Credential-less is more: why password rotation doesn’t mean ‘zero trust’

Biden’s endorsement of compulsory zero trust access management and quantum-safe cryptography is shifting the C-suite’s cybersecurity agenda for the US government and global businesses
Rsz 2pexels Olia Danilevich 4974914

With cyberwar becoming more sophisticated, President Biden mandated that all US federal agencies adopt a zero-trust access security model early last year. As a result, the world is charting a course to a new system of continuous verification, credentials management and mandatory encryption of digital communications, regardless of whether the user is inside or outside the network.

Miikka Sainio, CTO at defensive cybersecurity company SSH, believes that the White House’s actions indicate a step change in the popularity of zero-trust principles across the board. “It’s significant that they mandated it not just for IT infrastructure but also for critical infrastructure like water and electricity,” he says.

In May 2021, Biden encouraged government agencies to mitigate the security risks posed by quantum computing, which could one day be used to decrypt sensitive data that today’s computers have encrypted retroactively. This sentiment was echoed in the response from heads of executive departments and agencies worldwide.

This move is a striking reminder for business leaders that static secrets for access control and quantum computing threats should be on their radars. Encrypted critical traffic is being captured and recorded today. So IPR, account numbers, credit card details, ID codes and health information that are currently protected are all at risk of being revealed in the future. This could spell staggering financial losses, reputational disaster, and heavy fines for firms and other establishments that miss the mark.

Preparing for the quantum threat is not mere future gazing. Tools that address tomorrow’s quantum computing threats are already available. Quantum safe (or post-quantum) cryptography is a prime example of preventing data from being decrypted by quantum computers in the years to come.

Optimising credentials management

For convenience and continuity, colleagues or external organisations may create universal or shared password credentials for multiple company accounts. Add unsecured messaging apps and personal devices into the mix, sprinkle in a global shift to the cloud, and businesses have a recipe for a security breach.

Some companies have turned to privileged access management (PAM) tools to vault and rotate passwords and ensure their employees use them responsibly. However, these often fail to fully support the management of other vital credentials like SSH keys.

Passwords have the potential to grant access to all manner of things, from credit card data to medical and tax records, intellectual property rights, CI/CD pipelines, cloud servers, firewalls and network devices. But SSH keys almost always grant access to these critical systems.

“In the digital world, your suppliers are climbing over the fence … they have underground tunnels and you have no idea who’s coming in”

DevOps teams, for example, use SSH keys to commit code changes to code repositories. “The developers have uploaded their public keys to the repository and authenticate with their private key, which is on their laptop but without a recognisable link to the user,” says Sainio. “Now, what happens if somebody steals the private key? They will have access to the code repository that contains company IPR. What’s more, there’s no way to verify who is using the key, as keys can be copied, and they never expire.”

Running application-to-application connections within cloud or hybrid environments and frequently hidden in repositories or behind other servers, SSH keys often constitute 80% of all credentials in large organisations. At best, most PAM solutions discover only 20% of keys, leaving thousands of them scattered across the IT environment at a given moment.

SSH key and password adoption are booming in line with the rise in internal and external users accessing critical cloud assets.
There are issues on the operational technology side too. Rami Raulas, vice president for EMEA at SSH, says that many remote connections to factories, plants and power stations, which are needed to enable industry 4.0, have created security holes.

“When you physically go to a manufacturing site, power plant or water facility, someone checks your identity at the gate; you go in escorted and do your job”, he explains. “In the digital world, your suppliers are climbing over the fence, there’s a hole in it, they have underground tunnels, and you have no idea who’s coming in or doing what.”

Realising zero trust and quantum-safe access management

Reaching the level of defensive cybersecurity that SSH proposes starts with recognising the need for coherent risk mitigation strategies. For businesses, centralising the management of all keys and passwords could allow for greater visibility, accountability and command over credentials.

Without overcomplicating the matter, SSH’s Zero Trust Access Management provides organisations with enhanced centralisation and control by reducing the number of passwords and keys floating about the IT and OT environment. This could mean transitioning to efficient passwordless and keyless zero-trust architectures in connected businesses.

The same protocols needed to connect people and machines are still used, but each session is verified “just-in-time” when making the connection. Access to infrastructure is temporary by default, as all users need to be authenticated, authorised, and continuously validated. No permanent keys or passwords are left behind because permanent authorisation or credentials to systems
are non-existent.

Teemu Tunkelo, CEO of SSH: “It’s about being able to keep your data where you want it, in your data centre or in various clouds. You don’t use permanent keys or passwords, and you don’t rotate them, making the system resilient and less complicated.” He continues: “You always know where your vital data and systems are, who has access to them, and where your critical credentials are. If needed, you can wrap your connections inside an ironclad quantum-safe tunnel to make them future-proof and virtually impenetrable.”

Although most organisations have a long way to go before reaching a defensive cybersecurity posture, “the quantum threat” shows that even when grappling with today’s security concerns, businesses can’t afford to be complacent about future ones. Biden’s push for “bold changes in cybersecurity” indicates that companies must be prepared. For organisations, starting to implement zero trust and quantum-safe access control for critical data and infrastructure is an essential journey to embark upon.

For more information, visit