1 Introduction
SSH Communications Security Corporation is a publicly traded company based in Helsinki, Finland. It was established in 1995 by Tatu Ylönen, the inventor of the Secure Shell (SSH) protocol, one of the most popular network encryption protocols and the de-facto standard for remote administrative access and secure file transfers.
The company develops a number of products around the SSH protocol, including Tectia SSH - a multiplatform SSH client/server solution, CryptoAuditor for monitoring and managing privileged user activities, as well as the Universal SSH Key Manager, which is covered in this review. Currently, SSH Communications Security has a team of around 110 employees led by Tatu Ylönen and over 3000 customers around the world.
Despite being over 20 years old, the SSH protocol is still one of the most commonly used methods for both network encryption and secure user authentication. Every Unix and Linux server, many types of mainframes and the majority of embedded devices include an SSH server as a standard component. Most workstations either come equipped with an SSH client or can easily have one installed, making it one of the most widely available tools for IT professionals. In almost every organization, SSH is used daily to access remote systems, run automated processes or transfer data over the network. SSH keys play a crucial role in these processes, providing a stronger and more convenient alternative to passwords.
Unfortunately, as opposed to traditional public key infrastructure, SSH does not define a central authority for generating, distributing and revoking keys, and most organizations leave these functions to end users. Over time, this has led to uncontrolled proliferation of keys spread across a large number of servers, devices and workstations, which makes it increasingly difficult to keep track of them, control who has access to which systems and revoke previously granted access rights.
Traditional enterprise Identity and Access Management solutions usually do not provide governance controls over SSH keys, leading to various security risks such as the inability to enforce access controls on existing keys, prevent their uncontrolled reuse or detect and revoke weak or compromised keys. Naturally, this exposes companies to potential hacking attacks, insider threats and compliance violations.
Manually managing thousands or even millions of SSH keys is not an option even for the largest companies with dedicated IT teams. Additionally, there is always a risk of disrupting a critical business process by accidentally revoking the wrong key. An automated Enterprise Key Management solution is therefore a must for every enterprise, not just those where such solutions are already mandated by compliance regulations.
SSH Communications Security is offering a solution for this massive challenge with their Universal SSH Key Manager - a centralized, automated, non-disruptive solution for discovering, monitoring and managing the whole corporate SSH key infrastructure. Additionally, the product provides a self-service portal for users and a set of APIs for integration with existing IAM systems. Although not a complete Enterprise Key Management system in a strict sense, Universal SSH Key Manager provides a feature-complete solution for SSH key infrastructure management, which can greatly reduce administration effort, improve protection against external and internal threats and resolve many compliance issues.