Getting rid of permanent access helps your organization boost efficiency, cut costs, and better protect against cybersecurity threats. It also eliminates a big annoyance: password and key rotation. Here’s how it all works.
Since our beginning, as the creators of the Secure Shell Protocol, SSH has continued to pioneer the evolution of cybersecurity. Over the past 25 years, we’ve had the pleasure of helping encrypt critical IT infrastructures and improve privileged access management for companies across the globe.
Our company name pays homage to our history, but SSH is continuously evolving to meet the latest cybersecurity requirements. And today, we see a need for a new method of password and SSH key management — one that is more efficient, less costly, future-proof, and fool-proof.
SSH coined the term “Better Without” to refer to a temporary access solution that, unlike existing permanent access solutions, entirely eliminates the need for passwords, keys, and other permanent credentials.
But why is permanent access such a problem for enterprises?
To put it simply, permanent access refers to access that is granted indefinitely. It does not expire and must be manually revoked.
In a sufficiently secure environment, privileged users are only granted permanent access if they require continuous or repeated access to certain documents, databases, or network devices. But in reality, permanent access is often granted to employees who only need access for a short period of time.
On average, every employee has access to 11 million files — and for every unnecessary instance of access, a vulnerability exists.
Permanent access can be problematic for enterprises, especially large organizations with potentially thousands of credentials. It is notoriously difficult to manage such a significant number of keys and passwords, and unmanaged credentials can pose a considerable security risk. Moreover, since permanent access rights do not automatically expire, unmanaged permanent access credentials can quickly accumulate.
According to Forrester Wave, 80% of data breaches begin with the misuse of privileged credentials. Moreover, Kaspersky has found that 90% of cyberattacks are caused by human error.
Permanent access plays a key role in making these statistics a reality.
Managing permanent access can be complex, time-consuming, and very expensive. In large organizations, potentially thousands of employees will need to have their permanent access credentials manually managed. This typically involves deleting accounts when necessary and updating credentials — repetitive and menial tasks for your IT specialists.
We have calculated that a customer’s cost of managing their SSH keys with in-house tools and personnel averages upwards of three million dollars per year.
All credentials can be copied or shared, including permanent access credentials. In fact, according to Kaspersky, 90% of all cyberattacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers. Often, this is a result of a hacker impersonating another staff member and requesting credentials. The ability to share credentials with so little oversight means that these instances are more common than many organizations realize.
By nature of being indefinite and requiring manual management, permanent access is a continuous source of vulnerability.
When not closely managed and revoked appropriately, individuals who have previously been granted access to a target can slip through the cracks and continue to have access long after it is necessary.
Failure to remove accounts when appropriate can put the entire company at risk. This risk might manifest as a disgruntled employee, untrained staff member, or someone who has left to work for a competitor. Each of these individuals could be responsible for confidential or critical information being accessed, compromised, or exploited.
Whenever permanent credentials pass through human hands, there is a significant chance of human error occurring. Errors might include failure to update or remove access, or the sharing and copying of credentials.
But in addition to the ample opportunity for manual mistakes, organizations also face the risk of failed compliance. Permanent access credentials must be manually modified to comply with changing data laws or company policy changes. This is time-consuming and extremely difficult to manage at scale.
Password rotation and character-composition rules are age-old security practices that have long been seen as necessary. That is changing. It turns out that these practices lead users to create easy-to-guess passwords that are often composed of sequential letters and numbers.
This is why Microsoft no longer recommends mandatory password rotation or character-composition requirements:
“Don't require mandatory periodic password resets for user accounts”
“Don't require character composition requirements. For example, *&(^%$”
The US Government is following suit. In its memorandum, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, the government directs its agencies to move away from password rotation and special-character requirements.
“[...] agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government.”
In the past, companies have attempted to resolve the issues associated with permanent access through manual interventions such as:
These methods require you to regularly sift through thousands of servers to make the appropriate modifications, which requires a significant amount of time and resources, even when point solutions are being leveraged.
For many companies, the time, money, and effort required to manage their permanent access problem is simply too great. Some even choose to ignore the problem, which exacerbates it further. This leads to keys and passwords being shared, policies being violated, and rogue keys accumulating in your IT environment — all of which pose massive cybersecurity threats.
Fortunately, there’s a better way.
Enterprise key management solutions can help you manage the challenges associated with permanent access, but the fact remains that managing passwords, keys, and credentials at scale is a complicated operation.
SSH offers a solution in the form of our just-in-time Zero Trust Access Management. This tool was designed specifically for companies hoping to manage their long-standing permanent credentials more effectively. But as the creators of innovative technologies like the SSH protocol, it’s in our DNA to look ahead and forge new paths in cybersecurity. That’s why we decided to take enterprise key management to the next level and launch a temporary certificate-based access solution that allows you to migrate towards a fully passwordless and keyless environment at a pace that suits you.
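To make “temporary certificate-based access” concrete, here is an added example (not SSH’s product code or any project’s own): it lays out a constructed, unsigned OpenSSH user certificate in the published PROTOCOL.certkeys layout, reads back its validity window and principals, and applies the same time-bounded check a server makes. The CA signature a real sshd verifies first is deliberately omitted, and the key bytes, key id and principal names are made up.

```python
import struct

def _s(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_cert(pubkey, key_id, principals, valid_after, valid_before, serial=1):
    """Constructed, UNSIGNED ssh-ed25519-cert-v01 body (PROTOCOL.certkeys layout).
    A real certificate ends with the CA's signature over this body; empty here."""
    body = _s(b"ssh-ed25519-cert-v01@openssh.com")
    body += _s(b"\x00" * 32)                    # nonce (random in a real certificate)
    body += _s(pubkey)                          # the user's ed25519 public key
    body += struct.pack(">QI", serial, 1)       # serial number, type 1 = user certificate
    body += _s(key_id.encode())                 # key id: who/what this was issued for
    body += _s(b"".join(_s(p.encode()) for p in principals))  # login names it may be used as
    body += struct.pack(">QQ", valid_after, valid_before)     # validity window (UNIX time)
    body += _s(b"") + _s(b"") + _s(b"")         # critical options, extensions, reserved
    body += _s(b"") + _s(b"")                   # signature key, signature: empty (constructed)
    return body

def parse_cert(blob: bytes) -> dict:
    """Decode the fields a server needs for an access decision."""
    pos = 0
    def s():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos); pos += 4
        v = blob[pos:pos + n]; pos += n
        return v
    def u(fmt):
        nonlocal pos
        (v,) = struct.unpack_from(fmt, blob, pos); pos += struct.calcsize(fmt)
        return v
    cert = {"type": s().decode()}
    s()                                         # nonce, not needed for the decision
    cert["pubkey"] = s()
    cert["serial"], cert["cert_type"] = u(">Q"), u(">I")
    cert["key_id"] = s().decode()
    plist, princs, ppos = s(), [], 0
    while ppos < len(plist):                    # principals are nested SSH strings
        (n,) = struct.unpack_from(">I", plist, ppos); ppos += 4
        princs.append(plist[ppos:ppos + n].decode()); ppos += n
    cert["principals"] = princs
    cert["valid_after"], cert["valid_before"] = u(">Q"), u(">Q")
    return cert

def access_allowed(cert: dict, login_user: str, now: int) -> bool:
    """What sshd checks after verifying the CA signature (skipped here): user cert,
    requested login among its principals, 'now' inside the window. Past the window
    the certificate is simply useless; nothing has to be revoked or rotated."""
    return (cert["cert_type"] == 1 and login_user in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])
```

A ten-minute window issued just in time replaces a standing authorized_keys entry: the grant disappears by itself instead of waiting for someone to remember to delete it.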
There are three simple steps involved with SSH temporary access, which are as follows:
You can feel confident in the safety of your data, your end-users, and your company.
There are many benefits to going passwordless and keyless and leaving permanent access behind. Here are just a few:
Keeping track of permanent credentials is incredibly challenging. By completely removing permanent access credentials from the equation, there’s no need to waste time and energy creating, deleting, updating, and managing permanent credentials.
When you eradicate permanent access, you eliminate the need to store large numbers of permanent credentials. Think of all the time, resources, and processing power you’ll get back when you no longer have to store or manage potentially thousands of them.
Without permanent access credentials, your environment will be cleaner and simpler to use. Not only does this reduce points of failure associated with the system’s complexity, but it also removes access bottlenecks from your environment and can even boost your team’s productivity.
Once you begin using passwordless authentication, your end-users will no longer need to recall, store, or enter their credentials into disparate systems — or worse, forget their credentials and go on long digital journeys to find them. Instead, users can be granted secure access quickly and easily. This will help your teams work faster and with fewer interruptions.
Less permanent credential management means less room for human error — eliminating the risks associated with weak passwords, poor SSH key management, and credential sharing. This reduces compliance and security concerns, enabling you to effectively prevent and respond to cyberattacks.
Companies that eliminate the need for permanent access demonstrate a commitment to innovative, forward-thinking cybersecurity approaches like passwordless authentication. This positively reflects on your brand and prepares your organization for the future.
With Zero Trust Access Management it’s easy to gradually onboard a credential-less approach to your existing permanent access environment. With no modifications required post-deployment, you can benefit from a fully immutable infrastructure that promotes consistency and reliability.
With Zero Trust Access Management, you can remove the risks and challenges associated with permanent access and leverage a better, future-proof approach to privileged access management.
Key features include:
Learn more about how Zero Trust can help you keep pace with the future of cybersecurity.