{"id":565,"date":"2024-09-26T21:23:36","date_gmt":"2024-09-27T03:23:36","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=565"},"modified":"2024-10-04T14:13:23","modified_gmt":"2024-10-04T20:13:23","slug":"a-passwordless-and-keyless-future-using-secure-priveleged-access-management","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/09\/26\/a-passwordless-and-keyless-future-using-secure-priveleged-access-management\/","title":{"rendered":"A Passwordless AND Keyless Future"},"content":{"rendered":"\n

What is Privileged Access Management (PAM)?<\/h4>\n\n\n\n

Privileged Access Management (PAM) is a package of cybersecurity strategies and access management tools utilized for controlling, monitoring, and safeguarding users with privileged access permissions.[3] A PAM system ensures your computers have a secured network that is able to decrease operational complexity and protects important resources such as data, user accounts, networks, devices, systems, and processes.[3] PAM manages shared accounts, super users, teams, and service accounts.[3]<\/p>\n\n\n\n

How does PAM work?<\/h4>\n\n\n\n

In most large companies with multiple levels of positions, users will need permissions and access requests to privileged accounts in order to effectively complete their day-to-day tasks. [3] The same users will need to provide justification to the server when requesting access. This is where PAM comes in to provide a secure means of communication while maintaining a well-balanced workflow.[3] PAM simplifies the process of approving or denying user access requests and logs all decisions.[3] Once approval is granted to the user, PAM temporarily provides the user higher access without manually requesting and remembering credentials for the privileged access.[3] Single Sign-On (SSO) integration which centralizes access to multiple user accounts while not compromising the integrity of passwords and Credential Management where the timespan of a password remaining valid is condensed are two examples of PAM tools.[3]<\/p>\n\n\n\n

Passwords, TLS certificates, and Accounts within a company are all typically secured with PAM solutions.[1] However, SSH key management is hardly discussed in this realm, simply due to the lack of technology available to implement it adequately.[1]<\/p>\n\n\n\n

Why can’t PAMs handle SSH Keys?<\/h4>\n\n\n\n

SSH Keys are access credentials in the Secure Shell (SSH) Protocol that are like passwords but function differently when compared to passwords.[1] Keys tend to further outnumber passwords by a 10:1 ratio.[1] While only some passwords are privileged, almost all SSH keys open doors to something valuable.[1] One key also has the capability to open doors to multiple servers.[1] Implementing PAM to handle SSH keys would solve these problems. However, PAMs unfortunately don’t manage SSH keys very well. Since PAMs were built to vault passwords, doing the same with keys simply does not work as keys must be secured at the server’s side.[1] Otherwise, keeping keys under control becomes extremely difficult. Moreover, to manage these keys, our solution must first discover the keys which PAMs cannot do.[1] <\/p>\n\n\n\n

ISSUE<\/strong>: Despite these concerns, PAMs are not complete without SSH key management. Even if an organization manages 100% of your passwords, the chances are that 80% of your critical credentials are still missing if SSH keys are not managed.[1]<\/p>\n\n\n\n

What solution has been proposed to solve this issue?<\/h4>\n\n\n\n

Modern ephemeral access (MEA)! [1,2] With MEA, secrets needed to access a target are granted when needed and automatically expire once the authentication is done leaving a passwordless and keyless method to manage access. Passwords have been the weakest factor within cybersecurity and are the easiest to crack, forget, and lose making it a targettable source. [4,5] SSH says ‘the best way to manage passwords and keys is to not manage them at all’.[1,2] <\/p>\n\n\n\n

\n

<\/p>\n<\/blockquote>\n\n\n\n

\"ZT_Suite_2024\"<\/figure>\n\n\n\n
Figure 1: Zero Trust Suite Access Control system displaying the safety network mechanism. [2]<\/h6>\n\n\n\n

SSH Zero Trust Suite is a modular software suite that allows companies to communicate securely. [1,2] This suite secures communications up to a quantum-safe level in instances such as when:<\/p>\n\n\n\n