Today, we at BastionZero are thrilled to announce the expansion of our platform to a broad and critical new set of infrastructure access use cases: database access and Windows access. As part of this new feature drop we are also increasing the usability of the platform by introducing a new point-and-click end-user desktop app.
Passwordless Access Control for Database Security
Ten million dollars. That’s the average cost of a data breach in the United States today. So far in 2023, these breaches have impacted a range of industries — from car manufacturers to pharmaceutical giants — and there’s no sign that attackers are slowing down. If companies want to protect their data, they have to protect the databases where that data lives. That’s why BastionZero is stepping up its game to introduce expanded access control to better secure databases via passwordless technology. Now, administrators can access databases via BastionZero without distributing database passwords to their users. Our new feature SplitCert uses cryptographic techniques, specifically secure multiparty computation (MPC), to strengthen the security of databases. This new feature makes it harder for bad actors, and easier for authorized users, to get in and access data in sensitive databases.
SplitCert: Passwordless Database Access with MPC
BastionZero’s new SplitCert feature introduces a new way to eliminate the operational overhead and security risk associated with database passwords. SplitCert avoids storing database passwords, credentials or secrets in a single location that could be compromised. By eliminating single points of compromise, SplitCert provides users with a true zero trust database access experience that eliminates the hassle of maintaining, securing and distributing database passwords.
SplitCert uses Mutual TLS (mTLS) and cryptographic multiparty computation (MPC) to provide ephemeral password-free authentication without storing any database passwords at all, making a new era for access control in database security.
The release of SplitCert demonstrates BastionZero’s commitment to continued innovation around providing true zero trust access to infrastructure. With SplitCert, our customers don’t need to trust anyone with their database passwords. Instead, SplitCert splits the database authentication factor into two shards, and stores each shard in an independent location. Then, cryptographic MPC is used to authenticate the user to the database by constructing ephemeral mTLS client certificates without ever putting the shards back together. These mTLS client certificates are then used to authenticate a user to a database.
SplitCert is invisible to end users and supports database access via popular existing database clients and workflows. BastionZero’s initial release of SplitCert supports access to two popular databases: self-hosted Postgres and MongoDB.
Passwordless Database Access to GCP Cloud SQL and AWS RDS
Organizations that use GCP Cloud SQL and AWS RDS databases can now also take advantage of BastionZero’s passwordless zero trust capabilities. BastionZero eliminates the overhead associated with password maintenance for database access by associating a BastionZero agent with an IAM service account that grants access to the databases. Administrators define policies to grant role-based access to databases and can revoke that access in real time. And audit logs let them see exactly what role accessed what target and when it did so.
Access to Microsoft Windows Infrastructure
Microsoft Windows users now benefit from two kinds of BastionZero support. The first is the ability to access targets from Windows using BastionZero’s command line interface, the Zero Trust Command Interface (ZLI). With ZLI and Windows PowerShell, users running Windows 11 or 10 (in the Pro or Home Edition) can connect to any target that BastionZero supports, including databases and Kubernetes clusters. We’re also introducing a new Windows agent that enables secure access to two more kinds of targets: Windows RDP and Windows SQL servers. The agent is completely cloud agnostic, and works for on-premise and Azure cloud (or other cloud) configurations.
The BastionZero Desktop App
We’re taking a big step to make our services more accessible to all users with the release of our desktop app. Windows, Mac and Linux users can all use this app to navigate to targets with simple point-and-click commands. The interface allows users to quickly assess whether targets are online and whether they permit just-in-time access. Users can filter, group or favorite targets for quick access, and designate an app to serve as the default to use whenever connecting to a target. Lastly, the desktop app lets users and admins easily send logs to BastionZero for help with debugging as needed.
Reduce the Probability and Impact of Compromise
It’s no secret that identity providers (IdPs) are regularly breached. So why would you trust them when it comes to access control for databases and other critical infrastructure? And why would you want to deal with a mess of passwords, credentials and keys? BastionZero works with your IdP to create two independent roots of trust. That way, even if your IdP is compromised, bad actors can’t access your databases or other critical infrastructure. These new BastionZero features make it easier to protect more — without the hassles of passwords, SSH keys or VPNs.