
PAM software · approval workflow · session recording · agentless
Blackfort Privileged Access Bridge
Manage privileged access to IT, OT and cloud systems securely – with approval workflow, session recording and full auditability. No permanently open access, no agents installed on the target systems.
What the Privileged Access Bridge is
The Blackfort Privileged Access Bridge is a software platform for privileged access management (PAM). It sits as a hardened gateway between users and critical target systems – servers, databases, network devices, cloud consoles and industrial controllers. Every privileged access runs exclusively through the bridge, is approved in a structured way, recorded in full and can be terminated immediately at any time.
The product delivers the controls that ISO 27001, NIS2, DORA, BSI IT-Grundschutz and IEC 62443 require for privileged access – not as after-the-fact documentation, but structurally anchored in the access process. Auditors receive data from the system, not from policy documents.
Software platform – with or without a hardware gateway: The PAB is primarily a software solution for IT, cloud and service-provider scenarios. For industrial remote maintenance we bundle the same software with an industrial-grade gateway in the DMZ – the OT remote-maintenance variant. Identical software, different delivery form.
The problem: uncontrolled privileged access
Privileged access is the most common root cause of serious security incidents. In typical enterprise environments you find administrators with permanent, barely monitored Domain Admin rights, service providers with active VPN accounts left over from projects that ended long ago, service accounts with passwords that have not been rotated for years, and machine builders with direct connections into production networks.
A single compromised admin or supplier account is enough in such environments to bypass the entire perimeter. Ransomware attacks of the last few years – from Colonial Pipeline to numerous German mid-sized companies – have all taken exactly this route. Not because internal systems were poorly secured, but because uncontrolled privileged access was permanently open.
Typical findings in practice: Domain Admin accounts without MFA, shared service accounts with wiki-documented passwords, permanently active RDP jump boxes without session recording, external service providers with site-to-site VPNs into production networks, no evidence of who accessed which system when – and therefore no defensible forensics in the event of an incident.
Regulatory requirements for PAM
Privileged access management is an explicit obligation – not a recommendation – in virtually every relevant security framework. The Privileged Access Bridge addresses these requirements structurally:
ISO/IEC 27001:2022 – Annex A.8.2 & A.8.18
Privileged access rights must be restricted, logged and regularly reviewed. The use of privileged utility programs must be controlled. The PAB delivers the structural implementation: session recording, four-eyes approval, documented release process, tamper-evident audit trail.
NIS2 – Art. 21(2) (access control & asset management)
NIS2 obliges affected organisations to take concrete measures for access control, MFA and monitoring – including external service providers (supply-chain security, Art. 21(2)(d)). Uncontrolled supplier access is a direct breach. Under Art. 20 the management body is personally liable for implementation.
DORA – Art. 9 (ICT security) & Art. 28 (third-party risk)
Mandatory for financial entities: controlled access to ICT systems, oversight of external ICT providers, gapless logging. The PAB delivers the required evidence for BaFin and auditor enquiries as well.
IEC 62443-3-3 – remote access in OT
For industrial automation systems: strong authentication, dedicated monitored remote-access channels, full logging, immediate termination capability. No general VPN access to the OT network – instead a dedicated, controlled entry point.
BSI IT-Grundschutz – ORP.4 & OPS.1.1.5
Identity and entitlement management as well as logging are basic requirements. For KRITIS operators the requirements must be implemented demonstrably – the PAB delivers the structured documentation for audits under BSI-KritisV.
GDPR – Art. 32 (technical and organisational measures)
Processing activities of privileged users must be controlled and traceable. In the event of a data protection incident the supervisory authority requires evidence of who accessed which personal data when – the PAB delivers that evidence directly.
What the Privileged Access Bridge delivers
The PAB is more than a jump host with a session-recording add-on. It is a complete PAM platform with eight core capabilities that regulated environments require:
Session Recording
Every privileged session is recorded in full and tamper-evidently – including command history, screen contents and file transfers. Audit reports at the press of a button.
Agentless
No software installation on target systems. The bridge mediates over native protocols – RDP, SSH, HTTPS, VNC as well as industrial protocols. Legacy systems stay untouched.
Approval Workflow
Every access request runs through a defined approval process: request, four-eyes review, documented release. Optionally integrated with your ITSM.
Device-isolated Access
External service providers see only the systems explicitly released to them. Lateral movement into other network segments is structurally excluded.
MFA Enforcement
Multi-factor authentication is enforced at the gateway level – including for external partners without their own MFA infrastructure. Integrates with TOTP, FIDO2 and push-based methods.
Multi-tenancy
Strict separation between customers, business units or sites. Designed for managed service providers and group-wide rollouts.
Audit Trail & Compliance Reports
Structured reports for ISO 27001, NIS2, DORA and IEC 62443 audits straight from the system. Complete, tamper-evidently archived evidence.
Architectural principle: zero trust for privileged access
The PAB consistently follows the zero-trust principle: no implicit trust, minimal entitlements, full logging. In practice this means four structural properties that classical jump-host or VPN solutions do not deliver:
Structured approval process
Privileged access is not granted, it is requested and released. Every access runs through a documented approval process with a four-eyes review – including for long-standing regular service providers. No "grown-in" permanent accounts.
Identity before network
Authentication and MFA come before any network connection. The user only reaches the target system after their identity has been proven, the entitlement has been checked and the access has been released. No tunnel into the network before identity verification.
Granular zone isolation
Every user sees only the target systems explicitly released to them. Lateral movement into neighbouring segments is structurally excluded on the bridge – not by per-tenant firewall rules but by the bridge architecture itself.
Structured audit trail
Every action is logged in machine-readable form and exported to your SIEM and optionally to the Independent Log Vault. Audit reports are generated from raw data – no after-the-fact stitching, no spreadsheets, no questions of interpretation.
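The four properties above describe invariants a PAM control plane has to enforce in a fixed order: a user may only ask for targets released to them, a release needs a second pair of eyes, identity is proven before any session is brokered, a release expires, and a brokered session can be cut at any moment. The following model is an added example, not Blackfort code and not a description of how the PAB is implemented internally; the class names, the rule set and the sample users and targets ("alice", "bob", "carol", "plc-07") are constructed assumptions used to show how such invariants can be checked.

```python
"""Model of the four zero-trust properties described above.

Added example, not Blackfort code: the class names, the rule set and the
sample users/targets ("alice", "bob", "carol", "plc-07") are constructed
assumptions about how a PAM control plane can enforce these invariants."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


class AccessDenied(Exception):
    """A policy check failed; the caller never receives a connection."""


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    target: str
    reason: str
    ttl: timedelta = timedelta(hours=2)        # every release is time-boxed
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """A grant exists only between release and expiry, never permanently."""
        return self.approved_at is not None and now < self.approved_at + self.ttl


@dataclass
class Broker:
    approvers: set                                  # users allowed to release requests
    released_targets: dict                          # user -> set of targets released to them
    mfa_verified: set = field(default_factory=set)  # identities proven at the gateway
    requests: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)    # session_id -> (user, target)

    def verify_mfa(self, user: str) -> None:
        """Identity step; in a real gateway this is the TOTP/FIDO2/push check."""
        self.mfa_verified.add(user)

    def request_access(self, req: AccessRequest) -> None:
        """Zone isolation: a user can only ask for targets explicitly released to them."""
        if req.target not in self.released_targets.get(req.requester, set()):
            raise AccessDenied(f"{req.target} is not released to {req.requester}")
        self.requests[req.request_id] = req

    def approve(self, request_id: str, approver: str, now: datetime) -> None:
        """Four-eyes: an authorised approver other than the requester releases it."""
        req = self.requests[request_id]
        if approver not in self.approvers:
            raise AccessDenied(f"{approver} is not an approver")
        if approver == req.requester:
            raise AccessDenied("requester cannot approve their own request")
        req.approved_by, req.approved_at = approver, now

    def connect(self, request_id: str, now: datetime) -> str:
        """Identity before network: MFA, then an active release, only then a session."""
        req = self.requests[request_id]
        if req.requester not in self.mfa_verified:
            raise AccessDenied("MFA not verified")
        if not req.is_active(now):
            raise AccessDenied("no active approval for this request")
        session_id = f"sess-{len(self.sessions) + 1}"
        self.sessions[session_id] = (req.requester, req.target)
        return session_id

    def terminate(self, session_id: str) -> None:
        """Immediate termination: dropping the brokered session cuts the access."""
        self.sessions.pop(session_id)


def outcome(action: Callable[[], object]) -> str:
    """Collapse a policy decision into 'ok' or 'denied' for the scenario below."""
    try:
        action()
        return "ok"
    except AccessDenied:
        return "denied"


def run_scenario() -> dict:
    """Walk constructed requests through the broker and record each decision."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = Broker(approvers={"alice"},
                    released_targets={"bob": {"plc-07"}, "carol": {"plc-07"}})
    results = {}
    results["unreleased_target"] = outcome(
        lambda: broker.request_access(AccessRequest("r0", "bob", "db-01", "curious")))
    broker.request_access(AccessRequest("r1", "bob", "plc-07", "firmware update"))
    results["self_approval"] = outcome(lambda: broker.approve("r1", "bob", now))
    broker.verify_mfa("bob")
    results["connect_before_approval"] = outcome(lambda: broker.connect("r1", now))
    broker.approve("r1", "alice", now)
    session_id = broker.connect("r1", now)
    results["connect"] = session_id
    results["connect_after_expiry"] = outcome(
        lambda: broker.connect("r1", now + timedelta(hours=3)))
    broker.terminate(session_id)
    results["open_sessions"] = len(broker.sessions)
    # carol's request is released, but she never proved her identity at the gateway
    broker.request_access(AccessRequest("r2", "carol", "plc-07", "log export"))
    broker.approve("r2", "alice", now)
    results["connect_without_mfa"] = outcome(lambda: broker.connect("r2", now))
    return results


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:25} {result}")
```

The ordering inside `connect` is the point: the MFA check runs before the approval check, and neither a released request nor a verified identity alone yields a session. A real gateway would additionally persist every transition to its audit trail and bind the session to the protocol proxy; both are left out here to keep the policy logic visible.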
Use cases
Privileged access management for internal admins
System administrators receive access only after a documented approval process; all actions are recorded. The four-eyes principle is enforced structurally instead of being expected informally. Auditors and regulators receive directly verifiable control processes – not just policy documents.
Secure remote maintenance by external service providers
Software vendors, IT service providers and maintenance partners receive only device-specific access after explicit approval. Full session recording, immediate termination capability, no permanently active VPN accounts.
Industrial remote maintenance (OT)
Machine builders and system integrators need access to production lines, SCADA systems and PLCs. The PAB mediates over industrial protocols, isolates assets from each other and delivers IEC 62443-compliant controls – without interfering with running production systems. For this use case we additionally offer an industrial-grade gateway.
Managed service providers with many customer tenants
An MSP manages systems for dozens of customers. Every access must be logged separately, stored tenant-isolated and reported per customer. The PAB delivers exactly that separation – without requiring a dedicated VPN configuration for each customer.
Cloud admin access to hybrid infrastructures
Privileged access to Azure, AWS and GCP resources as well as on-premises systems happens through a single interface. MFA, approval workflow and session recording apply consistently – regardless of which data centre or cloud region the target system lives in.
KRITIS and NIS2 compliance evidence
Operators of critical infrastructure must demonstrably control privileged access. The PAB produces the regulatory evidence required – access matrix, session logs, approval history – directly from the system. Auditors review data, not promises.
Privileged Access Bridge in comparison
In many organisations VPN or classical jump hosts are the existing baseline. Both have their place – but structurally they do not deliver the controls regulators expect:
| Property | VPN | Jump host (classical) | Privileged Access Bridge |
|---|---|---|---|
| Granular target-system control | ✗ | manual | ✓ |
| Session recording | ✗ | optional | ✓ |
| Structured approval workflow | ✗ | ✗ | ✓ |
| Immediate session termination | ✗ | manual | ✓ |
| MFA enforcement per target system | limited | manual | ✓ |
| Multi-tenant separation | costly | manual | ✓ |
| Audit trail in machine-readable form | ✗ | incomplete | ✓ |
| No software on target systems | ✓ | ✓ | ✓ |
The PAB does not replace a VPN in every case – often the clean combination of VPN as the network layer plus the PAB as the control plane is the pragmatic path. In scenarios with a high density of external providers or strict evidence obligations, the PAB fully replaces classical jump-host solutions.
Integration with your existing infrastructure
The PAB is designed as a control plane – it complements your existing identity, SIEM and ITSM systems, it does not replace them. Standard integrations are in place, and a REST API allows custom workflows on top:
Identity & MFA
Active Directory · Entra ID (Azure AD) · LDAP · SAML 2.0 · OIDC · TOTP · FIDO2 · Push MFA
Protocols
RDP · SSH · Telnet · HTTPS · VNC · X11 · serial consoles (with OT gateway) · industrial protocols
SIEM & Logging
Splunk · Microsoft Sentinel · IBM QRadar · Elastic · Syslog · Blackfort Independent Log Vault
ITSM & Workflow
ServiceNow · Jira Service Management · Webhooks · REST API · email approvals
Cloud
Azure · AWS · GCP · OCI · hybrid deployments with mixed on-prem targets
Deployment options
The PAB is operated the way it fits your security and operational strategy – not the other way around. Privileged credentials never leave your security zone in any of the models.
On-premises
Full sovereignty: the PAB runs on your own hardware or your own virtualisation platform (VMware, Hyper-V, Proxmox, KVM). No external data flow, no cloud component – the right choice for KRITIS operators and highly regulated environments.
Private cloud
Deployment in Azure, AWS, GCP or OCI as hardened VM instances with IaC templates (Terraform). High availability across multiple availability zones, encapsulated in your tenant.
Managed by Blackfort
You use the platform, we operate it: 24/7 monitoring, patch management, regular hardening reviews. Including SLA, with no need for your team to build its own operational expertise.
OT bundle with hardware gateway
For industrial remote maintenance: identical software, bundled with a fanless, DIN-rail capable gateway installed directly in the control cabinet or in the OT DMZ. Includes support for industrial protocols and serial consoles.
How a typical introduction runs
A PAB introduction is a structured process, not an experimental one. In typical projects – from mid-sized machine builders to KRITIS operators – we work in four phases:
- 01 Inventory & risk matrix: Which privileged accesses exist today? Through which paths? Who has which entitlements? The outcome is a risk matrix that exposes the largest uncontrolled access points – often the basis for management decisions.
- 02 Architecture & pilot: Selection of the deployment option, HA architecture design, pilot rollout for a delimited area (one plant, one tenant, one admin group). Validation of the approval workflows with real stakeholders.
- 03 Rollout & migration: Step-by-step replacement of existing access paths: permanent VPN accounts are closed, service providers are migrated to the PAB, emergency access is documented and hardened. Accompanied by our specialists – without production downtime.
- 04 Operations & audit readiness: Quarterly compliance reports, regular hardening reviews, preparation for ISO 27001, NIS2 or IEC 62443 audits. Optionally as a managed service through our team.
Why Blackfort for privileged access?
Blackfort Technology develops and operates security software for regulated environments – with its own product team in Germany, without dependency on third-party backends, and with the conviction that security products must not get in the way of day-to-day operations. The Privileged Access Bridge grew out of real requirements from our customers in industry, financial services and KRITIS – not from a marketing whitepaper.
We understand the reality that a security tool that slows down the admin on a weekend will eventually be bypassed. The PAB is therefore optimised for usability: one click to request access, single sign-on where possible, full keyboard workflows. Security is created through structure, not through friction.
What sets us apart from classical PAM vendors: we ship hardware-plus-software bundles for OT environments, operate the platform as a managed service on request and integrate it seamlessly with our other products – such as the Independent Log Vault for tamper-evident long-term archiving of audit data, or the Privileged Activity Review for automated anomaly detection in recorded sessions.
Put privileged access on a structural footing now
In a 30-minute demo we show you the Privileged Access Bridge live: request workflow, approval, session recording, audit reports. Afterwards we discuss your specific architecture and provide a defensible price range.
Core capabilities
- Session recording & audit trail
- Structured approval workflow
- MFA enforcement
- Multi-tenancy
- Device-isolated access
- Immediate session termination
- Agentless – no software on target systems
- Compliance reports at the press of a button
OT variant
Industrial remote maintenance with a hardware gateway
Identical software, bundled with an industrial-grade gateway for the OT DMZ – including support for industrial protocols.
Request a demo
30-minute live demo with request workflow, approval and session recording – tailored to your scenario.
Frequently asked questions about the Privileged Access Bridge
What is the Blackfort Privileged Access Bridge?
The Blackfort Privileged Access Bridge (PAB) is a privileged access management (PAM) software platform that acts as a hardened gateway between users and critical target systems. All administrative access – by internal admins, external service providers or equipment manufacturers – runs exclusively through the bridge. It enforces multi-factor authentication, grants access only after an explicitly approved request, records every session in full and delivers a tamper-evident audit trail. Target systems remain unchanged; no agent installation is required.
What is the difference between the software and the OT remote-maintenance variant?
The software is identical. For classical IT environments, cloud and service providers we ship the PAB as a pure software solution – on-premises, in your private cloud or as a hybrid deployment. For industrial remote maintenance we bundle the same software with an industrial-grade DIN-rail gateway positioned in the DMZ between IT and OT networks (see the page on industrial remote-access security). You decide – without changing the software – whether you need only the software platform or the full hardware-plus-software package.
Does software need to be installed on the target systems?
No. The Privileged Access Bridge is agentless by design. It communicates with target systems over their native protocols – RDP, SSH, HTTPS, VNC, plus a wide range of industrial protocols in OT deployments. Legacy systems and proprietary controllers stay untouched, which preserves maintenance windows, vendor support contracts and certification states.
Why is a VPN or a classical jump host not enough?
A VPN grants network access, but no granular control over what happens once the user is connected. Classical jump hosts are often permanently reachable themselves, without session recording, without a structured approval workflow, without multi-tenant isolation. The Privileged Access Bridge replaces or augments these components with exactly those controls – it is the control plane that ISO 27001, NIS2 and DORA explicitly require for privileged access.
Which authentication and identity sources are supported?
Active Directory, Azure AD / Entra ID, LDAP and SAML/OIDC identity providers are supported natively. MFA is enforced at the gateway level – including for external service providers that do not run their own MFA infrastructure. For service accounts and automated processes, short-lived rotated credentials and vault-based secrets management are available.
How does the PAB integrate with our existing tooling landscape?
Session metadata and audit events are forwarded to your SIEM via syslog or API (Splunk, QRadar, Microsoft Sentinel, Elastic). Approval workflows can be wired into existing ITSM systems (ServiceNow, Jira Service Management) so that maintenance slots are handled as regular tickets. For tamper-evident long-term archiving of logs we recommend combining the PAB with the Blackfort Independent Log Vault.
How is the PAB operated – on-premises or as a service?
Both are possible. For organisations without their own operations teams we also offer the PAB as a managed service, including high availability, patch management and 24/7 monitoring.
How secure is the audit trail?
Session recordings and audit logs are cryptographically sealed and can be exported to the Blackfort Independent Log Vault as a separate instance that is independent of PAB administration. This ensures that PAB administrators cannot retroactively obscure their own activities – an explicit requirement under NIS2 and ISO 27001.
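The property claimed here, that administrators of the logging system cannot retroactively alter their own entries, is usually achieved by chaining each entry to its predecessor with a keyed hash and anchoring the newest seal in a separate system. The page does not say how the PAB seals its trail, so the following is an added example of the general technique rather than Blackfort's implementation; the seal key, the event records and the function names are constructed assumptions. It also covers the edge case a chain check alone misses: truncating the tail of the log, which is only detectable when the vault holds the last seal.

```python
"""Hash-chained, HMAC-sealed audit log with an external head anchor.

Added example, not Blackfort code: how the PAB seals its trail is not on the
page. The seal key here is constructed; in practice it lives with the
independent log vault, not with the PAB administrators."""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # "prev" seal of the first entry


def _seal(key: bytes, prev: str, event: dict) -> str:
    """MAC over the previous seal and a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


class SealedAuditLog:
    def __init__(self, seal_key: bytes):
        self._key = seal_key
        self.entries: list[dict] = []

    def append(self, event: dict) -> dict:
        """Link the new entry to the current head and seal it."""
        prev = self.entries[-1]["seal"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "event": event,
                 "seal": _seal(self._key, prev, event)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """The newest seal; the vault records this so truncation is detectable."""
        return self.entries[-1]["seal"] if self.entries else GENESIS


def verify_chain(entries: list[dict], seal_key: bytes,
                 expected_head: Optional[str] = None) -> tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad entry).

    Checks sequence numbers, linkage, every seal and, when the vault's
    anchored head is supplied, that the chain really ends there."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_seal(seal_key, prev, e["event"]), e["seal"]):
            return False, i
        prev = e["seal"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)  # entries are missing from the tail
    return True, None


def run_scenario() -> dict:
    """Seal three constructed events, then try two after-the-fact edits."""
    vault_key = b"constructed-demo-key-held-by-log-vault"
    log = SealedAuditLog(vault_key)
    for ev in (  # constructed sample events, not real session data
        {"t": "2024-01-01T09:00:00Z", "user": "bob", "action": "session.start", "target": "plc-07"},
        {"t": "2024-01-01T09:05:12Z", "user": "bob", "action": "cmd", "argv": "firmware-upload plc-07 image-v2.bin"},
        {"t": "2024-01-01T09:06:00Z", "user": "bob", "action": "session.end", "target": "plc-07"},
    ):
        log.append(ev)
    anchored_head = log.head()  # what the independent vault would store
    results = {"intact": verify_chain(log.entries, vault_key, anchored_head)[0]}

    # An operator with write access to the store rewrites their own command ...
    edited = json.loads(json.dumps(log.entries))
    edited[1]["event"]["argv"] = "firmware-verify plc-07"
    results["edit_detected_at"] = verify_chain(edited, vault_key, anchored_head)[1]

    # ... or drops the later entries. Linkage alone still passes; the anchor does not.
    truncated = log.entries[:1]
    results["truncation_without_anchor"] = verify_chain(truncated, vault_key)[0]
    results["truncation_with_anchor"] = verify_chain(truncated, vault_key, anchored_head)[0]
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices matter for the "cannot obscure their own activities" property: the seal key must not be readable by anyone who can write to the log store, and the head seal must be copied to a system under different administrative control after every append (or at least at a fixed interval, which bounds the window in which a tail truncation goes unnoticed).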
What happens if the bridge fails?
The PAB can be configured for high availability (active-active or active-passive). For genuine emergencies there is a documented break-glass process with separately secured emergency credentials whose use is itself logged in full. Production outages caused by a failed PAB have not occurred in our reference implementations.
Get in touch
Put privileged access on a structural footing
Talk to us about your specific environment. We will provide a defensible architecture and price range – concrete, with no obligation.