July 29, 2022

BastionZero: The Best VPN Alternative

Sharon Goldberg, PhD.

CEO of BastionZero

An image showcases the differences between the robust BastionZero zero trust architecture and a traditional VPN.

BastionZero vs VPNs

A VPN provides access to a private network. BastionZero provides access to infrastructure targets (servers, containers, k8s, dbs) with authentication, authorization and audit logging built in. So you can improve security while avoiding the need to build an infrastructure access system behind your VPN.

BastionZero’s Zero Trust Architecture

An image showcases BastionZero's zero trust architecture and security model.

BastionZero has a CLI
that sits on your developer’s laptop, the BastionZero cloud service and an agent that sits on your targets (servers, containers, clusters, dbs). It also integrates with your identity provider for SSO. The BastionZero cloud service does not store or control any credentials to your targets (SSH keys, server passwords, IAM roles, etc.).

VPN Architecture

A VPN gates access to your private network, but access to individual targets still needs to be built out using bastion hosts, SSH keys, IAM roles, proxies or other tools and approaches.

Connect with our OpenPubkey experts!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
BastionZero:  The Best VPN Alternative
The 4As BastionZero VPN
Access From user to target
(server, container, k8s, dbs, etc)
From user to private network
Authentication Authenticate to the target via SSO and an independent MFA Authenticate to the network via SSO or via long-lived credentials
Authorization Just-in-time access
Authorize user to role on a target.
(e.g., "Alice has access to cluster-admin role on k8s-cluster-123 for 2 hours")
Audit Log which role on what target is accessed by what user, and what commands that user ran X

Why choose BastionZero as an alternative to VPN?

  • A VPN only solves part of the problem. With a VPN, you still need a system in place to support access to individual targets (e.g. IAM roles, SSH keys, SSO integrations, bastion hosts, proxies, database keys, secret vaults, etc).  BastionZero is an all-in-one SaaS which provides access directly to your targets, integrates with your SSO, eliminates management of credentials and passwords, and provides audit logs of each access and command, along with session recording. 

  • Perimeter-based security is outdated, and has failed over and over again. Having just one perimeter VPN to protect your assets, but no other defenses, is akin to basing your corporate security posture around giving keys to office buildings but not to individual offices. Once the attacker enters the building, they can get into any office and no one can stop them from doing whatever they want. In other words, VPNs provide mediocre access control -- they can control which private networks a user Alice is allowed to access, but not which targets or roles she’s able to access while she’s inside that network. Failures like the recent Colonial Pipeline breach are one reason why the US federal government is deprecating VPNs in favor of a zero-trust security posture, where users are required to authentication every time they wish to access a target. BastionZero provides zero-trust access directly to your sensitive infrastructure targets, so you can control exactly which engineers have access to what roles and targets, and audit the commands that they run.  

  • Prevent privilege creep. BastionZero supports just-in-time authorization, so you can provide a developer with time-limited access to a specific role (“cluster-admin”) on a specific target (“k8s-cluster-123”). This prevents privilege creep, where all your developers eventually gain privileged access to all your targets.  It also gives you visibility into who has access to what, and when. A VPN just gates access to your network, without supporting authorization to your targets.

  • Eliminate password management. BastionZero’s model of passwordless access eliminates key management and rotation. With a VPN, you still need to manage SSH keys, IAM roles and database passwords.

  • Support audit logging. Unlike a VPN, BastionZero collects identity-aware logs of the commands that your developers execute on your targets, along with session recordings and access logs..

  • Close your open ports. With BastionZero, you can close open ports (e.g. SSH ports) on your targets.  If you use a VPN with SSH or k8s, you need to have an open SSH port or exposed k8s API,  which increases the risk of lateral movement by adversaries.

Reduce risk of compromise, because BastionZero provides zero trust access to infrastructure without creating an overprivileged single point of compromise in your infrastructure. In a traditional zero-trust approach, the focus is on eliminating long-lived credentials held by users or clients; so that a compromise of a user does lead to a compromise of the infrastructure. Usually, this is done by introducing a single, centralized root-of-trust that is given the power to determine which user has properly authenticated into the system. But if we put all credentials in a single centralized root-of-trust, that root-of-trust becomes a single point of compromise. If attackers own centralized root-of-trust because itf the attack is successful, the own all the infrastructure behind it.  BastionZero uses multiple independent roots-of-trust to control access to your targets. This eliminates single points of compromise because if one root-of-trust is compromised but the other root-of-trust is not, then your targets remain secure.   Traditional VPNs, homegrown access systems, and zero-trust solutions do not provide this level of security and risk reduction.  Learn more here.

Future-proof your cloud security strategy

Try BastionZero for free today and see why fast-growing companies trust us over any other identity provider.