Bridging the Trusted Access Security Gap
Identity and access are vitally important to business continuity. Present identity and access management (IAM) solutions address these issues for end-users but fall short in addressing trusted access - the automated and privileged access by systems, administrators, developers, outsourcing partners, and other privileged users.
Today, the SSH protocol enables and controls trusted access for every Fortune 500 company and thousands of other organizations across the globe. The SSH protocol makes extensive use of SSH keys, which are effective and easy to create. These keys have proliferated unmanaged for so long that they often outnumber users tenfold. A typical large enterprise with 10,000+ servers is likely to have over 1 million SSH keys at large in its environment.
Trusted Access Security Gap
These unmanaged SSH keys have become so widespread they have been identified as “a gaping hole in your Identity & Access Management strategy” by IDC.
For most organizations, the widening “security gap” problem is twofold:
- Corporate IT teams lack an efficient way to manage and govern the large number of keys and access credentials that have proliferated unchecked throughout their organization.
- While the encrypted SSH protocol is secure, it provides IT teams with zero visibility into the appropriateness and security of the trusted network traffic.
Lack of Visibility, Control, Governance
It is estimated that trusted identities comprise as much as 80% of all enterprise identities - yet they typically receive little to no centralized management or monitoring (Gartner). This 80% of identities and credentials represents access that is unknown, unmanaged, and (in most cases) “under the radar” of present controls.
Trusted access with the SSH protocol is typically provisioned and used by IT administrators, developers, and automated processes that run unseen and below the access controls that govern normal IT users. The majority of privileged access is outside the visibility, control, and governance of anyone but the privileged users themselves. This is a clear violation of security policy and the various legal and regulatory compliance mandates.
This lack of control is problematic and potentially dangerous for enterprises and government agencies alike. Regulations mandate appropriate management of trusted access and demand security compliance, especially so in critical infrastructure.
Gaping hole in IAM
The issues described above have created what IDC calls a gaping hole [in IAM strategy]. SSH Communications Security has unparalleled information security expertise - we bridge the trusted access security gap.