
Improved Credentialess and Secure Cloud Access

Periodic Reporting for period 1 - EPICA (Improved Credentialess and Secure Cloud Access)

Reporting period: 2019-10-01 to 2020-09-30

Privileged access management (PAM) consists of the cybersecurity strategies and technologies for exerting control over the elevated ("privileged") access and permissions of users, accounts, processes, and systems across an IT environment. By dialing in the appropriate level of privileged access controls, PAM helps organizations reduce their attack surface and prevent, or at least mitigate, the damage arising from external attacks as well as from insider malfeasance or negligence.

Privileged credentials (also called privileged passwords) are the subset of credentials that grant elevated access and permissions across accounts, applications, and systems. They can belong to human users, applications, service accounts, and more. SSH keys are one type of privileged credential used across enterprises to access servers and open pathways to highly sensitive assets; unlike passwords, they typically carry no expiry and remain valid until someone explicitly removes or rotates them.

Privileged account passwords are often referred to as "the keys to the IT kingdom": in the case of superuser passwords, they grant the authenticated user almost limitless access across an organization's most critical systems and data. With so much power inherent in these privileges, they are ripe for abuse by insiders and highly coveted by attackers. Forrester Research estimates that 80% of security breaches involve privileged credentials.

The cost of security breaches is staggering. A study by the law firm DLA Piper indicates that more than 160,000 data breaches were reported in the EU area during the first 18 months after the GDPR came into force. Another study, by Accenture, indicates that the average cost of a data breach can be as high as €10 million.

The IT landscape has changed with cloud adoption: dedicated servers provisioned for a specific role have given way to cloud instances that are created and destroyed on demand. The number of servers is growing rapidly, so traditional Privileged Access Management (PAM) systems, which vault and rotate a stored credential for every host and account, do not scale at sufficient speed or cost-effectively in a cloud environment where hosts can appear and disappear within minutes. Traditional on-premises PAM systems are no match for an agile mindset and the demands of a fast-moving production environment.

SSH plans to introduce a new generation of Privileged Access Management systems with PrivX. PrivX is designed to make PAM faster to implement, easier to use, and better suited to cloud environments.
The work has centered on the development of a PAM-as-a-Service (PAMaaS) platform, and on the development and piloting of a PAMaaS product offering on top of that platform. Integrations with IAM, SIEM, and other supporting systems have been studied.

The work has progressed as planned, and the results from testing both the platform and the product offering have been positive.
SSH has advanced its credentialess PAM paradigm, based on ephemeral certificates: instead of receiving a stored password or a long-lived SSH key, a user is issued a short-lived certificate for each session, so there is no standing credential to steal, vault, or rotate. The company has established a solid leadership position in the industry. External validation of the results includes placement in the Leader category of the Privileged Access Management Leadership Compass report by the analyst firm KuppingerCole.
A diagram of key PrivX functionality
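The following is an added example written for this page; it is not PrivX code and does not describe how PrivX is implemented. It models the ephemeral-certificate paradigm named above in general terms: a broker-side CA issues a certificate bound to a session, a set of target principals and a short validity window, and the target host verifies the certificate against the CA and its own clock rather than against a stored password or authorized_keys entry. The field layout follows the OpenSSH certificate convention (length-prefixed strings and 64-bit validity timestamps). Assumptions: the class and function names (`EphemeralCA`, `verify`) are hypothetical, the five-minute TTL is illustrative, and the CA signature is an HMAC-SHA256 computed with a secret shared between issuer and verifier so that the example runs with the standard library only; a real OpenSSH certificate is signed with the CA's public-key algorithm, and the target only needs the CA's public key.

```python
"""Ephemeral-certificate access model (added example, not PrivX code)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import List

# RFC 4251 wire encodings used by OpenSSH certificate blobs.
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _uint64(n: int) -> bytes:
    return struct.pack(">Q", n)

@dataclass
class Cert:
    key_id: str            # audit identity, e.g. "alice:session-1"
    principals: List[str]  # target accounts this cert may log in as
    valid_after: int       # Unix seconds, inclusive
    valid_before: int      # Unix seconds, exclusive
    serial: int
    nonce: bytes
    signature: bytes = b""

    def body(self) -> bytes:
        """Signed portion, in OpenSSH field order (subset of the real format)."""
        principals = b"".join(_string(p.encode()) for p in self.principals)
        return (_string(self.nonce)
                + _uint64(self.serial)
                + _string(self.key_id.encode())
                + _string(principals)
                + _uint64(self.valid_after)
                + _uint64(self.valid_before))

class EphemeralCA:
    """Broker-side issuer. Mints a fresh, short-lived cert per session."""

    def __init__(self, ca_secret: bytes, ttl_seconds: int = 300):
        # ASSUMPTION: HMAC stand-in for the CA's public-key signature.
        self._secret = ca_secret
        self.ttl = ttl_seconds
        self._serial = 0

    def issue(self, user: str, principals: List[str], now: int) -> Cert:
        self._serial += 1
        cert = Cert(key_id=f"{user}:session-{self._serial}",
                    principals=list(principals),
                    valid_after=now,
                    valid_before=now + self.ttl,
                    serial=self._serial,
                    nonce=os.urandom(16))
        cert.signature = hmac.new(self._secret, cert.body(), hashlib.sha256).digest()
        return cert

def verify(cert: Cert, ca_secret: bytes, principal: str, now: int) -> str:
    """Target-side check, mirroring what sshd enforces for a CA-signed cert.

    Order matters: an unsigned or tampered cert is rejected before any of its
    claims (window, principals) are trusted. No revocation list is consulted;
    expiry is the revocation mechanism.
    """
    expected = hmac.new(ca_secret, cert.body(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert.signature):
        return "bad-signature"
    if not (cert.valid_after <= now < cert.valid_before):
        return "expired"
    if principal not in cert.principals:
        return "principal-not-allowed"
    return "ok"

if __name__ == "__main__":
    # Constructed scenario: 'alice' gets a 5-minute cert for two principals.
    secret = b"ca-secret-for-example-only"
    ca = EphemeralCA(secret, ttl_seconds=300)
    t0 = 1_700_000_000
    cert = ca.issue("alice", ["alice", "ubuntu"], t0)
    for principal, when in [("alice", t0), ("ubuntu", t0 + 299),
                            ("alice", t0 + 300), ("root", t0)]:
        print(principal, when - t0, verify(cert, secret, principal, when))
```

Two points the code makes that the paragraph alone does not: the target host's clock is part of the access decision, so clock skew between broker and targets translates directly into access being granted slightly early or late; and because the principal list is inside the signed body, a user cannot widen it after issuance without invalidating the signature.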