Customer case studies

A Fortune 500 company secures access to container environments

Premise: The customer, a global Fortune 500 corporation, operates primarily in the cloud and offers services purely online. The company has a large container estate orchestrated with Kubernetes. Generally, the company’s environment is dynamic and complex with thousands of access connections to manage.

The customer was planning to expand their containers within the organization. However, they realized that while their container setup is a great fit, they lack in secure access management. Therefore, they started looking for a solution that would help to manage access in their agile, modern environment.

Challenge: The company had several requirements – primarily, they wanted to keep the changes to their environment to a minimum. They wanted to keep their Kubernetes orchestration in-house. So, the solution needed to support on-premises installations and offer highly dynamic and automated functions that are native to container solutions. Also, the customer wished to maintain their target information in the Forgerock Identity management system (IDM), so they can automate the transfer of user identity information between identity domains and IT systems.

Based on the requirements, the customer identified PAM solutions as the desired category, but they struggled to find a solution that would be mature and complex enough to support their needs.

Change: At last, the company came across the PrivX PAM solution. As PrivX is built on modern microservices architecture, it is possible to run the solution on Kubernetes. This further allows the customer to run their PAM at the same speed, scalability, and automation as they were used to previously. The microservice architecture of PrivX allows the customer to scale or update only the functions they currently need, instead of scaling or updating the entire instance hosting the function. This is particularly important in container environments which are extremely dynamic.

PrivX also works in line with the customer’s IDM requirement – it allows users to get access to the target based on their roles. Their IDs, roles, and target information are in sync. Additionally, PrivX is a passwordless and keyless solution which means that users don’t handle or see any credentials or keys.

Thanks to PrivX, the customer was able to save resources and regain control of their critical data. Additionally, they were provided with expert advice and technical support during planning and deployment.

Third-party risk mitigation in three days

Premise: The customer is one of the largest network providers throughout the entire Asia-Pacific region. They support residential as well as enterprise consumers with innovative telecom solutions that allow users to configure and manage their home wireless service from any device.

The customer approached one of their third-party integration partners to help them design, develop, manage, and maintain their wireless network solution. However, the partner needed secure access to the customer’s IT infrastructure and cloud platforms.

Challenge: The customer needed to grant secure access not just to the third-party partner, but also to other actors, like software developers, network operators, and customer operation teams. Without a PAM solution, all of them would log into the customer’s servers with simple user accounts and passwords. This direct access, via using passwords, would pose a serious security risk, as passwords can be easily shared and are hard to monitor.

Additionally, the organization had a tight development and implementation plan and needed a fast-to-implement solution.

Change: The involved partner recommended a solution that is, based on their own experience, secure, fast, and easy to manage – PrivX PAM solution by SSH.COM.

PrivX offers fast, one-click access into any IT environment. The solution also provides strong, secure access management. As SSH or RDP connections are established via one-use-only ephemeral certificates, no passwords are needed. Therefore, no passwords can be shared. Access to the servers can be secured even more through multifactor authentication, and additional monitoring can be done via PrivX’s auditing feature that provides audit logs, session tracking, and session recording.

Lastly, PrivX enables rapid deployment – it was up and running within the customer’s environment in just three days. It integrates with corporate directories (like Active Directory, LDAP, and OpenID) or with identity management software and stays in sync with any updates in the identities or their authorizations.

Secure access for robots to critical data

Premise: MOST Digital, a technology consultancy company, focuses on automating routine, workday tasks, like filing reports, updating documentation, or sending emails. They provide robotics-as-a-service (RaaS) solutions to more than 200 major companies.

To connect to customer environments, the company previously used VPN tunnels and jump hosts, but they found this system to be difficult to manage. So, they started looking for a simpler access management solution.

Challenge: MOST Digital needs to orchestrate secure access to customers’ systems not just for their staff and robots, but also for other third-party actors. Also, their customers might use cloud-based or hybrid environments or they have on-site infrastructure only. MOST Digital must make sure that their robots can connect to all these kinds of environments with access restricted only to internal customer systems. MOST Digital must ensure that the access is provided only to the required target systems.

At the same time, developers also need to interact with multiple cloud-based systems within owned and clients’ IT environments. Therefore, a crucial requirement for the new solution was that it needs to simplify and quicken the process. In addition, the developers handle sensitive customer data, so security and monitoring capabilities were high on the requirements list too.

Change: When MOST Digital came across the PrivX lean PAM solution, they wanted to test the solution first. The test proved to the company that PrivX provides exactly the simplicity, speed, and security they needed. Setting up the test environment itself took only four hours, and once the company decided to fully implement the solution, they were able to retrieve data they already used during the test.

Another feature of PrivX that was proven to be extremely useful is its auditing and monitoring feature. MOST Digital needs to demonstrate to their customers what they’ve done in their systems and with their data – this is exactly what PrivX’s audit logs and tracking provide.

