Article Details

Scrape Timestamp (UTC): 2024-12-09 11:02:26.113

Source: https://thehackernews.com/2024/12/seven-bolt-ons-to-make-your-entra-id.html

Original Article Text

Seven Bolt-Ons to Make Your Entra ID More Secure for Critical Sessions

Identity security is all the rage right now, and rightfully so. Securing identities that access an organization's resources is a sound security model. But IDs have their limits, and there are many use cases when a business should add other layers of security to a strong identity. And this is what we at SSH Communications Security want to talk about today.

Let's look at seven ways to add additional security controls for critical and sensitive sessions for privileged users as a bolt-on to other systems.

Bolt-on 1: Securing access for high-impact IDs

Since strong ID is a key element in privileged access, our model is to natively integrate with identity and access management (IAM) solutions, like Microsoft Entra ID. We use IAM as a source for identities and permissions and make sure your organization stays up-to-date with any changes in Entra ID on identities, groups, or permissions in real time. The native integration allows automating the joiners-movers-leavers process, since if a user is removed from IAM, all access privileges and sessions are revoked instantaneously. This keeps HR and IT processes in sync.

Our solution maps security groups hosted in Entra ID with roles and applies them for role-based access control (RBAC) for privileged users. No role-based access is established without an identity.

With IDs linked to roles, we kick in additional security controls not available in IAMs, such as:

Bolt-on 2: A proven-in-use, future-proof solution for hybrid cloud security in IT and OT

A versatile critical access management solution can handle more than just IT environments. It can provide:

Bolt-on 3: Preventing security control bypass

Some of the most common access credentials, SSH keys, go undetected by traditional PAM tools as well as the Entra product family. Thousands of sessions are run over the Secure Shell (SSH) protocol in large IT environments without proper oversight or governance. The reason is that proper SSH key management requires special expertise, since SSH keys don't work well with solutions built to manage passwords.

SSH keys have some characteristics that separate them from passwords, even though they are access credentials too:

Ungoverned keys can also lead to a privileged access management (PAM) bypass. We can prevent this with our approach, as described below:

Bolt-on 4: Better without passwords and keys – privileged credentials management done right

Managing passwords and keys is good, but going passwordless and keyless is elite. Our approach can ensure that your environment doesn't have any passwords or key-based trusts anywhere, not even in vaults. This allows companies to operate in a completely credential-free environment.

Some of the benefits include:

Overall, passwordless and keyless authentication allows levels of performance not achieved by traditional PAM tools, as described in the next section.

Bolt-on 5: Securing automated connections at scale

Machines, applications and systems talk to each other, for example, as follows:

IAMs often can't handle machine connections at all, and traditional PAMs can't handle them at scale. Often the reason is that SSH-based connections are authenticated using SSH keys, which traditional PAMs can't manage well.

With our approach, automated connections can be secured at scale while ensuring that their credentials are under proper governance, largely because of the credentials-free approach described in section 4.

Bolt-on 6: Who did what and when - audit, record, and monitor for compliance

Solutions like Entra ID lack a proper audit trail. Typical features missing in it but found in our solution include:

Bolt-on 7: Quantum-safe connections between sites, networks, and clouds

Quantum-safe connections not only make your connections future-proof, even against quantum computers, but are also a convenient way to transmit large-scale data between two targets in a secure fashion.

PrivX Zero Trust Suite – the Best Bolt-On for Microsoft Entra Product Family for Critical Connections

As great as IAMs like Microsoft Entra ID are, they are lacking features that are a must for high-impact users accessing high-risk targets. Our PrivX Zero Trust Suite natively integrates with a number of IAMs, even simultaneously, and extends their functionality for cases when just an identity is not enough.

Contact us for a demo to learn why you need to bolt a critical security solution onto your Entra IAM to tighten the screws for production environments.

Daily Brief Summary

MISCELLANEOUS // Enhancing Microsoft Entra ID Security with PrivX Zero Trust Suite

PrivX Zero Trust Suite integrates seamlessly with IAM solutions like Microsoft Entra ID to enhance identity security for privileged access.

The solution includes features for real-time synchronization of identity changes, role-based access control, and revocation of access upon user status changes.

Special attention is paid to SSH key management to prevent security bypasses commonly missed by traditional PAM systems.

Promotes a passwordless and keyless environment, eliminating reliance on stored credentials, thereby increasing security and operational efficiency.

Enables secure, scalable management of machine and application interconnections that traditional IAM and PAM solutions struggle with.

Provides comprehensive auditing capabilities, ensuring detailed records of user activities for compliance and security monitoring.

Supports quantum-safe connections, making it future-proof against emerging threats from quantum computing.

Offers an extension to Microsoft Entra ID capabilities, specifically targeting the high-security needs of high-impact users and sensitive sessions.