Frequently asked questions
What Is Infrastructure Access?
Modern infrastructure is what runs the business. It’s the databases, Kubernetes clusters, servers, and web servers that power applications and user experiences. It’s the most critical underpinning and a popular target for attackers, so every zero trust strategy needs to start at infrastructure access — who accessed what targets and exactly what happened when that access was granted?
Is BastionZero Zero Trust Network Access?
Although Zero Trust Network Access is a good thing, it’s not the only (or even the best) way to provide zero trust access to infrastructure. With BastionZero, you access targets, not networks. It removes the traditional network edge and eliminates the need for your users to hold long-lived credentials. Unlike ZTNA solutions, BastionZero doesn’t store your credentials or have privileged access to your targets. Instead, it requires two independent roots of trust to grant access to a user, which prevents bad actors from getting into your infrastructure, even if one root of trust is compromised.
How Does BastionZero Fit into a Zero Trust Architecture Strategy?
Zero trust principles outlined by NIST and others highlight the critical need to eliminate over-privileged and long-lived credentials. BastionZero is a great way to accelerate your zero trust strategy while dramatically reducing your attack surface. Our security model uniquely uses two roots of trust (BastionZero and your IdP), so even if one is compromised, your infrastructure remains secure. Want to learn more? Check out the Definitive Guide to Zero Trust Access.
How Does BastionZero Simplify Zero Trust Access Management?
BastionZero is a modern zero trust infrastructure access solution that works with your IdP and existing workflows. Our Zero Trust Access Management deploys in seconds, auto-discovers infrastructure targets, and enforces your fine-grained policy controls across clouds, databases, servers, and web servers. All without juggling server, database, and cloud passwords, keys, jump hosts, or other outdated approaches. And as your infrastructure, users, and policies change, BastionZero continuously evaluates your authorization controls and allows you to instantly revoke access when needed.
Don’t My Single Sign-On (SSO) and Identity Provider (IdP) Do This?
IdPs are a critical piece of the security stack; however, they are highly privileged, and they don’t solve the last-mile problem: how you get access to different roles on servers, containers, clusters, web, and database infrastructure across different cloud and on-prem environments. IdPs don’t provide just-in-time access or controls for accessing individual roles on specific targets, and they don’t create the command logs and session recordings that satisfy important compliance requirements.
BastionZero works with your IdP to create two roots of trust that simplify access without disrupting your workflows. Our unique security architecture ensures that your infrastructure is secure even if your IdP is compromised.
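The two-roots-of-trust model described above, as an added illustration that is not BastionZero's own code or protocol: access is granted only when an IdP-issued assertion and an independent BastionZero-side approval both verify and agree on the same user, target and role, so a forged IdP token alone is refused. HMAC tags under two constructed keys stand in for whatever signature scheme the product actually uses; the keys, user, target and role values are all assumptions.

```python
import hmac
import hashlib
import json

# Constructed keys standing in for two independent roots of trust.
# Each root holds its own key; HMAC is used so this runs offline with the stdlib.
IDP_KEY = b"constructed-idp-signing-key"
BASTION_KEY = b"constructed-bastionzero-signing-key"


def sign(key: bytes, claims: dict) -> str:
    """MAC over a canonical JSON encoding so key order cannot change the tag."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, claims: dict, tag: str) -> bool:
    """Constant-time comparison so the check does not leak timing."""
    return hmac.compare_digest(sign(key, claims), tag)


def issue(key: bytes, claims: dict) -> dict:
    """Attestation as one root of trust would hand it to the access broker."""
    return {"claims": claims, "tag": sign(key, claims)}


def authorize(idp_token: dict, bastion_approval: dict) -> bool:
    """Grant only if BOTH roots independently vouch for the same user, target
    and role. Either attestation on its own is insufficient."""
    idp_claims, bz_claims = idp_token["claims"], bastion_approval["claims"]
    if not verify(IDP_KEY, idp_claims, idp_token["tag"]):
        return False
    if not verify(BASTION_KEY, bz_claims, bastion_approval["tag"]):
        return False
    # The two attestations must describe the same access, not just both be valid.
    return all(idp_claims.get(k) == bz_claims.get(k) for k in ("user", "target", "role"))


# Constructed sample request (hypothetical user, target and role).
REQUEST = {"user": "alice@example.com", "target": "db-prod-01", "role": "readonly"}


def legitimate_access() -> bool:
    return authorize(issue(IDP_KEY, REQUEST), issue(BASTION_KEY, REQUEST))


def compromised_idp_only() -> bool:
    """Holder of the IdP key can mint any IdP token but lacks BASTION_KEY,
    so the second attestation fails and access is denied."""
    forged = dict(REQUEST, user="intruder@example.com", role="admin")
    return authorize(issue(IDP_KEY, forged), issue(b"not-the-bastion-key", forged))


def mismatched_claims() -> bool:
    """Both tags verify, but the roots disagree on the role: denied."""
    return authorize(issue(IDP_KEY, dict(REQUEST, role="admin")), issue(BASTION_KEY, REQUEST))
```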
What Are BastionZero’s Auditing Capabilities?
BastionZero generates many types of events that can be viewed from the administrator’s UI or exported through our API. Events include shell commands (including those run through Kubernetes exec), full session recordings, user and service account connection events, and audit events. Retrieve these as full logs, or apply criteria-based filtering such as SSO user, target user, target name or time of day, to name a few.
How Does BastionZero Help with SOC 2 and ISO 27001 Compliance?
BastionZero makes it easy to address common criteria around controlling identities, access, monitoring, and audit logs that are essential for popular compliance frameworks. And for good reason; your auditors know that infrastructure access is one of the most popular vectors for breaching an organization, and they want to know that you have it locked down.
Is BastionZero a VPN Alternative for Secure Remote Access (SRA)?
Absolutely. VPNs provide network access, and still require you to build an infrastructure access system behind the VPN. BastionZero provides access without a VPN, and solves the “last mile” problem of managing credentials to servers, Kubernetes, web or database infrastructure. It easily delivers access to infrastructure targets with authentication, authorization, and audit logging built in. Learn more about BastionZero vs. VPNs here.
Can You Tunnel Any Protocol Over BastionZero?
Yes! BastionZero’s secure authenticated tunnel never terminates and re-initiates the connection inside our cloud service, a design that would harm performance and limit the set of protocols that can run through the service. With BastionZero’s connection architecture, any protocol can be tunneled through the secure connection. BastionZero’s authentication, authorization, and policy services are all applied to a user connecting to an application, whether it’s based on OFTP (1986, trust us, it works!) or a modern web app.
Can BastionZero Deliver Secure Database Access?
Yes. BastionZero provides native support for secure database access without the mess of distributing and managing database passwords to your users. With BastionZero, you have the option to utilize JIT policy-based access control and instant revocation, which is difficult to achieve with jump hosts and VPN architectures.
How Does BastionZero Handle Multi-Cloud Access Management?
BastionZero is completely cloud agnostic, providing centralized policy and zero trust access across clouds and accounts. You can write fine-grained policies that control access to your targets via a single web console or API endpoint. BastionZero makes it easy to control exactly which user can assume which role/account on which target, across all your different clouds and environments.