Let’s Talk About Digital Identity with Miikka Sainio, CTO, and Rami Raulas, Vice President EMEA, at SSH.com.
In episode 31, Oscar talks to Miikka and Rami about expanding identity beyond IAM and CIAM to Privileged Access Management. Listen for: what exactly Privileged Access Management (PAM) is; PAM benefits and use cases; the complexity and challenges with cloud, hybrid, and multi-cloud environments; ephemeral certificates; the principle and application of zero trust; and SSH’s PAM product – PrivX.
[Scroll down for transcript]
“Ideally you want to have a single pane of glass through which you control access to your whole estate.”
Miikka Sainio is CTO at SSH.com. He has been successfully building services and products for over 20 years as a coder, architect and product owner. Find Miikka on LinkedIn.
Rami Raulas is Vice President EMEA at SSH.com. He has a wealth of experience in IT, working at Fujitsu prior to joining SSH. His specialist area is in building successful customer experiences. Find Rami on LinkedIn.
SSH.COM (SSH Communications Security Oy) is an encryption specialist for safe data communications and a pioneer in data and internet security since its incarnation, when founder Tatu Ylönen invented the SSH Secure Shell Protocol in 1995. It is a global company with headquarters in Helsinki, Finland.
Or subscribe with your favorite app by using the address below
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thanks for joining today. Now, the organisations and the projects in the organisations are getting more and more complex, there is more complexity in these environments and there is a topic that is completely linked to that: it’s Privileged Access Management. So, we are going to hear from experts in this matter from the company called SSH.com. We have today two guests. They are Miikka Sainio. He’s CTO at SSH.com. He’s been building beautiful services and products for over 20 years as a coder, architect and product owner.
And our second guest is Rami Raulas. He is Vice President EMEA at SSH.com. He has long experience in IT from Fujitsu before SSH. His special area is in successful customer experiences. Hello Miikka. Hello Rami.
Miikka Sainio: Hello, nice to be here.
Rami Raulas: Hi, Oscar. Pleased to join.
Oscar: Yeah, very welcome and it’s nice talking with you and great to talk after some time from some company in Finland here where we are, so it’s great to hear. Let’s see what SSH, a Finnish company, is having for solving these very complicated problems for some organisations. We’ll hear more. But I would like to hear now a bit more about yourselves. So please could you tell me, each of you, what was your journey to this world of digital identity?
Miikka: For me, it goes way back. So, I’ve been in IT for over 20 years now and even before that in the ‘90s, I used to run dial-in bulletin board systems which of course already had user accounts and user identities, which you logged in to the systems. And from those I graduated to different textual multi-user online games, again with accounts and so forth. And from that to our first start-up and building social web experiences. So, building and having a digital identity has always been a part of who I am as long as I can remember.
Rami: Yeah, and for me, I’ve been working with the identity and authentication actually with different technologies like biometrics and user certificates or tokens. I’ve actually been putting, in the early ‘90s so a long time ago, smartcard readers and biometric readers into laptops. But now, the focus of course from our side is less so on the identification and authentication of the user. It’s more on using that authentication and authorisation then for managing critical access. But the authentication and identity proof behind that is critical, because you have to have a footprint of who has access to what, who is doing what on an individual level.
Oscar: Yeah. So, both of you have a long experience in identity so I’m sure you have great story to tell today. So, I would like to start with the connection between what Ubisecure is doing, IAM, CIAM and what we are discussing today. So let’s start with that. So, how to expand identity beyond IAM and CIAM for better governance?
Miikka: Well, I think Identity Management alone, even though it’s an important part, it’s only a part of the equation. With IAM, you kind of identify the users, but after identification, you also have to control what those identified users can do throughout your estate. So, ideally you want to be as granular as possible and only grant access just in time, audit the access and also set context limitations for the access. So, allowing access from specific network sources or at specific times and so forth.