Streamlined access management & session monitoring

Premise: The customer is a department of the Hong Kong government with a large workforce and frequent access changes due to internal transfers, promotions, and new hires. They manage thousands of connections, access requests, and access changes coming from employees, third-party vendors, associates, and partners. To manage their access systems and comply with auditing requirements, the organization previously used two separate solutions for access management and session monitoring.

However, the system has proven to be costly, time-consuming, and unreliable. Therefore, the customer started looking for a lean PAM solution, which would also include monitoring, to replace their outdated password sharing system.

Challenge: The client required a solution that would allow simplified access management for employees as well as third-party actors. The solution also had to offer a way to streamline the access requests and approval workflow. Additionally, the customer was looking for a solution that would allow easy integration with their native tools (including Putty and RDP Client) to prevent end users from having to change their behavior.

Change: The PrivX solution allowed the customer to modernize and simplify their access management and improved their monitoring capabilities.

PrivX utilizes an agentless approach which helped the customer to decrease the time investment and costs needed to manage their access management system. The solution minimizes the amount of manual updating required and introduces a new way of defining access based on roles (compared to access for specific individuals). This way, frequent changes of personnel as well as access for third-party actors could be handled easily and securely.

Also, PrivX utilizes a password-less approach that allowed the customer to adopt a secure access management system based on ephemeral certificates. Rather than traditional passwords that need to be kept in a password vault, which involves expensive maintenance.

Lastly, the required session monitoring helps the organization to record access traffic, create full audit logs, and analyze user behavior in search for potential security issues. The monitoring feature also proved to be useful during the development of training materials for new hires.

Global IoT device provider ensures secure maintenance

Premise: The customer is a manufacturer of home appliances with a turnover of +10 billion euros, +50 thousand employees, +35 factories worldwide, and headquarters in Europe. The company’s portfolio includes more than 10 well-known appliance brands.

The customer has service and Quality Assurance (QA) staff all over the world and they need secure access to consumers’ devices, also located all over the globe. Therefore, the company was looking for a solution that would allow their staff secure access to the target devices.

Challenge: The QA staff was previously sharing a “golden key” that provides access to all target IoT devices. However, this approach is extremely risky as it offers no identification of the staff nor tracking of the usage of the key. Thus, the company wanted to increase their security and reduce risks connected to the sharing of the key, all while maintaining the flexibility and efficiency of using golden keys.

Change: At first, the customer wanted to solve the challenge in-house, but it turned out to be bigger than they anticipated. Then they came across our PrivX Privileged Access Management (PAM) solution.

With PrivX, the customer ensures that their QA staff is able to provide maintenance to the IoT devices as easily as before, but without handling, sharing, or seeing keys anymore. The company still uses golden keys, but only a few QA admins have access to the vault. So, the keys don’t need to be changed or rotated anymore.

Additionally, all sessions are identified and tracked, and the QA Engineers are assigned the right role for the task at hand at login. The golden key is safe from misuse, accidental misconfigurations, or ending up in the hands of bad actors looking to steal intellectual property.

Stock trading company passing audits after a swift PrivX Zero Trust deployment

Premise: The customer is a successful finance and stock trading company that offers their customers an intuitive online brokerage platform and specializes in East Asian trades. As the company operates in the financial sector, they are regularly subject to strict audits and security checks to ensure they follow regulations.

Challenge: The client previously used a traditional password sharing approach to manage access to their systems. A system administrator had to give users the login details and to prevent misusage of the credentials, they were regularly changed. This approach was time-consuming, resource-intensive, and not secure.

Additionally, monitoring of this kind of access is difficult – the client previously used log records that allowed them to see who logged into the system and when, but they couldn’t see what actions were taken. The system also wasn’t able to accurately distinguish between users, as a lot of them logged in under the same credentials.

Change: PrivX helped the customer to shift away from password sharing and implement a passwordless approach, using ephemeral certificates authentication and MFA. PrivX also gives the customer a complete and comprehensive record of all changes made in their digital systems which improves security, makes identifying problems easier, and simplifies the required audits. Like this, monitoring of users’ access is easy, as all users are tracked based on their individual authentications. PrivX also allows for access to be set up based on roles, with just-in-time, temporary access rights. Once the given time period is over, the access is automatically revoked.

Lastly, the customer benefited from a swift deployment of PrivX which took only two weeks, compared to other PAM solutions that might take up to several months to implement.

Leading university centralizes and standardizes access management to improve security

Premise: The customer, one of the most prestigious universities in Hong Kong, works with an exceptionally high number of third-party vendors, contractors, and users. The university is structured into independent departments and to receive access to the university systems, the departments and third-party actors were sharing passwords.

Challenge: Despite the high demand for access, the process of receiving access to the systems was decentralized and complicated. Each department had their own request and approval workflows, which were handled manually. That was also complicated for third-party vendors who needed to work with various departments – each request and access process was different.

On top of that, sharing passwords was not secure nor ideal for the educational institution. The university also lacked the ability to track and record who was accessing their systems.

Change: The university decided to introduce PrivX to their systems, to standardize access management across departments, improve security, and enable role-based access.

PrivX solved the password sharing issue, as it utilizes a password-free approach to access management. The departments now use ephemeral certificates, instead of passwords, and users are authenticated through MFA to ensure that only approved users are granted access.

