an easy target for potential attackers. In this blog we will explore what each of these mistakes entails, and how to move past them by implementing zero trust technology with multiple independent roots of trust.
July 6, 2023
In the dynamic landscape of modern IT infrastructure, managing access control can often feel like an uphill battle. With an ever-growing array of systems, platforms, and clouds, the process of onboarding and offboarding can become a convoluted maze of VPNs, SSH keys, and IAM roles. Fortunately, solutions like BastionZero are designed to address these circumstances, offering a centralized, security-focused platform that streamlines these processes while fortifying your infrastructure.
June 28, 2023
In today's dynamic world of cloud computing, businesses are no longer confining themselves to a single cloud provider. Instead, many are turning to multicloud strategies, which involve deploying services across multiple cloud environments such as Amazon Web Services (AWS) and Google Cloud Platform (GCP). This approach capitalizes on the unique strengths and features of different cloud providers, offering greater flexibility, optimizing costs, and reducing the risk of vendor lock-in.
June 15, 2023
In the realm of managed services, deploying applications in a customer’s environment presents a unique set of challenges. Your engineers and operators want access to those applications, but this can be difficult when the application is deployed to an environment that you don’t control. Your customers do not want to provide your team with identities and VPN access to their environments, nor do they want to deploy a specific VPN and network access for you to get to your applications. (After all, most IT and security people remember that third-party contractor access to an environment was the reason Target got breached in 2014.)
June 8, 2023
Today, we at BastionZero are thrilled to announce the expansion of our platform to a broad and critical new set of infrastructure access use cases: database access and Windows access. As part of this new feature drop we are also increasing the usability of the platform by introducing a new point-and-click end-user desktop app.
May 8, 2023
Kubernetes is more popular than ever, and many organizations have tens of clusters with tens (or even hundreds) of engineers accessing each cluster using tools like kubectl, lens and k9s. But securing access to your kubernetes cluster is hard. How do you make sure that outsiders can’t get into your cluster? How do you ensure that the right insiders have the right permissions to access the right parts of your cluster? How do you ensure that when people do access your cluster (using kubectl, k9s, lens or any other such tool), you have good visibility and audit logging of what they did with this access? If you have these problems, BastionZero can help.
May 3, 2023
Utilizing BastionZero for secure access to Kubernetes clusters is a game-changer as it empowers your teams (and service accounts) to access the API in a zero-trust manner while keeping your Kubernetes API off the public internet. BastionZero eliminates the technical debt associated with long-lived credentials, privilege creep and lack of observability (where you can’t tell who has access to what parts of the cluster, or what they did with that access). Deploying BastionZero with Kubernetes provides robust protection against unauthorized access and data breaches while streamlining access management. Whether you're looking to bolster your security posture, simplify remote access, or achieve regulatory compliance, BastionZero provides a comprehensive solution through its user-friendly and easy-to-deploy platform. That’s not all - the BastionZero platform is the only access solution on the market that doesn’t require privileged access to your cluster. This means you can rest easy, knowing that a compromise of the BastionZero service won’t lead to a compromise of your Kubernetes cluster.
May 1, 2023
We have been working to write up the cryptographic protocols which BastionZero uses to offer remote access. As part of this effort, we recently released a draft of our protocol, OpenPubkey: Augmenting OpenID Connect with User held Signing Keys. BastionZero uses OpenPubkey to cryptographically bind your public key to your identity at an OpenID Provider like Google.
April 25, 2023
BastionZero is a powerful and secure remote infrastructure access control solution designed to simplify and enhance the management of remote access to your backend systems. If you're considering replacing your legacy remote access tools like SSH with BastionZero, you can easily evaluate the platform by running BastionZero's free account alongside your existing SSH setup.
April 19, 2023
We are excited to announce the release of the long awaited BastionZero Terraform Provider. Our team has been working hard to develop a seamless integration with Terraform, the widely used infrastructure-as-code (IaC) tool, to help you manage your BastionZero resources in a declarative fashion. With the BastionZero Terraform Provider, you can now define, provision, and manage your environments, targets, and other BastionZero resources using HashiCorp Configuration Language (HCL).
