<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Alternatives to Tailscale

Tailscale Competitors
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Tailscale is a zero-configuration virtual private cloud that builds secure networks for WireGuard-encrypted traffic. Tailscale replaces traditional VPNs with a coordination node that acts as a control plane to manage keys and identities. This allows you to create a secure network between cloud resources without the need for firewall configuration changes. However, if your goal is to centralize and secure access to databases, servers, Kubernetes, and more, a VPN (even a fancy modern one) may not be the best approach. In this blog post, we’ll look at the strengths and weaknesses of a few alternatives.

Tailscale

Brief product summary

Tailscale is open-source software that scales from single-user networks to enterprise environments. It integrates with your existing identity provider, making it easy to enforce multi-factor authentication and off-board users who no longer need access.

Tailscale relies on WireGuard for tunneling and encryption. When connecting, the client configures its own WireGuard instance with a pair of randomly generated private and public keys. The public key carries identity information, while the private key always remains with the client—allowing Tailscale to establish a zero-trust network.

Use cases

  • Connect personal computing environments.
  • Create secure point-to-point connections.
  • Facilitate remote access from any physical location.
  • Establish and enforce security access policies.
  • Manage large-scale deployments.

Pluses

  • Easy to configure and use.
  • Provides audit-compliant logging.
  • Integrates with your existing identity provider.
  • Works with teams of any size.
  • Protects your credentials with automatic key rotation.
  • Command-line clients are open source.

Minuses

  • Requires some networking expertise.
  • The product is still in an early growth phase.
  • RBAC is only available at higher-tier pricing.
  • Okta integration is only available at higher-tier pricing.
  • SAML SSO integration is only available at higher-tier pricing.

StrongDM

Brief product summary

StrongDM is a control plane to manage and monitor access to databases, servers, and Kubernetes. Their zero trust model means instead of distributing access across a combination of VPN, individual database credentials, and SSH keys, StrongDM unifies user management in your existing SSO (Google, Onelogin, Duo, Okta, SAML, etc...) and keeps the underlying credentials hidden. Neither credentials nor keys are accessible by end users. Because StrongDM deconstructs every protocol, it also logs all database queries, complete SSH and RDP sessions, and kubectl activity.

Use cases

  • Faster on-boarding- no need to provision database credentials, ssh keys, VPN passwords for each new hire.
  • Secure off-boarding- suspend SSO access once to revoke all database, server access.
  • Automatically adopt security best practices- least privilege, ephemeral permissions, audit trail.
  • Comprehensive logs- log every permission change, database query, ssh & kubectl command.

Pluses

  • Easy deployment - self-healing mesh network of proxies.
  • No change to workflow- use any SQL client, CLI, or desktop BI tool.
  • Standardize logs across any database type, Linux or Windows server, and Kubernetes.
  • Graphical client for Windows and MacOS.
  • See and replay all activity with session recordings.
  • Manage via a user-friendly web browser interface.
  • Simple, straightforward pricing.

Minuses

  • Requires continual access to StrongDM API for access to managed resources.

Okta Advanced Server Access (ScaleFT)

Brief product summary

Okta’s Advanced Server Access (ASA) is a tool allowing organizations to secure access to SSH and RDP servers via a centralized authentication method.

Use cases

  • Centralized access to SSH and RDP servers.

Pluses

  • SSH access is available.
  • RDP access is available.
  • Single sign-on (SSO) for SSH/RDP and your identities in Okta.
  • Authorized requests leverage single-use client certificate or web token scoped to the user and resource being accessed.

Minuses

  • Okta’s software must be running on every server it manages access to.
  • Complex setup: in addition to the ScaleFT software on each server, a ScaleFT Gateway and ScaleFT local client must also be built and maintained for each cluster.
  • CLI-only client scares off non-engineers.
  • User credentials are assigned ephemerally adding complexity to deployments and uptime.
  • Backend configuration required to export audit logs to any 3rd-party.
  • ScaleFT agent audit logs are only accessible through an early access enablement.
  • Audit logs only cover SSH.
  • No auditing for RDP.
  • Complex pricing model.
  • Pricing based per server, which gets extremely expensive in ephemeral environments or those with high-n servers.

