In the IT environment, some secrets are managed well and some fly under the radar. Here’s a quick checklist of what secrets companies typically manage, including one type they should manage:
- Passwords (x)
- TLS Certificates (x)
- Accounts (x)
- SSH keys ???
The secrets listed above are typically protected by Privileged Access Management (PAM) or similar solutions. However, most traditional PAM vendors barely talk about SSH key management. The reason is simple: they don’t have the technology to do it properly.
We can prove it. All of our SSH key management customers deployed traditional PAM, but they realized they couldn’t manage SSH keys with it. At best, traditional PAMs can detect, let alone manage, 20% of all keys.
So what’s all the fuss about SSH keys?
SSH keys are access credentials in the Secure Shell (SSH) protocol. In many ways, they are similar to passwords, but functionally different. On top of that, keys tend to outnumber passwords, especially in long-established IT environments, by a ratio of 10:1. Although only some passwords are privileged, almost all SSH keys open the door to something valuable.
A single key can also open doors to multiple servers, like the skeleton key in old manors. A root key allows administrators to gain access to one or more servers. After conducting a risk assessment with us, one of our clients discovered a root key that allowed ALL of their servers to be accessed.
Another risk is that anyone can prepare their own SSH keys. They are not centrally controlled, and that is by design. This is why key distribution is an ongoing problem in large-scale IT environments.
There’s more: By default, keys are unidentifiable, so it’s very easy to share or duplicate them. In addition, with third parties. By default, keys never expire.
In addition to everything, there are interactive and automated connections, the latter of which is more common. Millions of automated application-to-application, server-to-server, and machine-to-machine connections.
As I’m sure you’ve figured out, your IT environment may be inundated with keys to your kingdom, but you don’t know how many there are, who’s using them, which ones are legitimate and which ones need to be deleted, which keys don’t expire, and more can be created at will without proper control.
The key problem is your key problem.
Why traditional PAMs can’t handle SSH keys?
Because SSH keys are functionally different from passwords, traditional PAMs don’t manage them very well. Legacy PAMs were created to store passwords, and they try to do the same with keys. Without going into the details of key functionality (such as public and private keys), storing private keys and distributing them on demand just doesn’t work. The keys must be secured on the server side, otherwise keeping them under control is a waste of work.
Also, your solution must first detect the keys in order to manage them. Most PAMs cannot. There are also key configuration files and other key(!) elements that traditional PAMs miss. Read more in the following document:
Your PAM wouldn’t be complete without SSH key management
Even if your organization manages 100% of your passwords, there’s a good chance you’ll still lose 80% of your important credentials if you don’t manage your SSH keys. As the inventors of the Secure Shell (SSH) protocol, we at SSH Communications Security are the original source of the access credentials known as the SSH key. We know the subtleties of their management.
Your PAM is not future-proofed without credential-less access
Back to the subject of passwords. Even if you keep them, you don’t manage them in the best way. Today’s dynamic environments – using on-premise or hosted cloud servers, containers or Kubernetes orchestration – do not perform well with storage or PAMs that were created 20 years ago.
That’s why we offer state-of-the-art ephemeral access, where the secrets required to access the target are provided in time for the session, and they automatically expire after authentication. It leaves no passwords or keys to manage – at all. Our solution is also non-intrusive: implementing it requires minimal changes to your production environment.
How’s that for reducing the attack surface, eliminating complexity, saving costs, and minimizing risk? Read more here:
So, the best way to manage passwords AND keys no need to manage them at all and instead move to managing ephemeral secrets. Here’s how:
“I wish I was still changing passwords and keys.” He said that there are no customers!
Once without credentials, there’s no going back. Take it from our customers, who rated our solution with an NPS rating of 71 – which is astronomical in the cybersecurity industry.
Traditional PAMs have worked well until now, but it’s time to prepare your environment for the future with a modern solution that allows you to work without a password or key. At a pace convenient for you.
Check out our PrivX Zero Trust Suite learn to comprehensively manage access and secrets.