April 14, 2023
Managing SSH keys in a growing environment can be a challenging and time-consuming task. As the number of keys increases, so does the complexity of managing and securing them. Longstanding SSH keys, in particular, pose several security risks due to their static nature and potential for unauthorized access if not properly managed. To address these challenges and enhance the security of your remote access, BastionZero offers an innovative solution that streamlines key management and enforces robust security measures. In this technical guide, we will explore the benefits of managing SSH keys with BastionZero and demonstrate how its approach mitigates the risks associated with longstanding SSH keys. By the end of this guide, you will have a clear understanding of how BastionZero simplifies the key management process while ensuring the highest level of security for your remote infrastructure. Let’s get started.
April 4, 2023
Jump hosts elicit a variety of strong feelings from engineers. Here are some things my team at BastionZero has heard from customers over the years: “I manage a bunch of bastion hosts that keep me up at night.” “I [just] discovered an SSH bastion ... that is on the public internet today. It was added to my SSH config on day 1 so I completely forgot it was there ... While digging [around my infrastructure] I realized there is a lot of complexity there and a fair bit of risk …”“We have a standing access bastion with a PAM Module on each remote host. I have to do authentication each time I log into a target. Can you imagine what that is like if I have to log into many targets in a row? It is horrible.”It doesn’t have to be this way. You can provision your engineers with access to your Linux hosts without losing sleep at night or harming the productivity of your developer teams.
March 21, 2023
In January, we received a stark reminder that the security of our CI/CD pipelines is a really big deal. Your CI/CD pipeline needs the power to deploy code into your infrastructure, but deployment requires a high level of privilege, which often includes the ability to SSH into servers, to talk to APIs, to push code into containers, and to spin infrastructure up and down. If your CI/CD pipeline gets compromised, those privileges fall into the hands of an adversary… which means that an adversary can push malicious code into your infrastructure… which is ~about the worst~ thing that can happen. In this blog, I’ll explain how to use BastionZero (BZ) Service Accounts paired with our Github Actions integration to secure your CI/CD pipeline’s access to your infrastructure.
March 7, 2023
Service accounts are an integral part of many modern workflows, especially those related to continuous integration, continuous delivery, and continuous deployment (CI/CD) tools. But managing their interconnectedness presents a unique challenge to IT and security teams. Elevated privileges enable these teams to execute applications with ease—but it is precisely this high level access that can create security risks if not managed correctly. In this blog post, we'll explore the benefits and risks associated with service accounts and how they impact your organization’s security posture.
March 1, 2023
Securing and managing a build pipeline is really complicated. And esoteric. In fact, I’m willing to bet that if you put 10 platform engineers from different organizations in a single room, you’d likely find that they work with at least 13 totally different flavors of CICD pipelines.
February 15, 2023
Well, CircleCI was breached. And many teams spent a large part of January rotating secrets and looking for indicators of compromise (IoCs). I think this breach is a really big deal, because it’s exposing the massive attack surface that can be created by our CICD pipelines. This is barely even about CircleCI --- this is mostly about a fundamental security issue that affects almost any CICD pipeline, whether it’s built on CircleCI or not.
February 14, 2023
February 10, 2023
If you're like most organizations, you've been focused on perimeter-based network activity within your office or corporate network. But with the rapid adoption of remote work paradigms and third-party vendors, that's all changed. And chances are, your IT and security policies haven't kept up.
February 1, 2023
As organizations continue to push the boundaries of innovation, remote access has become a cornerstone of growth and resiliency. However, when it comes to determining the total price of remote access, the answer cannot be discovered simply through a straightforward calculation.
January 23, 2023
Employees need access to technology, anywhere and anytime. But how can you balance risk with employees' need for access? Enter trustless access.
January 12, 2023
In this guest blog, we explore the key trends for remote access in 2023 according to Joe Stevens, former Chief Information Security Officer at Criteo.
December 14, 2022
In this article, we'll explore the threat of session cookie resale on the dark web and why it's a big deal. We'll also discuss how BastionZero limits the scope of these attacks.
December 12, 2022
Lessons learned from a workshop with the folks that run the Internet’s largest certificate authorities.
