We started BastionZero to build a modern solution to the problem of giving engineering teams remote access into their backend and cloud infrastructure. Most teams we knew had to solve this problem one way or another. And most solutions they used relied on a single root-of-trust, which creates a point of compromise that is ripe for exploitation by attackers. We saw an opportunity to use cutting-edge cryptographic techniques to build a more secure and easy-to-manage approach for remote access.
Today, we are proud to announce the next step forward in our journey. We’ve raised a $6 million seed financing round led by Dell Technologies Capital with participation from Akamai, Digital Garage of Japan, and individual operators of security and dev-tools businesses. We are super excited to be backed by investors in innovative devops and security companies like JFrog, NS1, Twistlock, RedLock, Humio and Guardicore.
The support of our investors enables us to continue building BastionZero, a cloud service that helps teams manage, control and monitor access to each of their infrastructure targets (servers, clusters, databases, etc) in all of their cloud or on-prem environments.
Our founders met at Boston University, where CEO Sharon Goldberg is an infrastructure security and cryptography professor and CTO Ethan Heilman completed a PhD in information security.
We started our journey as a blockchain cybersecurity company (Arwen), and then pivoted into infrastructure cybersecurity. Like many startups, we had to build our own remote access tooling. Like many startups, we worried that this tooling could become a vector of attack, or cause us to fail our SOC2 audit. We soon realized that there was an opportunity to commercialize a tool that we wanted for ourselves. And, better yet, we could build the platform using the robust security models that we were working with as a blockchain company --- that is, the use of multiple roots-of-trust to limit the risk that our tool could be compromised.
Log into targets, not networks
When people think about remote access, they sometimes think about VPNs. But VPNs control access to specific networks. BastionZero controls access to specific targets. And not just any kind of targets -- but specifically to the infrastructure targets (servers, kubernetes clusters, databases, internal web applications) that backend and cloud engineering teams use to build and host their software services.
"VPN based access for (cloud) dev/devops environments does not scale well and is not agile for modern developers or cloud ops leaders. Today, they are forced to maintain different systems for every target in each of their cloud and datacenter environments. BastionZero is a drop-in replacement for all of those systems, and with a more robust and agile security model than anything that is currently on the market. It’s the future of remote access for developers and cloud ops.”
-Deepak Jeevankumar, Dell Technologies Capital
In the past, all of those functions were taken care of by a combination of VPNs, bastion hosts, and privileged access management (PAM) tools. In other words, by using lots of different tools that cloud security teams need to manage, maintain, and also usually self-host.
But it’s becoming increasingly difficult to cobble together these systems because
- Attackers are getting smarter.
- There are diverse types of targets to protect (Linux, Kubernetes, databases, etc.)
- There are diverse types of environments to consider (multi-cloud, hybrid cloud, etc.)
- Engineers are in diverse locations rather than confined to a known set of offices.
- The burden of running these systems is high because they are security critical and must also to be highly available (so that engineers can access the backend during incidents).
But there’s a paradox here. Even if you don’t want to build your own home-grown remote access tool, you probably also don’t want to trust a third-party cloud service to host one for you.
The BastionZero approach
So we decided to do three things
First, we built a zero-trust remote access tool that works in any cloud environment, supports access to different types of targets, manages the privileges that engineers are granted on those targets (e.g. root, read-only, cluster-admin), and logs and monitors each command that engineers execute on these targets.
Second, we decided to offer BastionZero as a third-party cloud service, to ease the operational burden on our customers.
And third, we went to great lengths to ensure that our cloud service does not become a point of compromise for our customers. So we can make our customers’ lives easier, without asking them to compromise on security. To offer this security guarantee, we designed and built the multi-root, zero-trust access protocol (MRZAP).
MRZAP is a cryptographic protocol. MRZAP uses two independent roots of trust to control access to each target: one root of trust is our customers’ Identity Provider (IdP), and the other is BastionZero cloud service. Because roots of trust are required to access any target, a compromise of our cloud service does not lead to a compromise of our customer’s infrastructure. You can learn more by reading about our security model here.
“BastionZero just runs itself. The amount that I haven't had to work with the tool is a really big bonus to me.”
- Sean, Head of Information Security, Appcues
As Sean, head of information security at Appcues put it, “BastionZero just runs itself.”
“It's very low touch. I don't have to log in and set up people with access all the time. That's just sort of automatically taken care of with their integrations. The amount that I haven't had to work with the tool is a really big bonus to me,” he said.
What’s Next For BastionZero
Several partners are already using our services in production. Our new funding allows us to continue building out the features of BastionZero, and devise new ways to ease the rollout of the tool across cloud teams and different types of infrastructure targets. Here are some of our newest features and future plans:
Autoconfiguration for users. Our customers have told us that it can take months to roll out other remote access tools to their users. That’s why we’re building tools that can automatically build out the configurations that users need to set up access to targets via BastionZero.
API. We follow an API-first philosophy. Every feature of our service is available via its API, which our customers can access directly to drive their own business logic programmatically. We're happy to announce that our API is now live.
Geographic diversity. User experience is critical to us. We have begun building out a geographically diverse network so that customers the world over can use BastionZero easily, and with low latency. Just this month we added support for nodes in Japan and Central Europe.
Opening the doors to everyone (self serve): Today you can get access to our tool following a demo from one of our experts. But in the future you’ll be able to use our self-service onboarding flow. Stay tuned into our blog and be the first to hear when this feature goes live!
Take the Next Step: Try BastionZero Free Today
At BastionZero, we make it easy for cloud teams to securely control access to their infrastructure (servers, containers, clusters, databases) in any cloud or on-prem data center.
Talk to our experts about how to future-proof your cloud security strategy. They’ll help you schedule a demo and learn more about simplifying your remote access processes and fortifying your security.