<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Search
Close icon
Search bar icon

Alternatives to Okta Advanced Server Access

Okta ASA Competitors

Okta’s Advanced Server Access (ASA), formerly known as ScaleFT, is a tool allowing organizations to secure access to SSH and RDP servers via a centralized authentication method. However, if you need to secure access to databases, Kubernetes clusters, the cloud CLIs, switches, routers, or internal web applications, there are other options to consider. This blog post looks at a few Okta ASA alternatives and discusses the pros and cons of each.

Okta Advanced Server Access (ASA) Overview

Brief product summary

Okta’s Advanced Server Access provides privileged access management (PAM) for cloud-native infrastructure. Okta ASA did not build this capability in-house; it came from an acquisition Okta made in July 2018 of a company called ScaleFT. ScaleFT’s original competition came from a company called Gravitational, and their product, Teleport. In general, it is an access and authentication proxy for RDP and SSH access. It allows administrators to set up access for users (grouped into teams) to servers, and implements role-based access control (RBAC) to allow differing levels of access per team to different servers. Individual server credentials are not available to users, reducing the administrative impact of rotating and removing credentials.

Use cases

  • Centralized access to SSH and RDP servers.

Pluses

  • SSH access available.
  • RDP access available.
  • Single sign-on (SSO) for SSH/RDP and your identities in Okta.
  • Authorized requests leverage single-use client certificate or web token scoped to the user and resource being accessed.

Minuses

  • Okta’s software must be running on every server it manages access to.
  • Complex setup: in addition to the ScaleFT software on each server, a ScaleFT Gateway and ScaleFT local client must also be built and maintained for each cluster.
  • CLI-only client scares off non-engineers.
  • User credentials are assigned ephemerally adding complexity to deployments and uptime.
  • Backend configuration required to export audit logs to any 3rd-party.
  • ScaleFT agent audit logs are only accessible through an early access enablement.
  • Audit logs only cover SSH.
  • No auditing for RDP.
  • Complex pricing model.
  • Pricing based per server, which gets extremely expensive in ephemeral environments or those with high-n servers.

1. StrongDM

strongdm-new-homepage-screenshot

Brief product summary

StrongDM is a control plane to manage and monitor access to databases, servers, and Kubernetes. Their zero trust model means instead of distributing access across a combination of VPN, individual database credentials, and SSH keys, StrongDM unifies user management in your existing SSO (Google, Onelogin, Duo, Okta, SAML, etc...) and keeps the underlying credentials hidden. Neither credentials nor keys are accessible by end users. Because StrongDM deconstructs every protocol, it also logs all database queries, complete SSH and RDP sessions, and kubectl activity.

Use cases

Pluses

  • Easy deployment - self-healing mesh network of proxies.
  • No change to workflow- use any SQL client, CLI, or desktop BI tool.
  • Standardize logs across any database type, Linux or Windows server, and Kubernetes.
  • Graphical client for Windows and macOS.
  • See and replay all activity with session recordings.
  • Manage via a user-friendly web browser interface.
  • Simple, straightforward pricing.

Minuses

  • Requires continual access to StrongDM API for access to managed resources.

StrongDM’s G2 Reviews

  • 51 reviews (at the time of writing)
  • 4.8 / 5 stars

Read all of StrongDM’s G2 reviews here.

g2-review-screenshot

Pricing Information

StrongDM offers simple per-user pricing, starting at $70/license, including support for all resource types.

Users have the option to sign up for a free 14-day trial.

strongdm-new-pricing

2. Teleport (Community Edition or Enterprise)

Brief product summary

Teleport provides privileged access management (PAM) for cloud-native infrastructure. Teleport is an access and authentication proxy for SSH and Kubernetes API access. It's meant as a replacement for sshd and it works with existing OpenSSH clients and servers as-is. It allows administrators to set up access for users and groups to groups of servers, called clusters, and implements role-based access control (RBAC) to allow differing levels of access to different clusters. Individual server credentials are not available to users, reducing the administrative impact of rotating and removing credentials.

The open source Community Edition of Teleport is the same as the Enterprise edition, with the following exceptions:

  • No RBAC
  • No SSO integration
  • No paid support available

Use cases

  • Centralized access to servers and Kubernetes.
  • Granting user SSH access to the same usernames across a cluster of servers.

