We’re excited to announce the experimental release of the new IBM Cloud Privileged Access Gateway service.

This service provides IBM Cloud internal services, ISVs, and client admins with seamless, secure operational infrastructure access to essential IBM Cloud-based services or applications, helping them adhere to regulations and zero-trust guidelines, including privileged access validation, restricted access and session recording.

Briefly, it is a Bastion-aaS centralized service that simplifies secure administrative access and helps reduce the cost and burden of deploying and maintaining custom Bastion functionality across IBM Cloud app deployments.

You can read more about the features and benefits in our documentation.

What is IBM Cloud Privileged Access Gateway (PAG)?

Privileged Access Gateway (PAG) is a managed service that provides a secure way for operators to remotely administer servers and clusters within the IBM Cloud. It deploys and manages a bastion-controlled access gateway server, which is a highly secure single point of entry to your fleet of servers and clusters hosting your applications or services. In addition to this restricted gateway access, PAG records operator sessions, which can be used for auditing or forensic investigations and to mitigate misuse of administrative privileges.

What problems are we solving?

As organizations move to hybrid-cloud deployment models, they are faced with the fact that XaaS solutions are managed on the backend by third-party vendors (CSPs) with processes outside of their control. Cloud infrastructure resources — such as VSIs, VMs and containers — are foundational services for any cloud-based deployment, since all XaaS services and applications are built on top of them. These infrastructure resources can be under the control of organizations different from the ones owning the applications or the data that leverages them.

This shared-responsibility model introduces security and compliance uncertainty and risk for the consuming organizations, who still carry full liability for their data. It requires organizations to follow heightened security and compliance requirements for XaaS in cloud environments, which demand additional access controls on the VSI/Kubernetes infrastructure to enforce proper access, including the following:

  • Privileged user access validation tied to identity services and authorization workflows
  • Restricted access requiring strict access controls, including MFA
  • Session recording and audit

Bastion technology is proven industry-wide as a successful solution to these issues, but it is cumbersome to maintain. It’s usually available as software packages that require a deployment, integration and operational plan, which can take up to three months to install and configure.

High-level solution experience

Value proposition

The goal for Privileged Access Gateway is to provide XaaS administrators with seamless secure operational access to essential IBM Cloud-based XaaS services and applications to help them adhere to regulations and zero-trust guidelines.

What are the key benefits of PAG?

  1. Frictionless onboarding: Reduce the time of onboarding from three months to minutes (click and deploy right from Cloud Catalog).
  2. Less work, more time: No need to manage Bastion infrastructure (no new VSIs, no new clusters).
  3. Deploy anywhere: Available where current services are deployed (us-south for experimental version, other MZRs later).
  4. Cost savings: Save costs on infrastructure and operator time by using the managed instances.
  5. Bolster controls: Help meet FedRAMP and FSCloud controls on day one of instance deployment (experimental release will not have these validations ready).
  6. First-class integrations: Already integrated with IBM Cloud services (IAM, Activity Tracker (not in experimental), IBM Cloud Object Storage, and more).
  7. Session capturing: Access to session recordings for self-auditing and compliance/security.
  8. Seamless scalability: Easily scale up and down without the need for any configuration change (not in experimental).

Privileged Access Gateway solution concept

The Privileged Access Gateway (PAG) service instance acts as a forced conduit for interactive sessions with hosts present in the account, enforcing the required security policies (including session recording). The instance is deployed by the end user, in their own account, in accordance with their architecture and governance. Integrated with IBM Cloud IAM, PAG can act as a privileged access conduit to any resource visible from the VPC (including other VPCs via Transit Gateway).

What are the features of the Privileged Access Gateway experimental release?

The experimental version of the Privileged Access Gateway service introduces the key controls for access, support for SSH, and session recording, including the following:

  • Service offered at no charge for early adoption and trial
  • Service provisioning for single-zone gateway deployments
  • Provisioning of a PAG instance using the order UI or the CLI
  • Logging into the PAG gateway and connecting over SSH to a VSI through the service (CLI only)
  • Logging into the PAG gateway and accessing Kubernetes clusters through the service (CLI only)
  • VSI SSH and Kubernetes kubectl exec sessions through PAG are recorded and stored in the end user’s COS bucket
  • Playback of session recordings using the PAG CLI
  • IAM integration, where you can assign users specific PAG roles for easier administration through RBAC
  • Administrator function for listing active sessions in progress on a PAG gateway
  • Private access through client-side VPN
  • Initial experimental release available only in the US-South MZR

The GA version will expand on this foundation and provide extended functionality and support.

Get started

Try the IBM Cloud Privileged Access Gateway experimental version today.

Start getting familiar with the benefits of protecting administrative access to your private virtual machines, clusters and servers from the IBM Cloud portal. You can leverage the PAG experimental release to ensure that access to your private servers and clusters never leaves your control.
