We’re excited to announce the experimental release availability of the new IBM Cloud Privileged Access Gateway service.
This service provides IBM Cloud internal services, ISVs, and client admins with seamless, secure operational infrastructure access to essential IBM Cloud-based services or applications, helping them adhere to regulations and zero-trust guidelines, including privilege access validation, restricted access and session recording.
Briefly, it is a Bastion-aaS centralized service that simplifies secure administrative access and helps reduce the cost and burden of deploying and maintaining custom Bastion functionality across IBM Cloud app deployments.
You can read more about the features and benefits in our documentation.
What is IBM Cloud Privileged Access Gateway (PAG)?
Privileged Access Gateway (PAG) is a managed service that provides a secure way for operators to remotely administer servers and clusters within the IBM Cloud. It deploys and manages a Bastion controlled access gateway server, which is a highly secure single point of entry to your fleet of servers and clusters hosting your applications or services. In addition to this restricted gateway access, PAG records operator sessions, which can be used for auditing or forensic investigations and to mitigate against misuse of administrative privileges.
What problems are we solving?
As organizations move to hybrid-cloud deployment models, they are faced with the fact that the XaaS solutions are managed on the backend by third-party vendors (CSPs) with processes outside of their control. Cloud infrastructure resources — such as VSIs, VMs and containers — are foundational services for any cloud-based deployment since all XaaS services and applications are built on top. These infrastructure resources can be under the control of organizations different from the ones owning the applications or the data that leverages them.
This shared-responsibility model introduces security and compliance uncertainty and risk for the consuming organizations, who still have full liability over their data. It requires organizations to follow heightened security and compliance requirements for XaaS on cloud environments, which demand additional access controls to the VSI/Kubernetes infrastructure to enforce proper access, including the following:
- Privileged user access validation tied to identity services and authorization workflows
- Restricted access requiring strict access controls, including MFA
- Session recording and audit
Bastion technology is proven as a successful solution industry-wide to address these issues, but it is cumbersome to maintain. It’s usually available as software packages that require a deployment, integration and operational plan, which can take up to three months to install and configure.
High-level solution experience
The goal for Privileged Access Gateway is to provide XaaS administrators with seamless secure operational access to essential IBM Cloud-based XaaS services and applications to help them adhere to regulations and zero-trust guidelines.
What are the key benefits of PAG?
Frictionless onboarding: Reduce the time of onboarding from three months to minutes (click and deploy right from Cloud Catalog).
Less work, more time: No need to manage Bastion infrastructure (no new VSIs, no new clusters).
Deploy anywhere: Available where current services are deployed (us-south for experimental version, other MZRs later).
Cost savings: Save costs on infrastructure and operator time by using the managed instances.
Bolster controls: Help meet FedRAMP and FSCloud controls on day one of instance deployment (experimental release will not have these validations ready).
First-class integrations: Already integrated with IBM Cloud services (IAM, Activity Tracker (not in experimental), IBM Cloud Object Storage, and more).
Session capturing: Access to session recordings for self-auditing and compliance/security.
Seamless scalability: Easily scale up and down without the need for any configuration change (not in experimental).
Privileged Access Gateway solution concept
The Privileged Access Gateway (PAG) service instance acts as a forced conduit for interactive sessions with hosts present in the account, enforcing the required security policies (including session recording). The instance is deployed by the end-user, in their account, in accordance with their architecture and governance. Integrated with IBM Cloud IAM, PAG can act as a privileged access conduit to any resource visible from the VPC (including other VPCs via Transit Gateway):
Features of Privileged Access Gateway experimental release?
The experimental version of Privileged Access Gateway service will introduce the key controls for access, support for SSH and session recording, including the following:
- Service offered at no charge for early adoption and trial
- Offers service provisioning for single-zone gateway deployments
- Provisioning a PAG instance using an order UI or from the CLI
- Logging into the PAG gateway and ssh to a VSI through the service (CLI only)
- Ability to log into the PAG gateway and access Kubernetes clusters through the service (CLI only)
- VSI ssh and Kubernetes kubectl exec sessions through PAG are recorded and stored in the end-user’s COS bucket
- Playback of session recordings using the PAG CLI
- IAM integration where you can assign users specific PAG roles for easier administration through RBAC access
- Administrator function for listing active sessions in progress on a PAG gateway
- Private access through client-side VPN
- Initial experimental release will be available only on the US-South MZR
The GA version will expand on this foundation and provide extended functionality and support.
Try the IBM Cloud Privileged Access Gateway experimental version today.
Start getting familiar with the benefits of protecting administrative access to your private virtual machines, clusters and servers from the IBM Cloud portal. You can leverage PAG experimental to ensure the access to your private servers and clusters never leave your control.