About SSH self-service
There are times when you want to create a manual key in Trust Protection Platform so you can track the key, but you don't have the actual key data. Additionally, in large organizations, it is impractical to have only Information Security and Identity Access Management teams be responsible for SSH key access, so delegation of duties and a self-service model are important components of an SSH key management tool.
Trust Protection Platform provides the ability to create manual keys in SSH Protect (called self-service keys) that you can link to an orphan key to complete the keyset. You should do this, for example, when you can't discover the corresponding private key on a third-party system, or when the key is on a server that doesn't have a discovery tool installed. In addition, users sometimes have their own laptops, mobile devices, or other machines that are not managed by Trust Protection Platform but need to connect those devices to specific servers in the Trust Protection Platform inventory. These users can create a self-service key for their non-managed device, and an authorized key on the desired server, giving them the necessary access. You can also make this process part of an SSH workflow, to manage approvals for creating these keys.
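To make the "orphan key" concept concrete, the following added example (not Venafi code; the key material and host names are constructed) parses authorized_keys entries discovered on a server, computes their OpenSSH SHA256 fingerprints, and reports the ones whose private key was never discovered, which are exactly the keys a self-service placeholder would be linked to.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pub: bytes) -> bytes:
    """Build the public-key blob OpenSSH stores for ssh-ed25519 keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of sha256(blob), padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[tuple[str, str]]:
    """Return (fingerprint, comment) for each key line; blanks and # comments skipped.
    Simplified: option strings containing quoted spaces are not handled."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the key-type field first.
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
        blob = base64.b64decode(fields[idx + 1])
        entries.append((fingerprint(blob), " ".join(fields[idx + 2 :])))
    return entries


def find_orphans(authorized_text: str, known_private: set[str]) -> list[tuple[str, str]]:
    """Authorized keys with no discovered private key: candidates for a self-service key."""
    return [(fp, c) for fp, c in parse_authorized_keys(authorized_text) if fp not in known_private]


# Constructed sample: two authorized keys on a server; only key A's private half was discovered.
BLOB_A = ed25519_blob(bytes(range(32)))
BLOB_B = ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed authorized_keys\n"
    f"ssh-ed25519 {base64.b64encode(BLOB_A).decode()} svc@app-host\n"
    f"no-pty ssh-ed25519 {base64.b64encode(BLOB_B).decode()} deploy@build-host\n"
)
KNOWN_PRIVATE = {fingerprint(BLOB_A)}
```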
SSH Protect allows you to delegate duties to application owners (key owners) or business groups for the management of SSH access that they use, while giving InfoSec and IAM teams the tools to enforce policies and restrictions. In this context, an application owner is somebody who administers one or more applications or services but may not have full access to the devices where those applications or services are deployed. Application owners can create their own keysets, allowing them to fully manage the lifecycle of their SSH keys in a true self-service model.
Self-service keys are similar to external keys, but provide additional functionality. With self-service keys, you create a private key placeholder, and during the creation process you can also create an authorized key. You can then rotate the keyset and provide the newly rotated key to the owner, so that the keyset is managed in Trust Protection Platform with correct key data.