The next step up for high-impact identity authorization

Sponsored Feature As business enters the 2020s, organizations find themselves protecting fast-expanding digital estates using security concepts that are decades old.

The computing industry is supposed to be addicted to constant change and yet some core features – the password for instance - remain remarkably untouched.

The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities, according to Verizon. From a risk perspective, this could be interpreted as increasingly chaotic and insecure. Networks allow connectivity from anywhere and for anyone, including by third-party service providers whose access is difficult to monitor. Data moves constantly between networks, including to and from on-premise systems and remote cloud platforms that were built to be shared utilities rather than corporate security systems. Employees, meanwhile, communicate and collaborate using email and messaging platforms, exchanging sensitive data in ways the security teams can't even see.

It's a computing model serviced by a vast array of credentials, identities, and permissions whose underlying management has been creaking at the seams for years. Organizations have reacted with more management layers to lock down data, and a growing volume of security such as multi-factor authentication (MFA) that is always easier to plan than manage in reality.

In parallel, network complexity continues to grow, taking in operational technology (OT), cloud platforms, and orchestration systems, as well as the on-premise data centers kept through necessity. Adding to this in most sectors is an array of data transfer and remote connectivity based on RDP, VNC, SSH, and VPNs, firewalls as well as proprietary Operational Technology (OT) protocols (Modbus, Profinet, EtherNet/IP).

The long procession of security breaches

Unavoidably, there are gaps and oversights, which is why security breaches have become so routine. The biggest weakness seen in most breaches is the continuing reliance on password credentials. A good illustration of this is what happened to single sign-on (SSO) identity provider (IdP) Okta in September 2023, an incident during which admin credentials for the company's customer support system were inadvertently leaked through a privileged employee's personal Gmail account. This gave attackers access to session tokens for several customers, leading to the compromise of customer accounts whose number and scope are still not clear.

Another example of the same problem was the earlier ransomware compromise of the MOVEit file transfer application used by thousands of organizations to move data around their networks. From these incidents, several patterns jump out. The first is that the compromise of a single privileged account – or simply a privileged adjacent account - can undermine an entire organization in minutes. When this happens in a third-party service provider, that compromise can break open the carefully constructed security of thousands of other companies in one go. Worst of all, this can happen without anyone knowing about it until serious data loss occurs.

The second one is that companies are not using 'security-first' solutions to transfer critical or sensitive data. Since all data is not created equal, protecting high-impact information should be a priority.

Breaches have become more frequent despite regulators bearing down on organizations with onerous rules. At first, it was largely sector-specific regulations such as HIPAA and PCI DSS. But these soon expanded to universal regimes such as the GDPR and the EU's new Network and Information Systems Directive (NIS)2. Organizations must also accommodate increasingly complex data sovereignty requirements. Even an application as unremarkable as WhatsApp can lead to huge fines for organizations falling foul of SEC rules when it's used irresponsibly in regulated sectors or fails to meet record-keeping requirements.

Tackling tool sprawl and complexity head-on

Historically, data security has tended to be implemented on a piecemeal basis. But in many cases this leads to a fragmentation in which organizations deploy multiple tools and platforms to address problems connected to passwords, data encryption, OT security, and remote access. And that just serves to drive up complexity while guaranteeing additional management overhead and cost.

Security vendor SSH Communications Security recently took this issue of tool sprawl and complexity head-on with the launch of its PrivX Zero Trust Suite. This offers several capabilities in a single platform, which means a range of security issues can be addressed in a modular way through a single, integrated platform. It also allows organizations to implement the principle of zero trust across their infrastructure, critical when managing credentials for the tiny percentage of privileged accounts that spell danger in the wrong hands. To that end, the Suite comprises a range of capabilities divided into modules:

The core of the Zero Trust Suite is built on PrivX, a privileged access management (PAM) system designed to overcome the weaknesses of traditional password credentials when used with high-risk accounts. This includes abandoning passwords altogether in favor of ephemeral 'just-in-time' certificates which can only be used for a single session. This helps to manage third-party access while removing the possibility of permanent credentials being abused or lost.

For environments that require conventional secrets (passwords, API tokens, certificates), PrivX offers a secure Secrets Vault, which avoids the problem of hackers breaking into the network and stealing hardcoded or unsecured credentials, says the company. For OT environments, all of the above applies, but PrivX is also equipped with Network Target Access (NTA) functionality that enables access based on industrial communication protocols.

