This article describes how Okta Advanced Server Access creates an automated solution to managing identity and access controls using SSH.
Let’s be friends:
Comment (0)
Join the DZone community and get the full member experience.
As the great Mark Twain once wrote in response to reading his own obituary in May of 1897, “reports of my death have been greatly exaggerated.” Fast forward nearly a hundred years to 1995, and a Finnish computer scientist named Tatu Ylönen created a secure transport protocol known simply as Secure Shell (SSH). What do these things have to do with each other? Nothing, aside from perception.
In its most practical terms, SSH enables users to establish a secure, remote connection with a Linux-based machine via a Command Line Interface (CLI). SSH is the de facto standard for secure server access, and has survived the test of time, despite a significant shift in how infrastructure is operated in the cloud.
At Okta, we embrace the shift towards the cloud operating model, where resources are dynamic and ephemeral, by adapting the underlying security properties of SSH to fit. Our customers use Okta Advanced Server Access (Okta ASA) to securely automate identity and access controls for their teams to use SSH safely. And we’ve just reached a significant adoption milestone by registering over 1 million SSH logins per month… and growing!
In this post, I’d like to talk through some of the trends surrounding the cloud operating model, the continued role SSH plays in securing remote access, and how Okta has helped our customers elegantly solve a nagging pain point.
As the de facto standard for remote access to Linux servers, SSH is naturally a common target for attackers attempting to infiltrate a company’s network. The transport protocol is inherently secure; however, the backing credential mechanism is prone to human error-with potentially catastrophic results. SSH Keys, which are cryptographic key pairs designed to be an attestation of trust, require great care to ensure they don’t fall into the wrong hands. There is no way to guarantee a link between an SSH Key and an identity, so in many ways, possession is 10-tenths of the law.
As such, companies have traditionally been forced to do one of the following:
I imagine you can see the pattern here: as with so many things, you get out what you put into it. But look, security is changing, and fast. First of all, the hardest solution isn’t always the most secure, but more importantly, who has time for all that extra hard work??!! We’re all forced to do more with less, but security teams also have the added challenge of protecting the company without getting in the way of the business. Not an easy thing to be on the hook for by any means.
We understand this continued balancing act, and design our products to be the most secure and easiest to use solution on the market. Before we get to the details of how we enable our customers to achieve a better outcome with Okta ASA, I’d like to address the perception that SSH is dead in the modern cloud era.
With the shift towards the cloud operating model, Kubernetes has emerged as everyone’s favorite configuration management plane/orchestration layer/CLI/runtime/service mesh/dev environment platform. Here’s a phrase I sometimes hear, “We’re all in on Kubernetes, we won’t need SSH access anymore.”
That sure sounds like a dream: a unified abstraction layer that removes all human interaction from managing elastic, multi-cloud infrastructure. Kubernetes is certainly poised to become the proverbial operating system of the cloud, but it does introduce a whole new set of complexities and considerations. Here’s a small sampling of scenarios where human interaction is still required:
Standing strong and tall amidst all this innovation and change is SSH, because you just can’t replace that sturdy, direct connection between a user and a host operating system.
