BastionZero today announced SplitCert, an innovation in zero trust access to databases that reduces the probability and impact of compromise. It leverages Mutual TLS (mTLS) and cryptographic multi-party computation (MPC) to support ephemeral password-free authentication to databases, without storing any database passwords at all.
“The release of SplitCert demonstrates BastionZero’s commitment to innovation in zero trust infrastructure access,” says Sharon Goldberg, PhD, CEO and co-founder of BastionZero. “With SplitCert, we’ve leveraged modern cryptographic techniques to ensure that our customers don’t need to trust anyone with their database credentials, not even us. SplitCert eliminates single points of compromise and provides true zero trust database access without the hassle of distributing and maintaining credentials.”
BastionZero’s SplitCert generates one-time mTLS client certificates from two key “shards” that are stored in two independent locations: cryptographic multi-party computation produces each certificate on the fly from the two independently stored shards.
By storing the shards in independent locations, SplitCert eliminates the single point of compromise associated with the storage and maintenance of database passwords. SplitCert is invisible to end users, and supports database access via popular existing database clients and workflows. The company’s initial release of SplitCert supports access to two popular databases: self-hosted Postgres and MongoDB.
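The following is an added illustration of the principle behind key shards, not BastionZero's SplitCert code or protocol: a two-party Schnorr signature over a small Schnorr group, in which each holder generates and keeps its own shard, the combined private key is never computed anywhere, and the two holders cooperate to issue one fresh signature per request. The group parameters, message and function names are constructed for the example; a real deployment would use a standards-track group or curve and a protocol with nonce commitments.

```python
"""Two-party Schnorr signing over a toy Schnorr group.

Constructed illustration of splitting a signing key into two shards: the
whole private key never exists in one place, each shard on its own is a
uniformly random scalar, and the two shard holders jointly produce a fresh
signature per request.  The group below is far too small for real use, and
this is not BastionZero's protocol.
"""
import hashlib
import secrets

# Toy Schnorr group: p = 2q + 1 with p, q prime; g generates the order-q subgroup.
Q = 1019
P = 2 * Q + 1  # 2039
G = 4          # quadratic residue mod P, hence of order Q
assert G != 1 and pow(G, Q, P) == 1


def _challenge(commitment: int, pubkey: int, message: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || y || m), reduced into the scalar field."""
    data = b"|".join([str(commitment).encode(), str(pubkey).encode(), message])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen_shard() -> tuple[int, int]:
    """Each holder draws its own shard s_i and publishes y_i = g^s_i.
    Nobody ever computes the combined key s1 + s2."""
    s = secrets.randbelow(Q)
    return s, pow(G, s, P)


def combined_public_key(y1: int, y2: int) -> int:
    """y = y1 * y2 = g^(s1 + s2): the verifier only ever sees the combined key."""
    return (y1 * y2) % P


def nonce_commit() -> tuple[int, int]:
    """Round 1: each holder draws a one-time nonce k_i and shares r_i = g^k_i."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def partial_sign(shard: int, nonce: int, R: int, pubkey: int, message: bytes) -> int:
    """Round 2: z_i = k_i + e * s_i (mod q), computed locally from the holder's shard."""
    e = _challenge(R, pubkey, message)
    return (nonce + e * shard) % Q


def combine(R: int, z1: int, z2: int) -> tuple[int, int]:
    """Signature (R, z) with z = z1 + z2 = (k1 + k2) + e * (s1 + s2)."""
    return R, (z1 + z2) % Q


def verify(pubkey: int, message: bytes, signature: tuple[int, int]) -> bool:
    """Standard Schnorr check: g^z == R * y^e (mod p)."""
    R, z = signature
    if not (1 <= R < P and 0 <= z < Q):
        return False
    e = _challenge(R, pubkey, message)
    return pow(G, z, P) == (R * pow(pubkey, e, P)) % P


def sign_two_party(s1: int, s2: int, pubkey: int, message: bytes) -> tuple[int, int]:
    """Drive both holders through the two rounds.  Real protocols commit to r_i
    before revealing it so neither side can bias R; that step is omitted here."""
    k1, r1 = nonce_commit()
    k2, r2 = nonce_commit()
    R = (r1 * r2) % P
    z1 = partial_sign(s1, k1, R, pubkey, message)
    z2 = partial_sign(s2, k2, R, pubkey, message)
    return combine(R, z1, z2)


if __name__ == "__main__":
    # Constructed request: one signature per "connection", never a stored secret.
    s1, y1 = keygen_shard()
    s2, y2 = keygen_shard()
    y = combined_public_key(y1, y2)
    msg = b"constructed request: one-time client credential"
    sig = sign_two_party(s1, s2, y, msg)
    print("signature valid:", verify(y, msg, sig))
```

The point the block makes is structural: `keygen_shard` runs independently on each side, `partial_sign` only ever touches one shard, and the verifier checks against the product of the two public shares. Compromising one holder yields a single uniformly random scalar, which is why the two shards are worth keeping in separate trust domains.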
The BastionZero Desktop App and Microsoft Windows Support
The latest release of the BastionZero platform includes passwordless access to GCP Cloud SQL and AWS RDS through BastionZero’s newly released Desktop App. BastionZero’s Desktop App creates a simple, point-and-click path for users to access Windows, Linux, database and Kubernetes targets, making BastionZero-secured infrastructure easily approachable for all levels of users.
The release also introduces support for access to Microsoft Windows servers over RDP, letting teams lock down RDP access, which is one of the most popular attack vectors for infiltrating and compromising production environments.