Identity security is all the rage right now, and rightfully so. Securing identities that access an organization’s resources is a sound security model.
But IDs have their limits, and there are many use cases when a business should add other layers of security to a strong identity. And this is what we at SSH Communications Security want to talk about today.
Let’s look at seven ways to add additional security controls for critical and sensitive sessions for privileged users as a bolt-on to other systems.
Since strong ID is a key element in privileged access, our model is to natively integrate with identity and access management (IAM) solutions, like Microsoft Entra ID. We use IAM as a source for identities and permissions and make sure your organization stays up-to-date with any changes in Entra ID on identities, groups, or permissions in real time.
The native integration allows automating the joiners-movers-leavers process since if a user is removed from IAM, all access privileges and sessions are revoked instantaneously. This keeps HR and IT processes in sync.
Our solution maps security groups hosted in Entra ID with roles and applies them for role-based access control (RBAC) for privileged users. No role-based access is established without an identity.
With IDs linked to roles, we kick in additional security controls not available in IAMs, such as:
A versatile critical access management solution can handle more than just IT environments. It can provide:
Some of the most common access credentials, SSH keys, go undetected by traditional PAM tools as well as the Entra product family. Thousands of sessions are run over the Secure Shell (SSH) protocol in large IT environments without proper oversight or governance. The reason is that proper SSH key management requires special expertise, since SSH keys don’t work well with solutions built to manage passwords.
SSH keys have some characteristics that separate them from passwords, even though they are access credentials too:
Ungoverned keys can also lead to a privileged access management (PAM) bypass. We can prevent this with our approach, as described below:
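As an added example (not the PrivX approach the post refers to, nor code from the post), the script below shows what "finding ungoverned SSH keys" means in practice: it parses OpenSSH authorized_keys entries, decodes the key blob to get the fingerprint and RSA modulus size, and flags the governance gaps a password-oriented tool never sees (weak keys, keys with no source restriction, keys that cannot be tied to an owner, and one key trusted by several accounts). The sample entries, key blobs and flag names are constructed for this example.

```python
"""Inventory OpenSSH authorized_keys entries and flag ungoverned keys (added example)."""
import base64, hashlib, shlex, struct
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}

def _fields(blob):  # split a key blob into its SSH wire-format strings (uint32 length + bytes)
    out, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out
def parse_line(line):  # one authorized_keys entry -> dict, or None for blank/comment lines
    tokens = shlex.split(line)  # honours quoted options such as command="..."
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens) or tokens[0].startswith("#"):
        return None
    blob = base64.b64decode(tokens[idx + 1])
    fields = _fields(blob)  # RSA blob: [b"ssh-rsa", mpint e, mpint n]
    bits = int.from_bytes(fields[2], "big").bit_length() if tokens[idx] == "ssh-rsa" else None
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": tokens[idx], "bits": bits, "fingerprint": fp,
            "options": " ".join(tokens[:idx]), "comment": " ".join(tokens[idx + 2:])}
def risk_flags(entry):  # governance findings that password-oriented tooling never raises
    flags = []
    if entry["type"] == "ssh-dss" or (entry["type"] == "ssh-rsa" and entry["bits"] < 2048):
        flags.append("weak-key")
    if "from=" not in entry["options"]:
        flags.append("no-source-restriction")  # usable from any network location
    if not entry["comment"]:
        flags.append("no-owner-comment")  # cannot be tied back to an identity
    return flags
def scan(files):  # {account: [authorized_keys lines]} -> one finding per key entry
    by_fp = {}
    for account, lines in files.items():
        for entry in filter(None, map(parse_line, lines)):
            entry.update(account=account, flags=risk_flags(entry))
            by_fp.setdefault(entry["fingerprint"], []).append(entry)
    for group in by_fp.values():  # one key trusted by several accounts = shared credential
        if len({e["account"] for e in group}) > 1:
            for e in group:
                e["flags"].append("shared-across-accounts")
    return [e for group in by_fp.values() for e in group]

# Constructed sample keys (not real): a 1024-bit RSA modulus and an Ed25519 point in wire format.
def _s(b): return struct.pack(">I", len(b)) + b
def _mpint(n): return _s(n.to_bytes(n.bit_length() // 8 + 1, "big"))  # extra byte keeps sign positive
_RSA = base64.b64encode(_s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 0x10001)).decode()
_ED = base64.b64encode(_s(b"ssh-ed25519") + _s(bytes(range(32)))).decode()
SAMPLE = {"root": ['from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-rsa %s backup@batch01' % _RSA,
                   "ssh-ed25519 %s" % _ED],
          "deploy": ["ssh-ed25519 %s ci@runner01" % _ED]}
```

Running `scan(SAMPLE)` reports the root RSA key as weak-key only (it is source-restricted and attributed), while the unattributed Ed25519 key is flagged on root and again as shared with the deploy account.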
Managing passwords and keys is good but going passwordless and keyless is elite. Our approach can ensure that your environment doesn’t have any passwords or key-based trusts anywhere, not even in vaults. This allows companies to operate in a completely credential-free environment.
Some of the benefits include:
Overall, passwordless and keyless authentication allows levels of performance not achieved by traditional PAM tools, as described in the next section.
Machines, applications and systems talk to each other, for example, as follows:
IAMs often can’t handle machine connections at all, and traditional PAMs can’t handle them at scale. Often the reason is that SSH-based connections are authenticated using SSH keys, which traditional PAMs can’t manage well. With our approach, automated connections can be secured at scale while ensuring that their credentials are under proper governance, largely because of the credentials-free approach described in section 4.
Solutions like Entra ID lack a proper audit trail. Typical features missing in it but found in our solution include:
Quantum-safe connections not only make your connections future-proof, even against quantum computers, but are also a convenient way to transmit large-scale data between two targets in a secure fashion.
As great as IAMs like Microsoft Entra ID are, they lack features that are a must for high-impact users accessing high-risk targets. Our PrivX Zero Trust Suite natively integrates with a number of IAMs, even simultaneously, and extends their functionality for cases when just an identity is not enough.
Contact us for a demo to learn why you need to bolt a critical security solution onto your Entra IAM to tighten the screws for production environments.