Source: http://www.ssh.com/academy/iam/identity-management

What is Identity Management?

Identity and Access Management & SSH Keys

Identity and access management (IAM) is the foundation of information security. IAM addresses the basic need of any organization to be able to reliably identify users, and to be able to control which users get access to which resources.

These two basic controls - identity and access - lay the foundation of security in the corporate environment. Every regulatory system in cybersecurity starts from the requirement to control who has access to which systems and data and having a well-defined process for granting and revoking such access. It is the basis of information security. The rest is mostly just about enforcing this access.

SSH Keys Grant Access

SSH keys are access credentials that are typically used for provisioning operating system-level access to servers for automatic processes, file transfers, and system administrators. The basic idea is to configure a private key on a client machine, and the corresponding public key on a server machine. Possession of the private key grants access to the server. In SSH, this is called public key authentication.

Most existing identity management frameworks focus on access control for normal end users. Service accounts used for running application software generally receive much less attention, yet such accounts can provide much more powerful access.

Many identity and access management projects focus on privileged access, typically meaning access by system administrators to root accounts and service accounts. Privileged access is typically controlled by forcing users to log into a jump server that logs all their access. This is generally achieved by having the passwords for controlled accounts stored in a password vault and changed frequently by an automatic process.

It is common for system administrators to install SSH keys on privileged accounts or root accounts that they regularly use, so that they can bypass going through jump servers. While this may be convenient, it violates policy and compliance, and eliminates accountability.

SSH Keys Can Be Self-Provisioned and Never Expire

SSH keys are special in that they allow self-provisioning and never expire. A user who logs into an account can install new authorized keys that permit that user (or anyone in possession of the key) to log into the account in the future, as long as the authorized key remains configured. This can be combined with port forwarding to allow access to the internal network from the outside and is a very common way for hackers to create backdoors into the corporate network.

It is possible to configure SSH to prevent self-provisioning by moving keys to root-owned locations. This generally involves modifying SSH configuration files to change the location of the authorized_keys files, and is often called lock-down. This is usually one of the first steps in managing SSH keys.
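As an added example (not code from the SSH.com page), the following Python checks an sshd_config for this lock-down: it reads the effective AuthorizedKeysFile value, reports whether any configured path is still writable by the account owner, and checks that a key directory is root-owned. The /etc/ssh/authorized_keys/%u location and the two sample configurations are assumptions constructed for illustration.

```python
# Added example (not from the SSH.com page): check whether an sshd_config
# moves authorized keys out of users' home directories ("lock-down").
# Assumes OpenSSH semantics: the first AuthorizedKeysFile keyword wins,
# relative paths resolve inside the user's home, and no Match blocks are
# present (assumption). The /etc/ssh path in the sample is hypothetical.
import os
import stat

# OpenSSH's built-in default when the keyword is absent.
DEFAULT_AUTHORIZED_KEYS = [".ssh/authorized_keys", ".ssh/authorized_keys2"]


def authorized_keys_paths(config_text):
    """Return the AuthorizedKeysFile tokens sshd would use for this config."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "authorizedkeysfile" and len(parts) == 2:
            return parts[1].split()
    return list(DEFAULT_AUTHORIZED_KEYS)


def is_self_provisionable(token):
    """True if the account owner can write this keys file without root."""
    # A relative path, or one using %h, resolves inside the user's home.
    return not token.startswith("/") or "%h" in token


def directory_is_locked(st_uid, st_mode):
    """True if a keys directory is root-owned and not group/world writable."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_keys_dir(path):
    """Apply directory_is_locked to a real directory on this host."""
    st = os.stat(path)
    return directory_is_locked(st.st_uid, st.st_mode)


def audit(config_text):
    """Return (locked_down, tokens); locked_down is False if any token
    resolves to a file the account owner can write."""
    tokens = authorized_keys_paths(config_text)
    return (not any(is_self_provisionable(t) for t in tokens), tokens)


# Constructed sample configurations.
UNMANAGED_CONFIG = """
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""
LOCKED_DOWN_CONFIG = """
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
"""
```

Moving the path is only half of the lock-down: the directory returned true by check_keys_dir must also be root-owned, otherwise users can still add keys for themselves.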

SSH Keys Are Surprisingly Common

SSH is used for managing routers, server hardware, virtualization platforms, operating systems, and inside systems management and file transfer applications. It is present in every data center and ships by default with every Unix, Linux, and Mac server.

System administrators have been using and installing SSH keys for the last 15-20 years. They were a very technical concept, in the system administration domain, and very few people realized they had access management implications. Even most CISOs weren't aware of SSH keys or grossly underestimated their usage. We still frequently encounter organizations that initially say they don't use SSH, or that they don't use SSH keys, but upon closer examination turn out to use it massively with hundreds of thousands of SSH keys in place.

In large Fortune 500 companies, we generally find anywhere from several hundred thousand to over four million SSH keys. The number is generally 5-200 keys per server, and typically about 5-20 times the number of employees in the organization. The bigger and more complex the information systems, and the more Unix/Linux usage, the bigger the problem with unmanaged SSH keys tends to be.

In many cases, more than 90% of all access credentials are SSH keys. Typically, the identities are existing accounts, but SSH keys can be used to add more access credentials for them. It is analogous to having multiple passwords for each account.

It is typical to find SSH keys granting access from one data center to another, including to disaster recovery data centers. Access from test and development systems into production is very common in unmanaged environments, violates separation of duties, and allows passwordless access to critical systems from systems that are not as well protected. We frequently see access to credit card payment processing environments using SSH keys that cross the PCI boundary in violation of PCI-DSS.
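The self-provisioned, forwarding-capable keys described earlier and the cross-environment access described here both show up when each authorized_keys file is inventoried. As an added example (not code from the SSH.com page), this Python parser reads a constructed authorized_keys file and flags entries that carry no from= source restriction or still permit port forwarding; the sample entries, key blobs and host names are constructed for illustration.

```python
# Added example (not from the SSH.com page): inventory an authorized_keys
# file and flag entries usable as a cross-network backdoor: no "from="
# source restriction, or port forwarding still permitted. Assumes the
# OpenSSH authorized_keys format (options, key type, blob, comment) with
# no escaped quotes inside option values.
import re

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
# One option: a name, optionally ="quoted value"; options are comma-joined.
OPTION = r'[A-Za-z-]+(?:="[^"]*")?'
OPTIONS_THEN_KEY = re.compile(r'(' + OPTION + r'(?:,' + OPTION + r')*)\s+(.*)$')


def option_names(options):
    """Lower-case names of the options in an options field."""
    return [m.group(0).split("=", 1)[0].lower() for m in re.finditer(OPTION, options)]


def parse_entry(line):
    """Return a dict for one key line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        m = OPTIONS_THEN_KEY.match(line)
        if not m:
            return None
        options, line = m.group(1), m.group(2)
    fields = line.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
        return None
    names = option_names(options)
    if "restrict" in names:          # restrict disables forwarding unless re-enabled
        forwarding = "port-forwarding" in names
    else:
        forwarding = "no-port-forwarding" not in names
    return {"type": fields[0], "blob": fields[1],
            "comment": fields[2] if len(fields) == 3 else "",
            "source_restricted": "from" in names,
            "forwarding_allowed": forwarding}


def audit_authorized_keys(text):
    """Return (all parsed entries, entries lacking source or forwarding limits)."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    flagged = [e for e in entries
               if not e["source_restricted"] or e["forwarding_allowed"]]
    return entries, flagged


# Constructed sample file: three entries found on a hypothetical production host.
SAMPLE_AUTHORIZED_KEYS = """
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlob00 admin@dev-box
from="10.20.0.5",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlob01 backup@batch
restrict,port-forwarding,command="/opt/sync" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlob02 sync@test-host
"""
```

Run over every server's files, the per-file entry counts give the keys-per-server figure discussed above, and the flagged list shows which keys reach production from places that should not have standing access.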

Gaping Hole in Identity and Access Management Strategy

IDC published a white paper, "A Gaping Hole in Your Identity and Access Management Strategy", in 2013 on SSH key management, and a Technology Spotlight, "SSH Governance Is Needed to Reduce Risk and Bridge the Trusted Access Gap", in 2016.

NIST published Security of Interactive and Automated Access Management using Secure Shell (NIST IR 7966) in 2015, which provides guidelines for managing SSH keys and maps compliance requirements into the US Government Cybersecurity Framework and NIST SP 800-53.

There is ample evidence of malware and hackers leveraging SSH keys. SSH keys have been used as system level backdoors in attacks that have been made public, and there are likely to have been many attacks that have not been publicized. They can be combined with SSH back-tunneling to get inside corporate networks from the public Internet.

Unmanaged SSH keys expose organizations to grave, even existential risks. The risk is as grave as not managing user accounts and passwords. Given the government and analyst attention and the hundreds of articles written on SSH key management, nobody can claim ignorance anymore.

Compliance Requirements for SSH

Unmanaged SSH keys frequently lead to access that is in violation of the compliance regimes that require controlling who can access what systems and data, segregation of duties, and enforcing boundaries. It is common to see configured key-based access from test and development systems into production environments, access from personal system administrator accounts into critical Oracle database accounts bypassing privileged access controls (e.g., bypassing Cyberark, Powerbroker, Xceedium, or Lieberman installations that are supposed to provide visibility into privileged access) and violating PCI, Sarbanes-Oxley, or NIST 800-53 boundaries.

SSH Key-Based Access to Financial Data Environments

Of particular concern is access into financial data environments in public companies, in violation of Sarbanes-Oxley. Sarbanes-Oxley involves potential civil and criminal penalties for top management. For example, Section 302(a)(4)(B) requires the CEO and CFO to certify that they "have designed internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." A knowing or willful misrepresentation can result in fines of up to $5 million and/or up to 20 years in prison.

If SSH keys allow access to the service accounts holding the databases and applications related to financial systems, financial data may be modified by an attacker to hide evidence of fraud, botched deals, theft, or injection of fraudulent or manipulative data. Clearly, internal controls must reasonably prevent the resulting misrepresentation. Given the ubiquity of SSH keys, it would be reckless not to control SSH key-based access to financial systems.


© Copyright SSH • 2025