Security: BastionZero protects against data breaches by securely storing your server credentials while controlling, timeboxing, monitoring and logging your users’ shell access to your servers. Our next-generation key-splitting security model ensures that your servers are safe even if one of your users is compromised or even if BastionZero itself is compromised. Our system works with any deployment, whether on-prem or in the public cloud.


Zero-trust access: BastionZero combines your existing IdP with a generic policy- and role-based access control engine, giving you a single solution for zero-trust access to targets in any public or private cloud.


No new infrastructure: BastionZero is SaaS, which means that you never have to provision, maintain, upgrade or patch it. Even so, you have not given us all the keys to your kingdom, because our next-generation key-splitting security model ensures that the Bastion cannot access a target server without the participation of a valid user from within your organization.


Target autodiscovery: BastionZero can autodiscover your servers without requiring you to set up a VPN or configure SSH keys. This is done by installing an agent on your targets. Upon startup, the agent phones home to a whitelisted address (via a websocket over TLS 1.2 or TLS 1.3) and registers the server with BastionZero. There is no need for a VPN because the agent initiates an outbound connection from the public cloud or data center. The agent is still locked down because it does not accept incoming connections, and because it only phones home to the whitelisted address.


Logging: Basic cybersecurity hygiene and modern compliance frameworks demand that you track and control each remote server access made by your operators and developers. BastionZero gives you visibility and control of each server access made by your operators, your developers, or their scripts, along with the ability to set policy about who can log in to which server, when, and for how long. If an adversary compromises your server, they can cover their tracks by deleting any logs stored on the server. BastionZero eliminates this attack by intercepting and logging all commands before they reach the server. That way, an adversary can’t hide their actions by deleting server logs.