There are large numbers (even millions!) of unmanaged access credentials in practically every big enterprise network. Most of these credentials are SSH keys that are often self-provisioned by users. The lack of a central authority to oversee the process of issuing these credentials means there is no way to track credential lifecycles nor to ensure they are created according to policies and regulatory requirements.
What is UKM?
Universal SSH Key Manager® (UKM) is the ultimate software solution for enterprises in regulated and audited industries that must have an up-to-date SSH key inventory and full key lifecycle management to pass audits, stay compliant, and minimize the risk of data breaches cost-effectively.
Unlike competing solutions, UKM is process-driven, non-invasive, and agentless. This translates into fast deployment, efficient automation of SSH key management, and industry-leading ROI.
We recently released UKM version 2.3 with a set of new features that further improve its key management workflows, make policy violation detection even easier, and add customized views for users.
Below is a short breakdown of the most important new features and how they benefit users.
Improved SSH Key relocation workflow
Key remediation is a crucial phase in cleaning up the SSH Key environment from keys that should no longer be used or are obsolete. It includes:
- removing unused keys
- relocating keys to root owned directories
- updating and restricting authorizations
- renewing old, non-compliant keys
We tweaked the key relocation process a lot, and it can now be performed in three stages:
- Stage 1 - copying authorized keys to the root-owned location
- Stage 2 - updating the SSH server configuration to take the new SSH keys into account
- Stage 3 (optional) - removing the old keys
The benefit of this three-stage approach is that it gives network administrators more granular control over the key relocation process. They can verify that the user keys were successfully copied before proceeding with any configuration changes. Our recommendation is that you execute stage 3 only after a healthy transition period following stage 2, to ensure that you only delete the keys you really want to. But have no fear: if necessary, rolling back the process from stage 2 is now much more straightforward and faster.
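The three stages above, written out as POSIX shell functions. This is an added illustration, not UKM's own code: the home directory, key directory and sshd_config path are parameters (assumed layout) so the steps can be rehearsed in a scratch tree before touching /etc/ssh on a real host.

```shell
# Added example (not UKM code): the three relocation stages as shell
# functions. Paths are parameters so the steps can be rehearsed in a
# scratch directory before touching /etc/ssh on a real host.
set -eu

# Stage 1: copy the user's authorized_keys into the central, root-owned
# directory and verify the copy before any configuration change.
# usage: stage1_copy <user_home> <keydir> <user>
stage1_copy() {
  home=$1; keydir=$2; user=$3
  src="$home/.ssh/authorized_keys"
  [ -f "$src" ] || { echo "no authorized_keys for $user" >&2; return 1; }
  mkdir -p "$keydir"
  chmod 0755 "$keydir"
  cp "$src" "$keydir/$user"
  chmod 0644 "$keydir/$user"
  # only root can hand ownership to root; skipped when rehearsing unprivileged
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$keydir" "$keydir/$user"; fi
  cmp -s "$src" "$keydir/$user"
}

# Stage 2: make sshd read keys from the central location only.
# usage: stage2_config <sshd_config> <keydir>
stage2_config() {
  cfg=$1; keydir=$2
  # replace every existing AuthorizedKeysFile directive with the new one
  grep -v '^[[:space:]]*AuthorizedKeysFile' "$cfg" > "$cfg.new" || true
  echo "AuthorizedKeysFile $keydir/%u" >> "$cfg.new"
  mv "$cfg.new" "$cfg"
}

# Stage 3 (optional): remove the old per-user file, but only while the
# central copy still matches it, so no key is lost.
# usage: stage3_remove <user_home> <keydir> <user>
stage3_remove() {
  home=$1; keydir=$2; user=$3
  src="$home/.ssh/authorized_keys"
  if cmp -s "$src" "$keydir/$user"; then rm -f "$src"; else
    echo "central copy for $user differs; not removing" >&2; return 1; fi
}

# Rollback from stage 2: point sshd back at the per-user files.
# usage: rollback_stage2 <sshd_config>
rollback_stage2() {
  cfg=$1
  grep -v '^[[:space:]]*AuthorizedKeysFile' "$cfg" > "$cfg.new" || true
  echo "AuthorizedKeysFile .ssh/authorized_keys" >> "$cfg.new"
  mv "$cfg.new" "$cfg"
}
```

On a real host, validate the rewritten configuration with `sshd -t` and reload sshd after stage 2, then let the transition period run before stage 3.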
Highlighting policy violations
All big enterprises tend to have authorized but unmanaged SSH keys that existed before a solution like Universal SSH Key Manager was implemented, and our product is great at finding these keys by scanning the environment. Now we have made it easier for system administrators to highlight policy violations caused by keys that were recently created outside Universal SSH Key Manager workflows. This makes it easier for companies to stay compliant and to stop a nasty phenomenon called PAM bypass dead in its tracks. Privileged Access Management (PAM) solutions can be circumvented by using, for example, self-provisioned SSH keys. Learn more about PAM bypass here.
Customized User portal view
Since a typical enterprise network environment is extremely complicated, it is a good idea to share the burden of managing SSH keys that provide access to critical resources. That is why Universal SSH Key Manager comes with a User portal that enables the delegation of key remediation actions to the users who are responsible for certain applications and their related keys. In addition, the User portal provides a simple way to request and provision SSH-based access from a central point, in line with company security policies and with a full audit trail.
With release 2.3, application owners can select the information they want to see when listing private and authorized keys. This gives users more options to filter information based on their needs. The new functionality not only makes Universal SSH Key Manager more dynamic to use but also helps application owners make informed decisions when remediating keys in applications that they are responsible for.
Support for more environments
Since we are firm believers in allowing our customers to choose their preferred technologies, we decided to add a few more items to the list of technologies supported by Universal SSH Key Manager. These are support for:
- Oracle Real Application Clusters (RAC), which provides highly scalable and available database solutions used by enterprise customers for their business applications
- PostgreSQL 10
- FreeBSD as a target host
Bonus feature: containers
OK, this one is not really a part of the current release. But soon, Universal SSH Key Manager will support full key lifecycle management for container operating systems that host Docker. We think this is such a big deal that it deserves its own blog post, so please take a few minutes and read more right here.
The next step
So there you have it: more control over key management, policy violation prioritization and support for containers. Having read about these new and cool features, we know that you are just itching to get started on your journey towards taking control of your SSH key inventory. You are in the right place. Our expertise in understanding how big enterprises can solve their SSH key management issues and reduce the complexity of daily routines in access administration is simply unrivalled. We are the company that invented the SSH protocol. Talk to us. Getting started is easier than you might think with a free risk assessment.
Markku Rossi is CTO and responsible for R&D at SSH.COM. Markku was with SSH from 1998-2005 as a Chief Engineer and was a major contributor to the SSH software architecture. Prior to rejoining the company in 2015, he co-founded several companies such as Codento and ShopAdvisor, and served as CTO at Navicore and as...