Aws bastion host vpn
Perimeter-based security is outdated, and has failed over and over again. Having just one perimeter VPN to protect your assets, but no other defenses, is akin to basing your corporate security posture around giving keys to office buildings but not to individual offices. Once the attacker enters the building, they can get into any office and no one can stop them from doing whatever they want. In other words, VPNs provide mediocre access control: they can control which private networks a user Alice is allowed to access, but not which targets or roles she is able to access while she is inside that network. Failures like the recent Colonial Pipeline breach are one reason why the US federal government is deprecating VPNs in favor of a zero-trust security posture, where users are required to authenticate every time they wish to access a target.

BastionZero provides zero-trust access directly to your sensitive infrastructure targets, so you can control exactly which engineers have access to what roles and targets, and audit the commands that they run. BastionZero supports just-in-time authorization, so you can provide a developer with time-limited access to a specific role ("cluster-admin") on a specific target ("k8s-cluster-123"). This prevents privilege creep, where all your developers eventually gain privileged access to all your targets. It also gives you visibility into who has access to what, and when. A VPN just gates access to your network, without supporting authorization to your targets.

With a VPN, you still need to manage SSH keys, IAM roles and database passwords. BastionZero's model of passwordless access eliminates key management and rotation. Unlike a VPN, BastionZero collects identity-aware logs of the commands that your developers execute on your targets, along with session recordings and access logs. If you use a VPN with SSH or k8s, you need to have an open SSH port or exposed k8s API, which increases the risk of lateral movement by adversaries. With BastionZero, you can close open ports (e.g.

A VPN only solves part of the problem. With a VPN, you still need a system in place to support access to individual targets (e.g. IAM roles, SSH keys, SSO integrations, bastion hosts, proxies, database keys, secret vaults, etc.). BastionZero is an all-in-one SaaS which provides access directly to your targets, integrates with your SSO, eliminates management of credentials and passwords, and provides audit logs of each access and command, along with session recording.

Why choose BastionZero as an alternative to VPN?

VPN: Authenticate to the network via SSO or via long-lived credentials.
BastionZero: Authenticate to the target via SSO and an independent MFA.
BastionZero: Log which role on what target is accessed by what user, and what commands that user ran (e.g., "Alice has access to cluster-admin role on k8s-cluster-123 for 2 hours").