
Improved Credentialess and Secure Cloud Access

Periodic Reporting for period 2 - EPICA (Improved Credentialess and Secure Cloud Access)

Reporting period: 2020-10-01 to 2022-03-31

Privileged access management (PAM) consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment. By dialing in the appropriate level of privileged access controls, PAM helps organizations shrink their attack surface and prevent, or at least mitigate, the damage arising from external attacks as well as from insider malfeasance or negligence.

Privileged credentials (also called privileged passwords) are a subset of credentials that provide elevated access and permissions across accounts, applications, and systems. Privileged passwords can be associated with human, application, service accounts, and more. SSH keys are one type of privileged credential used across enterprises to access servers and open pathways to highly sensitive assets.

Privileged account passwords are often referred to as “the keys to the IT kingdom,” as, in the case of superuser passwords, they can provide the authenticated user with almost limitless privileged access rights across an organization’s most critical systems and data. With so much power inherent in these privileges, they are ripe for abuse by insiders and are highly coveted by hackers. Forrester Research estimates that 80% of security breaches involve privileged credentials.

The cost of security breaches is staggering. A study by the law firm DLA Piper indicates that there were more than 160,000 data breaches in the EU area during the first 18 months of the GDPR rule. Another study, by Accenture, indicates that the average cost of a data breach can be as high as €10 million.

The IT landscape has changed with cloudification: dedicated servers provisioned for a specific role have been moved to the cloud. The number of servers is growing exponentially, so traditional Privileged Access Management (PAM) systems do not scale at sufficient speed or cost-effectively in a cloud environment. Traditional PAM systems meant purely for on-premise access management are no match for an agile mindset and the demands of a fast-moving production environment.

SSH plans to introduce a new generation of Privileged Access Management systems with PrivX. PrivX is designed to make PAM faster to implement, easier to use, and better suited for cloud environments, dynamic, immutably deployed infrastructures and DevOps use cases.
The work centered around PrivX product and feature development, making it a one stop solution for all privileged access management needs.

Initially, this work included building and trialing a complete PrivX SaaS platform running on a public cloud platform. This entailed developing Infrastructure as Code (IaC) tooling, end user experience, monitoring and administration systems. The SaaS platform was built to fully utilize cloud platform services to achieve high availability, complete customer tenant isolation and ease of management.

We also produced an infrastructure as code toolchain to deploy standalone PrivX instances in Amazon Web Services using AWS Cloud Development Kit.

Considerable time was spent further securing PrivX as a product and documenting and formalizing secure development practices.

The product feature work involved creating a secure PrivX secrets vault, secrets API, clients and an extensible secrets rotation functionality for selected target systems. The PrivX observability was improved by adding and enriching audit event data and integrating PrivX against a market leading SIEM solution. PrivX integrations to identity systems were improved, making it possible to integrate PrivX to additional identity and host sources, and supporting additional authentication methods for native client connectivity.

We also launched the PrivX online public documentation experience, through which customers can interact with the documentation and send feedback, and which gives us the ability to focus on the most-read articles.
SSH has advanced its credentialess PAM paradigm based on ephemeral certificates and developed a solid leadership position in the industry. External validation of the results includes placement in the Leader category in the Privileged Access Management Leadership Compass report by the renowned analyst firm KuppingerCole.
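The ephemeral-certificate paradigm works because the credential itself carries its expiry and the principals it is good for, so a server can refuse it once the window closes without any revocation list and nothing long-lived is ever handed to the user. The following Python example is added here as an illustration; it is not PrivX code or part of the report. It encodes a user certificate in the OpenSSH ssh-ed25519-cert-v01@openssh.com wire layout, parses it back, and applies the checks a server makes (trusted CA, validity window, principal match). The key material, nonce and signature bytes are constructed placeholders, and signature verification is stubbed, since the point is the lifetime and scope fields; with a real CA key the equivalent is `ssh-keygen -s ca_key -I key_id -n principal -V +5m user_key.pub`.

```python
"""Ephemeral SSH user certificate: encode, parse, and check it the way a
server does before accepting it. Added illustration (not PrivX code); the wire
layout follows OpenSSH's ssh-ed25519-cert-v01@openssh.com, signature stubbed."""
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # OpenSSH certificate type field: 1 = user, 2 = host


def _string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_certificate(pubkey, key_id, principals, issued_at, ttl_seconds,
                      nonce, ca_pubkey):
    """Encode a user certificate valid for [issued_at, issued_at + ttl).
    A real CA signs everything before the final field; here the signature is
    a constructed placeholder because only the scope fields are exercised."""
    body = (_string(CERT_TYPE)
            + _string(nonce)
            + _string(pubkey)                               # user's key
            + struct.pack(">Q", 0)                          # serial
            + struct.pack(">I", USER_CERT)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">Q", issued_at)                  # valid_after
            + struct.pack(">Q", issued_at + ttl_seconds)    # valid_before
            + _string(b"")                                  # critical options
            + _string(b"")                                  # extensions
            + _string(b"")                                  # reserved
            + _string(ca_pubkey))                           # signature key
    return body + _string(b"PLACEHOLDER-SIGNATURE")


def parse_certificate(cert: bytes) -> dict:
    """Decode the fields a server needs; options and extensions are skipped."""
    off = 0
    key_type, off = _read_string(cert, off)
    _nonce, off = _read_string(cert, off)
    pubkey, off = _read_string(cert, off)
    serial, cert_type = struct.unpack_from(">QI", cert, off)
    off += 12
    key_id, off = _read_string(cert, off)
    blob, off = _read_string(cert, off)
    principals, p = [], 0
    while p < len(blob):                 # principals: a string of strings
        name, p = _read_string(blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", cert, off)
    off += 16
    for _ in range(3):                   # critical options, extensions, reserved
        _skip, off = _read_string(cert, off)
    ca_pubkey, off = _read_string(cert, off)
    return {"key_type": key_type, "pubkey": pubkey, "serial": serial,
            "cert_type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_pubkey": ca_pubkey}


def check_certificate(cert, principal, now, trusted_ca_keys):
    """Return the reasons to reject the certificate; an empty list means accept.
    Order follows the server's view: CA trust, validity window, principal.
    Signature verification is assumed to have happened before this step."""
    c = parse_certificate(cert)
    reasons = []
    if c["key_type"] != CERT_TYPE or c["cert_type"] != USER_CERT:
        reasons.append("not a supported user certificate")
    if c["ca_pubkey"] not in trusted_ca_keys:
        reasons.append("signing CA not trusted")
    if now < c["valid_after"]:
        reasons.append("certificate not yet valid")
    elif now >= c["valid_before"]:
        reasons.append("certificate expired")
    if principal not in c["principals"]:
        reasons.append(f"principal {principal!r} not in certificate")
    return reasons


# Constructed sample: placeholder CA and user keys, and a 5-minute certificate
# issued at a fixed epoch so the checks below are reproducible.
CA_PUBKEY = b"\x01" * 32
USER_PUBKEY = b"\x02" * 32
ISSUED_AT = 1_650_000_000
SAMPLE_CERT = build_certificate(USER_PUBKEY, "alice@laptop", ["deploy"],
                                ISSUED_AT, 300, b"\x00" * 32, CA_PUBKEY)

if __name__ == "__main__":
    for t in (ISSUED_AT + 60, ISSUED_AT + 600):
        print(t, check_certificate(SAMPLE_CERT, "deploy", t, {CA_PUBKEY}) or "accepted")
```

Run as a script it prints one accepted decision one minute after issuance and "certificate expired" ten minutes after it; the same certificate is also refused for a principal it was never issued for, which is what makes the credential both short-lived and narrowly scoped.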

PrivX has been developed to be a single pane of glass to the whole customer infrastructure, be it on-premise, public cloud, multi-cloud or hybrid cloud. With public networks becoming increasingly unsafe for organizations, the need for a well-managed and safe privileged access management solution will only grow. Also, the nature of privileged access management is changing, from administrative access to access concerning any kind of sensitive data.

With constant development, and through adding new supported use cases, SSH aims to maintain its leadership position and be at the forefront of safe data access.

Figure: A diagram of key PrivX functionality