SSH users typically meet the criteria for privileged users and can quickly login to critical assets across the organization. This makes credential rotation a critical security capability for any organization leveraging SSH. GCM can rotate credentials in minutes, limiting attacker dwell time to a level well below the minimum required to defeat advanced malware and other fast acting and automated TTPs.

GCM’s ability to bind identities to devices ensures that identities are who they say they are. GCM leverages Trusted Platform Modules (TPMs) and other embedded security hardware to create an unbreakable link between an identity and the device to which they have authenticated. GCM issues ultra-short lived SSH credentials only when identities are anchored to trusted devices.

GCM uses platform configuration registers (PCRs) to ensure that a device is not compromised in some way. PCRs are designed to eliminate spoofing and validate certain conditions at system boot and during specified events on the machine. In the event that a PCR hash value changes in a manner that indicates a device is compromised, GCM will not issue new credentials on that device and any existing credentials tied to that identity and anchored to that device will stop working.