PrivX also helped to centralize access management for the various departments, as it allows for access requirements to be tailored to each department’s needs. Admins at each department can define various degrees of access and assign appropriate roles internally as well as externally. This system is also easier for the third-party actors, as now they can request access for various departments in exactly the same way.

The PrivX solution also offers session monitoring, so the university can now track and record who received access, who granted the approval, what actions were taken in the systems, etc.

Secure role-based access for maintenance engineers

Premise: The customer is a leading manufacturing company operating in the field of industrial equipment. As a part of their services, the business offers remote maintenance of their operational technology (OT) devices.

The customer is using multiple connection protocols (including SSH, RDP, and VNC) that were previously managed via a combination of VPN- and firewall-based security controls.

Challenge: The prior security controls lacked granularity and functionality that the customer needs to be able to provide their services easily and securely. The previous solution lacked transparency and proper auditing capabilities. There was a clear need for a lean and easy-to-use solution that would provide secure access between the cloud, customer facilities, and end-target devices.

Change: The access to OT target devices is now done via the PrivX OT Edition solution, which is utilized as a part of the customer’s own service business. Maintenance engineers have access to over 30k devices in various customer environments in a fast and secure way. They are granted just enough access (JEA) in a just-in-time (JIT) fashion.

The PrivX OT solution provides the customer with a centralized management system that ensures increased, layered security. The system also provides improved verification capabilities to identify and authenticate users, without the end-users seeing any of the vaulted secrets. Additionally, the customer can audit and monitor maintenance-related sessions through optional sessions recording.

Secure Remote Access (SRA) in the forest industry

Premise: The customer is a manufacturer of fiber products, wood products, molecular bioproducts, and low-emission energy for the forest industry. They have more than 50 sites in 12 countries around the globe.

Challenge: With their multiple production sites, the business needed a transparent remote access solution, so their trusted vendors can access the sites securely. The customer had several clear requirements, including the need for an efficient and reliable approval process for session requests, limitations to view other vendor options when requesting access, or capability for each site to manage their own access and approval processes.

Change: The customer selected PrivX by SSH as their secure remote access solution. We at SSH worked very closely with the customer to achieve their objectives, including the development of new features not existing in the proposed solution.

Finance compliance audit success

Premise: The customer is a global bank whose brand is associated with trust and prosperity. Therefore, protecting the brand, passing internal as well as external audits, and having control over trusted access are essential.

However, when the customer ran an internal audit, it revealed an SSH keys vulnerability. The company’s developers were able to bypass existing privileged access management (PAM) solutions due to the unmanaged state of SSH keys. The bank immediately started looking for a solution that would help them regain full control over their SSH keys.

Challenge: Due to large server volumes, heterogeneous platforms, and wide software and vendor diversity, the customer’s IT environment requires strict SSH key management. So, the needed solution had to be deployed with minimal disruptions to the existing processes and operations. In other words, the deployment had to be risk-free and non-disruptive.

Additionally, the customer required not just strong expertise in the field, but also consultation and assistance services during planning, deployment, and rollout of the solution.

Change: SSH, as the original inventor of the SSH protocol, was a clear source of expertise for the customer. Also, due to the complexity of the environment and the strict requirements, SSH’s solution and services were a clear choice.

The PrivX Key Manager solution focuses on workflows for keys management, compared to competing solutions that are based on certificate management systems retrofitted for SSH keys. PrivX Key Manager discovers the trust relationships, monitors the usage of SSH keys, remediates the access to comply with policy, and manages the SSH-based access centrally. All this allowed the customer to regain control over the entire trusted access lifecycle.

Prevent PAM bypass and regain control

Premise: The customer, one of the largest banks in the world, was notified about a security and compliance issue discovered during an external audit.

The bank was using OpenSSH to manage their mission critical transactions. However, the audit showed that they need a new solution to handle their identity and access controls for application-to-application access and privileged users.

Challenge: The audit revealed a lack of governance over SSH keys, which grant access to critical systems and enable functions crucial to many banking operations. The unmanaged access system was violating compliance mandates (MAS and SOX) and posed a huge threat to the existence of the bank.

The customer needed a solution that would come with advice, support, and field expertise, so they can design and implement the solution quickly and efficiently. The bank realized that they don’t have sufficient expertise in-house, therefore, they turned to external vendors.

Change: The customer selected SSH to help them manage the challenge. Firstly, they deployed the SSH Key Discovery tool to see what the actual scope of the issue is. The institution had over 1.5 million SSH user keys, including more than 150 thousand keys granting root access, but without a clear track of who was in possession of those private keys.

Based on the discoveries, they implemented the PrivX Key Manager solution. PrivX Key Manager offers the bank monitoring and auditing features – they can easily monitor key usage, and outdated keys can be automatically removed. PrivX Key Manager also actively monitors the environment and alerts administrators in case a policy violation occurs.

Data Access, Data Protection, and Secure Data Intake

Sensitive Data Intake, Processing, and Storing