Key Distribution Manager
AMI Praha a.s. has successfully deployed its Key Distribution Manager (KDM) application at a long-term client, ČEZ Group. KDM is our own product, developed by a team of experienced ICT security and identity management specialists.
With the introduction of KDM, ČEZ Group aims to strengthen the security of its critical applications, consolidate authentication to its UNIX systems and simplify user account management.
In the first phase of the project at ČEZ, 8 UNIX and Linux end systems were connected to KDM: two instances for each OS type (IBM AIX, Red Hat Enterprise Linux, HP-UX and Oracle Solaris). In the second phase, planned for the autumn, a further 40 systems will be connected. Several hundred end systems are to follow, after which KDM will control access to most of the supported systems in ČEZ Group. Alongside the rollout of new instances, KDM functionality will be extended step by step, adding management of shared application accounts and so-called proof of real user identity (attributing actions performed under a shared account to the real person behind it).
We have also integrated KDM with the identity management (IdM) system that our company deployed at ČEZ several years ago. The integration ties the account lifecycle to HR processes and maps KDM permissions onto the existing concept of business roles. As a result, management of accounts and roles in the UNIX environment is now centralized and partly automated. External consultants who need to reach these systems can be granted time-limited OS access through IdM, so their accounts expire without manual cleanup. Initial feedback from both users and OS administrators has been positive; security staff are the most satisfied, because SSH key management and administration improved markedly with the introduction of KDM.
KDM is a solution for UNIX and Linux operating systems that combines Privileged Identity Management (PIM) with the distribution of PKI key material in a single interface. KDM authenticates users to the OS over SSH with a public/private key pair. The public key and the corresponding account are provisioned to the UNIX end systems by KDM, while the private key is kept on the KDM side in encrypted form. Because the key pair is generated and held centrally, minimum requirements on key strength and passphrase quality can be enforced programmatically rather than left to each user. The private key never resides on the end user's disk: when needed, it is delivered from KDM over a secure channel directly into the memory of the user's SSH agent.
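The central placement described above is what makes a key-strength policy enforceable: the key manager sees every key before it is provisioned to an end system. The following is an added example written for this page, not KDM's code. It parses the OpenSSH public-key wire format (RFC 4251 strings and mpints) and applies assumed thresholds (RSA at least 3072 bits, NIST curves at their native size, Ed25519 accepted, DSA refused). The sample keys are constructed with a valid encoding but synthetic key material.

```python
"""Public-key strength policy of the kind a central SSH key manager can enforce
before it provisions an account and public key to an end system.

Added example, not KDM's code. Thresholds are assumptions chosen for
illustration; the sample keys are constructed (valid wire encoding,
synthetic key material, usable only for testing the parser).
"""
import base64
import struct


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def _encode_string(data):
    return struct.pack(">I", len(data)) + data


def _encode_mpint(n):
    """RFC 4251 mpint: minimal big-endian bytes, 0x00 prefix if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _encode_string(raw)


def key_strength(line):
    """Return (key_type, bits) for one authorized_keys-style line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("type field %r does not match blob type %r" % (fields[0], key_type))
    if key_type in ("ssh-rsa", "ssh-dss"):
        if key_type == "ssh-rsa":
            _e, off = _read_string(blob, off)   # public exponent, irrelevant for size
        n_or_p, _ = _read_string(blob, off)     # RSA modulus n, or DSA prime p
        return key_type, int.from_bytes(n_or_p, "big").bit_length()
    if key_type == "ssh-ed25519":
        pk, _ = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        return key_type, 256
    if key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)
        sizes = {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}
        if curve not in sizes or key_type != "ecdsa-sha2-" + curve.decode("ascii"):
            raise ValueError("unknown or inconsistent curve %r" % curve)
        return key_type, sizes[curve]
    raise ValueError("unsupported key type %r" % key_type)


# Assumed policy thresholds (illustrative, not KDM's).
MIN_BITS = {"ssh-rsa": 3072, "ssh-ed25519": 256,
            "ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384,
            "ecdsa-sha2-nistp521": 521}


def check_key(line):
    """Return (accepted, reason); anything unparseable or off-policy is rejected."""
    try:
        key_type, bits = key_strength(line)
    except ValueError as exc:
        return False, "rejected: %s" % exc
    if key_type == "ssh-dss":
        return False, "rejected: DSA keys are not permitted"
    minimum = MIN_BITS[key_type]
    if bits < minimum:
        return False, "rejected: %s is %d bits, policy requires >= %d" % (key_type, bits, minimum)
    return True, "accepted: %s %d bits" % (key_type, bits)


def synthetic_rsa_line(bits, comment="constructed-sample"):
    """Valid ssh-rsa encoding around a synthetic modulus of exactly `bits` bits (not a real key)."""
    n = (1 << (bits - 1)) | 1
    blob = _encode_string(b"ssh-rsa") + _encode_mpint(65537) + _encode_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def synthetic_ed25519_line(comment="constructed-sample"):
    """Valid ssh-ed25519 encoding around 32 placeholder bytes (not a real key)."""
    blob = _encode_string(b"ssh-ed25519") + _encode_string(bytes(range(32)))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


if __name__ == "__main__":
    for sample in (synthetic_rsa_line(2048), synthetic_rsa_line(4096), synthetic_ed25519_line()):
        print(check_key(sample)[1])
```

Only the public half is visible to a check like this, so key type and size can be verified but passphrase quality cannot; a passphrase rule is enforceable only where the private key is generated and held, which is the reason for keeping it on the key-manager side rather than on user workstations. For the agent-resident model, OpenSSH's `ssh-add -` reads a private key from standard input, so a key can be placed in `ssh-agent` memory without being written to a file. A key sitting in an agent is usable by any process that can reach the agent socket, so agent forwarding to hosts you do not trust should stay disabled.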