We’re excited to announce the experimental release of the new IBM Cloud Privileged Access Gateway service.

This service provides IBM Cloud internal services, ISVs, and client admins with seamless, secure operational infrastructure access to essential IBM Cloud-based services or applications, helping them adhere to regulations and zero-trust guidelines, including privileged access validation, restricted access and session recording.

Briefly, it is a Bastion-aaS centralized service that simplifies secure administrative access and helps reduce the cost and burden of deploying and maintaining custom Bastion functionality across IBM Cloud app deployments.

You can read more about the features and benefits in our documentation.

What is IBM Cloud Privileged Access Gateway (PAG)?

Privileged Access Gateway (PAG) is a managed service that provides a secure way for operators to remotely administer servers and clusters within the IBM Cloud. It deploys and manages a Bastion-controlled access gateway server, which is a highly secure single point of entry to your fleet of servers and clusters hosting your applications or services. In addition to this restricted gateway access, PAG records operator sessions, which can be used for auditing or forensic investigations and to mitigate misuse of administrative privileges.

What problems are we solving?

As organizations move to hybrid-cloud deployment models, they face the fact that XaaS solutions are managed on the backend by third-party vendors (CSPs) with processes outside of their control. Cloud infrastructure resources — such as VSIs, VMs and containers — are foundational services for any cloud-based deployment, since all XaaS services and applications are built on top of them. These infrastructure resources can be under the control of organizations different from the ones owning the applications or the data that use them.

This shared-responsibility model introduces security and compliance uncertainty and risk for the consuming organizations, which still bear full liability for their data. It requires organizations to follow heightened security and compliance requirements for XaaS on cloud environments, which demand additional access controls on the VSI/Kubernetes infrastructure to enforce proper access, including the following:

  • Privileged user access validation tied to identity services and authorization workflows
  • Restricted access requiring strict access controls, including MFA
  • Session recording and audit

Bastion technology is a proven, industry-wide solution to these issues, but it is cumbersome to maintain. It’s usually available as software packages that require a deployment, integration and operational plan, which can take up to three months to install and configure.

High-level solution experience

Value proposition

The goal for Privileged Access Gateway is to provide XaaS administrators with seamless secure operational access to essential IBM Cloud-based XaaS services and applications to help them adhere to regulations and zero-trust guidelines.

What are the key benefits of PAG?

  1. Frictionless onboarding: Reduce the time of onboarding from three months to minutes (click and deploy right from Cloud Catalog).
  2. Less work, more time: No need to manage Bastion infrastructure (no new VSIs, no new clusters).
  3. Deploy anywhere: Available where current services are deployed (us-south for experimental version, other MZRs later).
  4. Cost savings: Save costs on infrastructure and operator time by using the managed instances.
  5. Bolster controls: Help meet FedRAMP and FSCloud controls on day one of instance deployment (experimental release will not have these validations ready).
  6. First-class integrations: Already integrated with IBM Cloud services (IAM, Activity Tracker (not in experimental), IBM Cloud Object Storage, and more).
  7. Session capturing: Access to session recordings for self-auditing and compliance/security.
  8. Seamless scalability: Easily scale up and down without the need for any configuration change (not in experimental).

Privileged Access Gateway solution concept  

The Privileged Access Gateway (PAG) service instance acts as a forced conduit for interactive sessions with hosts present in the account, enforcing the required security policies (including session recording). The instance is deployed by the end user, in their account, in accordance with their architecture and governance. Integrated with IBM Cloud IAM, PAG can act as a privileged access conduit to any resource visible from the VPC (including other VPCs via Transit Gateway).
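To make the "forced conduit" controls concrete, here is an added example (written for this page, not PAG's own code or configuration) of what a self-managed OpenSSH bastion has to get right and what the page means by it being cumbersome to maintain: a POSIX sh audit that checks an sshd_config for identity-based, MFA-backed authentication, no tunnelling or forwarding around the gateway, and a ForceCommand that wraps every login in a session recorder. The two sample configs, the directive values chosen as "correct", and the /usr/local/bin/record-session recorder path are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not PAG's own code or configuration: audit an OpenSSH
# bastion's sshd_config for the controls a self-managed "forced conduit"
# needs. Directive values and the recorder path are assumptions.
#
#   bastion_sshd_audit /path/to/sshd_config
#
# Prints one FINDING line per missing control and returns the number of
# findings (0 means every control is present).

# Effective global value of a directive. sshd honours the FIRST occurrence
# of a keyword, and directives after a Match line are conditional, so the
# scan stops there. Comments are ignored; only the "Key value" form is read.
sshd_get() {            # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report a finding unless directive $2 in file $1 has the value $3.
require_directive() {   # $1 = file, $2 = directive, $3 = wanted value, $4 = reason
    actual=$(sshd_get "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "FINDING: $2 is '${actual:-<unset>}', want '$3' ($4)"
        return 1
    fi
    return 0
}

bastion_sshd_audit() {
    f="$1"
    findings=0
    require_directive "$f" PasswordAuthentication no "access must be tied to identity (keys), not passwords" || findings=$((findings + 1))
    require_directive "$f" PermitRootLogin no "no anonymous root sessions" || findings=$((findings + 1))
    require_directive "$f" AllowTcpForwarding no "port forwarding would bypass the conduit" || findings=$((findings + 1))
    require_directive "$f" PermitTunnel no "tun devices would bypass the conduit" || findings=$((findings + 1))
    # MFA: OpenSSH expresses it as a comma-separated list of required methods.
    case "$(sshd_get "$f" AuthenticationMethods)" in
        *,*) ;;
        *)   echo "FINDING: AuthenticationMethods does not require a second factor"
             findings=$((findings + 1)) ;;
    esac
    # Session recording: every login must be wrapped by a recorder via ForceCommand.
    if [ -z "$(sshd_get "$f" ForceCommand)" ]; then
        echo "FINDING: ForceCommand unset, sessions are not forced through a recorder"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Two constructed sample configs: a stock-looking one and a hardened one.
write_sample_configs() {   # $1 = directory to write weak.conf and hardened.conf into
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: stock-looking sshd_config, no bastion hardening
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
AllowTcpForwarding yes
X11Forwarding yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: bastion hardened as a forced, recorded conduit
Port 22
PasswordAuthentication no
PermitRootLogin no
AuthenticationMethods publickey,keyboard-interactive
AllowTcpForwarding no
PermitTunnel no
ForceCommand /usr/local/bin/record-session
# the conditional exception below must not be mistaken for the global default
Match Group breakglass
    AllowTcpForwarding yes
EOF
}

# Stand-alone run: audit both samples and report the finding counts.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for name in weak hardened; do
    echo "== $name.conf"
    n=0
    bastion_sshd_audit "$demo_dir/$name.conf" || n=$?
    echo "   $n finding(s)"
done
rm -rf "$demo_dir"
```

The stock-looking sample produces six findings and the hardened one none. The scan deliberately stops at the first Match block: values set only under a Match (such as the break-glass forwarding exception above) are conditional and say nothing about what an ordinary operator session gets, which is exactly the kind of subtlety a managed gateway takes off the operator's plate.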

What are the features of the Privileged Access Gateway experimental release?

The experimental version of the Privileged Access Gateway service introduces the key access controls, SSH support and session recording, including the following:

  • Service offered at no charge for early adoption and trial
  • Service provisioning for single-zone gateway deployments
  • Provisioning of a PAG instance from the order UI or from the CLI
  • Logging in to the PAG gateway and opening an ssh session to a VSI through the service (CLI only)
  • Logging in to the PAG gateway and accessing Kubernetes clusters through the service (CLI only)
  • VSI ssh and Kubernetes kubectl exec sessions through PAG are recorded and stored in the end user’s COS bucket
  • Playback of session recordings using the PAG CLI
  • IAM integration: assign users specific PAG roles for easier administration through RBAC
  • Administrator function for listing sessions currently active on a PAG gateway
  • Private access through client-side VPN
  • Initial experimental release available only in the US-South MZR

The GA version will expand on this foundation and provide extended functionality and support.

Get started

Try the IBM Cloud Privileged Access Gateway experimental version today.

Start getting familiar with the benefits of protecting administrative access to your private virtual machines, clusters and servers from the IBM Cloud portal. You can use the PAG experimental release to ensure that access to your private servers and clusters never leaves your control.
