A Fortune 500 company secures access to containers
Premise: The customer, a global Fortune 500 corporation, operates primarily in the cloud and offers services purely online. The company has a large container estate orchestrated with Kubernetes. Generally, the company’s environment is dynamic and complex with thousands of access connections to manage.
The customer was planning to expand their use of containers within the organization. However, they realized that while their container setup was a great fit, they lacked secure access management. Therefore, they started looking for a solution that would help them manage access in their agile, modern environment.
Challenge: The company had several requirements – primarily, they wanted to keep changes to their environment to a minimum. They wanted to keep their Kubernetes orchestration in-house, so the solution needed to support on-premises installations and offer the highly dynamic, automated functions that are native to container solutions. Also, the customer wished to maintain their target information in the ForgeRock Identity Management (IDM) system, so they could automate the transfer of user identity information between identity domains and IT systems.
Based on these requirements, the customer identified PAM solutions as the desired category, but they struggled to find a solution that was mature and sophisticated enough to support their needs.
Change: Eventually, the company came across the PrivX PAM solution. As PrivX is built on a modern microservices architecture, it is possible to run the solution on Kubernetes. This allows the customer to run their PAM with the same speed, scalability, and automation they were used to. The microservice architecture of PrivX allows the customer to scale or update only the functions they currently need, instead of scaling or updating the entire instance hosting the function. This is particularly important in container environments, which are extremely dynamic.
PrivX also works in line with the customer’s IDM requirement – it allows users to get access to targets based on their roles. Their IDs, roles, and target information are kept in sync. Additionally, PrivX is a passwordless and keyless solution, which means that users don’t handle or see any credentials or keys.
Thanks to PrivX, the customer was able to save resources and regain control of their critical data. Additionally, they were provided with expert advice and technical support during planning and deployment.
Third-party risk mitigation in three days
Premise: The customer is one of the largest network providers in the entire Asia-Pacific region. They serve residential as well as enterprise customers with innovative telecom solutions that allow users to configure and manage their home wireless service from any device.
The customer approached one of their third-party integration partners to help them design, develop, manage, and maintain their wireless network solution. However, the partner needed secure access to the customer’s IT infrastructure and cloud platforms.
Challenge: The customer needed to grant secure access not just to the third-party partner, but also to other actors, like software developers, network operators, and customer operations teams. Without a PAM solution, all of them would log into the customer’s servers with simple user accounts and passwords. Such direct, password-based access would pose a serious security risk, as passwords can be easily shared and are hard to monitor.
Additionally, the organization had a tight development and implementation plan and needed a fast-to-implement solution.
Change: The involved partner recommended a solution that is, based on their own experience, secure, fast, and easy to manage – PrivX PAM solution by SSH.COM.
PrivX offers fast, one-click access into any IT environment. The solution also provides strong, secure access management. As SSH or RDP connections are established via one-use-only ephemeral certificates, no passwords are needed. Therefore, no passwords can be shared. Access to the servers can be secured even more through multifactor authentication, and additional monitoring can be done via PrivX’s auditing feature that provides audit logs, session tracking, and session recording.
Lastly, PrivX enables rapid deployment – it was up and running within the customer’s environment in just three days. It integrates with corporate directories (like Active Directory, LDAP, and OpenID) or with identity management software and stays in sync with any updates in the identities or their authorizations.
Global IoT device provider ensures secure maintenance
Premise: The customer is a manufacturer of home appliances with a turnover of over 10 billion euros, more than 50 thousand employees, more than 35 factories worldwide, and headquarters in Europe. The company’s portfolio includes more than 10 well-known appliance brands.
The customer has service and Quality Assurance (QA) staff all over the world and they need secure access to consumers’ devices, also located all over the globe. Therefore, the company was looking for a solution that would allow their staff secure access to the target devices.
Challenge: The QA staff previously shared a “golden key” that provides access to all target IoT devices. This approach is extremely risky, as it neither identifies the staff member using the key nor tracks its usage. Thus, the company wanted to increase their security and reduce the risks connected to sharing the key, all while maintaining the flexibility and efficiency of using golden keys.
Change: At first, the customer wanted to solve the challenge in-house, but it turned out to be bigger than they anticipated. Then they came across our PrivX Privileged Access Management (PAM) solution.
With PrivX, the customer ensures that their QA staff is able to provide maintenance to the IoT devices as easily as before, but without handling, sharing, or seeing keys anymore. The company still uses golden keys, but only a few QA admins have access to the vault. So, the keys don’t need to be changed or rotated anymore.
Additionally, all sessions are identified and tracked, and the QA Engineers are assigned the right role for the task at hand at login. The golden key is safe from misuse, accidental misconfigurations, or ending up in the hands of bad actors looking to steal intellectual property.
Stock trading company passing audits after a swift PrivX Zero Trust deployment
Premise: The customer is a successful finance and stock trading company that offers their customers an intuitive online brokerage platform and specializes in East Asian trades. As the company operates in the financial sector, they are regularly subject to strict audits and security checks to ensure they follow regulations.
Challenge: The client previously used a traditional password-sharing approach to manage access to their systems. A system administrator had to hand users the login details, and the credentials were changed regularly to prevent misuse. This approach was time-consuming, resource-intensive, and not secure.
Additionally, monitoring of this kind of access is difficult – the client previously used log records that allowed them to see who logged into the system and when, but they couldn’t see what actions were taken. The system also wasn’t able to accurately distinguish between users, as a lot of them logged in under the same credentials.
Change: PrivX helped the customer shift away from password sharing and implement a passwordless approach, using ephemeral certificate authentication and MFA. PrivX also gives the customer a complete and comprehensive record of all changes made in their digital systems, which improves security, makes identifying problems easier, and simplifies the required audits. As a result, monitoring users’ access is easy, as all users are tracked based on their individual authentications. PrivX also allows access to be set up based on roles, with just-in-time, temporary access rights. Once the given time period is over, the access is automatically revoked.
Lastly, the customer benefited from a swift deployment of PrivX which took only two weeks, compared to other PAM solutions that might take up to several months to implement.
Leading university centralizes and standardizes access management to improve security
Premise: The customer, one of the most prestigious universities in Hong Kong, works with an exceptionally high number of third-party vendors, contractors, and users. The university is structured into independent departments, and to gain access to the university systems, the departments and third-party actors were sharing passwords.
Challenge: Despite the high demand for access, the process of receiving access to the systems was decentralized and complicated. Each department had their own request and approval workflows, which were handled manually. That was also complicated for third-party vendors who needed to work with various departments – each request and access process was different.
On top of that, sharing passwords was neither secure nor ideal for the educational institution. The university also lacked the ability to track and record who was accessing their systems.
Change: The university decided to introduce PrivX to their systems, to standardize access management across departments, improve security, and enable role-based access.
PrivX solved the password sharing issue, as it utilizes a password-free approach to access management. The departments now use ephemeral certificates, instead of passwords, and users are authenticated through MFA to ensure that only approved users are granted access.
PrivX also helped to centralize access management for the various departments, as it allows for access requirements to be tailored to each department’s needs. Admins at each department can define various degrees of access and assign appropriate roles internally as well as externally. This system is also easier for the third-party actors, as now they can request access for various departments in exactly the same way.
The PrivX solution also offers session monitoring, so the university can now track and record who received access, who granted the approval, what actions were taken in the systems, etc.
Secure role-based access for maintenance engineers
Premise: The customer is a leading manufacturing company operating in the field of industrial equipment. As a part of their services, the business offers remote maintenance of their operational technology (OT) devices.
The customer uses multiple connection protocols (including SSH, RDP, and VNC) that were previously managed via a combination of VPN- and firewall-based security controls.
Challenge: The prior security controls lacked the granularity and functionality the customer needed to provide their services easily and securely. The previous solution also lacked transparency and proper auditing capabilities. There was a clear need for a lean and easy-to-use solution that would provide secure access between the cloud, customer facilities, and end-target devices.
Change: The access to OT target devices is now done via the PrivX OT Edition solution, which is utilized as a part of the customer’s own service business. Maintenance engineers have access to over 30k devices in various customer environments in a fast and secure way. They are granted just enough access (JEA) in a just-in-time (JIT) fashion.
The PrivX OT solution provides the customer with a centralized management system that ensures increased, layered security. The system also provides improved verification capabilities to identify and authenticate users, without the end users seeing any of the vaulted secrets. Additionally, the customer can audit and monitor maintenance-related sessions through optional session recording.
Secure Remote Access (SRA) in the forest industry
Premise: The customer is a manufacturer of fiber products, wood products, molecular bioproducts, and low-emission energy for the forest industry. They have more than 50 sites in 12 countries around the globe.
Challenge: With their multiple production sites, the business needed a transparent remote access solution, so their trusted vendors could access the sites securely. The customer had several clear requirements, including an efficient and reliable approval process for session requests, preventing vendors from seeing other vendors’ options when requesting access, and the capability for each site to manage its own access and approval processes.
Change: The customer selected PrivX by SSH as their secure remote access solution. We at SSH worked very closely with the customer to achieve their objectives, including the development of new features not existing in the proposed solution.
Finance compliance audit success
Premise: The customer is a global bank whose brand is associated with trust and prosperity. Therefore, protecting the brand, passing internal as well as external audits, and having control over trusted access are essential.
However, when the customer ran an internal audit, it revealed an SSH key vulnerability: the company’s developers were able to bypass the existing privileged access management (PAM) solutions because the SSH keys were unmanaged. The bank immediately started looking for a solution that would help them regain full control over their SSH keys.
Challenge: Due to large server volumes, heterogeneous platforms, and wide software and vendor diversity, the customer’s IT environment requires strict SSH key management. So, the needed solution had to be deployed with minimal disruptions to the existing processes and operations. In other words, the deployment had to be risk-free and non-disruptive.
Additionally, the customer required not just strong expertise in the field, but also consultation and assistance services during planning, deployment, and rollout of the solution.
Change: SSH.COM, as the original inventor of the SSH protocol, was a clear source of expertise for the customer. Also, due to the complexity of the environment and the strict requirements, SSH.COM’s solution and services were a clear choice.
The Universal SSH Key Manager (UKM) solution focuses on key management workflows, compared to competing solutions that are based on certificate management systems retrofitted for SSH keys. UKM discovers the trust relationships, monitors the usage of SSH keys, remediates access to comply with policy, and manages SSH-based access centrally. All this allowed the customer to regain control over the entire trusted access lifecycle.
Prevent PAM bypass and regain control
Premise: The customer, one of the largest banks in the world, was notified about a security and compliance issue discovered during an external audit.
The bank was using OpenSSH to manage their mission-critical transactions. However, the audit showed that they needed a new solution to handle identity and access controls for application-to-application access and privileged users.
Challenge: The audit revealed a lack of governance over SSH keys, which grant access to critical systems and enable functions crucial to many banking operations. The unmanaged access system was violating compliance mandates (MAS and SOX) and posed a huge threat to the existence of the bank.
The customer needed a solution that would come with advice, support, and field expertise, so they can design and implement the solution quickly and efficiently. The bank realized that they don’t have sufficient expertise in-house, therefore, they turned to external vendors.
Change: The customer selected SSH.COM to help them manage the challenge. Firstly, they deployed the SSH Key Discovery tool to establish the actual scope of the issue. The institution had over 1.5 million SSH user keys, including more than 150 thousand keys granting root access, but without a clear record of who was in possession of the corresponding private keys.
Based on the discoveries, they implemented the Universal SSH Key Manager (UKM) solution. UKM offers the bank monitoring and auditing features – they can easily monitor key usage, and outdated keys can be automatically removed. UKM also actively monitors the environment and alerts administrators in case a policy violation occurs.
Regaining Sarbanes-Oxley (SOX) compliance
Premise: The customer, a leading multinational energy company, supplies energy products and provides related services. These consist of, for example, service stations for cars and trucks, and general retail operations for automotive fuels, fuel oil, asphalt, etc.
The customer’s service segment operates an ICT production environment with over 500 servers. The secure access and file transfers to the servers are done via SSH protocol. At the same time, the environment includes a variety of SSH implementations from various vendors.
Challenge: The primary need of the customer was to comply with the regulatory requirements set in the Sarbanes-Oxley Act (SOX), which requires controlled and auditable privileged access. Even though they have previously invested in a privileged access management (PAM) solution, they wanted to improve their overall security. The client also required a transparent and non-disruptive installation process.
Based on the customer’s situation, they needed a centralized, interoperable, robust SSH user key management solution that controls privileged SSH access in a multivendor environment. That is not easy, as the environment includes various SSH server implementations across a range of versions and operating systems. Additionally, the solution had to be capable of tracking key sign-offs by application owners.
Change: The customer chose Universal SSH Key Manager (UKM) as the solution to manage their SSH environment. The deployment of the solution was done in several stages to ensure no disruptions during the process. After each stage, the results and benefits were measured, analyzed, and acted on.
The final, deployed solution discovers SSH keys in the complex environment and finds out who has access to what. It also monitors the use of SSH keys and their authorizations. The solution adds, removes, and rotates SSH identities and keys as well as monitors the SSH use, in line with the SOX regulations. Additionally, the solution enhances the company’s operational and cost efficiency as the automated management of keys decreased the manual workload of the IT staff.
Securing Financial IT Environment
Premise: The customer is a large Asian financial institution, one of the biggest in the world, with billions of transactions happening every day. Thus, it is essential that their complex IT environment, which is being accessed by in-house as well as third-party experts, is secure. Another important factor is compliance with regulations.
Challenge: The company uses SSH keys to manage access to their IT environment securely. SSH keys are crucial and convenient for the customer, as they, for example, automate critical machine-to-machine connections that transfer sensitive information, like financial transactions. However, the keys also pose a security risk, due to their volume and variety. Thousands of keys are created every day, while many of the existing keys are unused or outdated. Additionally, all the company’s SSH keys were previously stored in a single folder.
This made managing the keys and searching for the right keys extremely slow and inefficient. The company needed a solution that would help them regain control and manage their SSH keys.
A separate security risk was connected to secure file transfers (SFTP). As the company’s employees and third-party vendors heavily rely on file transfers within the organization, they need a secure way of managing the data-in-transit. So, the customer also needed a solution that would protect their data-in-transit without slowing down their staff’s productivity.
Change: To deal with both challenges, the company decided to choose solutions by SSH.COM: Universal SSH Key Manager (UKM) and Tectia SSH Client/Server.
The UKM solution secures the customer’s SSH keys by automatically scanning the IT environment in order to identify and create an accurate SSH keys inventory. This makes searching for the right key and establishing a connection much faster. UKM also keeps track of all keys’ validity and helps the organization to comply with security regulations.
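As an added illustration (not SSH.COM's code, nor any customer's), here is a minimal version of the SSH key discovery step described in the bank, energy and financial institution cases above: it parses authorized_keys files collected from several accounts, fingerprints each key, and flags keys that grant root, keys with no recorded owner, and keys trusted on more than one host. Hosts, accounts and key blobs are constructed sample data.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample: (host, account) -> that account's ~/.ssh/authorized_keys.
# The blobs are base64 of short placeholder strings, not real keys.
SAMPLE_AUTHORIZED_KEYS = {
    ("app-01", "root"): "ssh-ed25519 a2V5LW9uZQ== deploy@ci\n",
    ("app-01", "appsvc"):
        'command="/usr/bin/rsync --server",no-pty ssh-rsa a2V5LXR3bw== backup@nas\n'
        "ssh-ed25519 a2V5LXRocmVl\n",            # no comment: owner unknown
    ("db-01", "root"):
        "# break-glass key\n"                   # comment lines are skipped
        "ssh-ed25519 a2V5LW9uZQ== deploy@ci\n"  # same key as app-01 root
        "ssh-ed25519 a2V5LWZvdXI= dba@corp\n",
}


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Parse one authorized_keys line into (options, key_type, blob, comment),
    or None for blank/comment lines; quoted option values may contain spaces."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                options, rest = line[:i], line[i:].lstrip()
                break
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: %r" % line)
    comment = fields[2].strip() if len(fields) == 3 else ""
    return options, fields[0], fields[1], comment


def build_inventory(authorized_keys_by_account):
    """Map each key fingerprint to every (host, account, options) it can reach."""
    inventory = defaultdict(lambda: {"type": None, "comment": "", "grants": []})
    for (host, account), text in authorized_keys_by_account.items():
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed is None:
                continue
            options, key_type, blob, comment = parsed
            entry = inventory[fingerprint(blob)]
            entry["type"] = key_type
            entry["comment"] = entry["comment"] or comment  # first owner seen
            entry["grants"].append((host, account, options))
    return dict(inventory)


def find_unmanaged(inventory):
    """Flag keys granting root, keys with no recorded owner, and keys
    trusted on more than one host: the findings the audits above describe."""
    report = {"root_access": [], "unknown_owner": [], "multi_host": []}
    for fp, entry in inventory.items():
        if any(account == "root" for _, account, _ in entry["grants"]):
            report["root_access"].append(fp)
        if not entry["comment"]:
            report["unknown_owner"].append(fp)
        if len({host for host, _, _ in entry["grants"]}) > 1:
            report["multi_host"].append(fp)
    return report
```

On a real estate the input would be gathered from every host's authorized_keys files (and sshd_config AuthorizedKeysFile paths), and the fingerprints matched against known private-key holders.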
To secure their file transfers, the customer selected Tectia SSH Client/Server. One of the deciding factors was that Tectia SSH provides the company with instant, local support. Additionally, the solution supports secure and compliant X.509 certificate-based authentication. It also transfers large files up to twice as fast as OpenSSH.
Real-time cloud SSH key provisioning
Premise: The customer is a provider of a big data analysis solution to a range of end customers, from SMEs to large corporations. Their solution is provided as a managed cloud service. Therefore, it requires operators to have fully audited access to the end customers’ data in the cloud. The access is managed via the SSH protocol, and connections are established with strong public-key authentication.
Challenge: The client was looking for an operationally efficient and cost-efficient solution that would integrate with their own user orchestration solution for user provisioning and de-provisioning. They required time-based access management that would allow them to provide access to their operators as well as server accounts. The customer also required a certain level of automation. In other words, they wanted to be able to define and approve the access validity period. Then once the access would expire, it would be automatically de-provisioned.
Change: Based on the criteria, product and service maturity, and subject matter expertise, the customer selected the Universal SSH Key Manager (UKM) as their solution.
The User Portal of UKM provides the customer with a single, unified interface to manage all request and approval workflows. The access, key provisioning, and key de-provisioning are done by the key management functions. UKM also tracks the validity of the access and once it expires, the access is automatically removed. The solution also tracks all requests, approvals, and other actions.
The UKM solution is fully integrated with the customer’s existing security solutions and with their cloud change management and provisioning solutions. This means the access management workflow is fully integrated and automated, which provides wide visibility and easy governance.
Towards the keyless future with UKM Zero Trust
Premise: The customer is a manufacturing business with an estate of more than 6500 servers. To manage their secure access to and between the servers, they used SSH keys. The customer has a privileged access management (PAM) solution in-house, however, it was managing only part of their keys.
Challenge: The prior setup accounted only for around 20% of SSH connections, even with a PAM solution in place. The rest of the keys went unmanaged which led to an internal compliance audit failure. The customer knew that they must inspect the issue thoroughly.
Thanks to the customer’s own comprehensive discovery process of SSH keys, they gained a deep understanding of the scope and complexity of the challenge and recognized that they would not be able to manage the issue in-house. Therefore, they were looking for a solution provider with extensive expertise in the industry. They also required the solution to smoothly integrate and cooperate with their existing PAM while adding the necessary Enterprise Key Management capacity.
They wanted to find a solution that would help them manage their rogue keys challenge as well as prepare them for the keyless future. Their vision was not to be content with just managing keys but to migrate to a keyless approach.
Change: The company selected the Universal SSH Key Manager (UKM) Zero Trust solution by SSH. They valued the experience and expertise of SSH as the inventor of the Secure Shell protocol.
UKM Zero Trust helps with mapping, managing, and automating SSH key access. The solution also smoothly integrates with other PAM solutions. At the same time, it radically reduces the number of SSH keys that need to be managed – instead, it supports the transition towards keyless SSH access through short-lived, ephemeral certificates.
The customer has since adopted and fully migrated to keyless, just-in-time access. UKM helped the customer solve their immediate challenge and, at the same time, prepared the customer’s environment for the keyless approach to SSH access management.
“It took us four hours to set up the test environment from start to finish. And the amazing part was when we connected to Azure, we could retrieve all the VMs right away without any kinds of hassle.”
Sami Säisä, Director, Head of Strategic Development, MOST Digital
“PrivX makes life easier.”
IT manager at a large industrial equipment company