BastionZero is built on a zero-trust cryptographic messaging protocol for remote access. It eliminates single points of compromise and is so secure, scalable, and invisible that you and your users won't even notice it's there.
The BastionZero token has signatures from two independent roots of trust: the BastionZero cloud service and your Single Sign-On (SSO) provider. Targets validate each access against both roots of trust, ensuring that neither BastionZero’s cloud service nor your SSO becomes a single point of compromise for your infrastructure.
Each time a user Alice logs into BastionZero, she chooses a fresh key that she stores locally on her machine. Her key is then certified (in the BastionZero token) by the two roots of trust: the BastionZero cloud service and the SSO. Alice then uses her key to sign all her messages. This ensures that our cloud service cannot tamper with Alice’s messages or inject its own commands to your targets.
Our cloud service is not granted privileged access to your targets. Every message in the MrTAP protocol includes the hash of the previous message and the signature of the dispatching party. This prevents the cloud service from altering messages or injecting its own commands.
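The chaining described above, as an added Go example (not BastionZero's code and not the MrTAP wire format): a target-side check that rejects altered, injected, or dropped messages relayed by an untrusted intermediary. The `Msg` layout and the `Send` and `Verify` names are hypothetical, Ed25519 and SHA-256 are assumed primitives, and the single public key stands in for the user key certified in the BastionZero token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Msg is a hypothetical layout for illustration, not the MrTAP wire format.
type Msg struct {
	PrevHash [32]byte // SHA-256 of the previous message (all zero for the first)
	Payload  []byte
	Sig      []byte // sender's signature over PrevHash || Payload
}

func (m Msg) signedBytes() []byte { return append(m.PrevHash[:], m.Payload...) }
func (m Msg) hash() [32]byte      { return sha256.Sum256(append(m.signedBytes(), m.Sig...)) }

// Send builds the next message in the chain and signs it with the sender's key.
func Send(priv ed25519.PrivateKey, prev *Msg, payload string) Msg {
	m := Msg{Payload: []byte(payload)}
	if prev != nil {
		m.PrevHash = prev.hash()
	}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Verify is the receiver-side check: every message must carry a valid
// signature from the certified key and the hash of the message before it.
func Verify(pub ed25519.PublicKey, chain []Msg) error {
	var want [32]byte
	for i, m := range chain {
		if m.PrevHash != want {
			return fmt.Errorf("message %d: broken hash chain", i)
		}
		if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
			return fmt.Errorf("message %d: bad signature", i)
		}
		want = m.hash()
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed per-login key
	m0 := Send(priv, nil, "open shell")
	m1 := Send(priv, &m0, "ls /var/log")
	m2 := Send(priv, &m1, "exit")
	fmt.Println("intact chain:", Verify(pub, []Msg{m0, m1, m2}))
	fmt.Println("m1 dropped in transit:", Verify(pub, []Msg{m0, m2}))
}
```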