Businesses are moving away from insecure passwords to authenticate employees and customers accessing their resources. Passwordless mechanisms, such as certificate-based tokens, are being employed to establish strong authentication and to support remote work trends.
However, not all solutions are fit for every scenario. Privileged access management (PAM) practices need to be rethought to adapt to the changing environment. How can organizations ensure verified and authenticated access to critical infrastructures? Is it time we adopted ephemeral certificates?
With traditional PAM solutions, enterprises grant access per user and per server or system. In modern business environments, with organizations opting for new operational models and adopting digital transformation and emerging technologies, the number of privileged credentials has skyrocketed. Provisioning, maintaining visibility of, and tracking these high-value credentials has become more complex as a larger and more diverse group of people require access to critical assets, such as network infrastructure, software production environments, credit card data or health records. As a result, it is easy for organizations to lose track of who has access to what.
The type of access these users require depends on their roles and responsibilities: from least privileged to highly privileged root access. Their access needs are ad-hoc and often for a short time span. In the cases of machine-to-machine connections, it is possible that the access is required for only a few milliseconds.
The problem is that these privileged credentials are permanent and are not well suited to cloud services and ephemeral containers. Weak management of these credentials can result in them being stolen, forgotten, or duplicated. Ephemeral certificates can be the solution to this problem and ensure that privileged access is granted, changed, tracked, managed, and revoked properly.
Ephemeral certificates are short-lived access credentials that are valid for as long as they are required to authenticate and authorize privileged connections. In an authorization mechanism based on ephemeral certificates, the critical target systems are accessed without using permanent access credentials, explicit access revocation or traditional key management.
Ephemeral certificates are automatically issued as needed by a Certificate Authority (CA); hence users are not required to manually input their credentials when accessing critical systems. The Certificate Authority controls access to the target system based on user roles and the associated access rules, which are generated according to security policies and access requirements. The Certificate Authority fetches the access rules from an identity and access management system and uses them to decide whether a request is authenticated and authorized. This approach removes the need to set up access for each individual user and enables streamlined updates for groups of users.
Once the user’s session is terminated, the certificates disappear automatically. Each session is based on established and robust encryption technologies, such as the SSH protocol or RDP. The access is also called “credentialess”, since the user does not handle access credentials at all when establishing the connection.
To support and establish “credentialess” access, the target systems must be configured in advance. The system configuration is static, and it needs to be done only once when the servers are initially provisioned. The configurations that allow “credentialess” access act like templates that serve a function. While multi-cloud instances, such as Amazon Web Services, Microsoft Azure, or Google Cloud, can be scaled up and down, the templates remain unaffected by those changes and continue to provide access as intended.
Ephemeral certificates are a more secure solution than permanent access credentials because of their ephemeral nature. They automatically expire, usually within a few minutes, which reduces the burden of managing credentials that are no longer required. In addition, security teams do not have to worry about revoking those credentials when users leave or their roles change.
Because the ephemeral certificates are deleted automatically, there are no credentials to steal or compromise. As a result, ephemeral certificates reduce the number of potential entry points an attacker could exploit, as well as the attack surface, minimizing the risk of a breach. When the ephemeral credentials are generated, they are not stored on any system. Therefore, the use of ephemeral access credentials helps protect privacy since no user-specific access information is stored in any system.
Since ephemeral access credentials are created automatically and on demand when each session is initiated, no manual work is required to enroll them. Role changes can be applied in real time because the ephemeral certificates are recreated for each access request. This approach enables the implementation of zero trust policies and practices, since every session is authenticated and authorized upon opening the connection, without anyone holding a “passe-partout” certificate. Strong authentication is coupled with strong accountability, since every session is recorded for auditing.
Finally, ephemeral certificates are ideal in a DevOps environment and enable developers to focus on producing and testing code instead of managing or waiting for access. At the same time, they are an enabler of security, since they are easier and more time-efficient to manage.
Back in 2018, Scott Helme mentioned that he would “much rather see a push towards ephemeral keys than static keys wherever possible.” The use of ephemeral certificates is a win-win case for organizations: enhanced security and reduced management complexity. With many use cases that stand to benefit, organizations need to revisit their privileged access practices and think seriously about where they will profit from a move towards ephemeral certificates.