Rami: So, effectively, IAM or Customer IAM are really the source which Privileged Access Management uses then to federate not only the identity but also the entitlement or authorisation. And as much as a least privilege, just in time basis as possible. So not leaving standing authorisations or, even worse, standing credentials like passwords or keys, lying around especially in the cloud environment which would be quite detrimental for security.
Oscar: Yeah, definitely. So, what is Privileged Access Management?
Miikka: Privileged Access Management is a methodology which basically allows organisations to audit access to critical resources. The resources can be physical computers, they can be virtual machines, hypervisors, databases, container orchestration tools, routers, firewalls, applications and I mean even kind of organisation’s social media accounts can be considered to be within that scope. And usually, PAMS or Privileged Access Management Solutions are implemented either on-demand identity federation or via password vault in which case you don’t really get an audit trail what happens in the target. Or, through proxy or bastion architecture audited and more controlled ephemeral access.
Oscar: Yeah, quite interesting what you said, that even social media is considered there.
Miikka: Yeah, I think that even social media accounts for a company are critical resources in a sense that how companies communicate and express themselves through social media channels and who does it and how it’s done, it’s part of the scope.
Rami: And how it’s controlled because you can do a lot of damage with misuse or intentional bad usage. Not only for IPR issues like stealing productive allotment data or customer data from CRM environments for instance. But it’s more and more social media accounts are the visibility of companies globally so really an important asset in a way.
Oscar: Yes, exactly, exactly. Social media as you say can damage the reputation of a company and that’s true. When I had the idea of Privileged Access Management it was more like what the big part is I think the critical systems et cetera, and someone accessing from outside. And in the case actually of social media, it’s true someone can hack the account that can damage definitely, that will be the reason to do that. But also, someone from inside who should not be let’s say tweeting on behalf of the company, the wrong person having that access can also cause big damage.
Miikka: And perhaps that can be even expanded to tools like Salesforce or HubSpot or whatever CRM systems you have in place. So, if this company wide web application users use to communicate with the either customers or the audience, public audience as a whole, I think that also needs to be controlled to some degree.
Rami: Yeah, so it’s much wider topic than just outsider hacks, you know malware and hacks and insider threats, you know insider stealing data for commercial purpose. Or fired people doing damage because they are bitter towards the company. I mean this will be the typical fear on certain projects to Privileged Access Management. But it’s more of a governance issue, how do you make sure that right people have right access and you have governance and control and auditing on that.
Oscar: Yeah, I can see. Tell us now a bit of the complexity of these environments, some challenges that you have identified, identity challenges that are in cloud, hybrid and multi-cloud environments.
Miikka: Well, I have an on-off start-up career going back 20 years. So I tend to work in a start-up, then the larger company and then back at the start-up. And especially now when the kind of the de facto way of building new services is really cloud service providers – usually hyper cloud service providers – I have seen that the standing privileges are really a significant problem. So with standing privileges here I mean like having SSH private keys, or cloud service provider access keys, which are given and granted to users, but never cleaned up.
Miikka: In some cases, these keys or access tokens may even end up to code repositories in which case there has been quite a few public cases and I think the most famous one was the Uber case in 2017, in which they basically there was three access credentials to a code repository and leaked customer information and driver information.
In other large companies, the problem kind of applies to subcontractor or maintenance temporary access, where you really don’t want to add these contractors or temporary people to your company IAM but would rather grant them temporary automatically expiring access rights to very specific resources. And ideally you want to also be able to set context limitation to that access so that the traffic or the access comes from specific IP ranges at specific times and so forth. And again, it should expire automatically.
And recently, in many of the companies we’ve talked to, the large problem they have seen is that, and it has also been identified by analysts like Gartner, that large companies often want to reduce their reliance to a single cloud provider, be that Amazon, Azure or Google. They want to have a multi-cloud strategy or even a hybrid strategy in which they have computer uploads and data assets in public and private clouds or even on-premise hosts. So, controlling access through that whole hybrid multi-cloud environment is a problem.
