Running privileged access management in containers with PrivX 20
TL;DR: PrivX 20 can now be deployed in containers orchestrated by Kubernetes, adds OIDC login support for native SSH clients, and offers the option to launch our Zero Trust Universal SSH Key Manager from PrivX for future-proof enterprise SSH key management.

Containers have been around since 2013. Even though the technology itself is eight years old, many companies still consider it relatively modern, even futuristic, and its large-scale use has therefore been rather limited.
But as often is the case, a shift to something new is first gradual until it gains momentum.
We at SSH.COM launched our container support for our Zero Trust and just-in-time (JIT) privileged access management (PAM) solution PrivX two years ago at RSA. Since then, we have been developing the technology further together with our key customers.
Now, the first Kubernetes implementations are being deployed in customer environments, and we announced our first “container-first” privileged access management (PAM) deal just recently.
Companies at the cutting edge of technology are serious about securing their Kubernetes-orchestrated environments. Learn more about why a Fortune 500 company decided to implement our container-friendly PAM solution to secure their SSH connections to container environments.
PrivX 20 and secure Kubernetes orchestration

Building a solution that not only solves the problems that exist today but is also future-proof takes some first-mover courage. And now, there’s growing interest in solutions that allow customers not only to solve their current privileged access management (PAM) challenges, but to migrate from legacy to the future at their own pace.
Companies who are already running their applications and services in containers orchestrated by Kubernetes, or are planning to make the move in the future, can really benefit from the new deployment model of PrivX.
Running PrivX on Kubernetes takes full advantage of the PAM solution’s modern microservices architecture. Case in point: service-specific scalability can be done based on the load. For example, if there is a sudden spike in the number of concurrent SSH sessions needed, you only need to scale up the PrivX SSH proxies, instead of entire instances. The same logic applies to all other PrivX microservices.
Since PrivX saves resources by scaling up only the services needed at a particular time, it has a direct link to reducing costs. In an environment with thousands of users and thousands of dynamic hosts, these resource and cost savings are significant. There is no need to buy extra hardware or processing power to secure your environment. Instead, you can optimize the use of existing resources to the maximum with a containerized approach while still maintaining the required redundancy levels.
On-prem, cloud or hybrid: choose your deployment
Auto-scaling of PrivX instances has been available for cloud deployments (AWS, Azure, GCP) for a while, but with PrivX 20, this feature is now possible on your own hardware. The result is that high availability (HA) environments are easier to set up. With PrivX 20 you can run your container estate in the cloud, on-premises or as a hybrid, since you get the same level of performance and automation in both worlds.
Some generic benefits of running applications and services on Kubernetes apply to PrivX:
- Easy maintenance
- Monitoring and access management on the Kubernetes level
- Security isolation and immutability (see our post on access management and immutable infrastructure)
- Self-healing environments and resiliency
Running PrivX in container environments takes the already future-proof solution to the next level. Since we don’t live in an ideal world, we understand that customer environments host technologies at various stages of maturity. That is why the array of supported technologies in PrivX ranges all the way from legacy on-prem installations to cloud services to modern containers.
Passwordless, keyless and just-in-time access aligning with Zero Trust
PrivX builds you a path to passwordless, just-in-time (JIT) and Zero Trust access. Simply put, this means that your privileged users never handle or see any secrets when establishing a connection. In fact, the connection is made using short-lived, ephemeral certificates that are created just-in-time at the moment of the connection. They contain all the secrets needed for the session (like passwords), but after the connection is made, the certificates expire automatically.
This means that there are no credentials, passwords, keys or secrets to manage, lose or misuse! Furthermore, this approach radically reduces the overhead of managing secrets, since there are fewer of them to manage. With thousands of users and thousands of dynamic servers, the reduction in processing power is radical.
Because every new session is verified in the same fashion, PrivX aligns perfectly with Zero Trust: no one has permanent access to the environment.
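The ephemeral-certificate pattern described above, as an added example that is not SSH.COM's or PrivX's own code: stock OpenSSH ssh-keygen mints a user certificate valid for five minutes, bound to one principal and stripped of all but one extension, then decodes it so the validity window can be read back. The CA name, the user "alice" and the key ID are constructed for the demo.

```shell
#!/bin/sh
# Added example (not PrivX code): mint a short-lived OpenSSH user certificate
# with stock ssh-keygen, the same ephemeral-certificate pattern the text describes.
# All key names, the key ID and the principal "alice" are constructed for the demo.
set -eu

mint_and_inspect() {
  work=$(mktemp -d)
  # The CA private key is the trust anchor; in a PAM it never leaves the system.
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$work/ca"
  # User key pair; only the public half is handed to the CA for signing.
  ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$work/alice"
  # Sign for 5 minutes only (-V +5m), for one principal (-n), and with all
  # default extensions cleared except an interactive shell (-O clear -O permit-pty).
  # sshd rejects the certificate outside its validity window, so nothing has to
  # be revoked when the session ends.
  ssh-keygen -q -s "$work/ca" -I 'alice@session-1' -n alice \
    -V +5m -O clear -O permit-pty "$work/alice.pub"
  # Print the decoded certificate: type, key ID, validity window, principals.
  ssh-keygen -L -f "$work/alice-cert.pub"
  rm -rf "$work"
}

mint_and_inspect
```

The "Valid: from ... to ..." line in the output is the only thing a server needs to enforce expiry; compare it with the permit-X11-forwarding and agent-forwarding extensions that are absent because of `-O clear`.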
Environments vary in their technological maturity level. This is why PrivX comes equipped with a secrets vault for those contexts where passwordless authentication is not possible but you still need to vault secrets.
PrivX simply is your trusted and centralized gatekeeper to manage access to legacy and future-driven apps.
OIDC login support for native SSH clients
We highly recommend using browsers to make SSH connections, but in some cases there is a need to use native clients. That is why the support for native clients has been in PrivX for years.
In PrivX 11 we introduced the feature to use the bastion syntax for making SSH connections through PrivX. PrivX 18 made it possible to use native clients without a need to make any changes to existing commands or scripts (no need to use bastion syntax).
Now we bring OpenID Connect (OIDC) into the fold. With PrivX 20, it is possible to do a browser-based OIDC login and then use authorized keys to log in to the SSH bastion.
Zero Trust Universal SSH Key Manager and PrivX - better together
You might have noticed that we have aligned our entire solution portfolio with the Zero Trust and Just-in-Time frameworks. In release 20, it is possible to launch our enterprise key management solution, Universal SSH Key Manager, directly from the PrivX UI.
Our classic Universal SSH Key Manager (UKM) solution allows customers to take control of their large SSH key estates by discovering rogue keys and providing a complete view of how their keys are used. Customers can identify policy- or compliance-violating keys, find those that grant access from test to production or are still used by that 3rd party consultant who left the project two years ago – and then remedy the situation.
This solution is largely used by heavily-regulated and audited Fortune 500 companies with large, legacy key estates.
Zero Trust key management with just-in-time access
Our UKM Zero Trust solution not only allows customers to manage keys, but also significantly reduces the number of keys they need to manage in the first place. In this model, an SSH connection is no longer established using keys but with ephemeral certificates that are created just-in-time (JIT) and that contain the key secrets needed for the connection. If this sounds familiar, it's because I explained it just a few sections before!
So why bring certificate-based authentication to key management?
Think about the reduction in the management overhead in key estates that encompass tens or hundreds of thousands of keys and servers. With Fortune 500 companies, this is often the case. Even with the best solution on the market, we are talking about rotating thousands of keys per day!
When you gradually start moving to ephemeral access, you simply decrease the size and complexity of the risk you are trying to manage in the first place. It really boils down to the question: would you rather manage thousands of secrets by using more and more resources, or manage fewer of them without the need to add resources?
With the combined Just-in-Time Zero Trust solution of UKM and PrivX, you have a lot of bases covered: you manage, secure and vault those secrets (keys, API tokens, passwords, etc.) that you still have to, while you gradually start to migrate to a keyless and passwordless world. That's where the future is heading anyway.
PS. The PrivX project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 881221.
Esa Tornikoski is Product Manager for the PrivX and CryptoAuditor products. Esa joined SSH in late 2017. Before SSH he worked in product management roles at telecom and IT security companies (Elisa, F-Secure and Siemens). He has a Master of Science degree in Computer Science from Lappeenranta University of...