After a password-sniffing attack at his university network, Tatu Ylönen designed the first version of the Secure Shell (SSH) protocol. 25 years later, more than 95% of the servers used to power the internet have SSH installed. The internet as we know is largely managed using SSH.
But how did this all happen? How did the protocol become a cornerstone of a safe internet, and what does a European Commissioner or a lego brick have to do with it?
Universal SSH Key Manager & the growth of SSH
SSH made it possible to build secure channels over unsecured networks by using SSH keys. The channels themselves were safe, but a new problem emerged when managing the massive amount of SSH keys the customers had. The keys did not expire, have an identity associated with them or could be shared , which was a huge issue for companies that had tens of thousands of current and former employees. If someone outside the organization got access to a key, that access could go undetected for months, even years..
“There were several cryptographic issues I didn’t understand when I started. And those made me sleep bad at night.” There was a true need for a proper key management solution.
“We had many SSH key management projects way before the actual product launched. We have developed all our services together with our customers, thinking, what kind of solutions would serve them the most, and UKM is a great example of that” Suvi Lampila says.
Universal SSH Key Manager (UKM) was designed to keep track of SSH keys. It manages SSH key inventories and automates policy enforcement, consolidates visibility, and simplifies compliance, according to enforce policies.
“It is not uncommon to find hundreds of thousands of unnecessary SSH keys when auditing our customers’ systems. And those are all putting information security at risk.” Ylönen says.
UKM solved the issue and is widely known as the most comprehensive, least intrusive and most robust solution on the market. It quickly became the number one SSH key management solution in the world. “Never in my wildest dreams could I imagine people started using it on a scale people are using it now.”
At the same time, also the SSH protocol had spread even wider. It quickly turned out to be one of the greatest discoveries of the internet era.
Today, more than 95% of the servers used to power the internet have SSH installed. It is safe to say that SSH keeps the world running: retail, cashiers, logistics, supply chain, landholdings, health information, even banks and militaries heavily depend on SSH, and many of them are also clients of SSH.COM. Suvi Lampila is well-aware of the responsibility that comes with clients like that:
“It can be thrilling to work in technical support. When a call comes, you know, that there have been several people before me, trying to solve the problem without success. Every second counts. There are people troubleshooting, different vendors, operating systems, no one knowing, where the problem lies.
In most cases the issue does not track down to our products, but as long as the problem is under investigation, the stress is real. And it must be if information security is at risk. At the same time, when the problem is solved, there is no better feeling – to have solved something no one else has solved before.”
Future: the threats and connections without keys or passwords
Digital transformation and adoption of cloud services will keep SSH.COM busy for years to come. Solutions for cybersecurity threats and safe but convenient remote work must be agile and easily integrated with enterprise information systems. Identity management, access management, and cloud security are something to consider in the era where concepts like Zero Trust, Zero Standing Privileges and Just-in-Time Access have emerged.
The future growth of the company will be fueled by building better, easier, and more cost-effective Intelligent Access Management solutions. “Combining static, permanent access credentials like SSH keys and privileged, superuser passwords with dynamic and short-live services has been an issue for a time now.”
“But what if there was no need for admins, subcontractors or developers to use passwords or SSH keys to establish a secure connection? We put a lot of effort into building a solution that is easy to use so that privileged users just SSO to our solution and automatically have access to only their available servers with the right level of privilege based on their role. That is what PrivX is all about.” Lampila says. “It also supports RPD and HTTPS connections”, Lampila adds.
PrivX was also designed to eliminate the need to manage, rotate or vault SSH keys or other permanent credentials when establishing secure connections in hybrid multi-cloud environments. Instead, it authenticates users with ephemeral certificates that are created on-demand and just-in-time, when the connection is made. After a short time period (typically 5 minutes), the authentication expires automatically, leaving no keys or privileged passwords behind to forget, steal, lose or misuse - or manage.
This ensures that third parties don’t walk away with your privileged credentials or bad actors cannot find them lying around in your environment, since permanent credentials are eliminated from the equation.
“The cloud environment work like an automated lego brick builder: itis built by a touch of a button from only those components that are needed in the moment. This is why fast deployment and automation matter: PrivX can be deployed in days, maintenance needs are minimal, scalability is great and linking admins and developers to their target hosts is automated, even if there are changes in the cloud environment. ”
That is great news considering the wide variety of cyber threats we are facing these days. Now that the society is fully dependent on cyber security, the solutions must do their best to be ahead of the threats.
But wait, what are the biggest cyber threats, anyway?
“We are, again, at a point where some governments are trying to make encryption look like a bad idea as a whole. They argue it is because of terrorism, but in the end, it is all about cyberwarfare. And not everyone is aware of the consequences of handing all the data over to another nation.” Ylönen says. “The current atmosphere around the topic is what really concerns me.”
Sam Curry agrees: “Cyber is another form of other means, another tool to continue to get advantages from other countries into winning diplomacy in doing trade and to avoid having to resort to use of physical force. “
And then there is the organized crime. As Curry puts it: “If you're an organized criminal and you're using a gun and a mask to do a robbery you're pretty stupid.”
“The bad guys are running a race and the good guys are running a race. Whoever wins, gets a control over that environment. So, anything that slows the bad guys down or speeds up the good guys will help.”
Now, as before, SSH.COM will be in the job of producing solutions that enable working safe in the ever-changing internet environment.