So, within the kind of the vertical or within the CSP, they offer a number of tools for creating restrictive uncontrolled access through their IAM solutions. But they are very much islands, so if you do the configuration in Amazon you need to replicate the same configuration in Azure and Google cloud and often the kind of structure of the IAM and the nomenclature and the properties are different. So basically, you need to know all of those domains to be able to create an effective IAM strategy and keep it up to date.
Rami: And manage the authorisations and access for same individual differently in different environments. I just had a discussion with a cloud service provider selling services and providing services for Google, Azure and AWS. And they said that even though, yeah, for sure the IAM environment and it’s all good but they don’t talk to each other. So you kind of need a gatekeeper or a front-end access manager in front of everything to be able to centralise it well.
Oscar: Yeah, I see the complexity and there are reasons to make it complex as you have mentioned. Sometimes the organisations want have some independence from these big cloud providers such as you say Amazon, Azure and they want to have a hybrid or the other, the competitor, some other environment – so there are reasons to be complex, valid reasons. So, as things get complex, how do we simplify? How do we simplify access management to this critical infrastructure?
Miikka: I think I kind of alluded to this already in the previous answer. So ideally, you want to have a single pane of glass through which you control access to a whole estate. So, the challenge is often that you have a number of different systems, different access methods you need to control. Some you can do via ephemeral certificates like SSH or RDP access, some you need to do using public key authentication or you even may have to do some through stored credentials or password vaulting. But since using ephemeral certificates is the best way since the end-user never gains access to permanent kind of secret access target with, we promote that for SSH and we want desktop access and that way you don’t even need to worry about the password rotation.
Oscar: And what’s ephemeral certificates?
Miikka: Ephemeral certificates are a mechanism to authenticate connections to target hosts using short-lived authentication tokens. So, the target hosts can be SSH hosts or Windows domains that have been configured to trust the PrivX certificate authority and PrivX gives or creates short-lived and otherwise restricted certificates to PrivX proxy or bastion components with which connections to the target hosts are authenticated. And traditionally, these certificates are valid for five minutes or less.
And for interactive users like the end users, actual people using the target systems, this would also mean having a single web portal or an access point into which you authenticate with your company credentials or with your IAM credentials, and get taken to a user interface which automatically lists all the infrastructure you are entitled to based on your reference.
Rami: So it effectively becomes like a single sign-on portal towards critical data applications and resources, infrastructure resources.
Miikka: Even though the privileged access landscape is quite difficult, it doesn’t have to be hard. But solutions can be easy to deploy, they can be easy to configure for admins and they should be easy to use for end users. And what we at least try to do is that we make the product so easy to use that the actual end user workforce are more convenient using the PAM solution than being without.
Rami: And then if that’s the user approach, it’s actually making the user more productive than less productive. The security normally means burden.
Rami: Complexity, so we try to make it simpler. So especially if you have a lot of targets or lots of application to go to- you know. There is a problem of having to remember a lot of details.
Miikka: If a PAM solution adds complexity or friction, people tend to try to look for ways to go around it.
Rami: The other aspect to simplification of Privileged Access Management is of course to have a modern infrastructure environment like what we have done with our solution, so that you’ll fully utilise the especially native cloud deployment models and infrastructure as code and automatic deployments and auto scaling and auto discovery so that there’s much less work to maintain and keep systems up and running. And when people come and go, you don’t need to configure everything on the target site so that adds to automation.
Oscar: Yeah, one detail is that came to my mind as you were describing this is that in an organisation that is using a tool like yours, a Privileged Access Management solution, means that the majority of employees, majority of users are going to use the user interface side of the Privileged Access Management or is it a portion of the employees?
Rami: Yeah, I think you can layer users. Of course, you have the critical users which would be systems administrators, network administrators, database administrators. Data application developers, you know DevOps developers, and then what I would say power users or power administrators, like social media account managers and CRM managers stuff like that. So those are the kind of definitely they need to be more governed, and their access should be controlled in a more just in time manner and kind of correct privilege manner rather than all doors open. I mean you don’t want to put the VPN for externals and let them go everywhere. You want to control just for the time and for those sources that they really need to work on qnd then automatically revoke it.
There’s an element of end kind of user and so I think typically Privileged Access Management solutions are for this kind of people. But we’ll be extending our solution as well so that such a platform can be used also for as a single sign-on for a worker or an automator, for accessing webpage application. So I think the PAM solutions will expand into that direction moving forward.
Oscar: Yeah, I can see. Yeah, yeah, now I know I think it’s clear the idea that besides the technical, people who need the privileged access, so some business, nontechnical people like social media you said, CRM and sales people or customer service people, some of them need but of course not the whole organisation.
- Another trend that I hear about access governance is talking about Zero Trust for instance, zero standing privileges and passwordless, what’s your take on all these?
Miikka: It’s all converging on a single theme I think that users should not be trusted and I don’t mean that users couldn’t be, but you need to make sure that kind of that a compromised work station for a forgotten credential for an account doesn’t compromise your security perimeter. And all of the terms mentioned just mean that there should be no standing privileges, access should be granted through ephemeral certificate or both the credentials via bastions or proxies which can audit the connections and create alerts as needed and even terminate connections when they kind of detect abnormal usage.
Rami: Yeah, I mean standing credentials like passwords, you know two-thirds of people borrow their passwords to colleagues, so I think that is a security issue definitely. So why keep such burden alive? Automate it, take that issue away. Then for Zero Trust, it’s kind of an overhype term everybody in this industry is talking about Zero Trust, I mean the network device manufacturers you know the firewall vendors and others, they said that access management should be done on network level with Zero Trust. I mean that’s a really complicated approach. So we see it more as a layered approach, for just in time access is that you have some elements of that on the network access level but most of the logic is governed on a Privileged Access Management level in terms of kind of application logic level rather than network level logic.
Miikka: Yeah. I think the basic idea is that the user or the source – be that user or the host – doesn’t have the credentials in their possession to act directly access the target hosts. And that’s it.
Oscar: Yeah, this ephemeral or time-limited access, privileged access. Yeah, that comes to my mind for instance now, you mentioned social media earlier so in events for instance, in events you say, “OK, Oscar, you have to tweet for this event.” Yeah, so typically if that happens, well without privileged access management there is no layers in Twitter for instance, so you have to give me the user and the password and until the one who gave me that access will change the passwords also. How that happens for instance with Privileged Access Management?
Miikka: So, with Privileged Access Management, if you kind of take for example that social media use case, how we could solve that with PrivX is that there would be a shared account on the social media platform which is accessed through our products web access interface. And the access goes so that the user logs in to our solution, clicks on target host, gets taken to the Twitter experience and is automatically logged in to the platform. The user himself never gains the password but the password is automatically filled to the Twitter login dialogues and so forth. So, it’s all automatic and nobody knows the password, it can be configured by programmatically or it can be configured by the super admin or whatever person.
Oscar: Yeah. That absolutely solves that potential problem that yeah, I keep access to the company social media account more than needed, yes.
Rami: There’s one more aspect to add here as well which we have implemented in the solution is that people typically are a bit afraid or not familiar to use shared accounts because typically shared accounts means that you don’t know who used the account or who did what. But in a modern access management environment, you always have those four steps. You identify the user so you have the user ID. You have the authentication of the user, authorisation of the user, entitlement of the user. Then you know what role that user used and you know what was the end application or end account that was used. So even when you have a shared account and people of course who use that shared account don’t know the secrets.
PrivX either creates a temporary ephemeral certificate for the access which is no longer valid after use. Or, if it’s a stored credential like a password, the user never sees it. But in the aftermath and audit trails and visibility after the session, there’s always visibility who was the individual who used this common role and shared account. So that visibility is always embedded in the audit trails and alerting and reporting and recordings.
Oscar: Now, moving into also more than the technical benefits, how Privileged Access Management can mitigate business risks? There are also some benefits like financial or operational benefits with Privileged Access Management?
