KuppingerCole: SSH.COM a Leader in Privileged Access Management
We are proud to be included in KuppingerCole’s "Leadership Compass 2020: Privileged Access Management" as one of the Overall Leaders. A direct quote from the report:
“The PAM market is becoming more competitive and size alone will no longer keep vendors at the top. This is especially true in a period when vendors like SSH.COM can go from Challenger to Leader in one year due to a strong focus on technology and innovation.”
– Paul Fisher, Leadership Compass 2020: Privileged Access Management
This is an important point for us. We believe that we offer a truly different and unique alternative for managing access for administrators, developers, 3rd parties and agile DevOps teams. Also, our customers often emphasize the following three benefits:
- Scalable architecture for accessing workloads in the hybrid cloud
- Just-in-time (JIT) access with zero standing privileges (vault-less and credentialless approach)
- Ease of use, deployment in days and minimal maintenance and training to facilitate work from home and 3rd party access control
Now is the time for natively multi-cloud and on-prem solutions for hybrid IT
If you are hosting a large environment where the majority of your applications are hosted on physical servers, we don’t even pretend PrivX is the only solution. Traditional PAM vendors built their solutions when ‘physical’ was all the rage.
PrivX uses a more modern approach, like microservices architecture. It is therefore a multi-cloud-native and on-premise friendly solution, where cloud features are not an add-on, but built-in from the very start.
If you run a host environment where you use only one cloud service provider (like Azure), you can perhaps manage with native tools. When migrating to the cloud, however, you are more likely to mix your services, for example by adding Amazon Web Services (AWS) and Google Cloud Platform (GCP), while still managing physical servers. Additionally, moving your applications to the cloud is rarely a ‘lift-and-shift’ project; it’s a gradual process.
All of a sudden, the number of configurations needed is multiplied, the tool stack grows, developers hop from one console to another – and your administrator runs the risk of losing sight of who has access to what resources, why, and at which level of privilege.
PrivX can centralize your access needs into one, UI-based solution. Your developers get a single sign-on (SSO) to only their available servers, automatically every time they log in. Your admins enjoy automated cloud host discovery (and painless dev onboarding and offboarding). Your R&D team enjoys operational efficiency at the speed of DevOps. It’s just one-click to hybrid cloud for them.
Cloud is where the savings are: choose an access solution that fits the bill when migrating.
Just-in-time (JIT) and certificate-based access for secure connections is the current trend
Uber has their own certificate authority, Facebook has built scalable and secure access with SSH, and Netflix has their BLESS. These are some of the most forward-looking companies, and they are looking for ways to solve their access challenges, which are often related to Secure Shell (SSH). Rather than relying on SSH keys, these three companies have built certificate-based access solutions in-house.
Why? An SSH key is an access credential in the SSH protocol, used for automated processes and for implementing single sign-on by system administrators and power users. SSH keys are easy to use and configure, and for that reason they are regularly generated in the thousands. This is a serious security and compliance risk: these keys never expire by default, can be used and shared without an identity associated with them, and tend to accumulate over the years.
With certificates, you can operate differently. As described by Uber, Facebook and Netflix, the task of rotating, managing and deleting keys becomes easier. But even then, the problem of existing SSH keys in your critical IT infrastructure persists.
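To make the standing-key problem described above concrete, here is an added example (not PrivX or SSH.COM code) that inventories `authorized_keys` content, flags static keys that carry no OpenSSH `expiry-time` option, and reports keys shared across accounts. The account names and keys are constructed for the demo.

```python
import base64, hashlib, re, struct
from collections import defaultdict

KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)")

def parse_entry(line):
    """Return (options, key_type, fingerprint) for an authorized_keys line, or None."""
    for m in KEY_RE.finditer(line):
        key_type, b64 = m.groups()
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        name = key_type.encode()
        # A genuine public-key blob begins with its own length-prefixed type name.
        if blob[:4 + len(name)] != struct.pack(">I", len(name)) + name:
            continue
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        return line[:m.start()].strip(), key_type, "SHA256:" + digest.rstrip("=")
    return None

def audit(files):
    """files maps account -> authorized_keys text; returns (findings, shared)."""
    seen, findings = defaultdict(set), []
    for account, text in files.items():
        for line in map(str.strip, text.splitlines()):
            entry = None if line.startswith("#") else parse_entry(line)
            if entry is None or "cert-authority" in entry[0]:
                continue  # comment, unparsable line, or CA trust anchor
            options, _, fp = entry
            seen[fp].add(account)
            if "expiry-time=" not in options:
                findings.append((account, fp, "static key without expiry-time"))
    shared = {fp: sorted(accts) for fp, accts in seen.items() if len(accts) > 1}
    return findings, shared

def sample_key(seed):
    """Constructed ed25519-shaped key line for the demo (not a real key)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

SAMPLE = {  # constructed accounts and comments
    "deploy": f'{sample_key(1)} ci@build\nexpiry-time="20250101" {sample_key(2)} contractor\n',
    "root": f"# legacy\n{sample_key(1)} copied-from-deploy\n",
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The fingerprints use the same `SHA256:` format that `ssh-keygen -lf` prints, so results can be matched against server logs.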
We took this innovation a step further. In fact, we can help your developer teams establish SSH and RDP connections, without anyone ever having to configure any access credentials (like SSH keys) at all. Our PrivX is a centralized access management gateway and a certificate authority (CA) that creates a method for just-in-time (JIT) authentication.
As opposed to always-on credentials like SSH keys or RDP passwords, our solution offers always-temporary access. This has several benefits:
- Risk mitigation: The SSH and RDP secrets are baked into a short-lived, ephemeral X.509 certificate. On establishing the connection, the certificate is validated against the Certificate Authority (CA), which is our PrivX. Since both SSH keys and RDP secrets are inside the certificate, which expires automatically after the connection is established (within 5 minutes), both the SSH and RDP secrets disappear as well.
- Passwordless IT: There is no need for key management, password vaults or password rotation, since permanent credentials do not exist anywhere in your IT environment.
- Convenience and security: The developer does not need to handle any secrets at any point but gets SSO access. He or she also doesn't see any secrets when accessing the server. The admin doesn't need to configure access keys or revoke them.
- Nothing to steal: Accounts still exist on target servers, but they are disarmed because there are no credentials on the target server.
This aligns well with the Zero Trust framework (don’t trust, verify) and Gartner’s Remove Standing Privileges Through a Just-In-Time PAM Approach. Now, KuppingerCole states in their report that:
“It’s an innovative approach but one that does bring functional and security advantages – access is faster, onboarding and offboarding of privileged users is quick and there are no passwords to issue or lose, since there are no permanent leave-behind credentials. Furthermore, users never handle or see any credentials or secrets at any point when accessing servers.” – Paul Fisher, Leadership Compass 2020: Privileged Access Management
Agreed.
Speed and scalability matter when your workforce is distributed, and on-prem access is limited
Working from home and secure remote access for developers, administrators and 3rd parties are here to stay. Case in point: Twitter announces employees will be allowed to work from home ‘forever’. How quickly you can scale your services when needed, and how fast you can respond to changes, is therefore more important than ever.
These are the questions to ask:
- Can you deploy your privileged access solution in days?
- Can you install, manage and maintain it remotely?
- Can you have mostly automated maintenance?
- Are your 3rd party access controls built-in and easy to use?
Forward-looking companies of all sizes choose credentialless JIT PAM for hybrid IT
We have been challenging the access market for some time. At the same time, modern companies are looking for solutions that help them migrate to the cloud, such as ensuring that:
- banks can handle their data-in-transit securely: Aktia Bank Chooses PrivX® from SSH.COM for Privileged Access Management.
- some of the bigger technology players in the market can provide more security for their customers: PrivX® chosen as the Privileged Access Management solution by Fujitsu for their Customer Management Environment (CME) platform
- the forest industry can secure their critical processes: A Top-20 European Bank and a Leading Multi-National Forest Product Company Choose PrivX® from SSH.COM
We are very proud to have risen from a KuppingerCole Challenger to an Overall Leader in just a year. Many other companies have taken years to make this leap. We’ve made sure that our product development cycles are fast and customer projects take just days, so that we can deliver value to our customers quickly.
Maybe it's time for you to challenge your notions about what privileged access means and how it should be implemented?
Download the full 2020 KuppingerCole Leadership Compass: Privileged Access Management report for free here.
Jussi Mononen
Jussi is responsible for SSH's strategic and corporate development and investor relations. He is a 30-year IT industry veteran who is old enough to have coded in Fortran and Ada before switching to the business side of things.