NKCODE TECH GEEK ZONE


Alibaba Cloud BastionHost

Posted on February 19, 2022

What is Bastionhost?

Bastionhost is a system O&M and security audit platform provided by Alibaba Cloud. It allows you to centrally manage asset permissions and O&M operations, and play back recordings of O&M operations. This way, you can identify the users who perform specific O&M operations in the cloud, manage permissions, and audit O&M operations. Bastionhost makes asset management efficient, O&M responsibilities clear, and O&M events traceable. Bastionhost helps enterprises meet the requirements for classified protection.

Benefits

Bastionhost provides the following benefits:

Unified portal for O&M

Bastionhost provides a unified portal for you to manage different accounts. You can use single sign-on (SSO) to access a large number of server resources in the backend. This improves O&M efficiency and prevents risks such as forgotten or leaked passwords.

Two-factor authentication

Bastionhost provides a two-factor authentication feature. For identity authentication, you can use a verification code from a multi-factor authentication (MFA) device or a verification code sent in a text message. This prevents unauthorized users from accessing assets by using leaked accounts and passwords.

Fine-grained permission assignment

Bastionhost allows you to group users and assign permissions to the users at a fine granularity. You can control permissions such as file upload, download, and creation permissions. This helps implement flexible access control based on the principle of least privilege.

Automatic blocking of high-risk commands

Bastionhost automatically blocks high-risk commands, such as rm -rf /* (the command to delete data) and commands that format system disks. This helps prevent accidental deletions that may have serious consequences.

Visualized audit for event tracing

Bastionhost visualizes audit records. It records O&M sessions and allows you to play back the recordings. This way, you can collect evidence and trace security events in an efficient manner.

Editions

Bastionhost is available in a Basic Edition and an HA Edition to meet the requirements of different users.

Basic Edition

Bastionhost Basic Edition provides basic features, including two-factor authentication, O&M authorization, high-risk command blocking, and O&M audit. These features help small and medium-sized enterprises ensure basic O&M security and meet the requirements of classified protection.

HA Edition

Bastionhost HA Edition is suitable for large enterprises or enterprises in sectors that have high requirements for O&M security, such as the public service, finance, gaming, online education, and technology development sectors.

Bastionhost HA Edition supports the O&M features that are provided by the Basic Edition. Bastionhost HA Edition also provides the following features to meet higher requirements for business O&M security:

  • Higher business stability. Bastionhost HA Edition uses a dual-engine architecture. Both engines are active, which offers a Service Level Agreement (SLA) of 99.95%.
  • Higher processing performance. Bastionhost HA Edition can maintain up to 10,000 hosts, whereas Bastionhost Basic Edition can maintain up to 500 hosts.
  • More O&M capabilities. For example, Bastionhost HA Edition allows you to perform O&M operations by using a web terminal and supports automatic password change. You can use automatic password change to regularly rotate passwords, which improves password security.
  • More bandwidth and storage. Bastionhost HA Edition offers you a better O&M experience.

Security and Authorization

Alibaba Cloud Bastionhost implements security controls based on the principle of least privilege. The Principle of Least Privilege (PoLP) is a security concept that grants permissions and access based on requirements. Under PoLP, you assign each individual (role) the lowest level of access needed to successfully complete a task.

PoLP is among the best practices for security in the IT industry. Alibaba Cloud Bastionhost provides a centralized management system for seamless and effective user permission control, as required by PoLP. This enables Bastionhost to assign permissions to users and user groups for tasks such as file creation, upload, or download.

 