July 29, 2022
A VPN provides access to a private network. BastionZero provides access to infrastructure targets (servers, containers, k8s, dbs) with authentication, authorization and audit logging built in. So you can improve security while avoiding the need to build an infrastructure access system behind your VPN.
July 21, 2022
We're honored to place Second in the 2022 RSAC Innovation Sandbox Contest!
July 12, 2022
Sharon spent part of her morning revising the submission of an academic paper on the cryptographic protocol behind BastionZero. The team wrote an extremely short abstract about the MRZAP protocol and figured this description of the cryptographic protocol would be worth sharing! Voila!
June 29, 2022
I read CISA’s Cloud Security Technical Reference Architecture. Here's what you need to know.
June 16, 2022
Organizations frequently struggle to find the best way to provide their engineers with access their backend infrastructure.
June 14, 2022
A few weeks ago, our CEO, Sharon Goldberg, had the pleasure of speaking with Melinda Marks on ESG’s Women in Cybersecurity Podcast. They talked about getting into cybersecurity, struggles and challenges of breaking into cybersecurity, and advice and resources for those entering the space.
June 13, 2022
A few weeks ago, our CTO, Ethan Heilman, had the pleasure of speaking with Steve Stonebraker on the Ephemeral Security Podcast. They talked about getting into information security, how BastionZero works, and BastionZero’s potential features.
May 3, 2022
We're honored to announce that we are a top ten finalist for the RSA Conference Innovation Sandbox Contest, as one of the most innovative early-stage cybersecurity startups of the year. Thank you to our tenacious team for getting us to this milestone. BastionZero Recognized for Innovative Cryptographic Approach to Zero-Trust Infrastructure Access.
April 4, 2022
We had the pleasure of joining Timothy Peacock and Anton Chuvakin on The Cloud Security Podcast from Google, a weekly news and interview show with insights from the cloud security community. We covered our favorite definitions of zero trust, Sharon's analysis of the federal government's zero trust memo, deprecating VPNs, and the future of cloud security! | Google Cloud Security Podcast: EP59 Zero Trust: So Easy Even a Government Can Do It?
March 29, 2022
This is a post I’ve been waiting almost two years to write, and it tells the story about how BastionZero was born. BastionZero is a pandemic baby. We started out as a blockchain company and then pivoted into infrastructure cybersecurity right after COVID hit.
March 22, 2022
SSO is fantastic and super convenient. But breaches happen. But we can mitigate these risks so that a breach of your SSO provider does not lead to a compromise of your targets.
March 3, 2022
We were honored to be a part of Enterprise Security Weekly #263!
March 2, 2022
We’re thrilled to announce that we raised $6m in seed funding led by Dell Technologies Capital. Here we share how we started and where we’re heading next.
February 8, 2022
When I first read the federal government’s memo on it’s “transition zero trust”, I was jumping out of my skin with excitement. There’s lots of great stuff in that memo (see my earlier blog post) but what excited me most was the memo’s stance on VPNs.
January 27, 2022
Yesterday, the Office and Management and Budget (OMB) released a memo:“Moving the U.S. Government Towards Zero Trust Cybersecurity Principles”. The memo advises the Federal Government on what steps each agency must take to improve its cybersecurity. It looks like the government is planning to position itself as a cybersecurity leader, while also pushing the private sector into a more robust cybersecurity posture. Also, if you get into it, this memo is actually about a lot more than zero trust.
January 26, 2022
PwnKit is a new vulnerability that breaks the security model around privileged access management (PAM) to Linux machines. It allows someone with access to a Linux machine to escalate their privileges to root, and then execute commands that exceed their privilege. This bug was likely present in the Linux kernel for 12 years. This has resulted in a few screamy headlines, but I’m fairly unsurprised.
December 7, 2021
As the new kid in the infrastructure and remote access space, we wanted to take a moment to introduce ourselves. We are a group of cryptography PhDs, engineering leaders, and infrastructure experts and enthusiasts who think the remote access industry needs some shaking up. In fact, we believe everything about infrastructure and remote access needs to be made simpler and more secure.
.png)
.png)
.png)
.png)
%20(1).png)
.jpg)
.jpg)
