Full Report
Identity security is all the rage right now, and rightfully so. Securing identities that access an organization’s resources is a sound security model. But IDs have their limits, and there are many use cases when a business should add other layers of security to a strong identity. And this is what we at SSH Communications Security want to talk about today. Let’s look at seven ways to add
Analysis Summary
# Best Practices: Extending Identity Security for Critical Sessions
## Overview
These practices focus on adding essential, granular security layers ("bolt-ons") on top of existing Identity and Access Management (IAM) solutions (like Microsoft Entra ID) to secure high-impact user access to critical and sensitive IT and Operational Technology (OT) assets. The goal is to move beyond basic identity verification to implement Zero Trust principles for privileged sessions.
## Key Recommendations
### Immediate Actions (Quick Wins)
1. **Establish Real-Time IAM Synchronization:** Configure systems to integrate natively with your primary IAM (e.g., Entra ID) to receive real-time updates on user identity, group membership, and permissions changes.
2. **Automate Joiner/Mover/Leaver (JML) Revocation:** Ensure that access privileges and active sessions are instantaneously revoked when a user is removed or changed in the IAM system.
3. **Audit Existing SSH Key Usage:** Initiate an immediate inventory and audit of all SSH keys in use across cloud, hybrid, and on-premises environments, as these often bypass traditional PAM tools.
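The key audit in item 3, as an added example that is not from the original post or from SSH Communications Security: a Python check over constructed `authorized_keys` content that reports keys carrying no `restrict`/`command=` option, keys with no `expiry-time` (standing access) and the same key installed under more than one entry. The placeholder key blobs and the `/usr/local/bin/run-config.sh` path are constructed for the example.

```python
import base64
import hashlib
import shlex

# Constructed sample authorized_keys text: the blobs are placeholders with the
# base64 shape of an ed25519 key (68 chars), not real public keys.
BLOB_A = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "PLACEHOLDER" + "0" * 32
BLOB_B = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "PLACEHOLDER" + "1" * 32
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    f"ssh-ed25519 {BLOB_A} ops@build-host",
    f'restrict,command="/usr/local/bin/run-config.sh" ssh-ed25519 {BLOB_B} deploy@ci',
    "# comment lines are ignored",
    f"ssh-ed25519 {BLOB_A} ops@laptop",
])

def parse_line(line):
    """Return (options, SHA256 fingerprint) or None for blank/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)      # keeps a quoted command="..." as one token
        options = ""
        if not tokens[0].startswith(("ssh-", "ecdsa-", "sk-")):
            options, tokens = tokens[0], tokens[1:]   # options precede the key type
        digest = hashlib.sha256(base64.b64decode(tokens[1])).digest()
    except (ValueError, IndexError):    # bad quoting, missing blob or bad base64
        return None
    return options, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text):
    """Flag unrestricted, standing and duplicated keys as (line, fingerprint, issue)."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        opts, fp = parsed
        if "restrict" not in opts.split(",") and "command=" not in opts:
            findings.append((n, fp, "unrestricted: no restrict/command= option"))
        if "expiry-time=" not in opts:
            findings.append((n, fp, "no expiry-time: standing access (JIT not enforced)"))
        seen.setdefault(fp, []).append(n)
    for fp, lines in seen.items():
        if len(lines) > 1:
            findings.append((lines[-1], fp, f"same key also on lines {lines[:-1]}"))
    return findings
```

Run it over a real file with `audit(open(path).read())`; the fingerprints match what `ssh-keygen -lf` prints, so findings can be joined to an inventory collected across hosts.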
### Short-term Improvements (1-3 months)
1. **Implement Privilege Elevation and Delegation Management (PEDM):** Begin mapping roles to apply fine-grained controls, ensuring users only gain "just enough access" (Least Privilege) for the specific duration of a task.
2. **Define Role-Based Access Control (RBAC) Mappings:** Explicitly map IAM security groups to defined internal roles associated with privileged access, ensuring no role-based access exists without a validated identity source.
3. **Discover Unmanaged Privileged Accounts:** Conduct a comprehensive scan to discover privileged accounts across all environments, specifically targeting local administrator accounts and Linux/Unix administrator accounts that might be shadow IT.
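An added example, not the vendor's code, tying the real-time IAM sync and JML revocation quick wins to the PEDM and RBAC items above: a small Python policy that derives roles only from an explicit IAM-group-to-role map, issues JIT grants capped at the per-target window, and revokes live sessions as soon as a user's group membership in the IAM snapshot no longer supports them. Group ids, user names and target names are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed data. Group ids are placeholders, not real Entra ID object ids.
# ROLE_MAP is the explicit "IAM security group -> internal privileged role" mapping;
# a group that is not listed here confers no role at all.
ROLE_MAP = {
    "grp-placeholder-dba": "db-admin",
    "grp-placeholder-plc-eng": "plc-engineer",
}
# Per-target policy: the role that may reach it and the longest JIT window allowed.
POLICY = {
    "prod-db-01": {"role": "db-admin", "max_minutes": 60},
    "plc-line-3": {"role": "plc-engineer", "max_minutes": 30},
}
# IAM snapshot as pushed by real-time sync: user -> set of security group ids.
IAM_SNAPSHOT = {
    "alice": {"grp-placeholder-dba"},
    "bob": {"grp-placeholder-plc-eng", "grp-placeholder-unmapped"},
}

def roles_for(user, snapshot):
    """Roles come only from mapped IAM groups: no validated group, no role."""
    return {ROLE_MAP[g] for g in snapshot.get(user, set()) if g in ROLE_MAP}

def grant(user, target, requested_minutes, snapshot, now):
    """Return a time-bound session grant, or None when policy denies the request."""
    rule = POLICY.get(target)
    if rule is None or rule["role"] not in roles_for(user, snapshot):
        return None
    window = min(requested_minutes, rule["max_minutes"])  # cap the JIT window
    return {"user": user, "target": target, "role": rule["role"],
            "expires": now + timedelta(minutes=window)}

def sessions_to_revoke(active, snapshot, now):
    """JML check run on every IAM update: a session is revoked as soon as its
    window has elapsed or the user no longer holds the role that granted it."""
    return [s for s in active
            if now >= s["expires"] or s["role"] not in roles_for(s["user"], snapshot)]

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = grant("alice", "prod-db-01", 240, IAM_SNAPSHOT, t0)
    print("granted until", session["expires"])
    # alice removed from the IAM (leaver): her live session must go immediately.
    after_leaver = {u: g for u, g in IAM_SNAPSHOT.items() if u != "alice"}
    print("revoke:", [s["user"] for s in sessions_to_revoke([session], after_leaver, t0)])
```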
### Long-term Strategy (3+ months)
1. **Adopt Path to Passwordless/Keyless Access:** Develop a roadmap to eliminate shared credentials (passwords and static authentication keys) by prioritizing Just-In-Time (JIT) access mechanisms.
2. **Standardize Hybrid/Heterogeneous Access Control:** Implement a unified, centralized access logic that consistently governs access across both IT assets and critical OT environments (supporting protocols like EtherNet/IP, Profinet, Modbus TCP, etc.).
3. **Deploy Quantum-Safe Encryption Strategy:** Investigate and pilot quantum-safe encryption for high-security data transport, utilizing end-to-end tunnels to obscure data transmission even over untrusted public networks.
4. **Mandate Comprehensive Session Protection:** Implement mandatory session recording, logging, monitoring, and auditing for all privileged access sessions to facilitate forensics and compliance reporting.
## Implementation Guidance
### For Small Organizations
- **Focus on Identity Source Consolidation:** Prioritize native integration with your existing IAM system (e.g., Entra ID) as the single source of truth for identity and RBAC assignment.
- **Initial JIT Implementation:** Immediately implement JIT access for any existing privileged accounts to minimize standing privileges while other controls are being rolled out.
- **Browser Isolation Pilot:** If remote access to sensitive web applications is common, pilot browser isolation for those specific HTTP(S) connections to create an isolated environment between the user and the resource.
### For Medium Organizations
- **Develop a PEDM Policy:** Formalize policies for time-bound, task-specific access grants (PEDM) and start enforcing them for common administrative tasks.
- **Inventory IT/OT Convergence Points:** Identify administrative access paths bridging IT networks and OT environments and apply the centralized, multi-protocol access management solution across these boundary points.
- **Begin SSH Key Remediation:** Develop a specific playbook for centrally managing, tracking, and expiring SSH keys, rather than allowing them to be manually managed indefinitely.
### For Large Enterprises
- **Establish an Isolated Identity Source Strategy (Optional):** If there are compliance or architectural reasons to prevent certain third-party identities from reaching the main IAM, establish a secondary, verified, and isolated identity source for those specific access flows requiring external approval.
- **Implement External Administrator Verification:** For high-risk environments, mandate an external verification step (e.g., approval from a designated security team or manager) before granting high-privilege access, even after IAM authentication.
- **Achieve Multi-Protocol Coverage:** Roll out the solution to cover all specialized OT protocols alongside standard IT protocols (SSH, RDP, VNC) to ensure consistent security policy enforcement across the entire asset estate.
## Configuration Examples
* **Fine-Grained Access Limitation:** Configure PEDM to grant access **only** to a specific application executable or command line utility on a server, rather than granting full administrative shell access (e.g., limiting access to running *only* a specific configuration script via SSH).
* **External Approval Workflow:** Configure the access control system to require explicit approval from an "External Admin Approver" group within the IAM before a JIT session to a production database server is provisioned.
* **Multi-Protocol Session Recording:** Ensure logging and recording mechanisms are configured to capture all session data for IT protocols (SSH, RDP) and log connection events for OT protocols (Modbus TCP, OPC UA) for compliance review.
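The first configuration example as an added, runnable illustration (not product configuration from the page): the OpenSSH `authorized_keys` options `restrict`, `command=` and `expiry-time=` pin a key to a wrapper program and to a time window, and the wrapper admits only one allowlisted script with allowlisted flags, taken from `SSH_ORIGINAL_COMMAND`, instead of a shell. The paths, the flags and the assumption that the server runs OpenSSH 7.7 or later (where `expiry-time` exists) are mine.

```python
import os
import shlex
import sys

# Allowlist for the restricted identity: the only program it may run over SSH
# and the flags it may pass (constructed example path and flags).
ALLOWED = {"/usr/local/bin/run-config.sh": {"--dry-run", "--apply"}}

def authorized_keys_entry(pubkey_line, wrapper, expires):
    """Build the key entry: 'restrict' drops forwarding/pty/agent, 'command='
    routes every login through the wrapper, 'expiry-time' makes the grant JIT
    (assumes OpenSSH 7.7+; expires is YYYYMMDDHHMM in the server's local time)."""
    return f'restrict,command="{wrapper}",expiry-time="{expires}" {pubkey_line}'

def decide(original_command, allowed=ALLOWED):
    """Return the argv to execute, or None if the request is outside the allowlist.
    original_command is what sshd passes to the wrapper in SSH_ORIGINAL_COMMAND."""
    if not original_command:
        return None                     # a plain login with no command is denied
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None                     # unbalanced quoting: reject
    if not argv or argv[0] not in allowed:
        return None                     # only the exact allowlisted path, never a shell
    if any(arg not in allowed[argv[0]] for arg in argv[1:]):
        return None                     # no extra flags, paths or metacharacters
    return argv

def main():
    argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("denied by forced-command policy\n")
        sys.exit(126)
    os.execv(argv[0], argv)             # replace the wrapper with the approved program

if __name__ == "__main__":
    main()
```

Install the script as the `command=` target; because `restrict` is set, the key cannot open a pty, forward ports or use agent forwarding even if the wrapper had a bug, and the session still passes through the PAM gateway's recording.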
## Compliance Alignment
- **NIST SP 800-53:** Alignment with controls related to Access Control (AC), Session Management (AU), and System and Information Integrity (SI). Specifically supports controls requiring least privilege and session monitoring.
- **ISO/IEC 27002:** Supports Annex A controls related to managing access rights, securely using privileged access, and monitoring activities.
- **CIS Controls:** Directly addresses CIS 4 (Secure Configuration of Enterprise Assets and Software) and CIS 5 (Account Management), especially regarding authentication management and privilege separation.
## Common Pitfalls to Avoid
- **Relying Solely on IAM for Privileged Sessions:** Do not assume that standard IAM MFA satisfies the security needs for highly privileged users accessing tier-0 assets; granular session control is still required.
- **Ignoring SSH Key Governance:** Underestimating the risk posed by SSH keys because they function differently than passwords; SSH keys require specialized management tooling separate from traditional password vaults.
- **Inconsistent Policy Application:** Applying robust controls only to IT assets while granting lax or standard access to OT assets, creating an exploitable asymmetry.
- **Static Access Grants:** Allowing privileged access to remain active indefinitely; failure to deploy JIT or time-bound access significantly increases the risk window of a compromise.
## Resources
- **IAM Integration Documentation:** Refer to documentation for native integration capabilities with major IAM platforms (e.g., Microsoft Entra ID integration documentation).
- **PEDM Frameworks:** Consult guides on defining role context, task scope, and time limits in privilege elevation management schemes.
- **OT Security Standards:** Review ISA/IEC 62443 guidance for managing access controls specifically within Industrial Automation and Control Systems (IACS).