SAN FRANCISCO -- Organizations challenged with managing SSH login credentials, as well as digital certificates related to the hosts they connect to, now have another choice for key and certificate management.
At the 2018 RSA Conference this week, SSH Communications Security, an encryption and access control company based in Helsinki, joined forces with AppViewX Inc., a management, automation and orchestration platform vendor headquartered in Seattle, to roll out a service for managing both SSH login keys, which are used to access organizational systems, and the digital certificates that authenticate access to websites and applications.
Key management for SSH, which many organizations rely on to connect to and control remote systems securely, has long been complicated by how easy it is to create secure channels, combined with the tendency of the credentials used for those channels to persist for long periods of time.
The new offering combines the SSH key management service already provided by SSH's Universal SSH Key Manager with AppViewX CERT+, which provides management services for digital certificates across an organization's networks, including automated discovery, expiry alerting, renewal, provisioning and certificate revocation.
CERT+ is a cross-certificate authority certificate management product, said Joe Scaff, vice president of U.S. operations and customer services at SSH. He added that SSH discovered current and potential customers are seeking tools for both key and certificate management from a single vendor.
"In many ways, the management of those two things are different; they're not managed exactly the same. In SSH, key management is primarily around login access, and certificate management is around access to applications, websites and other resources," Scaff said. "We have seen with our customers that many of them see both certificate management and SSH key management as being managed in the same way. And we are embracing that in this partnership with AppViewX, because it's allowing us to talk to our customers broadly about key management in general," instead of just being limited to talking about SSH key management.
Craig Riddell, senior solutions architect for SSH, said the company aimed to go outside the standard approach to key and certificate management in order to "solve a use case for our customers that are either growing in a public cloud or a private cloud, where a traditional SSH key cannot be tied to an individual identity."
"One of the things we've been asking ourselves is how can we confirm that who's logging in to our cloud resources is actually who they say they are," Riddell said. He added that SSH is taking a two-step approach, starting with issuing a certificate from the new key and certificate management platform for any devices being used for access; that certificate then goes into an inventory control system. The second step occurs as SSH's PrivX on-demand access manager sends queries to the inventory control system when the device attempts to authenticate in order to ascertain that the device is a company-approved client, after which the authentication process can proceed.
"Our PrivX platform is just-in-time or ephemeral-based certificate access, so a certificate is literally provisioned every time somebody tries to authenticate," Riddell said. "So, if I authenticate for 30 seconds and then terminate my connection, that certificate is destroyed. And when I go back through authentication again, a new certificate will be provisioned and I'll use that for access to the endpoint."
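As an added illustration of the ephemeral-certificate model described above (example code written for this page, not code from SSH Communications Security, AppViewX or PrivX), the following Python lays out a constructed, unsigned OpenSSH ed25519 certificate body, parses the fields an access audit needs, and flags certificates that are outside their validity window, longer-lived than an assumed 60-second policy threshold, or not bound to any principal.

```python
import struct
def _s(b):  # encode an SSH "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b

def build_cert_blob(key_id, principals, valid_after, valid_before):
    """Constructed, UNSIGNED ed25519 cert body laid out per OpenSSH PROTOCOL.certkeys;
    nonce, key and signature fields are zero placeholders, so sshd would reject it."""
    princ = b"".join(_s(p.encode()) for p in principals)
    return (_s(b"ssh-ed25519-cert-v01@openssh.com")
            + _s(b"\x00" * 32) + _s(b"\x00" * 32)  # nonce, ed25519 public key (placeholders)
            + struct.pack(">QI", 1, 1)              # serial, type 1 = user certificate
            + _s(key_id.encode()) + _s(princ)       # key id, packed list of principals
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")           # critical options, extensions, reserved
            + _s(b"\x00" * 32) + _s(b"\x00" * 64))  # CA signature key, signature (placeholders)

def parse_cert_blob(blob):
    """Parse the fields an access audit needs; signature fields are not verified here."""
    off = 0
    def take():
        nonlocal off
        n = struct.unpack_from(">I", blob, off)[0]
        val = blob[off + 4:off + 4 + n]
        off += 4 + n
        return val
    ctype = take().decode()
    take(); take()                                  # skip nonce and public key
    serial, ktype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id = take().decode()
    raw, principals, pos = take(), [], 0
    while pos < len(raw):                           # principals is a nested list of strings
        n = struct.unpack_from(">I", raw, pos)[0]
        principals.append(raw[pos + 4:pos + 4 + n].decode())
        pos += 4 + n
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    return {"type": ctype, "serial": serial, "user_cert": ktype == 1, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def check_cert(cert, now, max_lifetime=60):
    """Findings for one cert; empty means a short-lived, principal-bound credential."""
    findings = []
    if not cert["valid_after"] <= now < cert["valid_before"]:  # the window test sshd applies
        findings.append("outside validity window")
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > max_lifetime:                     # assumed policy threshold, not OpenSSH's
        findings.append(f"lifetime {lifetime}s exceeds {max_lifetime}s")
    if not cert["principals"]:
        findings.append("no principals (valid for any user)")
    return findings
```

A 30-second certificate for a named principal passes while it is live and fails once it has lapsed; a day-long certificate with no principals produces two findings, which is the kind of long-lived, loosely bound credential the partnership's just-in-time model is meant to replace.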