Getting rid of permanent access helps your organization boost efficiency, cut costs, and better protect against cybersecurity threats. It also eliminates a big annoyance: password and key rotation. Here’s how it all works.
Since our beginning, as the creators of the Secure Shell Protocol, SSH has continued to pioneer the evolution of cybersecurity. Over the past 25 years, we’ve had the pleasure of helping encrypt critical IT infrastructures and improve privileged access management for companies across the globe.
Our company name pays homage to our history, but SSH is continuously evolving to meet the latest cybersecurity requirements. And today, we see a need for a new method of password and SSH key management — one that is more efficient, less costly, future-proof, and fool-proof.
SSH coined the term “Better Without” to refer to a temporary access solution that, unlike existing permanent access solutions, entirely eliminates the need for passwords, keys, and other permanent credentials.
But why is permanent access such a problem for enterprises? This article will explore the risks associated with permanent access, the advantages of relinquishing it, and introduce the modern solutions that are shaping the future of secure access management.
Understanding Permanent Access and Its Risks
What is Permanent Access?
To put it simply, permanent access refers to access that is granted indefinitely. It does not expire and must be manually revoked.
In a sufficiently secure environment, privileged users are only granted permanent access if they require continuous or repeated access to certain documents, databases, or network devices. But in reality, permanent access is often granted to employees who only need access for a short period of time.
On average, every employee has access to 11 million files — and for every unnecessary instance of access, a vulnerability exists.
What’s the Problem with Permanent Access?
1. Difficult and costly management
Managing permanent access can be complex, time-consuming, and very expensive. In large organizations, potentially thousands of employees will need to have their permanent access credentials manually managed. This typically involves deleting accounts when necessary and updating credentials — repetitive and menial tasks for your IT specialists.
We have calculated that a customer’s cost of managing their SSH keys with in-house tools and personnel averages at upwards of three million dollars per year.
2. Continuous vulnerability
All credentials can be copied or shared, including permanent access credentials. In fact, according to Kaspersky, 90% of all cyberattacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers. Often, this is a result of a hacker impersonating another staff member and requesting credentials.
The ability to share credentials with so little oversight means that these instances are more common than many organizations realize.
By nature of being indefinite and requiring manual management, permanent access is a continuous source of vulnerability.
3. Forgetting to remove collaborators
When not closely managed and revoked appropriately, individuals who have previously been granted access to a target can slip through the cracks and continue to have access long after it is necessary.
Failure to remove accounts when appropriate can put the entire company at risk. This risk might manifest as a disgruntled employee, untrained staff member, or someone who has left to work for a competitor. Each of these individuals could be responsible for confidential or critical information being accessed, compromised, or exploited.
4. Ample opportunity for error
According to Forrester Wave, 80% of data breaches begin with the misuse of privileged credentials. Moreover, Kaspersky has found that 90% of cyberattacks are caused by human error.
Permanent access plays a key role in making these statistics a reality.
Whenever permanent credentials pass through human hands, there is a significant chance of human error occurring. Errors might include failure to update or remove access, or the sharing and copying of credentials.
But in addition to the ample opportunity for manual mistakes, organizations also face the risk of failed compliance. Permanent access credentials must be manually modified to comply with changing data laws or company policy changes. This is time-consuming and extremely difficult to manage at scale.
5. Rotation is detrimental to security
Forced password rotation has long been treated as a necessary security practice. That is changing: it turns out that mandatory rotation pushes users toward easy-to-guess passwords, often composed of sequential letters and numbers.
This is why Microsoft doesn’t recommend password rotations or character compositions:
“Don't require mandatory periodic password resets for user accounts”
“Don't require character composition requirements. For example, *&(^%$”
The US Government is following suit. In their memorandum — called Moving the U.S. Government Toward Zero Trust Cybersecurity Principles — the government advises their agencies to move away from password rotation and requiring special characters.
“[...] agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government.”
The Perks of Saying Goodbye to Permanent Access
There are many benefits to going passwordless and keyless, and leaving permanent access behind. Here are just a few:
1. Convenience of use
Keeping track of permanent credentials is incredibly challenging. By completely removing permanent access credentials from the equation, there’s no need to waste time and energy creating, deleting, updating, and managing permanent credentials.
2. Lower storage and support costs
When you eradicate permanent access, you eliminate the need to store large amounts of permanent credentials. Think of all the time, resources, and processing power you’ll get back when you don’t have to store or manage potentially thousands of permanent credentials.
3. Reduce complexity
Without permanent access credentials, your environment will be cleaner and simpler to use. Not only does this reduce points of failure associated with the system’s complexity, but it also removes access bottlenecks from your environment and can even boost your team’s productivity.
4. Streamline operations
Once you begin using passwordless authentication, your end-users will no longer need to recall, store, or enter their credentials into disparate systems — or worse, forget their credentials and go on long digital journeys to find them. Instead, users can be granted secure access quickly and easily. This will help your teams work faster and with fewer interruptions.
5. Minimize security and compliance risks
Less permanent credential management means less room for human error — eliminating the risks associated with weak passwords, poor SSH key management, and credential sharing. This reduces compliance and security concerns, enabling you to effectively prevent and respond to cyberattacks.
6. Demonstrate your dedication to security
Companies that eliminate the need for permanent access demonstrate a commitment to innovative, forward-thinking cybersecurity approaches like passwordless authentication. This positively reflects on your brand and prepares your organization for the future.
7. Go passwordless at your own pace
With Zero Trust Access Management it’s easy to gradually onboard a credential-less approach to your existing permanent access environment. With no modifications required post-deployment, you can benefit from a fully immutable infrastructure that promotes consistency and reliability.
How Have Companies Tried to Solve the Permanent Access Challenge?
Traditional Manual Interventions
In the past, companies have attempted to resolve the issues associated with permanent access through manual interventions such as:
- Enforcing passwords on issued keys
- Rotating passwords, keys, and credentials to invalidate old ones
- Identifying users behind certain keys and passwords
- Restricting or preventing the sharing of credentials
These methods often do not account for the complexities introduced by cloud environments and remote work scenarios.
Issues with Traditional Approaches
These traditional methods require you to regularly sift through thousands of servers to make the appropriate modifications, which requires a significant amount of time and resources, even when point solutions are being leveraged.
Such interventions also often fail to implement least privilege effectively, leaving non-privileged accounts exposed.
For many companies, the time, money, and effort required to manage their permanent access problem is simply too great. Some even choose to ignore the problem, which exacerbates it further. This leads to keys and passwords being shared, policies being violated, and rogue keys accumulating in your IT environment — all of which pose massive cybersecurity threats.
This lack of control can make your systems susceptible to ransomware and other cyber-attacks, undermining your overall security strategy.
Fortunately, there’s a better way.
Introducing the Modern Access Management Solutions
Next-Gen Cybersecurity: Just-in-time (JIT) Zero Trust Solution
Enterprise key management solutions can help you manage the challenges associated with permanent access, but the fact remains that managing passwords, keys, and credentials at scale is a complicated operation. Full visibility into all access activity is critical to maintaining security in such environments.
SSH offers a solution in the form of our just-in-time Zero Trust Access Management. This tool was designed specifically for companies hoping to more effectively manage their long-standing permanent credentials.
With Zero Trust Access Management, you can remove the risks and challenges associated with permanent access and leverage a better, future-proof approach to privileged access management.
Integrating a zero trust exchange ensures that every access is verified and authorized based on location and context.
Key features of Zero Trust Access Management include:
- Reduce the number of static permanent credentials, passwords, and keys
- Ensure internal and external end-users don’t come in contact with private keys
- Link access back to identified users or machines
- Shrink your attack surface and minimize policy-violating credentials
- Gain full visibility into credentials on a centralized key access estate
- Avoid unwanted modifications with just enough access (JEA)
- Increase simplicity and efficiency of SSH key and password management
- Cut down on total costs by reducing time, money, and resources
Learn more about how Zero Trust can help you keep pace with the future of cybersecurity.
SSH Temporary Access as Your New Permanent Solution
As the creators of innovative technologies like the SSH protocol, it’s in our DNA to look ahead and forge new paths in cybersecurity. That’s why we decided to take enterprise key management to the next level and launch a temporary certificate-based access solution that allows you to migrate toward a fully passwordless and keyless environment at a pace that suits you.
This approach is particularly beneficial for remote work environments, where secure and flexible access is essential.
In contrast to the permanent access model, SSH temporary access solutions offer a more secure and flexible alternative. These solutions grant access on an as-needed basis, typically for a limited duration, ensuring that users only have the necessary privileges for the time required to complete their tasks.
This approach aligns with the principle of least privilege, significantly reducing the attack surface and mitigating the risk of unauthorized access. Applications of such solutions span across various sectors, enhancing overall security posture.
There are three simple steps involved with SSH temporary access:
- Instead of using permanent access credentials, Zero Trust Access Management issues a temporary access token called a just-in-time (JIT) certificate. JIT certificates contain all the secrets necessary to establish a connection, like the private key itself; however, they are completely invisible to the privileged user.
- The user is authenticated using possession factors (something the end-user “has”, like a phone, email account, or magic link) or inherent factors (something the end-user “is”, like a fingerprint, eye or facial scan) instead of a password, SSH key, or other knowledge-based credential.
- Once the user is authenticated, the certificate expires automatically and access is automatically revoked. Everything disappears without a trace: no permanent credentials left to manage, rotate, or revoke!
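As an added illustration of the "expires on its own" step (example code, not SSH.COM's product or the OpenSSH code base), the following Python encodes the public fields of a short-lived OpenSSH user certificate in the wire layout ssh-keygen uses, then shows the server-side check that needs no manual revocation. The 32-byte key, the zero nonce and the principal names are constructed placeholders, and the CA signature a real certificate carries is left empty.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"   # OpenSSH certificate key type
SSH_CERT_TYPE_USER = 1                            # 1 = user cert, 2 = host cert

def _s(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_jit_cert(pubkey: bytes, key_id: str, principals, ttl_s: int, now: int) -> bytes:
    """Encode the public fields of an ed25519 user certificate valid for
    [now, now + ttl_s). The nonce is a constructed placeholder and the CA
    signature fields are left empty; a real CA (ssh-keygen -s) fills them."""
    princ = b"".join(_s(p.encode()) for p in principals)
    return (_s(CERT_TYPE) + _s(b"\x00" * 32) + _s(pubkey)
            + struct.pack(">QI", 1, SSH_CERT_TYPE_USER)      # serial, cert type
            + _s(key_id.encode()) + _s(princ)
            + struct.pack(">QQ", now, now + ttl_s)            # valid_after, valid_before
            + _s(b"") * 3                                      # critical opts, extensions, reserved
            + _s(b"") + _s(b""))                               # signature key, signature (empty here)

def parse_cert(blob: bytes) -> dict:
    """Decode the fields written above (same layout OpenSSH uses)."""
    off = 0
    def rd_s():
        nonlocal off
        (n,) = struct.unpack_from(">I", blob, off); off += 4
        v = blob[off:off + n]; off += n
        return v
    def rd_u(fmt):
        nonlocal off
        (v,) = struct.unpack_from(fmt, blob, off); off += struct.calcsize(fmt)
        return v
    cert = {"type": rd_s(), "nonce": rd_s(), "pubkey": rd_s(),
            "serial": rd_u(">Q"), "cert_type": rd_u(">I"), "key_id": rd_s().decode()}
    raw, i, princ = rd_s(), 0, []          # principals: a packed list of strings
    while i < len(raw):
        (n,) = struct.unpack_from(">I", raw, i); i += 4
        princ.append(raw[i:i + n].decode()); i += n
    cert["principals"] = princ
    cert["valid_after"], cert["valid_before"] = rd_u(">Q"), rd_u(">Q")
    return cert

def access_allowed(blob: bytes, login_user: str, now: int) -> bool:
    """Server-side decision: user cert, requested login name is a listed
    principal, and 'now' lies inside the window. Nothing is revoked by hand:
    once now >= valid_before the certificate is simply dead."""
    c = parse_cert(blob)
    return (c["type"] == CERT_TYPE and c["cert_type"] == SSH_CERT_TYPE_USER
            and login_user in c["principals"]
            and c["valid_after"] <= now < c["valid_before"])
```

In a real deployment the window and principal list come from the access broker, and the signed equivalent of this blob is what `ssh-keygen -s ca_key -I key_id -n principal -V +10m user.pub` produces.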
You can feel confident in the safety of your data, your end-users, and your company.
FAQ
How does implementing least privilege principles enhance security for remote desktop access?
Implementing least-privilege access minimizes risks by ensuring users only have the necessary access privileges, reducing privileged threat vectors. This approach is crucial for remote desktop access within a zero trust architecture, where authorization is based on context. It prevents privilege creep, secures privileged accounts, and limits the potential impact of cyber-attacks.
Adopting best practices like microsegmentation and segmentation strengthens security posture further, ensuring robust control over privileged access.
What are the pros and cons of using temporary access solutions for privileged accounts management?
Temporary access solutions enhance security by granting temporary privileges and eliminating full access. They align with zero trust security, reducing privilege creep and improving control over privileged accounts.
Pros include better traceability and minimized privileged threat vectors. Cons may involve complexity in implementation and potential impacts on productivity.
How can Zero Trust architecture reduce the risks associated with privileged threat vectors?
Zero Trust architecture enforces least-privilege access and continuous verification, reducing risks from privileged threat vectors. By applying microsegmentation and context-based authorization, it limits access privileges to what is necessary.
This approach minimizes the impact of compromised superuser accounts and root accounts, enhancing the security posture.
What features should be considered when selecting a remote device access solution to ensure security?
Key features for a secure remote device access solution include least-privilege access, context-based authorization, and robust authentication mechanisms. Support for zero trust security and microsegmentation is essential to minimize privileged threat vectors. Ensure traceability and auditing capabilities to monitor authorized activity. Carefully control unattended access and integrate with existing security strategies to enhance overall security posture.
How do temporary access solutions help resolve customer issues related to privileged accounts?
Temporary access solutions grant temporary privileges, reducing risks associated with full access and privilege creep. They improve control and traceability, ensuring access is revoked automatically after use.
This approach aligns with zero trust security principles, enhancing the security posture. By minimizing permanent privileged accounts, organizations better protect against cyber-attacks and unauthorized activity, effectively resolving common customer issues and building trust.
What are the alternatives to permanent access credentials in a Zero Trust environment?
In a Zero Trust environment, alternatives to permanent access credentials include temporary access and just-in-time (JIT) access.
These solutions provide temporary privileges based on context, ensuring minimal access rights. Implementing least-privilege access and microsegmentation enhances security by reducing privileged threat vectors.
Utilizing machine identities and robust authorization mechanisms helps maintain control, aligning with zero trust security principles and providing a secure approach to access management.
Jani Virkkula
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator->-tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...