SSH Communications Security argues that this ability to track and manage every type of credential in a centralized way is fundamental to securing privileged accounts, citing one customer who discovered it had a million SSH keys alone throughout its environment. Equally, being able to dispense with permanent credentials such as passwords removes the chore of having to constantly rotate and store them.

To verify the ID of high-impact users, comes equipped with strong, phishing-resistant multi-factor authentication (MFA) for access, says the company. When extended with device trust, the security posture of the device and the validity of the session is continuously monitored, and in case of anomalies (such as anti-virus going offline), is also automatically terminated.

Customer use cases and UKM show worth

PrivX is currently used by customers across a variety of industry verticals:

- A Fortune 500 company used it to manage secure access for admins and DevOps to its large Kubernetes container environment without the risk associated with traditional credentials and keys. Built on microservices, like the Kubernetes environment itself, PrivX was able to meet the high-performance and scalability requirements set by the customer. With an agentless deployment, the solution also ensured a zero touch environment without the customer having to change the configurations of production scripts or targets.

- A telecom company used it to enable secure access to its network by multiple third-party service providers (static credentials would have created a risk of password sharing or compromise for accounts with high privileges). An added advantage was PrivX's simple integration with an existing Windows Active Directory (AD) for authorization and access control.

While PrivX includes the ability to manage SSH keys centrally alongside other credentials, some customers require dedicated SSH management, particularly within the context of machine-to-machine and test-to-production connectivity. That's where the second module - the Universal SSH Key Manager (UKM) – comes into play.

The UKM allows customers to uncover SSH keys of all types in their environment, create a policy report of compliance, remedy to ensure key management complies with local regulations and best practice (ie the NIST framework), and automatically rotate these when they reach a given age. As with PrivX, the UKM allows migration for an entirely keyless access with just-in-time authentication, and integrates with AD and IAMs such as Entra ID (formerly Azure AD) via SAML 2.0.

UKM's features include the ability to scan SSH keys for encryption schemes that might be vulnerable to future quantum computers. Through this, organizations can discover which algorithms they are using currently will need to be replaced with quantum-safe post-quantum cryptography (PQC) equivalents over time. This might sound like a worry for the future but the rapid maturing of PQC algorithms under NIST suggests the issue of quantum-safe migration should be assessed as soon as possible.

Overcoming email data security weaknesses

SSH Secure Collaboration is a suite of applications designed to overcome the data security weaknesses that arise from using email, video conferencing and instant messaging applications to share data between employees or with customers. The obvious use case for this is in regulated environments where data exchange is tightly controlled. Customers can access a secure application where conventional email or IM would be too risky, with all data stored in encrypted form while at rest or in transit. All communication can be verified with digital signing to ensure document integrity, and there's a solid audit trail of activities to help organizations avoid the fate of the Wall Street companies which were fined for not following the record-keeping requirements.

Tectia is a secure remote access and file transfer/secure tunneling tool for moving data between machines using SFTP or SCP, eliminating static credentials and identities in favor of role-based access control (RBAC). The latter allows organizations to adhere to the principle of zero trust. Use cases include exchanging patient data in healthcare in a compliant way, secure software distribution, and sending and receiving orders or quotes in manufacturing.

Where organizations in highly sensitive environments are concerned about the threat posed by quantum computers, a separate Quantum-Safe Edition implements post-quantum cryptography (PQC) to resist attacks, including that public-key encrypted data might be stolen today and stored until a quantum device able to decrypt it becomes available (the uncomfortably plausible 'download now, decrypt later' scenario).

The biggest problem with zero trust is that it is a security principle – trust nothing - rather than a defined technology. It tells people what to do but not how to do it. What's clear is that the assumed trust of traditional password credentials and security perimeters no longer cuts it. This is a difficult message to deliver; simply abandoning passwords is challenging and, in some cases, impossible. Authentication happens in so many ways today that organizations need multiple systems for different contexts. This is perhaps the biggest promise of Zero Trust Suite, namely that complex security requirements can be managed through a single access management system that offers a unique set of applications for securing communications between humans, systems, applications and networks.

Sponsored by SSH Communications Security.