Teleport (Community Edition or Enterprise)

Brief product summary

Gravitational Teleport provides privileged access management (PAM) for cloud-native infrastructure. Teleport is an access and authentication proxy for SSH and Kubernetes API access. It's meant as a replacement for sshd and it works with existing OpenSSH clients and servers as-is. It allows administrators to set up access for users and groups to groups of servers, called clusters, and implements role-based access control (RBAC) to allow differing levels of access to different clusters. Individual server credentials are not available to users, reducing the administrative impact of rotating and removing credentials.

The open source Community Edition of Teleport is the same as the Enterprise edition, with the following exceptions:

No RBAC.

No SSO integration.

No paid support available.

Use cases

  • Centralized access to servers and Kubernetes.
  • Granting user SSH access to the same usernames across a cluster of servers.

Pluses

For the Enterprise Edition:

  • SSH access available via web UI on proxy server.
  • Single sign-on (SSO) for SSH/Kubernetes and your organization identities via Github Auth, OpenID Connect or SAML with endpoints like Okta or Active Directory.
  • Can use with an existing OpenSSH infrastructure.
  • Teleport uses SSH certificate-based access with automatic certificate expiration time.

Minuses

For the Enterprise Edition:

  • Teleport software must be running on every server to be managed by Teleport access.
  • Complex setup: in addition to the Teleport software on each server, a Teleport Proxy and TeleportAuth server must also be built and maintained for each cluster.
  • CLI-only client scares off non-engineers.
  • User credentials are assigned across a full cluster rather than server-by-server.
  • Backend configuration required to store audit logs (AWS S3 / DynamoDB, required by teleport to store session logs).
  • Teleport agent audit logs are only accessible through the UI or backend storage.
  • Complex pricing model.

For the Community Edition:

  • Because it’s available free, only community support is available.
  • Is missing important enterprise features (see above).
  • Only uses local users or Github for identity-based authentication.


About the Author

, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Competitors & Alternatives to Saviynt
Competitors & Alternatives to Saviynt
Saviynt is a popular identity and access management solution (IAM), but it may not be the best choice for every organization. In this article, we’ll explore powerful alternatives to Saviynt for companies with cloud-first IT infrastructure. By the end of this article, you’ll know whether Saviynt or one of these Saviynt competitors is the right fit for you.
CyberArk Pricing: How Much Does It Cost and Is It Worth It?
CyberArk Pricing: How Much Does It Cost and Is It Worth It?
Examining the CyberArk pricing model to discover how it fits with your organization’s budget will help you make the case for a PAM solution. Here’s how CyberArk PAM pricing breaks down.
BeyondTrust vs. Thycotic (Delinea): Which Solution Is Better?
BeyondTrust vs. Thycotic (Delinea): Which Solution Is Better?
This article compares two Privileged Access Management (PAM) solutions, BeyondTrust vs. Thycotic (Delinea). It takes a closer look at how these PAM products work and how they fit in with your organization’s access management strategy. We’ll examine product summaries, use cases, and pros and cons. By the time you’re done reading this article, you’ll have a clear understanding of the similarities and differences between these PAM tools and be able to choose the tool that best fits your organization.
CyberArk vs. BeyondTrust: Which PAM Solution is Better?
CyberArk vs. BeyondTrust: Which PAM Solution is Better?
This article compares two Privileged Access Management (PAM) solutions, CyberArk vs. BeyondTrust. It takes a closer look at what these two PAM products are, how they work, and what may make them fit well with your organization. We’ll explore product summaries, use cases, pros and cons, PAM features, and pricing. By the time you’re done reading this article, you’ll have a clear understanding of how these PAM tools operate and be able to choose the one that will work best for you.
Competitors & Alternatives to ManageEngine PAM360
Alternatives to ManageEngine PAM360
ManageEngine’s PAM360 gives system administrators a centralized way to manage and audit user and privileged accounts within network resources. However, teams that need to manage secure access to Kubernetes environments or enforce password policies within their privileged access management (PAM) system may want to consider other options. This blog post will cover ManageEngine PAM 360 and some solid alternatives, along with the pros and cons of each.