
Bastionhost: Instructions on Bastionhost edition selection

Last Updated: May 07, 2025

Bastionhost provides multiple editions for various business scenarios. This topic describes the differences between the editions to help you select the most suitable one for your business.

This topic describes only a few core differences. For more information, see Comparison of features between Bastionhost editions.

Overview

When you select a Bastionhost edition, consider the following factors based on your business requirements:

Note

The following items are only basic categories. You can select an edition based on your needs and the Bastionhost features.

  • Compliance and security requirements

    Bastionhost Basic Edition, Enterprise Edition, and SM Edition provide classified protection and compliance capabilities. The following section describes the differences between the editions.

    • If you require ShangMi (SM) compliance, select SM Edition.

    • If you want to configure advanced O&M security settings for your core assets, such as disaster recovery against single points of failure (SPOFs) and password and key rotation, select Enterprise Edition.

    • If you require only basic O&M security, such as O&M approval, command blacklist and whitelist, and behavior audit, select Basic Edition.

  • Asset type

    • If you have Linux and Windows assets, databases, and web applications, select Enterprise Edition.

    • If you have only Linux and Windows assets and you require only basic O&M features, select Basic Edition.

  • Asset distribution

    • If assets are deployed on Alibaba Cloud, other public clouds, data centers, and physically isolated networks such as disconnected VPCs and cross-network environments, select Enterprise Edition. You can enable communication between different networks by using a proxy server with the network domain feature to centralize access and O&M management of scattered assets in multi-cloud and hybrid deployment scenarios.

    • If assets are centrally deployed on Alibaba Cloud and you require only basic O&M audit and access control, such as basic permission management and operation log retention, select Basic Edition.

Edition selection references

The following table contains edition recommendations for the applicable scenarios, non-feature scenarios, and feature scenarios.

Edition | Basic Edition | Enterprise Edition | SM Edition | References

Applicable scenario

Bastionhost Basic Edition ensures basic O&M security for small and medium-sized enterprises that own 50 to 500 different types of assets. This edition provides fine-grained O&M access control, operation management, and audit.

Bastionhost Enterprise Edition is suitable for large enterprises that own more than 500 assets in sectors with high O&M security requirements, such as public service, finance, gaming, online education, and information technology. Bastionhost Enterprise Edition provides sufficient performance and enterprise-level scenario configurations that meet higher O&M security requirements.

Bastionhost SM Edition meets the requirements for domestic algorithm substitution and is suitable for sectors that require domestic cryptography compliance, such as public service and education.

References: Comparison of features between Bastionhost editions

Non-feature scenario

  • Cloud architecture and single-engine deployment are supported.

  • You can visit websites by using domain names to prevent the real IP address from being exposed and directly attacked or scanned.

  • Business traffic is processed more efficiently by using the load balancing capabilities of Server Load Balancer (SLB) instances.

Bastionhost Enterprise Edition provides the following features based on Bastionhost Basic Edition:

  • Higher business stability: Bastionhost Enterprise Edition uses a dual-engine architecture. Both engines are active and provide a 99.95% service-level agreement (SLA).

  • Primary and secondary zones are configured to prevent SPOFs.

Bastionhost SM Edition provides the following features based on Bastionhost Enterprise Edition:

  • The SM algorithm encryption and SM two-factor authentication features are provided to enhance O&M security.

References: Benefits

Feature scenario

  • Access control: implements fine-grained O&M permission management to ensure that users can access only authorized resources.

  • O&M management: automatically blocks high-risk commands, approves risk commands, monitors O&M sessions in real time, and blocks O&M sessions.

  • Identity integration: connects to Resource Access Management (RAM), Microsoft Active Directory (AD), or Lightweight Directory Access Protocol (LDAP) for centralized user identity management and permission control.

  • Multi-account management: centrally manages the assets of multiple accounts based on Resource Directory.

  • Multi-identity provider (IdP) connection: You can use Identity as a Service (IDaaS) to connect the following types of IdPs: DingTalk, Lark, and Microsoft Azure AD.

  • Database O&M: O&M and authorization management are supported for ApsaraDB RDS instances, self-managed databases, and third-party databases that run MySQL, SQL Server, PostgreSQL, and Oracle.

  • Hybrid O&M: Centralized O&M is supported in scenarios that involve different types of assets, such as assets in data centers, assets in third-party clouds, and cross-account assets, by using the proxy mode of the network domain feature.

  • Other value-added capabilities:

    • Convenient and fast web-based O&M is supported.

    • Host account passwords can be configured and automatic key rotation can be enabled to improve password security.

    • Automatic O&M: You can create O&M tasks to run multiple scripts at the same time to perform O&M on multiple hosts, improving O&M efficiency.

    • Application O&M: You can perform O&M operations on web and client applications. You can also configure a blacklist or whitelist to control the access permissions of O&M personnel. For example, you can configure O&M rules to allow O&M personnel to access only the URLs that match the destination IP addresses or domain names.

Feature scenario