Identity security is all the rage right now, and rightfully so. Securing identities that access organizational resources is a good security model.
But identities have their limits, and there are many use cases where a company needs to add other layers of security on top of strong identification. That is what we at SSH Communications Security want to talk about today.
Let's take a look at seven ways to add security controls for critical and sensitive sessions of privileged users, as an adjunct to identity systems.
Add-on 1: Securing access for high-impact IDs
Because a trusted identity is a key element of privileged access, our model provides native integration with identity and access management (IAM) solutions such as Microsoft Entra ID. We use the IAM as the source of identities and permissions and ensure that your organization stays up to date with any changes to Entra ID identities, groups or permissions in real time.
The native integration lets you automate the joiner-mover-leaver process: when a user is removed from the IAM, all access privileges and sessions are instantly revoked. It keeps HR and IT processes in sync.
Our solution maps security groups in Entra ID to roles and applies them as role-based access control (RBAC) for privileged users. Role-based access is never granted without an identity.
With role-bound identities, we enable additional security controls not available in IAM, such as:
- Privilege Elevation and Delegation Management (PEDM): granular controls let users perform tasks with just enough least-privilege access, for only as long as needed. Access can be limited to specific tasks, programs or scripts instead of entire servers.
- Privileged account detection from cloud, hybrid, and on-premises environments, including local administrator accounts and Unix and Linux administrator accounts.
- An isolated and independent source of identity: When an organization does not want to inject, for example, third-party identities into its IAM.
- Approval workflows: an additional administrator must approve access to critical targets as an extra verification step.
- A path to passwordless and keyless access: reduce the risk of shared credentials such as passwords and authentication keys by managing them where needed, or by opting for just-in-time access without passwords and keys.
- Logging, monitoring, recording and auditing of sessions for forensics and compliance.
Add-on 2: A field-proven and future-proof solution for hybrid cloud security in IT and OT
A versatile solution for managing critical access can work with more than just the IT environment. It can provide:
- Centralized access control for the hybrid cloud in IT and OT: use the same consistent logic to access any mission-critical target in any environment.
- Automatic discovery of cloud, on-premises and OT assets: Get a global overview of your assets automatically for easy access management.
- Support for multiple protocols: IT (SSH, RDP, HTTPS, VNC, TCP/IP) and OT (Ethernet/IP, Profinet, Modbus TCP, OPC UA, IEC61850) are supported.
- Privileged application security: When you host privileged applications (such as GitHub repositories), we apply fine-grained security controls for each access.
- Browser isolation for critical connections over HTTP(S): isolated sessions to the target let you control web users' access to resources, protecting the resources from the users and the users from the resources.
Add-on 3: Prevent bypassing of security controls
Some of the most common access credentials, SSH keys, remain undetected by traditional PAM tools as well as the Entra family of products. Thousands of sessions run over Secure Shell (SSH) in large IT environments without proper monitoring or management. The reason is that properly managing SSH keys requires special expertise, as SSH keys do not work well with solutions built for password management.
SSH keys have some characteristics that distinguish them from passwords, even though they are also access credentials:
- SSH keys are not associated with IDs by default.
- They never expire.
- They are easy for power users to create, but difficult to track afterwards.
- They often outnumber passwords by 10:1.
- They are functionally different from passwords, so password-centric tools cannot work with them.
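As an added example (not SSH Communications Security's or PrivX's code), the following script inventories an OpenSSH authorized_keys file and flags entries showing the properties listed above: no owner comment tying the key to an identity, no `expiry-time` option (so the key never expires) and no `from=` source restriction. The sample file content is constructed.

```python
"""Inventory OpenSSH authorized_keys entries and flag those an identity-bound
access model would reject: no owner comment, no expiry, no source restriction.
Added example, not SSH Communications Security's code; the sample is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
_KEY_RE = re.compile(r'(?:^|\s)(' + "|".join(map(re.escape, KEY_TYPES))
                     + r')\s+\S+(?:\s+(.*))?$')
# One option: name, optionally followed by ="quoted value" (OpenSSH syntax)
_OPT_RE = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')

@dataclass
class KeyEntry:
    key_type: str
    comment: str
    options: Dict[str, object] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[KeyEntry]:
    """Parse one authorized_keys line into a KeyEntry with audit findings."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        return None
    opts_text = line[:m.start()].strip()  # everything before the key type
    options = {o.group(1): (o.group(2) if o.group(2) is not None else True)
               for o in _OPT_RE.finditer(opts_text)}
    entry = KeyEntry(m.group(1), (m.group(2) or "").strip(), options)
    if not entry.comment:
        entry.findings.append("no owner comment: key not tied to an identity")
    if "expiry-time" not in options:
        entry.findings.append("no expiry-time option: key never expires")
    if "from" not in options:
        entry.findings.append("no from= restriction: usable from any host")
    return entry

def audit(text: str) -> List[KeyEntry]:
    """Audit a whole authorized_keys file given as text."""
    return [e for e in map(parse_line, text.splitlines()) if e]

SAMPLE = """\
# constructed sample ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0000000000000000
from="10.0.0.0/8",expiry-time="20251231",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructed backup@jobhost
"""
```

Run `audit(open(path).read())` over each user's authorized_keys file to get an inventory; an entry with three findings is exactly the kind of untracked, non-expiring key the section describes.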
Unmanaged keys can also be used to bypass Privileged Access Management (PAM). Our approach prevents this, as described below:
Add-on 4: Better without passwords and keys – managing privileged credentials done right
Managing passwords and keys is good; having no passwords or keys at all is better. Our approach can ensure that your environment contains no passwords or key-based trusts, even in repositories. This allows companies to operate in a completely credential-less environment.
Some of the benefits include:
- No credentials can be stolen, lost, misused or misconfigured
- No need to rotate passwords or keys, which saves processing and resources
- No need to change production scripts on the server to make the repositories work
- Your company brings authentication keys under control – they usually require more attention than passwords
In general, passwordless and keyless authentication provides a level of performance that traditional PAM tools cannot achieve, as described in the next section.
Add-on 5: Securing automated connections at scale
Machines, programs and systems talk to each other, for example in the following ways:
- Application-to-application (A2A) connections: machines send and receive data through APIs and authenticate themselves using application secrets.
- File transfer: machine-to-machine file transfer lets disparate servers share important information without a human ever seeing the data.
- Scheduled batch jobs from application to application: a batch job is a scheduled program created to run multiple jobs without human intervention.
IAMs often cannot handle machine connections at all, and traditional PAMs cannot handle them at scale. Often the reason is that SSH-based connections are authenticated using SSH keys, which traditional PAMs cannot manage well. With our approach, automated connections can be secured at scale while ensuring that their credentials are properly managed, largely thanks to the credentialless approach described in Section 4.
Add-on 6: Who did what and when – audit, record and monitor for compliance
Solutions like Entra ID do not provide a proper audit trail for privileged sessions. Typical features they lack, and our solution includes:
- Dashboards for viewing audit events
- Policy reports on regulatory compliance
- Session recording and monitoring, available for four-eyes review if required
- User and Entity Behavior Analytics (UEBA) based on artificial intelligence and machine learning to detect anomalies in sessions based on behavior, location, time, device and the security status of the device.
Add-on 7: Quantum-safe connections between sites, networks and clouds
Quantum-safe connections not only make your connections future-proof, even against quantum computers, but are also a convenient way to securely transfer large volumes of data between two targets.
- Make any connection secure over open public networks with quantum-safe end-to-end encryption tunnels that leave no trace on servers
- Enclose any data or protocol – even unencrypted – in a quantum-secure tunnel
- Data sovereignty: manage your own secrets by using private encryption keys for connections
- Transport data at deeper layers of the network topology: layer 2 (link layer) or layer 3 (network layer)
PrivX Zero Trust Suite is the best addition to the Microsoft Entra family of products for critical connections
As great as IAMs like Microsoft Entra ID are, they lack features that are a must for high-impact users accessing high-risk targets. Our PrivX Zero Trust Suite natively integrates with multiple IAMs, even at the same time, and extends their functionality in cases where identity alone is not enough.
Contact us for a demonstration to learn why you should add a solution for mission-critical access to Entra ID to tighten the screws on your production environments.