November 27, 2018

SLAM the door shut on traditional privileged access management

Did you know that something as trivial-sounding as granting your developers or third parties access to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?

It’s all about a select group of people: those who have access to mission-critical data and those who manage that access. These people are often referred to as power users or privileged users. With traditional privileged access management (PAM) solutions, you grant that access to a resource per user and per host. And therein lies the problem.

Can you really handle multi-cloud and third parties, PAM?

In the age of the cloud, you have your consultants, third parties, temps, developers and whatnots who all need secure access with various levels of granularity and for different periods of time. Then you have the ever-mutating multi-cloud environment where virtual server instances are spawned and killed at a moment’s notice.

All this creates a chain of work that is impossible to maintain manually: linking the user identities with the right level of access, configuring the user devices to open that access and configuring the servers to approve that access. And you have to rinse and repeat if there’s just one change along the way, like a new server, an employee changing teams, new devices or a new security policy.

We’ve already seen the results. Granting access might take up to two days, companies lose visibility into who has access to what resource and with what rights, you have externals running wild and there are leave-behind credentials that are “finders, keepers.”


It’s time to SLAM your PAM!

At SSH.COM, we believe the way to solve the problem is to take the traditional privileged access management functionality but strip it of bloatware and put it on steroids. We’ve designed an access authority that stands between users and hosts and builds a trust relationship between them. It also automates the bulk of access administration work and stays immune to changes in your front-end and back-end.

Today, I’m going to name it, right now, in front of you, just for you: Super Lean Access Management for privileged users (SLAM).

With SLAM, you get user identities from your corporate directory or identity management system (AD/LDAP). Automatically. SLAM!


Those identities are already associated with groups, so all your admin needs to do is associate those groups with roles that define the level of access each role carries. Then the admin deploys the role configuration to your multi-cloud environment. Once. SLAM!

New users and cloud instances are discovered automatically after that. Your multi-cloud can change, you can scale your host needs up or down, and SLAM just keeps you up-to-date automatically. SLAM!

The user then logs in via SLAM and is instantly served the servers she has access to, and nothing else. One click and she’s in. SLAM!

Did you notice that I didn’t say anything about user-client configuration? It’s because there isn’t any! This means that the user can change roles, teams or clients at will with no effect whatsoever on ease of access, and the admin has nothing to manage either. SLAM!


Say no to password vaults and credentials. SLAM backdoors shut.

With traditional PAM, you have to configure access per user and per host. SLAM is the quiet central authority that checks the legitimacy of each access using unique, short-lived access tokens: on every connection it verifies that the user is legitimate and that she has the right to access that host at that moment. Access is never permanent; it stays open only for as long as it has a valid purpose.


If you remove a user from your AD or LDAP, the connection terminates automatically within 60 seconds. The same is true if the user logs out. You can also define the allocated access time in advance for external contractors (for example, 12 hours). This means you never have access backdoors left open indefinitely through negligence.

Your users don’t exchange USB sticks or SSH keys, the go-to methods in the traditional world. There are no password vaults that are a target for attack and no passwords that need rotating. The session is encrypted, but the technology is hidden from the user: it is there to secure access, not to cause friction. In fact, credentials are not used at all in the traditional sense of the word. SLAM!
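To make the two mechanisms described above concrete (directory groups mapped once to roles and hosts, and connections authorised by short-lived, host-bound tokens that a periodic re-check can terminate), here is a small Python sketch of such a central authority. It is an added illustration written for this page, not PrivX code: the HMAC-signed token format, the 60-second token lifetime and re-check interval, and the sample directory, roles and host inventory are all assumptions chosen to mirror the description, and the real product uses its own formats.

```python
"""Toy central access authority: AD/LDAP groups -> roles -> hosts, with
ephemeral, host-bound tokens and periodic re-validation of open sessions.
Illustration only; the data, token format and timings are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the corporate directory (AD/LDAP): user -> groups.
DIRECTORY = {"alice": {"sre"}, "bob": {"contractors"}}

# Role configuration, deployed once. A role is granted to directory groups,
# reaches hosts matched by name patterns, and caps how long a grant may live
# (the 12-hour contractor window from the text is modelled as max_ttl).
ROLES = {
    "admin":      {"groups": {"sre"},         "hosts": {"db-*", "web-*"}, "max_ttl": 8 * 3600},
    "contractor": {"groups": {"contractors"}, "hosts": {"web-*"},         "max_ttl": 12 * 3600},
}

# Constructed host inventory; stands in for what automatic discovery returns.
HOSTS = {"web-1", "web-2", "db-1"}


def _host_matches(pattern, host):
    """Exact name or trailing-wildcard prefix match, e.g. 'web-*'."""
    return host == pattern or (pattern.endswith("*") and host.startswith(pattern[:-1]))


def roles_for(user):
    """Roles follow from group membership alone; nothing is configured per user."""
    groups = DIRECTORY.get(user, set())
    return {name for name, cfg in ROLES.items() if cfg["groups"] & groups}


def hosts_for(user):
    """The host list a user is served at login, derived purely from her roles."""
    patterns = {p for r in roles_for(user) for p in ROLES[r]["hosts"]}
    return sorted(h for h in HOSTS if any(_host_matches(p, h) for p in patterns))


class AccessAuthority:
    """Sits between users and hosts; nothing is provisioned on the host itself."""
    TOKEN_TTL = 60        # seconds a connect token stays valid (assumed)
    RECHECK_INTERVAL = 60  # how often an open session is re-validated (assumed)

    def __init__(self, secret):
        self.secret = secret  # authority-side signing key (assumed HMAC scheme)

    def _sign(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).hexdigest()

    def issue(self, user, host, now):
        """Return a short-lived token for (user, host), or None if not authorised."""
        roles = [r for r in roles_for(user)
                 if any(_host_matches(p, host) for p in ROLES[r]["hosts"])]
        if host not in HOSTS or not roles:
            return None
        claims = {"sub": user, "host": host, "roles": sorted(roles), "iat": now,
                  "exp": now + self.TOKEN_TTL,
                  "grant_end": now + max(ROLES[r]["max_ttl"] for r in roles)}
        body = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body)

    def verify(self, token, host, now):
        """Connect-time check: intact signature, not expired, bound to this host."""
        try:
            b64, sig = token.split(".")
            body = base64.urlsafe_b64decode(b64)
        except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        claims = json.loads(body)
        if claims["host"] != host or now >= claims["exp"]:
            return None
        return claims

    def session_alive(self, claims, now):
        """Run every RECHECK_INTERVAL for an open session. A user deleted from the
        directory, or stripped of every qualifying role, loses the session within
        one interval; a time-boxed grant ends when grant_end passes."""
        if claims["sub"] not in DIRECTORY:
            return False
        if not roles_for(claims["sub"]).intersection(claims["roles"]):
            return False
        return now < claims["grant_end"]


if __name__ == "__main__":
    auth = AccessAuthority(b"authority-signing-key")  # assumed secret
    now = int(time.time())
    print("alice sees:", hosts_for("alice"))
    print("bob sees:", hosts_for("bob"))
    tok = auth.issue("bob", "web-1", now)
    print("bob -> web-1 claims:", auth.verify(tok, "web-1", now))
    print("bob -> db-1 token:", auth.issue("bob", "db-1", now))
```

Two things worth noticing in this sketch. The host never holds a per-user credential: it only needs the authority's verification key, so adding a user, a host or a role touches the role table, not the fleet. And the "within 60 seconds" guarantee is exactly the re-check interval; revocation latency is bounded by how often `session_alive` runs, so the directory becomes the single control point for privileged access and its integrity and change auditing deserve matching care.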

The lean alternative to the PAMdemonium out there

You are thinking about a massive IT project, aren’t you? Remember the bit about stripping down the bloat? We are serious about this.

All it takes is one day to deploy our solution and you are ready to go. If your business needs change, just add a few more cloud instances and you’ve scaled up your privileged access. Our software updates automatically, so you never have obsolete agents with serious security holes in them on the client or the host. That’s maintenance made easy.

Video showing RDP admin workflow

You take a huge burden off your access admins’ backs. Your developers can focus on being productive instead of waiting for access. Your cloud set-up, staff roster and infrastructure in general can change as much as you need. Changes are always just a few clicks away.

The result is that you don’t just “manage access”: you take control of the whole privileged access lifecycle and put your business velocity on overdrive all at once. The best part is that you’ve made operations faster, smoother and more secure instead of adding complexity. Sometimes you can have it all!

Oh yeah, the bad boy that makes the magic happen is not really called SLAM. It’s called PrivX. Read about its latest features here!

Tag(s): PAM , multi-cloud , RBAC

Markku Rossi

Markku Rossi is CTO and responsible for R&D at SSH.COM. Markku was with SSH from 1998-2005 as a Chief Engineer and was a major contributor to the SSH software architecture. Prior to rejoining the company in 2015, he co-founded several companies such as Codento and ShopAdvisor, and served as CTO at Navicore and as...
