Editor's note: Contributed by Mr. Zhou, a senior JumpServer community user.
"When people search for open-source bastion hosts, JumpServer is what comes to mind—that's how we first discovered it."
— Mr. Zhou, Senior JumpServer Community User
I have worked in financial services for years and currently serve in the IT department of a fund company. Our adoption of a bastion host is closely tied to securities industry compliance requirements from the China Securities Regulatory Commission (CSRC) and internal security policies.
1. Industry regulatory requirements
In February 2023, the CSRC issued the Measures for the Administration of Network and Information Security in the Securities and Futures Industry, requiring institutions to build network and information security protection systems—including network isolation, user authentication, access control, and policy management—to improve protection and block attacks on critical systems and infrastructure.
The Basic Requirements for Cybersecurity Classified Protection in the Securities and Futures Industry also requires security auditing at network boundaries and critical nodes, covering every user, auditing important behaviors and security events, and protecting audit records with regular backups.
Identity authentication requirements include unique user identification, password complexity and rotation, login failure handling, and passphrase policies—all areas where a bastion host helps institutions comply.
2. Company-level security requirements
Internal policies further drive bastion adoption:
- Least privilege with separated host, application, and database permissions.
- Centralized password management with periodic rotation.
- Secure, auditable remote operations with full session traceability.
- Network isolation preventing direct remote access to production resources.
- Controlled file transfer to prevent data exfiltration.
Why JumpServer?
I first used JumpServer at a previous employer during dual-active data center construction. The server count tripled overnight, exceeding the legacy bastion's license count and performance limits. Scaling up licenses risked waste if capacity later shrank, so we tried an open-source bastion as a bridge, and found JumpServer.
At my current company, the hardware bastion failed frequently due to aging equipment. We urgently needed an alternative and tested several vendors before choosing JumpServer. Many financial firms default to traditional hardware bastions, but we valued JumpServer's reputation and the feedback loop from its large user community.
We now run JumpServer Enterprise Edition because:
- Staff were already accustomed to JumpServer; switching would be costly.
- Distributed deployment offers lower total cost of ownership.
- Rich features and flexible operations.
- Smooth upgrade path from Community to Enterprise Edition.
JumpServer in Practice
Office and production network isolation
A single bastion cannot securely manage assets across isolated networks without weakening the isolation. Deploying two full bastions with separate licenses, and doubling the servers for HA, would be expensive.
JumpServer's distributed deployment shares one license across the office and production networks, with separate application instances. Firewall rules enable mutual backup when needed. Organization management keeps office and production servers separate.
Vendor remote maintenance
Fund companies rely on third-party software vendors, who often need to provide emergency remote support. Third-party remote tools pose several problems:
- Weak security — Frequent vulnerabilities and unreliable services.
- Uncontrolled file transfer — Easy copy, screenshot, and data leakage.
- No effective audit — Operations cannot be traced for compliance.
- Inflexible permissions — Hard to enable/disable remote access on schedule.
Our firm implemented a VPN + JumpServer + VNC setup:
- VPN access — VNC on internal maintenance machines is hosted in JumpServer; vendors connect via corporate VPN instead of third-party tools.
- Dynamic tokens — Vendors receive time-bound VPN and JumpServer tokens when remote work is needed.
- Controlled shared sessions — JumpServer connects to internal VNC; internal staff and vendors can operate together under scoped permissions.
- Recorded vendor operations — Real-time oversight with full session recording.
As a long-time JumpServer user, I look forward to continued product improvements so more teams can benefit from this practical, easy-to-use bastion host.