Both AWS Systems Manager (SSM) Session Manager and StrongDM are solutions for gaining remote access to critical infrastructure. Yet, while they share some of the same capabilities required of an enterprise access management platform, the execution and the ultimate goals they accomplish for security and compliance teams are very different.
While AWS provides an effective solution for specific AWS session access requirements, StrongDM uses a fine-grained approach that emphasizes actions rather than access from the beginning of a session through the end.
Let’s review the details of both solutions to understand why StrongDM is the best choice for your organization’s overall access management strategy.
What Is AWS SSM Session Manager?
AWS SSM Session Manager is a remote access management service that allows users to establish remote SSH and RDP sessions to Linux, macOS, and Windows servers hosted on AWS or on-prem, without maintaining bastion hosts or opening inbound firewall ports. Sessions can be browser-based or initiated with the AWS CLI.
What Is StrongDM?
StrongDM® Zero Trust Privileged Access Management Platform (PAM) allows IAM and security teams to manage the access lifecycle to critical infrastructure comprehensively. StrongDM helps manage access to cloud-based and on-prem infrastructure, from legacy to cloud-native, with dynamic access workflows and continuous context-based authorization, in a frustration-free way while maintaining a strong security posture. It supports the needs of IT and related teams, including:
- DevOps: DevOps teams can provision and de-provision access to specific instances, servers, or databases with a few clicks. Users can access all of their critical infrastructure using their native tools and protocols, rather than being forced into feature-deficient, proprietary web-based interfaces.
- Security & Compliance: Sessions can be continuously authorized with “just enough” friction, using Strong Policies with contextual security signals, such as user device posture and location, to authorize access and actions without impacting the user’s experience or productivity. Security and compliance teams gain full visibility into “who did what when” on each system, including video playback of what individual users have executed on specific systems. For continuous compliance, StrongDM maintains records of who was in each system and what they were doing at any given point in time.
- Admins: Access to critical infrastructure can be granted and revoked quickly and easily, greatly simplifying user onboarding and offboarding, provisioning for third parties, and the ability to provide access for a specified period of time. Users, roles, and access are easily managed via an Admin UI (CLI available as well).
StrongDM and AWS Session Manager: What’s the Difference?
While ostensibly seeking to perform similar operations, these two solutions approach the task of access management and control through very different methods. The differences in approaches govern what each is able to achieve, as you can see in this outline of key solution elements.
1. Agentless Architecture
StrongDM does not require agents to be installed on end resources. This means fewer administrative headaches in managing the solution and faster time-to-value for the product. Session Manager requires the installation of the SSM agent for the operating systems supported (Linux, macOS, and Windows), which complicates the ongoing maintenance of the managed nodes.
2. Support for All Protocols
Session Manager is limited to SSH and Windows PowerShell sessions (RDP is available via Systems Manager Fleet Manager). StrongDM is built for the modern stack, with cloud-native support for dozens of protocols. It lets you monitor and manage access to servers (SSH and RDP), multiple clouds (including AWS), Kubernetes clusters, and many different database types, from legacy to cloud-native. It supports almost everything in your environment.
3. Flexible Access
Session Manager requires that access go through a web browser or the AWS CLI. StrongDM does not force the use of a particular client or a web browser to connect to the supported resources. The user can access resources using their favorite GUI or CLI clients, allowing for maximum flexibility without impacting productivity.
4. Dynamic Access Workflows
Session Manager relies on IAM permissions only. StrongDM, on the other hand, employs fully dynamic workflows, whether from the administrative UI, Slack, or ServiceNow. This allows for Just-in-Time access to critical infrastructure, removing standing privileges, which decreases the risk of insider threats.
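To make the phrase “relies on IAM permissions only” concrete, here is an added example of what access scoping for Session Manager looks like when it is done carefully. This policy is written for this article and is not taken from the page, from AWS documentation verbatim, or from StrongDM; the region `us-east-1`, the account id `111122223333` and the `Environment=dev` tag are placeholders. It grants `ssm:StartSession` only on instances carrying the assumed tag, only through the default shell session document (so a user cannot substitute a custom document with different logging settings), and lets the user terminate or resume only their own sessions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnlyOnDevTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Environment": "dev"
        },
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "OnlyTheDefaultShellSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyCallsNeededByTheCliAndConsole",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

The point of the example is the review check it implies: a policy that grants `ssm:StartSession` with `"Resource": "*"` and no tag condition is effectively a standing shell on every managed instance in the account, and because the grant is a static IAM statement, removing it again is a separate administrative action rather than the automatic expiry of a time-boxed approval.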
5. Proxy Architecture
StrongDM is a proxy that combines authentication, authorization, networking, and observability capabilities for your environment. This architecture simplifies access workflows by providing low-friction connectivity to virtually every piece of infrastructure in your stack. A high degree of security posture is maintained with fully encrypted tunnels, visibility of every session, and dynamic credential injection between the StrongDM Gateway and your vault of choice for all supported protocols and resource types. This ensures that end-users are never exposed to credentials. StrongDM also supports end-to-end passwordless authentication with certificate-based authentication for SSH and RDP, and IAM authentication support for EKS and RDS PostgreSQL (Aurora and regular PostgreSQL).
6. Continuous Authorization
The Strong Policy Engine allows continuous Zero-Trust access to critical infrastructure. Policies are managed centrally, while being enforced in a distributed way on enforcement points near the resources being accessed. This allows for continuous, real-time assessment of a user’s security posture, and uses that context to allow, deny, or challenge a user’s session from continuing. The Strong Policy Engine also implements policies with fine-grained permissions of actions on resources.
StrongDM: A Complete Access Solution
Session Manager provides a limited set of protocols and features, which is sufficient for AWS-only implementations. StrongDM, by contrast, allows for more complete coverage of all resource types across more environments, from legacy infrastructure to cloud-native and from on-prem to cloud.
| Capability | StrongDM | AWS SSM |
|---|---|---|
| Breadth of Resources | | |
| SSH to Linux | ✔ | ✔ |
| RDP to Windows | ✔ | ✔ |
| Azure Cloud | ✔ | ✗ |
| GCP Cloud | ✔ | ✗ |
| HTTP Support | ✔ | ✗ |
| Databases (1) | ✔ | ✗ |
| Kubernetes Clusters (1) | ✔ | ✗ |
| Breadth of Authentication / IAM | | |
| AWS IAM | ✔ | ✔ |
| Certificates | ✔ | ✗ |
| Active Directory | ✔ | ✗ |
| Legacy Authentication with Vault of Choice | ✔ | ✗ |
| Auditing & Logging | | |
| Records Session Replays for SSH and RDP | ✔ | ✔ |
| Records Database Queries | ✔ | ✗ |
| Records Kubernetes Admin Actions | ✔ | ✗ |
| Logs directly to CloudWatch (2) | ✔ | ✔ |
| Deployment | | |
| Multi-Cloud | ✔ | ✗ |
| Works On-Premises | ✔ | ✔ |
| Agentless | ✔ | ✗ |
| Bring your own client (3) | ✔ | ✗ |
| Reverse proxy architecture | ✔ | ✗ |
| Access Control & Workflows | | |
| Dynamic Access Grants by Policy | ✔ | ✔ |
| Approval Workflows with StrongDM client, Slack and ServiceNow | ✔ | ✗ |
| Works with any SSO (SAML & OIDC) | ✔ | ✔ |
| Context-based access | ✔ | ✗ |
| Continuous Policy-based access | ✔ | ✗ |
(1) On-prem, cloud-managed, and self-managed;
(2) StrongDM streams logs directly to S3, where they can easily be imported into CloudWatch;
(3) SSM requires a web browser or AWS-CLI clients.
Conclusion
StrongDM is built for an organization's entire technical staff, not just developers. It’s easy for end users to adopt because it seamlessly integrates with existing tools and workflows, including identity providers and vault solutions. StrongDM has superior reliability and a cost-effective pricing model.
To see StrongDM in action, book a demo.
About the Author
John Martinez, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.