Redefining zero trust access to cloud infrastructure

With BastionZero, infrastructure teams can easily configure, manage and secure fine-grained access controls to infrastructure targets in any cloud or on-prem environments.

Learn more about our secure infrastructure access solution

Download PDF

Got 6 minutes?

Learn how our security model works from our CEO

Frequently asked questions

What if BastionZero is compromised?

If BastionZero’s cloud service is compromised, then the adversary’s options are limited. The adversary can drop messages as they traverse the cloud service, but they cannot execute commands or set up tunnels to the target. This follows because the attacker does not have a valid user account on the Identity Provider (SSO) associated with the target. The targets validate each access against the SSO; so if the SSO has not validated the access, the target will not accept the connection!

What if the user’s SSO is compromised?

Targets are still secure as long as the user’s independent MFA to the BastionZero cloud service is not compromised.

What if BastionZero and the user’s SSO are both compromised?

An adversary can compromise the system only if the BastionZero cloud service was compromised along with a valid user SSO. This scenario is improbable because it means the attacker has compromised multiple independent systems: BastionZero’s cloud service AND the SSO. The increase in attack complexity is the desirable consequence of our MrTAP protocol, which uses multiple roots of trust to eliminate single points of compromise.

Who designed and built your zero trust access protocol?

We did. Our team includes multiple PhD cryptographers who have collectively authored over 30 peer-reviewed papers in security and cryptography. You can learn more about our protocol by reading our whitepaper or visiting our open-source repositories!

A no-compromise cloud service for zero trust access

Our cryptographic multi-root trustless access protocol allows us to offer you a cloud service for remote access, without needing privileged access to your targets. So you can simplify your life without having to compromise on security.

Zero Trust Access via SSO + MFA

BastionZero automatically integrates with your existing SSO, so you can easily control users’ access to your targets in any cloud or on-prem environment via SSO. An additional independent MFA to BastionZero’s cloud service ensures that your targets are secure even if your user SSO is compromised.

Multiple roots of trust

BastionZero splits control of your targets between two independent roots of trust: your Single Sign On (SSO) and our cloud service. No one can access your infrastructure without the consent of both roots of trust. That means you can outsource remote access to our cloud service, without worrying that our cloud service will create a point of compromise for your infrastructure.

Centralized policy management

You can write fine-grained policies that control access to your targets via a single web console or API endpoint. BastionZero makes it easy to control exactly which user can assume which role/account on which target, across all your different clouds and environments.

Centralized logging

BastionZero’s cloud service logs who accessed which role/account on a target, along with what they did to the target. We support your forensics and compliance requirements by providing searchable command logs along with session recordings. And we even log what your users are doing inside kubectl exec.

BastionZero QuickStart: Deploy in seconds

Install the zli
The zli pulls a list of your targets from your existing SSH config
Authenticate to your SSO
This automatically creates your BastionZero account.
Autodiscover your targets
The zli deploys the bz-agent to your targets, which then phone home to the BastionZero service.
Add the BastionZero charts repository to helm
Install bctl-agent chart
Autodiscover the cluster!
The bz-container phones home to our cloud service. Users can connect to the cluster via kubectl or our zli!
Add to our repo to helm
This configures a open-source bz-container on your cluster
Set up SSH config on your local machine
Start the tunnel
Access with your db client
Set up local port forwarding
Start an SSH tunnel to your DB
Access without changing your existing DB workflow

BastionZero autodiscovers your targets

No more open ports or VPNs

Each target phones home to the cloud service via a secure TLS websocket. That way, BastionZero can discover targets that are invisible to the public Internet. The target is locked down (even without a VPN) because it does not accept incoming connections.

No more long-lived credentials

Configuring long-lived credentials for short-lived targets or infrastructure as code can be tricky to manage and secure. But with BastionZero, no keys are required. Instead, your targets phone home and are autodiscovered by BastionZero as they spin up.