Password managers, long heralded as the gold standard for consumer password safety, have been shown to have vulnerabilities. Research shows that password managers can leak login credentials to the PC’s memory, making them vulnerable to hacking.
In light of this research, it’s certainly time for consumers to examine their password management best practices. Consumers should move towards more secure authentication methods, like multi-factor authentication, dedicated authenticator devices (like YubiKey), or enabling more secure authentication protocols (WebAuthn).
But, what about businesses and access to their critical IT infrastructure in particular? Is it also time to rethink password and access management – long administered by traditional privileged access management (PAM) solutions – on the enterprise side?
The short answer is yes. Here’s why. With traditional PAM solutions, privileged access used to be metered out on a permanent basis. There are a number of reasons why that’s no longer feasible and why enterprises should look to ephemeral certificates as the solution.
Traditional permanent access credentials are obsolete
Traditional PAM solutions allow enterprises to grant access per user and per host. But, the number of people who need privileged access today is increasing rapidly. As external contributors and contractors, temporary workers, and new types of job roles have become more prevalent, it’s become increasingly complex to provide – and keep track of – privileged access to a larger and more diverse group of people who deal with the lifeblood of a company, including network infrastructure, software production environments, credit card data or health records. As a result, it’s easy for companies to lose track of who has access to what.
These users require all kinds of access depending on their role: from least-privileged to highly privileged (root), all for different periods of time. Their access needs are ad-hoc, and often short-lived. In the cases of machine connections, it’s possible that a “user” might need access for only a few milliseconds.
Existing PAM solutions on the market also aren’t built for the age of digitalization. The pace of change in the digital world is astronomical, and users today might need to access virtual servers, multiple cloud services, and even containers.
Software developers also want to work faster, developing new products at the speed of digital. The product development cycle today means that a developer might be updating their product up to a hundred times each day. Developers don’t want to have to wait for access, and with traditional PAM, they tend to need access faster than it can be granted. That doesn’t just hurt developers. It’s a time- and money-sink for the organization at large. Every three minutes it takes to access a resource can cost a company near half a million dollars a year.
Permanent access credentials can be stolen, forgotten, or duplicated, even if you protect them carefully. Fortunately, there’s a better way of ensuring that privileged access is granted, changed, tracked, managed and revoked properly: ephemeral certificates.
Ephemeral certificates, explained
Ephemeral certificates are short-lived access credentials that exist for only as long as they are needed to authenticate and authorize privileged connections. They’re automatically issued as needed, so users don’t have to input credentials when connecting. And once the user’s session is complete, the certificates disappear automatically. Each session is still based on established and robust encryption technologies like SSH and RDP, but managing the access lifecycle is super streamlined and the solution eliminates the risk of permanent credentials.
Ephemeral certificates offer a smarter solution for secure IT access, streamlining operations, accelerating business speed and improving security. Here’s how.
What are the benefits?
Ephemeral certificates are a more secure solution than permanent access credentials precisely because of their ephemerality. They automatically expire, usually within a few minutes, which reduces the concern that credential access might linger after it’s no longer needed. It also means that admins don’t have to worry about revoking access if the users’ access roles change.
Because there are no credentials to steal, misplace or forget, ephemeral certificates reduce the number of potential entry points for a hacker, as well as the attack surface. This helps minimize the risk of a breach. When the access credentials are generated, they aren’t stored on the target server, which means target systems don’t contain any user-specific access credentials. It’s more secure, and less admin work, since it eliminates the need for access credential management on those target systems.
Access credentials are created on-demand when the access is initiated, and they’re generated by a trusted entity. There’s no manual work required to enroll the credentials. Also, since the access credentials are recreated for each access request, any role changes can be applied in real-time. This approach adheres to the principle of zero trust, since every session is authenticated, authorized upon opening the connection without anyone having an “all access pass” regardless of their role. Individual accountability is also strong, since every session is recorded for auditing.
With no agents to install, configure or update, ephemeral certificates enable your developers to focus on working, instead of managing or waiting for access. At the same time, they’ve vastly easier and more time-efficient for administrators to manage. And as if by magic, companies mitigate risk and improve security. That’s a business win, all around.
The use cases for ephemeral certificates run far and wide: enabling the DevOps team with lean and credential-less privileged access, managing multi-cloud and hybrid cloud servers centrally, and enabling secure, temporary third-party access to company assets are just a few examples. It’s in businesses’ best interest to reexamine their access management and make a move toward ephemeral certificates.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.