A few weeks ago, our CTO, Ethan Heilman, had the pleasure of speaking with Steve Stonebraker on the Ephemeral Security Podcast. They talked about getting into information security, how BastionZero works, and BastionZero’s potential features in the future.
Getting into Information Security
Ethan has been interested in computers since he was a kid, collecting security knowledge along the way. Although he initially pursued a career as a security engineer, his interest in security kept pulling him into security-related tasks and into research in his free time.
After the company he was working at was acquired, he decided to pursue a Ph.D. at Boston University, which was where he met Sharon Goldberg.
“When the startup I was at got acquired, I decided to [get a Ph.D. in cybersecurity]... I spent a long time basically deep-diving on network security and cryptology.”
Eventually, they founded Commonwealth Crypto, Inc. However, the blockchain space was heavily regulated. Looking for a space where they could realize their ideas, they shifted their focus to cybersecurity and founded BastionZero.
The Inner Workings of BastionZero
Ethan explained that the core idea of BastionZero is to add an independent root of trust for authentication to the server, alongside the IDP, without itself becoming a single point of compromise. As a result, both the IDP and BastionZero have to be compromised before your system is compromised.
“If BastionZero is compromised, the attacker still cannot get access; it requires the joint compromise of both the IDP and BastionZero.”
BastionZero also has a dynamic-targets system in which a BastionZero target behaves like a Linux box. Users can plug their provisioning system into BastionZero, request that a box be spun up, and then gain access to it. The box lives on the user’s own network, which makes the steps to reach it simpler and quicker.
However, Ethan noted that BastionZero isn’t a firewall: it does not prevent users from setting up other ways of accessing their servers. Instead, it provides a more secure way to reach those servers.
BastionZero’s Future Features
The main feature Ethan discussed is just-in-time access, which changes BastionZero’s privileged-access flow. The feature will connect to a Slack channel and post an alert whenever a user requests access to a group of servers. If the request is approved, the user has access for two hours before needing to request access again. The feature is still a work in progress and may change before deployment.
A service offering a separate AWS account and an option to add another MFA verification were also discussed, but no development plans have been made yet.
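To make the two ideas above concrete (a target that only grants access when both the IDP and BastionZero vouch for the user, and a just-in-time grant that lapses after two hours), here is a small Python model. It is an added illustration written for this post, not BastionZero’s own code or protocol: the party names, the claim fields, the hypothetical `idp_login`, `jit_approve`, `authorize` and `scenario` functions, and the constructed secrets are all assumptions, and HMAC over canonical JSON stands in for the asymmetric signatures a real deployment would use (where the target would hold only public keys).

```python
import hashlib
import hmac
import json

# Constructed example secrets; each party holds only its own. In a real
# deployment these would be separate asymmetric signing keys.
IDP_KEY = b"constructed-idp-signing-secret"
BASTIONZERO_KEY = b"constructed-bastionzero-signing-secret"
JIT_TTL_SECONDS = 2 * 60 * 60  # the two-hour window described in the post


def sign(key: bytes, claims: dict) -> str:
    """Sign a claims dict over canonical JSON so identical claims sign identically."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, claims: dict, signature: str) -> bool:
    """Constant-time comparison against a freshly computed signature."""
    return hmac.compare_digest(sign(key, claims), signature)


def idp_login(user: str, now: int) -> tuple:
    """First root of trust: the identity provider asserts who the user is."""
    claims = {"iss": "idp", "sub": user, "iat": now}
    return claims, sign(IDP_KEY, claims)


def jit_approve(user: str, group: str, now: int) -> tuple:
    """Second root of trust: BastionZero issues a time-boxed grant once a
    reviewer approves the request. The grant expires two hours after approval."""
    claims = {"iss": "bastionzero", "sub": user, "group": group, "exp": now + JIT_TTL_SECONDS}
    return claims, sign(BASTIONZERO_KEY, claims)


def authorize(user, group, now, idp_claims, idp_sig, grant_claims, grant_sig) -> tuple:
    """Target-side check: BOTH assertions must verify, name this user, and
    the grant must cover this group and still be within its window."""
    if not verify(IDP_KEY, idp_claims, idp_sig):
        return False, "idp assertion failed to verify"
    if idp_claims.get("sub") != user:
        return False, "idp assertion is for a different user"
    if not verify(BASTIONZERO_KEY, grant_claims, grant_sig):
        return False, "bastionzero grant failed to verify"
    if grant_claims.get("sub") != user or grant_claims.get("group") != group:
        return False, "grant does not cover this user/group"
    if now >= grant_claims.get("exp", 0):
        return False, "grant expired; request access again"
    return True, "access granted"


def scenario(compromised: set, now: int = 1_700_000_000) -> tuple:
    """Model the joint-compromise property: a party whose key is in `compromised`
    can mint its own assertion for an unapproved identity; the other party's
    assertion can only be faked with an invalid signature."""
    who, group = "unapproved-user", "prod-db"
    bogus_sig = "0" * 64  # placeholder that cannot verify without the key
    if "idp" in compromised:
        idp_claims, idp_sig = idp_login(who, now)
    else:
        idp_claims, idp_sig = {"iss": "idp", "sub": who, "iat": now}, bogus_sig
    if "bastionzero" in compromised:
        grant_claims, grant_sig = jit_approve(who, group, now)
    else:
        grant_claims = {"iss": "bastionzero", "sub": who, "group": group, "exp": now + JIT_TTL_SECONDS}
        grant_sig = bogus_sig
    return authorize(who, group, now, idp_claims, idp_sig, grant_claims, grant_sig)


if __name__ == "__main__":
    t0 = 1_700_000_000
    idp_c, idp_s = idp_login("alice", t0)
    g_c, g_s = jit_approve("alice", "prod-db", t0)
    print("approved user, within window:", authorize("alice", "prod-db", t0 + 60, idp_c, idp_s, g_c, g_s))
    print("same grant after two hours:  ", authorize("alice", "prod-db", t0 + JIT_TTL_SECONDS, idp_c, idp_s, g_c, g_s))
    for parties in (set(), {"idp"}, {"bastionzero"}, {"idp", "bastionzero"}):
        print(f"compromised={sorted(parties) or 'none'}:", scenario(parties))
```

Running the script shows the property the post describes: with neither party compromised, or only one of them, the target refuses; only when both the IDP key and the BastionZero key are held does the forged pair pass, and even a legitimately approved user is refused once the two-hour grant lapses.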
Interested in hearing more about getting into information security and the technology underlying BastionZero? Listen to the full episode here: