NetBridge Zero Trust SSH Key Management Whitepaper
Securing Infrastructure Access with Zero Trust SSH Key Management
Executive Summary
In today's complex security landscape, organizations face unprecedented challenges in managing and securing access to critical infrastructure. SSH keys, while essential for secure system access, often become unmanaged security liabilities that bypass traditional access controls and create significant compliance gaps.
NetBridge represents a paradigm shift in SSH key management, offering a Zero Trust approach that addresses the inherent risks of unmanaged keys while providing the automation, visibility, and control that modern security frameworks demand.
Key Challenges in SSH Key Management
- Proliferation of unmanaged keys across environments
- Keys without ownership, expiration, or proper controls
- Bypassing of existing PAM solutions
- Transitive trust relationships enabling lateral movement
- Compliance and audit failures
- Machine-to-machine connections without proper oversight
The Hidden SSH Key Problem
Most organizations are unaware of the scale of their SSH key problem. Our research shows:
- Large enterprises typically have 10x more SSH keys than passwords
- Only 20% of keys are managed by traditional PAM solutions
- 45% of production keys lack proper ownership documentation
- 70% of organizations have no automated key rotation process
- 65% of organizations have failed audits due to unmanaged SSH keys
NETBRIDGE POLICY COMPLIANCE
7 Policies • 40 Servers
┌─ POLICY COMPLIANCE SUMMARY ──────────────────────────────────────────────────┐
│                                                                              │
│   StrongKeyEncryption    [████████░░]   89.5%  (Policy ID: 101)              │
│   90DayKeyRotation       [█████████░]   92.3%  (Policy ID: 102)              │
│   NoRootKeyAccess        [██████████]  100.0%  (Policy ID: 103)              │
│   JustInTimeAccess       [███████░░░]   75.0%  (Policy ID: 104)              │
│   RequireMFA             [█████░░░░░]   50.0%  (Policy ID: 106)              │
│   DevOpsKeyPolicy        [██████████]  100.0%  (Policy ID: 201)              │
│   RestrictedAccessHours  [██████████]  100.0%  (Policy ID: 107)              │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
┌─ NON-COMPLIANT ITEMS ────────────────────────────────────────────────────────┐
│                                                                              │
│   1. Key ID 301 (mjohnson-laptop): No passphrase protection                  │
│      Violates: StrongKeyEncryption (Policy ID: 101)                          │
│                                                                              │
│   2. Key ID 303 (webdeploy-key): No passphrase protection                    │
│      Violates: StrongKeyEncryption (Policy ID: 101)                          │
│                                                                              │
│   3. Key ID 301 (mjohnson-laptop): Using weaker RSA-2048 encryption          │
│      Violates: StrongKeyEncryption (Policy ID: 101)                          │
│                                                                              │
│   4. Server ID 3 (db01.lan): JIT access policy violations detected           │
│      Violates: JustInTimeAccess (Policy ID: 104)                             │
│                                                                              │
│   5. Server ID 4 (db02.lan): No MFA setup despite policy requirement         │
│      Violates: RequireMFA (Policy ID: 106)                                   │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
┌─ SUGGESTED REMEDIATION ──────────────────────────────────────────────────────┐
│                                                                              │
│   1-3. Rotate non-compliant keys:                                            │
│        netbridge-cli key rotate 301                                          │
│        netbridge-cli key rotate 303                                          │
│                                                                              │
│   4. Configure JIT access on db01.lan:                                       │
│      netbridge-cli server policy configure 3 104                             │
│                                                                              │
│   5. Enable MFA on db02.lan:                                                 │
│      netbridge-cli server mfa enable 4                                       │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
Commands: [D]etails [R]emediate [E]xport Report [B]ack [H]elp [Q]uit
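The checks behind the StrongKeyEncryption, 90DayKeyRotation and NoRootKeyAccess rows above, written as an added example that is not NetBridge code: it parses authorized_keys-style public keys by decoding the SSH wire format to read the RSA modulus size, then reports findings with the dashboard's policy IDs. The 3072-bit RSA threshold, the constructed sample keys and the function names are assumptions; passphrase protection is a private-key property and is not checked here.

```python
import base64
import struct

# Policy IDs as shown on the NetBridge compliance dashboard. The thresholds
# (RSA must be >= 3072 bits, rotate within 90 days) are assumptions.
MIN_RSA_BITS = 3072
MAX_KEY_AGE_DAYS = 90

def _string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """SSH wire-format mpint: one extra byte guarantees a clear sign bit."""
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def make_rsa_pubkey(bits: int, comment: str) -> str:
    """Build a constructed ssh-rsa authorized_keys line (synthetic modulus, not a real key)."""
    n = (1 << (bits - 1)) | 1                     # exactly `bits` bits long
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey(line: str):
    """Return (key_type, bits) from an authorized_keys line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):                        # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if key_type == "ssh-rsa":                     # fields: type, e, n
        return key_type, int.from_bytes(fields[2], "big").bit_length()
    return key_type, len(fields[1]) * 8           # e.g. ssh-ed25519: 32-byte key

def check_key(key_id: int, user: str, line: str, age_days: int) -> list:
    """Apply the three policies; returns (key_id, policy, policy_id, reason) tuples."""
    key_type, bits = parse_pubkey(line)
    findings = []
    if key_type == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append((key_id, "StrongKeyEncryption", 101, f"weaker RSA-{bits}"))
    if age_days > MAX_KEY_AGE_DAYS:
        findings.append((key_id, "90DayKeyRotation", 102, f"not rotated for {age_days} days"))
    if user == "root":
        findings.append((key_id, "NoRootKeyAccess", 103, "key authorizes root login"))
    return findings

if __name__ == "__main__":                        # constructed inventory entry, mirrors key 301
    print(check_key(301, "mjohnson", make_rsa_pubkey(2048, "mjohnson-laptop"), 120))
```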
The NetBridge Zero Trust Solution
NetBridge implements a comprehensive five-step approach to SSH key management:
1. Discover
Scan your environment to discover all SSH access, both automated and interactive, across your IT infrastructure. Identify trust relationships and every policy-violating SSH key, and classify the account types that hold them.
2. Audit
Implement systematic company policies. Monitor and control your environment via centralized SSH key management.
3. Remediate
Remediate your environment by removing keys that are non-compliant, unmanaged, or bypassing your controls.
4. Automate
Automate the full lifecycle of SSH keys and simplify the effort of staying compliant. Ensure all your sessions are audited, logged, and tracked.
5. Migrate
Radically reduce the overhead of managing permanent SSH keys and move to keyless, just-in-time Zero Trust access with short-lived certificates.
Case Studies
Global Financial Institution
Challenge: Internal and external auditors identified gaps in access control due to a lack of visibility into and control over SSH keys. The audit identified PAM bypass and cross-environment trust relationships.
Solution: NetBridge provided visibility into SSH keys and their usage, discovering 1.9 million keys. Policies were created to classify violations, and servers were locked down to prevent users from provisioning and distributing keys. Using bulk key actions, the institution mitigated risk around privileged accounts within 9 months.
Global Retailer
Challenge: The customer was aware that pseudo access was being provisioned using SSH keys, but not of its extent. It had suffered a data breach 6 months earlier and began assessing gaps in access control despite already having a PAM.
Solution: With NetBridge, the customer discovered the "root" user's private and public key present on every machine and identified several other violations among the 800K keys discovered. Using NetBridge, the customer mitigated high-risk keys within 9 months and secured its entire infrastructure within 18 months.
Conclusion
The security of your infrastructure depends on properly managing SSH access. NetBridge provides the comprehensive tools and methodology needed to transform unmanaged SSH keys into a secure, compliant, and automated access control system.
For more information or to schedule a security audit, contact our team at info@netbridge.defrecord.com.