Phone Number +1-202-802-9399 (US)

Thycotic is now Delinea!

The Lockdown

Thycotic’s Cyber Security Blog

The Top 5 PAM Tasks IT Teams Must Automate Part 4: SSH Key Management

Written by Jordan True

July 5th, 2017

Automating SSH Key Management: Management of SSH keys can be tough, especially if best practices require the keys to be updated periodically, or when someone who possesses some of the keys leaves the company. Manual management is a daunting task, yet many SSH key management tools are limited in their capabilities.

In this 5-part Thycotic educational series, we focus on five areas of Privileged Account Management where automation can be utilized to not only reduce the amount of work typically associated with certain IT tasks, but also to significantly improve the security posture of your organization:

Part 1: Account Discovery
Part 2: Changing Network Passwords
Part 3: Team Password Sharing
You’re reading: Part 4: SSH Key Management
Part 5: Compliance Reporting

Why automate at all? With data centers constantly expanding across multiple geographic locations, IT teams are increasing the physical and virtual servers they have to manage. Yet the resources that enable them to accomplish required tasks rarely keep pace with their demands. So it’s not surprising that automating repetitive, rote tasks is a key component of success for any IT Operations group. There are areas where automation efforts are often overlooked, especially for managing the accounts IT teams use every day: non-human privileged accounts and service/application accounts.

Why Automate SSH Key Management?

If your organization has moved beyond simple user name and password schemes for accessing Unix and Linux systems, and relies on SSH keys to allow access, then you have greatly increased your overall security posture.

However, the management of these keys can be a very difficult process, especially if best practices require those keys to be updated periodically, or when someone who possesses some of those keys changes positions or leaves the organization. Public Key Infrastructure (PKI) schemes, such as those used to generate SSH keys, may help assure better security, but they can be difficult to maintain because of the encryption mechanisms involved.

While there are a number of tools that can perform this sort of automation, many of these tools are limited to only rotating and updating keys on the target systems. This does not allow for assignment to teams, solid audit trails or other basic management functions which create true operational efficiencies.

Manually updating SSH keys on Unix / Linux systems within an environment can be a daunting task as the number of systems increasesWhile it is possible to manually update SSH keys on Unix/Linux systems within an environment, this can be a daunting task as the number of systems increases. Consider the example of a network with 50 Unix systems, all of them needing access to the others.

The key pairings that are being passed around require 50 unique private keys (one on each system), and the assignment of each of the matching public keys to be placed on every other system. That’s nearly 2,500 instances of public keys that would have to be updated, if ever those private keys were updated themselves. Adding more systems only adds exponential complexity of the problem.

Fortunately, enterprise-level software such as Thycotic Secret Server provides robust API capabilities that can link home-grown SSH key generators (a common occurrence in many organizations), or other SSH key creation tools, to a formal account management system and harness the automation efficiencies of both tools.

This enables SSH key rotation to occur on a more frequent basis, with little to no impact to the IT Operations team members while at the same time linking up with role-based access control and policy enforcement that seamlessly provides access to the appropriate employees.

SSH Key Management feature in Thycotic Secret Server:

Already securing privileged account access for more than 10,000 organizations worldwide, including Fortune 500 enterprises; Thycotic Secret Server is simply your best value for PAM protection.



IT Admins: Our collection of free IT tools makes your life easy and your organization safer!