We’re excited to announce the experimental release of the new IBM Cloud Privileged Access Gateway service.

This service gives IBM Cloud internal services, ISVs and client admins seamless, secure operational access to the infrastructure behind essential IBM Cloud-based services and applications. It helps them adhere to regulations and zero-trust guidelines by providing privileged access validation, restricted access and session recording.

Briefly, it is a centralized bastion-as-a-service that simplifies secure administrative access and reduces the cost and burden of deploying and maintaining custom bastion functionality across IBM Cloud app deployments.

You can read more about the features and benefits in our documentation.

What is IBM Cloud Privileged Access Gateway (PAG)?

Privileged Access Gateway (PAG) is a managed service that provides a secure way for operators to remotely administer servers and clusters within IBM Cloud. It deploys and manages a bastion-style controlled-access gateway server that serves as the single point of entry to your fleet of servers and clusters hosting your applications or services. In addition to restricting the path into the fleet, PAG records operator sessions; the recordings can be used for auditing or forensic investigations and to deter misuse of administrative privileges.

What problems are we solving?

As organizations move to hybrid-cloud deployment models, they are faced with the fact that XaaS solutions are managed on the backend by third-party vendors (CSPs) with processes outside of their control. Cloud infrastructure resources, such as VSIs, VMs and containers, are foundational for any cloud-based deployment, since all XaaS services and applications are built on top of them. These infrastructure resources can be under the control of organizations different from the ones owning the applications or the data that use them.

This shared-responsibility model introduces security and compliance uncertainty and risk for the consuming organizations, who still carry full liability for their data. It requires them to follow heightened security and compliance requirements for XaaS on cloud environments, which demand additional access controls on the VSI/Kubernetes infrastructure, including the following:

  • Privileged user access validation tied to identity services and authorization workflows
  • Restricted access requiring strict access controls, including MFA
  • Session recording and audit

Bastion hosts are a proven, industry-wide answer to these requirements, but they are cumbersome to maintain. They are usually available as software packages that require a deployment, integration and operational plan, which can take up to three months to install and configure.

High-level solution experience

Value proposition

The goal for Privileged Access Gateway is to provide XaaS administrators with seamless secure operational access to essential IBM Cloud-based XaaS services and applications to help them adhere to regulations and zero-trust guidelines.

What are the key benefits of PAG?

  1. Frictionless onboarding: Reduce the time of onboarding from three months to minutes (click and deploy right from Cloud Catalog).
  2. Less work, more time: No need to manage Bastion infrastructure (no new VSIs, no new clusters).
  3. Deploy anywhere: Available where current services are deployed (us-south for experimental version, other MZRs later).
  4. Cost savings: Save costs on infrastructure and operator time by using the managed instances.
  5. Bolster controls: Help meet FedRAMP and FSCloud controls on day one of instance deployment (experimental release will not have these validations ready).
  6. First-class integrations: Already integrated with IBM Cloud services (IAM, Activity Tracker (not in experimental), IBM Cloud Object Storage, and more).
  7. Session capturing: Access to session recordings for self-auditing and compliance/security.
  8. Seamless scalability: Easily scale up and down without the need for any configuration change (not in experimental).

Privileged Access Gateway solution concept  

The Privileged Access Gateway (PAG) service instance acts as a forced conduit for interactive sessions with hosts in the account, enforcing the required security policies (including session recording). The instance is deployed by the end user, in their own account, in accordance with their architecture and governance. Integrated with IBM Cloud IAM, PAG can act as a privileged access conduit to any resource reachable from the VPC (including other VPCs via Transit Gateway).
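A gateway is only a forced conduit if the hosts behind it refuse administrative connections from anywhere else; a stray "SSH from 0.0.0.0/0" rule on a target host silently turns the single point of entry into one of several. The check below is an added example, not part of this announcement or of the PAG service, and it does not call any IBM Cloud API. It walks a set of inbound security-group rules (constructed here in a simplified shape, not IBM Cloud VPC API output) and reports every rule that admits SSH (port 22) or the Kubernetes API server (port 6443, assumed as the kubectl target) from a source that is not wholly inside the gateway's address range (10.240.0.0/24, assumed).

```python
"""Added example (not IBM's code): detect security-group rules that let
administrative traffic bypass a bastion/PAG gateway.

Rule records and CIDRs below are constructed for illustration and use a
simplified shape; they are not IBM Cloud VPC security-group API output.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class InboundRule:
    group: str        # security group the rule belongs to
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_min: int     # inclusive port range (ignored for "all"/"icmp")
    port_max: int
    source: str       # remote CIDR the rule admits, e.g. "0.0.0.0/0"


# Assumed administrative ports: SSH and the Kubernetes API server.
ADMIN_PORTS = frozenset({22, 6443})


def _admits_port(rule: InboundRule, port: int) -> bool:
    """True if the rule admits TCP traffic to `port`."""
    if rule.protocol == "all":
        return True
    if rule.protocol != "tcp":
        return False
    return rule.port_min <= port <= rule.port_max


def bypass_rules(rules: Iterable[InboundRule], gateway_cidr: str,
                 admin_ports: Iterable[int] = ADMIN_PORTS
                 ) -> List[Tuple[InboundRule, List[int]]]:
    """Return (rule, exposed_ports) for every rule that admits an admin port
    from a source not entirely contained in `gateway_cidr`."""
    gateway = ipaddress.ip_network(gateway_cidr)
    findings = []
    for rule in rules:
        exposed = sorted(p for p in admin_ports if _admits_port(rule, p))
        if not exposed:
            continue
        source = ipaddress.ip_network(rule.source, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first;
        # a source of a different family can never be inside the gateway range.
        if source.version == gateway.version and source.subnet_of(gateway):
            continue  # only the gateway range can reach this port: fine
        findings.append((rule, exposed))
    return findings


def report(rules: Iterable[InboundRule], gateway_cidr: str) -> List[str]:
    """Human-readable lines, one per bypass finding."""
    return [
        f"{rule.group}: ports {ports} reachable from {rule.source} "
        f"(outside gateway range {gateway_cidr})"
        for rule, ports in bypass_rules(rules, gateway_cidr)
    ]


# Constructed sample inventory (hypothetical groups and CIDRs).
GATEWAY_CIDR = "10.240.0.0/24"
SAMPLE_RULES = [
    InboundRule("sg-app", "tcp", 22, 22, "10.240.0.0/24"),      # gateway subnet: OK
    InboundRule("sg-app", "tcp", 443, 443, "0.0.0.0/0"),         # public HTTPS, not an admin port
    InboundRule("sg-app", "tcp", 22, 22, "0.0.0.0/0"),           # bypass: SSH from the internet
    InboundRule("sg-k8s", "tcp", 6443, 6443, "192.168.5.0/24"),  # bypass: API server from another range
    InboundRule("sg-db", "all", 0, 0, "10.240.0.0/16"),          # bypass: wider than the gateway range
    InboundRule("sg-k8s", "tcp", 6443, 6443, "10.240.0.17/32"),  # one gateway address: OK
]

if __name__ == "__main__":
    for line in report(SAMPLE_RULES, GATEWAY_CIDR):
        print(line)
```

Run it against an inventory exported from your own account and treat any output line as a policy violation to fix before relying on session recordings as a complete audit trail: a session that never passed through the gateway is never recorded.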

Features of the Privileged Access Gateway experimental release

The experimental version of the Privileged Access Gateway service introduces the key access controls, SSH support and session recording, including the following:

  • Service offered at no charge for early adoption and trial
  • Offers service provisioning for single-zone gateway deployments 
  • Provisioning a PAG instance using an order UI or from the CLI 
  • Logging into the PAG gateway and ssh to a VSI through the service (CLI only)
  • Ability to log into the PAG gateway and access Kubernetes clusters through the service (CLI only)
  • VSI ssh and Kubernetes kubectl exec sessions through PAG are recorded and stored in the end-user’s COS bucket
  • Playback of session recordings using the PAG CLI
  • IAM integration, where you can assign users specific PAG roles for easier administration through role-based access control
  • Administrator function for listing active sessions in progress on a PAG gateway
  • Private access through client-side VPN
  • Initial experimental release will be available only on the US-South MZR

The GA version will expand on this foundation and provide extended functionality and support.

Get started

Try the IBM Cloud Privileged Access Gateway experimental version today.

Start getting familiar with the benefits of protecting administrative access to your private virtual machines, clusters and servers from the IBM Cloud portal. You can use the PAG experimental release to ensure that access to your private servers and clusters never leaves your control.
