SSH is used extensively throughout nearly every IT environment. While SSH brings many benefits, SSH access isn’t always properly managed. It is common to find SSH keys scattered throughout the enterprise on user workstations with limited security controls in place.
GaraSign makes SSH key management easy by enabling you to keep all SSH keys in an HSM, while granting end-users proxied access to the keys they need (and only the keys they need). With GaraSign, you can easily grant and revoke key access, enforce additional security measures like multi-factor authentication, and audit key usage, all without reconfiguring your SSH servers.
The number of SSH keys in a large enterprise can seem completely unmanageable. Numerous keys are distributed out to end-users and stored in software on workstations— and these keys are high-value targets for attackers. Additionally, many of these keys are not visible to InfoSec teams and are therefore difficult to audit.
When you deploy GaraSign, SSH keys remain secured and non-exportable in the HSM at all times. End-users receive proxied access to only the keys they are authorized to use. Since keys are always protected with hardware-level security, the risk of a key being compromised is minimal.
GaraSign can integrate with existing SSH clients to transparently provide advanced security controls, such as multi-factor authentication, device authentication, approval workflows, IP address whitelisting, notifications, and more. These features can be established on a per-key or per-user basis.
Since SSH keys are secured in the HSM and centrally managed, key management is easily auditable. Auditors can see which keys were used, at what time and by whom. Furthermore, administrators can alter users’ permissions to keys from a single interface.
There are several benefits, and they all come without having to install anything on the SSH server. The first benefit is enabling just-in-time access so that administrators can only SSH to servers when there is a need to do so. The second is seamless integration of advanced security controls such as multi-factor authentication, device authentication, approval workflows, IP address whitelisting, and more, when authenticating to a server via SSH. The third is centralized audit of any time an SSH key is used.
It depends on the SSH client you are using but it is typically done via an SSH-Agent that is capable of using keys managed in GaraSign.
Yes, GaraSign can also secure the SSH server keys in an HSM.
Yes, they should. Since GaraSign integrates via an SSH-Agent the commands should work without alteration, assuming you are using a supported client.
Since GaraSign proxies the client key used to complete the challenge-response handshake, it can enforce the additional security controls (e.g., MFA) before it allows the use of the key. In other words, the SSH server delegates the additional security controls to GaraSign, and is not even aware that the additional controls are taking place.
The need for frequent key rotation drops is drastically reduced since the keys are never exported from the HSM. While every key eventually should be rotated, you can do so less frequently since the keys are now well protected. Of course, please check with your enterprise's policies to make sure you will remain in compliance.
Schedule a demo to see how GaraSign can improve the security and performance of cryptographic operations throughout your environment.