Rami: Yeah, I think that’s a very valid question. I think typically you know if you think from a CFO point of view, risk management is a big topic and IT is definitely part of that and cyber security is an element within that. So, it’s definitely risk management topic. So, I would say that for the financial aspect of Privileged Access Management there are two aspects. One is of course the risk management. So, you know you don’t want your product development IPR data be stolen so that somebody can setup a competitive company to do. So, we have an example here in Finland with Nokian Renkaat and Black Donuts in Russia where it was too easy to establish an operation by misusing product developmental IPR data.
And you have others, you know it wouldn’t be too nice for somebody to change the payroll accounts from our own accounts to their account for monthly salaries payments and these are kind of the misuses of critical data that have been taking place. So, they of course can be prevented or mitigated by having a proper IAM and Privileged Access Management combination in place. And then the other financial impact is then more kind of the return of investment, you know why would a solution that by default sounds complicated, how on earth could that actually productivity or increase productivity? But they are totally different topics in the financial sense, of course.
Oscar: Yes. So yeah, it’s important to convince the financial decision makers about the importance of tools like this.
Oscar: So, what makes PrivX, your approach, unique?
Miikka: PrivX, three years ago, we started building a lean mean, easily deployable and agile PAM. So, there are kind of the traditional PAM solutions so far had been and still are kind of mammoths in a sense that they are quite big task to deploy and taken into use…
Rami: Sorry, Miikka. One customer who migrated over from a traditional kind of legacy password vault solution, password rotation solution, told that they wanted to get rid of their monster infra into something cleaner. I think that was quite on the spot so to speak.
Miikka: Yeah, was it the guy who said that he hates it with the power of 10 000 suns, or something like that? So, one of the founding principles around which we built the product was the ephemeral certificate authentication or SSH. And that worked out really well and so we built a similar system for Windows, so it’s basically we have a virtual smartcard authentication to Windows domains. And usually the kind of the end user experience for both admin and normal users in solutions like these is somewhat lacking because it’s really not the focus. The focus is to make things secure and the user experience is the secondary factor or driver.
And for PrivX, we really have spent quite a lot of time to make the web experience as polished and beautiful as possible. So, that there’s as little friction as possible for people to make their daily tasks. It shouldn’t be any more difficult than using- if there wasn’t the PAM and actually should be easier with the PAM because it’s, as I said earlier, it kind of gives you your access targets directly on a single pane of glass when you login to PrivX.
Rami: Also since the incarnation of early days of Privileged Access Management, PAM solutions, 15 years ago when they first came to market, the world has also changed. I mean we’re now in the world of at least hybrid if not cloud environment and application logic is no longer command line approaches or web-based browser application based. So, we needed to adjust or build a solution around that rather than the old approach of on-premise and legacy protocols. Of course, we support them as well. But the building principle is kind of modern way of building and using systems and applications.
Oscar: So, for instance the user interface is web-based.
Oscar: Correct. Yeah, excellent that you have not only built a robust system for this but also focus a lot on the user experience because definitely that’s also critical.
Rami: Yeah, there was one also interesting aspect that came around a couple of years ago when we – of course, critical element of Privileged Access Management solution is session control, Privileged Session Management you know how to establish and control the sessions. And part of that typically of course is not only audit trails or sending audit trails and events and alerts to CIAMM and soft services but also to have recordings right. Many people want to have recordings.
And we’ve always kind of thought that recordings are for auditing purposes to audit those only. But actually, the bigger use is for e-learning. People configure like a network device once a year, they don’t remember what was done. OK, now you have a recording for it or training newcomers to that operational environment. They can see how things are done from the recording. So, there are other use and productivity elements than the interface itself also that we didn’t think about some years ago but now they have become very prevalent with customer cases.
Miikka: Yeah, and I must say we have done the auditing of the trails for connections quite a lot better than some of our competitors because we actually store actual protocol streams for access. So there’s no kind of lossy video or anything like that involved. It’s all basically the protocol that goes between the target and our proxies and that can be claimed back.
Oscar: Yeah, that sounds definitely super powerful. What have your customers after using your product been telling this is what we really like or what’s powerful about that?
