Identity security is all the rage right now, and rightfully so. Securing identities that access an organization's resources is a sound security model.
But IDs have their limits, and there are many use cases when a business should add other layers of security to a strong identity. And this is what we at SSH Communications Security want to talk about today.
Let's look at seven ways to add additional security controls for critical and sensitive sessions for privileged users as a bolt-on to other systems.
Bolt-on 1: Securing access for high-impact IDs
Since strong ID is a key element in privileged access, our model is to natively integrate with identity and access management (IAM) solutions, like Microsoft Entra ID. We use IAM as a source for identities and permissions and make sure your organization stays up–to–date with any changes in Entra ID on identities, groups, or permissions in real-time.
The native integration allows automating the joiners-movers-leavers process since if a user is removed from IAM, all access privileges and sessions are revoked instantaneously. This keeps HR and IT processes in sync.
Our solution maps security groups hosted in Entra ID with roles and applies them for role-based access control (RBAC) for privileged users. No role-based access is established without an identity.
With IDs linked to roles, we kick in additional security controls not available in IAMs, such as:
- Privilege Elevation and Delegation Management (PEDM) allows companies to employ fine-grained controls for tasks, providing just enough access with the least privilege only for the right duration of time. The access can be limited to specific tasks, applications, or scripts instead of entire servers.
- Privileged account discovery from cloud, hybrid and on-premises environments, including Local Administrator Accounts and Unix and Linux administrator accounts.
- Isolated and independent identity source: If anorganization doesn't want to introduce, for example, third-party identities to their IAM.
- External admin authorization for approving access to critical targets as an extra step of verification
- Path to passwordless and keyless: Mitigate the risk of shared credentials, such as passwords and authentication keys, by managing them when necessary or going for just-in-time access without passwords and keys.
- Logging, monitoring, recording, and auditing sessions for forensics and compliance.
Bolt-on 2: A proven-in-use, future-proof solution for hybrid cloud security in IT and OT
A versatile critical access management solution can handle more than just IT environments. It can provide:
- Centralized access management to the hybrid cloud in IT and OT: Use the same, consistent and coherent logic to access any critical target in any environment.
- Auto-discovery of cloud, on-premises and OT assets: Get a global view into your asset estate automatically for easy access management.
- Multi-protocol support: IT (SSH, RDP, HTTPS, VNC, TCP/IP) and OT (Ethernet/IP, Profinet, Modbus TCP, OPC UA, IEC61850) are all supported.
- Privileged Application security: When you are hosting privileged applications (like GitHub repositories), we apply fine-grained security controls for each access.
- Browser isolation for critical connections over HTTP(S): Establishing isolated sessions to targets to control user web access to resources to protect resources from users and users from resources.
Bolt-on 3: Preventing security control bypass
Some of the most common access credentials, SSH keys, go undetected by traditional PAM tools as well as the Entra product family. Thousands of sessions are run over the Secure Shell (SSH) protocol in large IT environments without proper oversight or governance. The reason is that proper SSH key management requires special expertise, since SSH keys don't work well with solutions built to manage passwords.
SSH keys have some characteristics that separate them from passwords, even though they are access credentials too:
- SSH keys are not associated with identities by default.
- They never expire.
- They are easy to generate by expert users but hard to track afterwards.
- They often outnumber passwords by 10:1.
- They are functionally different from passwords which is why password-focused tools can't handle them.
Ungoverned keys can also lead to a privileged access management (PAM) bypass. We can prevent this with our approach, as described below:
Bolt-on 4: Better without passwords and keys –privileged credentials management done right
Managing passwords and keys is good but going passwordless and keyless is elite. Our approach can ensure that your environment doesn't have any passwords or key-based trusts anywhere, not even in vaults. This allows companies to operate in a completely credential-free environment.
Some of the benefits include:
- There are no credentials to steal, lose, misuse or misconfigure
- No need to rotate passwords or keys for reduced processing and resources
- No need to change production scripts on the server for vaults to work
- You company gets authentication keys under control – they typically need more attention than passwords
Overall, passwordless and keyless authentication allows levels of performance not achieved by traditional PAM tools, as described in the next section.
Bolt-on 5: Securing automated connections at scale
Machines, applications and systems talk to each other, for example, as follows:
- Application-to-application connections (A2A): Machines send and receive data via APIs and authenticate themselves using application secrets.
- File transfers: Machine-to-machine file transfers help disparate servers share critical information without humans reading this secret data.
- Application-to-application scheduled batch jobs: A batch job refers to a scheduled program created to run multiple jobs simultaneously without requiring human interference.
IAMs can't often handle machine connections at all, and traditional PAMs can' t handle them at scale. Often the reason is that SSH-based connections are authenticated using SSH keys, which traditional PAMs can't manage well. With our approach, automated connections can be secured at scale while ensuring that their credentials are under proper governance, largely because of the credentials-free approach described in section 4.
Bolt-on 6: Who did what and when - audit, record, and monitor for compliance
Solutions like Entra ID lack a proper audit trail. Typical features missing in it but found in our solution include:
- Dashboards to view audit events
- Policy reports for compliance with regulations
- Session recording and monitoring for four-eyes inspection available when necessary
- User Entity and Behavior Analysis (UEBA) is based on artificial intelligence and machine learning to detect any abnormalities in sessions based on behavior, location, time, device, and the device's security posture.
Bolt-on 7: Quantum-safe connections between sites, networks, and clouds
Quantum-safe connections do not only make your connections future-proof, even against quantum computers but are a convenient way to transmit large-scale data between two targets in a secure fashion.
- Make any connection secure over open public networks with quantum-safe end-to-end encryption tunnels that do not leave a trace on servers
- Enclose any data or protocol – even unencrypted – inside a quantum-safe tunnel
- Data sovereignty: Manage your own secrets by using private encryption keys for connections
- Transport data in deeper layers of network topology: either Layer 2 (data link layer) or Layer 3 (network layer)
PrivX Zero Trust Suite – the Best Bolt-On for Microsoft Entra Product Family for Critical Connections
As great as IAMs like Microsoft Entra ID are, they are lacking features that are a must for high-impact users accessing high-risk targets. Our PrivX Zero Trust Suite natively integrates with a number of IAMs, even simultaneously, and extends their functionality for cases when just an identity is not enough.
Contact us for a demo to learn why you need to bolt a critical security solution onto your Entra IAM to tighten the screws for production environments.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.