BastionZero: The Best VPN Alternative

‍

Why choose BastionZero as an alternative to VPN?

‍

• A VPN only solves part of the problem. With a VPN, you still need a system in place to support access to individual targets (e.g. IAM roles, SSH keys, SSO integrations, bastion hosts, proxies, database keys, secret vaults, etc).  BastionZero is an all-in-one SaaS which provides access directly to your targets, integrates with your SSO, eliminates management of credentials and passwords, and provides audit logs of each access and command, along with session recording. 

• Perimeter-based security is outdated, and has failed over and over again. Having just one perimeter VPN to protect your assets, but no other defenses, is akin to basing your corporate security posture around giving keys to office buildings but not to individual offices. Once the attacker enters the building, they can get into any office and no one can stop them from doing whatever they want. In other words, VPNs provide mediocre access control -- they can control which private networks a user Alice is allowed to access, but not which targets or roles she’s able to access while she’s inside that network. Failures like the recent Colonial Pipeline breach are one reason why the US federal government is deprecating VPNs in favor of a zero-trust security posture, where users are required to authentication every time they wish to access a target. BastionZero provides zero-trust access directly to your sensitive infrastructure targets, so you can control exactly which engineers have access to what roles and targets, and audit the commands that they run.  

• Prevent privilege creep. BastionZero supports just-in-time authorization, so you can provide a developer with time-limited access to a specific role (“cluster-admin”) on a specific target (“k8s-cluster-123”). This prevents privilege creep, where all your developers eventually gain privileged access to all your targets.  It also gives you visibility into who has access to what, and when. A VPN just gates access to your network, without supporting authorization to your targets.

• Eliminate password management. BastionZero’s model of passwordless access eliminates key management and rotation. With a VPN, you still need to manage SSH keys, IAM roles and database passwords.

• Support audit logging. Unlike a VPN, BastionZero collects identity-aware logs of the commands that your developers execute on your targets, along with session recordings and access logs..

• Close your open ports. With BastionZero, you can close open ports (e.g. SSH ports) on your targets.  If you use a VPN with SSH or k8s, you need to have an open SSH port or exposed k8s API,  which increases the risk of lateral movement by adversaries.

Reduce risk of compromise, because BastionZero provides zero trust access to infrastructure without creating an overprivileged single point of compromise in your infrastructure. In a traditional zero-trust approach, the focus is on eliminating long-lived credentials held by users or clients; so that a compromise of a user does lead to a compromise of the infrastructure. Usually, this is done by introducing a single, centralized root-of-trust that is given the power to determine which user has properly authenticated into the system. But if we put all credentials in a single centralized root-of-trust, that root-of-trust becomes a single point of compromise. If attackers own centralized root-of-trust because itf the attack is successful, the own all the infrastructure behind it.  BastionZero uses multiple independent roots-of-trust to control access to your targets. This eliminates single points of compromise because if one root-of-trust is compromised but the other root-of-trust is not, then your targets remain secure.   Traditional VPNs, homegrown access systems, and zero-trust solutions do not provide this level of security and risk reduction.  Learn more here.