Mike Maxey

Originally published at info.smallstep.com

Single Sign-On SSH: User Story

Kenna Security replaced SSH keys with certificates and increased security with less effort, resulting in 60x faster Ansible deployments. Kenna Security is the enterprise leader in risk-based vulnerability management. Kenna Engineering Operations is responsible for maintaining the systems that run code across numerous environments on GCP and AWS. The traditional method of giving developers the right SSH access, deploying static key files, is a significant operational challenge that, Kenna found, demanded increasing time and attention as they grew.

Challenge: Managing User-Generated Keys At Scale

Moving quickly and keeping developers happy is not always easy. “We had a meeting about the ways to increase efficiency within our department, and people brought up some of our tooling pains, things like SSH access,” said Joe Doss, Director of Engineering Operations at Kenna Security. Upon further examination, the team discovered that SSH access management had grown into an operational expense. “We had all the classic pain points with managing SSH keys.”

Like most organizations, new user onboarding was a manual process guided by a template that put the responsibility on new users to configure and secure. “Not very scalable as we continue to grow.”

“Everyone's concept of a strong SSH key password is different and we needed a better solution to ensure consistently high security standards” -- Joe Doss

When the user finished creating the key, they would create a JIRA ticket with their new public key. The JIRA ticket would become the responsibility of the Fleet Operations Team. This team is responsible for maintaining order across all of the deployments using Ansible to automate configurations. “It started as a relatively straightforward task to update SSH keys across our environment,” said Tommy Santoyo, System Engineer at Kenna Security. “But now that we manage numerous environments, it's much more painful. It took hours to set up and run these playbooks.”

The challenge of managing SSH keys extended beyond new users. “We also have to consider deleting users who leave the company, rekey operations, and managing hostname reuse,” Tommy continued. “And let’s not forget the pain of when we have people blow away old laptops for a new one.” As at many organizations, the toil of managing SSH keys added up quickly for the Kenna Security team.

SSH Certificates Are The Answer

Certificate Authorities (CAs) are not a new concept. They are the foundation for security on the internet. Historically these CAs have been challenging to operate. “When it came up that we should be doing SSH certificates, my immediate response was: do you want to run the CA? Because I don't,” said Joe Doss.

After a quick trial of the smallstep solution, Joe and the team were convinced. “We just configure the server once, and we are done. The users get created automatically on hosts, and permissions are managed and revoked, automatically,” said Tommy Santoyo.

“The I.T. department adds users to Okta, and they have access from day one, reducing deployment pressure on us. User removes are equally simple; smallstep is definitely saving us a ton of time.” -- Tommy Santoyo

Read more about how Kenna improved SSH Key Management.

“Smallstep SSH is exactly what we needed. Significantly reducing the work required to manage SSH keys.”

Joe Doss
Director of Engineering Operations