Rami: Yeah, two aspects. One is the kind of ease of taking this into use. We have one bank in the middle of Africa of all places and they deployed this over weekend and started using it on Monday. I mean I have never heard of an IT project in that speed of deployment. Normally, it’s days, weeks, months or years. And that’s also that kind of quick deployment. Of course, you have to have your IGA and IAM infrastructure in place, you know who should have access to what and cover all role-based access thought through. But if that is in place then the deployment can be really swift especially in cloud environments. And then more and more of course services like this are already being offered as a- a-service structure. Then the deployment is clicking a button and starting to configure and starting to use without having to even install anything. So that’s one.
The other is the user productivity, so people are saying that their users don’t hate the PAM, which they normally did earlier. And don’t try to find the ways to bypass it, it actually makes connections very quickly, it’s very intuitive and so it kind of helps them in their daily work. And customers all say, that’s unique. They never have that experience earlier. Normally, cyber security and securities are hindrance, a problem for people to deal with. So, at least we’ve be spending a lot of effort in trying to make it understandable and easy to use even for intelligent and complicated people.
Miikka: Yeah, and even for technical people like admins and others, the way they have implemented the SSH and RDP clients within the browser, they have been quite impressed on the quality and the usability of the clients so that has been good. And for deploying PrivX we even provide a tool link to deploy PrivX to for example Amazon using Cloud Development Kit or CDK infrastructure’s code. And the whole deployment, running the PrivX deployment takes like 10 to 15 minutes and the longest time there is the kind of when Amazon provisions the actual database instance for you. So it takes basically from downloading the CDK script and running it and having a running PrivX installation is 15 minutes.
Oscar: OK. Excellent. The last thing I would like to ask you is for both of you, if you can give us a tip, a practical advice for anybody to protect our digital identities?
Miikka: Yeah, this might be kind of self-evident but use a password manager, either the operating system password manager or browser’s password manager or a stand-alone version. And I have a pet peeve with services who force you to create a password with numbers, capital letters, your mother’s maiden name and special characters because that’s what most end up – because when that happens, most users just end up doing trivial characters substitutions or running numbers in the password.
Rami: Or using the same one in all services.
Miikka: Yeah. It would be so much better if you just were able to have nonsensical sentence as the password because the entropy would be so much greater. And I think you also need to understand your personal security perimeter. So, if a service you are signed up in gets hacked and your password leaks, or some other leak, how does that hack propagate from that? Can they access your email account and if they can, does it mean that they can access your bank accounts and can get a hold of your credit card details? So, it would be wise to segment the services you use to trusted and untrusted entities and use different accounts on those. And like Rami just said, never share passwords between services. And always also try to use multifactor authentication whenever possible either through one-time password applications, SMS or one device applications or whatever.
Rami: Yeah, then of course, it makes logical sense to add for instance biometrics, you know palm readers or others. And we have places in government environment in the US and especially here in Finland which seemed to be more advanced, but also in other countries, also using a user device like a smartcard. Smartcard with a pin code and with a stored credential which means a certificate, a user certificate. So users don’t even have to remember, don’t need to play with passwords anymore. They are identified differently.
Oscar: Well, excellent. Thanks for your advice. Very, very helpful and it was great talking with you learning more about Privileged Access Management and how SSH.com is mitigating this problem with a really solid product. So please let us know how people can be getting in touch with you or learning more about your work.
Rami: Yeah, the easiest way of course is to go to SSH.com on the webpage. For PrivX, the lean, modern, just in time access, Privileged Access Management solution, the hidden secret place for that is help.ssh.com which has much more technical details and deployment guidelines. We have interesting blogs as well, they are found on blog.ssh.com and then of course, you can always approach us [email protected], via email as well. Or other social media accounts we are present obviously in all the social media environments as well.
Oscar: Well great. Again, thanks a lot Rami and Miikka for this conversation and all the best.
Miikka: Thank you.
Rami: Thank you, Oscar.
Oscar: Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]