Skip to main content
banner image
venafi logo

What Are Ephemeral Certificates and How Do They Work?

What Are Ephemeral Certificates and How Do They Work?

what-are-ephemeral-certificates-for-machine-identities
March 1, 2021 | Anastasios Arampatzis

Businesses are moving away from insecure passwords to authenticate employees and customers accessing their resources. Passwordless mechanisms, such as certificate-based tokens, are being employed to establish strong authentication and to support remote work trends.

However, not all solutions are fit for every scenario. Privileged access management (PAM) practices need to be rethought to adapt to the changing environment. How can organizations ensure verified and authenticated access to critical infrastructures? Is it time we adopted ephemeral certificates?

Traditional PAM credentials are not adequate for modern businesses

Using traditional PAM solutions enterprises grant access per user and per server or system. In modern business environments, with organizations opting for new operational models and adopting digital transformation and emerging technologies, the number of privileged credentials has skyrocketed. Provisioning, maintaining visibility and tracking these high value credentials has become more complex as a larger and more diverse group of people require access to critical assets, such as network infrastructure, software production environments, credit card data or health records. As a result, it is easy for organizations to lose track of who has access to what. 

The type of access these users require depends on their roles and responsibilities: from least privileged to highly privileged root access. Their access needs are ad-hoc and often for a short time span. In the cases of machine-to-machine connections, it is possible that the access is required for only a few milliseconds.

The problem is that these privileged credentials are permanent and are not adequate for cloud services and ephemeral containers. Weak management of these credentials can result in these credentials being stolen, forgotten, or duplicated. Ephemeral certificates can be the solution to this problem and ensure that privileged access is granted, changed, tracked, managed, and revoked properly.

What are ephemeral certificates?

Ephemeral certificates are short-lived access credentials that are valid for as long as they are required to authenticate and authorize privileged connections. In an authorization mechanism based on ephemeral certificates, the critical target systems are accessed without using permanent access credentials, explicit access revocation or traditional key management.

How do ephemeral certificates work?

Ephemeral certificates are automatically issued as needed from a Certificate Authority (CA); hence users are not required to manually input their credentials when accessing critical systems. The Certificate Authority controls access to the target system based on user roles and associated access rules which are generated according to security policies and access requirements. The Certificate Authority fetches the access rules from an identity and access management system and uses them to determine proper authentication. This system alleviates setting up access for each individual user and enables streamlined updates to groups of users.

Once the user’s session is terminated, the certificates disappear automatically. Each session is based on established and robust encryption technologies, like SSH protocol or RDP. The access is also called “credentialess”, since on establishing the connection the user does not handle access credentials at all.

To support and establish “credentialess” access, the target systems must be configured in advance. The system configuration is static, and it needs to be done only once when the servers are initially provisioned. The configurations that allow “credentialess” access are like templates that serve a function. While multi-cloud instances, such as Amazon Web Services, Microsoft Azure, or Google Cloud can be scaled up and down, the templates will remain immune to the changes and continue to provide access as per purpose.

Benefits of ephemeral certificates

Ephemeral certificates are a more secure solution than permanent access credentials because of their ephemeral nature. They automatically expire, usually within a few minutes, which reduces the burden for managing credentials which are no longer required. In addition, security teams do not have to worry about revoking those credentials if the users rotate and their roles change.

Because the ephemeral certificates are deleted automatically, there are no credentials to steal or compromise. As a result, ephemeral certificates reduce the number of potential entry points an attacker could exploit, as well as the attack surface, minimizing the risk of a breach. When the ephemeral credentials are generated, they are not stored on any system. Therefore, the use of ephemeral access credentials helps protect privacy since no user-specific access information is stored in any system.

Since ephemeral access credentials are created automatically and on-demand when each session is initiated, there is no manual work required to enroll them. Role changes can be applied in real-time because the ephemeral certificates are recreated for each access request. This approach enables the implementation of zero trust policies and practices, since every session is authenticated and authorized upon opening the connection without anyone having a “pass par tout” certificate. Strong authentication is coupled with strong accountability since every session is recorded for auditing.

Finally, ephemeral certificates are ideal in a DevOps environment and enable developers to focus on producing and testing code, instead of managing or waiting for access. At the same time, they are an enabler of security, since they are easier and more time-efficient to manage.

Conclusion

Back in 2018, Scott Helme had mentioned that he would much rather see a push towards ephemeral keys than static keys wherever possible.” The use of ephemeral certificates is a win-win case for organizations: enhanced security and reduced management complexity. With many use cases to benefit from, organizations need to revisit their privileged access practices and think seriously where they will profit from a move towards ephemeral certificates.

 

Related Posts

Like this blog? We think you will love this.
image representing big data
Featured Blog

Le chiffrement homomorphe : Définition et utilisation

Qu'est-ce que le chiffrement homomorphe ? Le

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more