Pluses

For the Enterprise Edition:

  • SSH access available via web UI on proxy server.
  • Single sign-on (SSO) for SSH/Kubernetes and your organization identities via Github Auth, OpenID Connect, or SAML with endpoints like Okta or Active Directory.
  • Can use with an existing OpenSSH infrastructure.
  • Teleport uses SSH certificate-based access with automatic certificate expiration time.

For the Community Edition:

  • It's open source.

Minuses

For the Enterprise Edition:

  • Teleport software must be running on every server to be managed by Teleport access.
  • Complex setup: in addition to the Teleport software on each server, a Teleport Proxy and TeleportAuth server must also be built and maintained for each cluster.
  • CLI-only client scares off non-engineers.
  • User credentials are assigned across a full cluster rather than server-by-server.
  • Backend configuration required to store audit logs (AWS S3 / DynamoDB, required by teleport to store session logs).
  • Teleport agent audit logs are only accessible through the UI or backend storage.
  • Complex pricing model.

For the Community Edition:

  • Because it’s available for free, only community support is available.
  • The free version is missing important enterprise features (see above).
  • Only uses local users or Github for identity-based authentication.

3. Bastion Host

Brief product summary

A bastion, or jump host, is simply a Linux/UNIX server that mediates access to sensitive servers/database access by requiring the user to first log into the bastion host and then ‘jump’ to additional resources in the network controlled by the bastion. Organizations simply need to set up an additional server that is both accessible from external sources and is able to connect to internal resources.

Use cases

  • Mediate access to protected resources on a restricted network segment.
  • Database clients and similar tools can work via bastion host by using port forwarding over the SSH connection.

Pluses

  • Free, or nearly so: the only requirement is the cost for the hardware (or virtual server) underlying the bastion host.
  • Straightforward access for users who are familiar with SSH.

Minuses

  • Because all access to protected resources requires first logging in via command line to the bastion host, the user must have an account on the bastion and a certain level of technical acumen, especially if employing port forwarding for database access.
  • The bastion host represents a single point of failure; if it is unavailable, all resources behind it are inaccessible. Setting up multiple bastion hosts to mitigate against this possibility means another set of credentials to manage.
  • In the case of problems, support is limited to whatever support may be available for the underlying OS running on the bastion host.
  • Session logs and database/other protocol activity are not captured.


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

StrongDM vs. AWS SSM Session Manager: Side-by-Side Comparison
StrongDM vs. AWS SSM Session Manager: Side-by-Side Comparison
Both AWS Systems Manager (SSM) Session Manager and StrongDM are solutions for gaining remote access to critical infrastructure. Yet, while they share some of the same capabilities required of an enterprise access management platform, the execution and the ultimate goals they accomplish for security and compliance teams are very different.
StrongDM vs. CyberArk: Side-by-Side Comparison
StrongDM vs. CyberArk: Side-by-Side Comparison
Both StrongDM and CyberArk are privileged access management solutions to provide secure access to backend infrastructure. While there are many similarities between the two solutions, there are also some key differences.
StrongDM vs. Teleport: Which One Is Better
StrongDM vs. Teleport: Side-by-Side Comparison
Both StrongDM and Teleport are access control solutions designed to provide secure access to databases, servers, clusters, and web apps. While there are some similarities between the two solutions, there are also some key differences.
AWS Secrets Manager Alternatives & Competitors
Alternatives to AWS Secrets Manager
AWS Secrets Manager is a popular and highly intuitive secrets management tool that lets organizations automate secrets rotation processes and securely store, manage, and audit IT credentials. However, certain AWS Secrets Manager alternatives are available if you are looking to avoid getting tied down exclusively to AWS products or prioritize efficient user onboarding. In this product comparison guide, we evaluate AWS Secrets Manager competitors that can fill in some of its product gaps.
Azure Key Vault Alternatives & Competitors
Alternatives to Azure Key Vault
Microsoft Azure Key Vault is a cryptographic and secrets management solution for storing encryption keys, certificates, and passwords. While known for its interface simplicity and robust security, users should look to Azure Key Vault alternatives if they prioritize employee onboarding automation or need quick and easy implementation. This article evaluates Azure Key Vault competitors regarding security features, pricing, and usability to identify the best alternative options.