Please select a language

Please select the country/region where you would like to introduce your business.

Contact Us
Contact Us

Please select a language

Please select the country/region where you would like to introduce your business.

KDDI Cyber Bastion — Privileged Account Management (PAM)

KDDI Cyber Bastion, developed in partnership with Wallix, provides a secure, centralized, and fully auditable access gateway to your IT infrastructure — without requiring VPN tunnels, client software installation, or opening additional firewall ports.

Key Features

Zero Trust Secure Access

Zero Trust Secure Access

Based on Zero Trust principles, secure access to Windows and Linux servers, databases, and business applications is provided through any HTML5-compatible browser.
Regardless of the access source, all communications are continuously authenticated, authorized, and audited, with no implicit trust granted.

No plugins, agents, or additional components are required—everything operates directly through the browser. This significantly simplifies deployment, operations, and update management.

Privileged account passwords are never disclosed to users, and credentials are managed securely and centrally. This reduces the risk of credential leakage and strengthens compliance with security policies.

With a Zero Trust architecture, this solution delivers a balance of usability, strong security, and operational efficiency.

Granular Secure Access Control

Granular Secure Access Control

The solution enforces robust access control based on the principle of least privilege, ensuring that each user is granted only the minimum permissions required to perform their tasks.

Access rights are managed on a role-based basis, enabling clear, consistent, and controlled access management.

Security is reinforced through IP whitelisting, strong two‑factor authentication (2FA), and automated password rotation for sensitive accounts.

Together, these mechanisms significantly reduce the risk of unauthorized access while ensuring streamlined and secure system administration.

Session Recording and Auditable Access Control

Session Recording and Auditable Access Control

All user sessions are fully recorded to ensure complete traceability of every action performed.

This comprehensive session recording capability enables organizations to accurately reconstruct operations and quickly identify the root cause of any incident.

In addition, a command interception and control mechanism is implemented to prevent malicious or non-compliant actions.
Sensitive commands can be restricted or blocked in real time, significantly reducing risks related to human error, privilege abuse, or compromised accounts.

User Management and Access Policy Administration

User Management and Access Policy Administration

Administrators benefit from a centralized management interface that enables them to control all users and access policies for target systems.
They can easily create, modify, or delete user accounts, assign roles, and adjust permission levels according to operational requirements.

Access policy management allows organizations to precisely define who can access which resources, under what conditions, and in compliance with established security rules.
This granular control ensures consistent enforcement of security policies while supporting operational flexibility.

Bastion Sizing and Scalability

The sizing of a Bastion is determined by the number of concurrent sessions it must support in order to ensure optimal performance and a smooth user experience.

Proper capacity planning is essential to maintain system responsiveness and avoid bottlenecks during peak usage.

It is important to note that a single user may initiate multiple parallel sessions simultaneously.

As a result, Bastion sizing must be based on the total number of concurrent sessions rather than the number of individual users.

TypeNumber of RDP / SSH SessionsCPU, RAM, DISK, OS
Bastion S 25 / 2404, 16 GB,  50 GB
Bastion M 40 / 2408, 16 GB, 50 GB
Bastion L 50 / 4808, 32 GB, 50 GB
Bastion XL 75 / 480 16, 32 GB, 50 GB
It is important to know that:
  • Storage volume is in addition to the size of the Bastion host.
  • Estimated storage for session recording: ~35 GB / User / month, based on 3 hours of connection per day over 5 business days, 4 weeks per month.
  • Windows Server RDS (SAL RDS) licenses are not included.

Log management and rotation

Configuration optionsDefault value
Delete user data older than a defined retention period36 weeks
Delete user logs older than a defined retention period5 weeks
Delete sessions older than a specified age36 months
Delete sessions when available free disk space falls below a defined threshold10%
Prioritize deletion of sessions older than a specified duration15 days
Retain critical sessions newer than a defined period, regardless of cleanup rules7 days

Recommendations for safety measures

To ensure enhanced protection of cloud environments, it is essential to implement security measures tailored to different platforms and architectures.
These recommendations are designed to reduce the risk of unauthorized access, strengthen control over network traffic, and ensure effective isolation of critical resources.

By applying a defense‑in‑depth approach, organizations can improve their security posture while maintaining operational flexibility across cloud and hybrid infrastructures.

KDDI Cloud Serenity – Security Recommendations

For the KDDI Cloud Serenity offering, it is strongly recommended to enable an operating system–level firewall based on the principle of least privilege.

In practical terms, this means that only strictly necessary network flows are allowed, specifically:

  • SSH connections originating from the Bastion
  • RDP connections originating from the Bastion

By restricting access to these essential flows only, the server’s exposure to external threats is significantly reduced.

This approach helps minimize the attack surface, strengthen access control, and enhance the overall security posture of cloud workloads.

KDDI Cloud Autonomy – Security Recommendations

For the KDDI Cloud Autonomy offering, the use of micro‑segmentation between virtual machines is a key security measure.
East‑West traffic filtering allows SSH and RDP communications to be restricted exclusively to authorized connections, effectively limiting the lateral movement of potential internal attacks.

This fine‑grained isolation between virtual machines strengthens overall network security and prevents any uncontrolled access between resources.
At the same time, it preserves the flexibility required for day‑to‑day operations and evolving business needs.

Why Bastion as a Service?

A Bastion acts as a secure access gateway between users and target systems.
It centralizes SSH and RDP connections, enforces access controls, and records user sessions to ensure a high level of security and full traceability.

By providing Bastion functionality as a service, organizations benefit from a simplified deployment, centralized management, and enhanced security, without the complexity of maintaining dedicated infrastructure.

Why Bastion as a Service?

Contact an expert

Got a question? Looking to outsource your infrastructure?
Need some specific information?
Our expert consultants are on hand to help!

"Ensure reliable backups and uninterrupted business operations with our tailored cyber protection solutions.
Ideal for organizations with on-premises infrastructure, our offering delivers dependable backups and an effective Disaster Recovery Plan (DRP)."

Related Case Studies

IMPF
KDDI France fait ses premiers pas prometteurs dans le monde très spécifique de l’hébergement des données de santé, avec l’ouverture d’un cloud privé en plein cœur de Paris au sein de son propre Data Center et une première collaboration avec l'IMPF.(French page)
SECTA AUTOSUR
Depuis 10 ans, une infrastructure cloud de qualité pour nos applications coeur de métier(French page)
RESTALLIANCE
POURQUOI RESTALLIANCE A CHOISI KDDI FRANCE POUR HÉBERGER SES INFRASTRUCTURES À LA SUITE D’UN INCIDENT MAJEUR ?(French page)
Difenso
DIFENSO, éDITEUR DE LOGICIELS DE GéNéRATION DE CLéS DE CHIFFREMENT ET DE DéCHIFFREMENT DE DONNéES SENSIBLES, A CHOISI D’HéBERGER SES SOLUTIONS CHEZ KDDI FRANCE.(French page)
Tenor EDI Services
COMMENT TENOR EDI SERVICES AMÉLIORE LA CONTINUITÉ DE SERVICES ET ASSURE LA DISPONIBILITÉ DE SES SOLUTIONS SAAS AVEC KDDI FRANCE ?(French page)
EasyVista
POURQUOI EASYVISTA A RETENU KDDI FRANCE COMME PARTENAIRE CLOUD DE CONFIANCE POUR SES APPLICATIONS SAAS ?(French page)