In the realm of managed services, deploying applications in a customer’s environment presents a unique set of challenges. Your engineers and operators want access to those applications, but this can be difficult when the application is deployed to an environment that you don’t control. Your customers do not want to provide your team with identities and VPN access to their environments, nor do they want to deploy a specific VPN and network access for you to get to your applications. (After all, most IT and security people remember that third-party contractor access to an environment was the reason Target got breached in 2014.)
Ideally your engineers could access your applications when they are deployed in a customer’s environment, without asking that customer for access. Ideally, you could demonstrate that your team’s access maintains stringent zero trust security standards, and provide your customers with real-time visibility into your team's operations. And ideally, it wouldn’t take your team days or months to roll out and maintain such an access solution. This is where BastionZero steps in.
BastionZero, underpinned by its unique zero trust architecture, eliminates the complexities and security risks commonly associated with deploying services in uncontrolled networks. Once the BastionZero agent is deployed as part of your application, secure and passwordless access to the necessary applications and targets in your customer’s environment is promptly established. Your engineers can directly authenticate to each target, eliminating the need for a perimeter VPN and enabling fine-grained control over each engineer's roles for each target. Moreover, BastionZero's real-time visibility into user activity increases your customers' trust in your services.
Key BastionZero Features That Support Zero Trust for Managed Services
Zero Trust Architecture for Customer Installations
BastionZero is founded on the principles of zero trust. This model meticulously authenticates every user and connection within your customer's infrastructure before granting access. No long-lived credentials are held by users or clients, and all human access to infrastructure targets is fortified by Single Sign-On (SSO) authentication and Multi-Factor Authentication (MFA). This rigorous verification process ensures customer confidence and peace of mind.
MrZAP Protocol to Rule Out Software Supply-Chain Risks
BastionZero utilizes MrZAP, the Multi-Root Zero-trust Access Protocol, to control access to your applications hosted in your customers’ environment. This open-source cryptographic protocol ensures that BastionZero's cloud service cannot tamper with the messages transmitted between clients and targets, or create its own connections to targets. The MrZAP protocol operates using two two roots of trust — BastionZero's cloud and your Identity Provider (IdP) — to cryptographically ensure that a compromise of the BastionZero cloud does not lead to a compromise of your customer’s infrastructure. This protocol eliminates the single point of compromise inherent in traditional zero trust solutions. It also reassures your clients that BastionZero is not a software supply chain risk for their environments. (Check out this video to learn more about BastionZero’s unique zero trust security model!)
No VPNs on Open Ports Required
BastionZero's unique agent doesn't require modifications to firewall rules or opening inbound ports for remote access. Instead, targets phone home to the BastionZero cloud and are autodiscovered. This heightens security while simplifying the deployments, all without asking your customers to provide you with VPN access to their environments.
Easy Connections to All Types of Targets through BastionZero Agents
Secure connections to resources like databases, web applications and Windows remote desktops can be easily established through BastionZero's agents. This flexibility allows your team to securely access a variety of systems and services in customer environments without establishing a separate access management system for each one.
Manage access permissions to all your customer's infrastructure from a single centralized platform with BastionZero. Whether your preference is command line, API, web client or our desktop app, BastionZero offers a streamlined solution for access management that reduces the learning curve for your team and boosts productivity.
Just-In-Time Centralized Access Management
Grant your engineers with short-lived access to targets. Or use our optional multi-user approval workflow to grant access for a specific time duration or during a specific incident.
Real-Time Visibility with BastionZero Audit Logs
Give your customers visibility into everything your engineers are doing. BastionZero audit logs track who logs into what, under what role and when. Session recordings capture the sessions and commands they run on servers. Sharing these real-time audit logs with your customers gives them visibility and confidence in everything your teams are doing in their environments.
Zero Trust Application Access for Managed Service Providers
In today's dynamic and security-conscious business environment, deploying managed services in uncontrolled environments necessitates a robust, flexible and secure solution. BastionZero, with its zero trust model and the MrZAP protocol, provides just that. It offers ease of use, secure connections and real-time visibility into user activities, enabling your team to deliver zero trust managed services efficiently, while enhancing your customers' confidence in your offerings.
See BastionZero in Action
BastionZero connects teams to resources and requires no additional infrastructure to deploy or manage. It is the first—and only—cloud-native solution for trustless access providing multi-root authentication while maintaining zero entitlements to your systems.
With BastionZero, you can reclaim your architecture from over-privileged third parties and ensure that the right people have access to the right resources at just the right time—every time.
Schedule a demo now to see how you can trust less and access more with BastionZero.