The Key to Your Organization’s Well-Being: Best Practices for Secure Shell Key Management
By Jason Thompson, global director of marketing for SSH Communications Security
A lot can happen in twenty years. Over the past two decades, operating systems have moved from DOS to Windows to mobile platforms. The Internet has completely changed how we interact with technology, with the world and with each other. And unscrupulous individuals have taken advantage of every new advancement to find new ways to steal sensitive data from company networks.
For almost the past twenty years, the Secure Shell data-in-transit protocol has been the standard method for nearly all major organizations to safely and confidently transmit information from one machine to another while providing remote administrator access. Currently, some form of Secure Shell comes with every copy of Linux, Unix and Mac OS with implementation increasing for Windows devices as well. Presently, estimates have about half of all the world’s websites employing some kind of Secure Shell. While the total number of Secure Shell implementations is impossible to calculate, it is thought to be over one million, which makes it a near-universal standard for network security.
Since its invention, Secure Shell has cemented its spot as a security solution by handling more than one billion business transactions without any serious security breach caused by problems with the protocol itself. However, despite Secure Shell itself being quite secure, today’s ever-changing threat environment demands that organizations rethink their Secure Shell environment management processes.
Preparing for the Threats of the Future
Typically, Secure Shell has been deployed to transmit large amounts of sensitive business data like credit card numbers, personally identifiable information, healthcare records and classified intelligence. Therefore, to a knowledgeable attacker, Secure Shell is the only thing standing between him and a full vault just waiting to be cracked.
But if the protocol itself is secure, how could a malicious individual gain access to the information guarded by Secure Shell? The answer lies in the encryption keys themselves.
Whenever a connection is made via Secure Shell, a trust relationship is formed between a computer and the server with a cryptographic key pair. These relationships are created and managed internally, frequently on systems dating back to the mid ‘90s. However, none of these systems can search for – or find – where an organization’s trust relationship exists. Consequently, administrators have to track these relationships manually. In a network with potentially hundreds of thousands of keys, trust relationships will undoubtedly be lost. If a malicious individual – either internal or external – gains access to one of these keys, he or she could impersonate an authorized user without a problem.
Poor handling of Secure Shell keys is a glaring vulnerability that will inevitably be exploited by attackers. A recent study performed on the management operations of some of the largest global organizations revealed some unsettling tendencies:
- Few, if any, of the organizations surveyed rotated their Secure Shell keys or deleted them when a user left or an application was decommissioned
- Secure Shell host keys were often shared across thousands of the organizations’ computers, making the network susceptible to man-in-the-middle (MitM) attacks
- Roughly 10 percent of all SSH user keys provide root access, a major security and compliance issue
- Organizations rarely know what each key is used for, presenting not only a security risk but also a business continuity risk
- Many SSH keys that grant access to critical servers are orphaned and no longer in use
- Key-based access grants are essentially permanent, in direct violation of SOX, PCI and FISMA requirements for proper termination of access, leaving the network vulnerable to attack
- Some organizations allow administrators to create or destroy Secure Shell keys at their own discretion, which effectively grants them total and permanent access to systems and users’ data
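The shared-host-key finding above is one of the few in the list that can be checked mechanically: if two machines present the same host key, a client cannot distinguish them, which is what makes MitM possible. The script below is an added example (not the article's or SSH Communications Security's code) that takes `host key-type blob` lines, as produced by `ssh-keyscan` or found in an unhashed `known_hosts` file, computes OpenSSH-style SHA256 fingerprints, and reports any fingerprint seen on more than one host. The hostnames and key blobs are constructed placeholders, not real key material.

```python
import base64
import hashlib
from collections import defaultdict


def _fake_blob(label: str) -> str:
    """Fabricated base64 stand-in for an SSH public key blob (not real key material).
    Hosts given the same label get the same 'key', which is the condition to detect."""
    return base64.b64encode(("constructed-host-key:" + label).encode()).decode()


# Constructed sample in the `host key-type base64-blob` layout shared by ssh-keyscan
# output and unhashed known_hosts files. Three web hosts were cloned from one image
# and still carry its host key.
SAMPLE_SCAN = "\n".join([
    "# constructed sample, not real scan output",
    f"web01.example.internal ssh-ed25519 {_fake_blob('golden-image')}",
    f"web02.example.internal ssh-ed25519 {_fake_blob('golden-image')}",
    f"web03.example.internal ssh-ed25519 {_fake_blob('golden-image')}",
    f"db01.example.internal ssh-ed25519 {_fake_blob('db01')}",
    f"db02.example.internal ssh-rsa {_fake_blob('db02')}",
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(raw blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(text: str):
    """Yield (host, key_type, fingerprint) per key line; comments and short lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, key_type, blob = parts[0], parts[1], parts[2]
        yield host, key_type, fingerprint(blob)


def shared_host_keys(text: str) -> dict:
    """Map fingerprint -> sorted hosts, keeping only keys present on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _key_type, fp in parse_scan(text):
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against real `ssh-keyscan` output by reading the file into `shared_host_keys`. Hashed `known_hosts` entries (those starting with `|1|`) hide the hostname, so duplicates found there cannot be attributed to machines; scan output is the better input. Any fingerprint reported for more than one host points at a cloned image or a copied `/etc/ssh/ssh_host_*` file, and the affected hosts need fresh keys generated in place.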
Considering the rate at which threat vectors are increasing, organizations face serious risks without correct Secure Shell key management. The more an organization strays from a best practices approach to Secure Shell key management, the larger the risk to them.
On top of all the security vulnerabilities associated with poor Secure Shell key management, organizations should be conscious of federal compliance standards like PCI, SOX, NIST and HIPAA, which require organizations to keep a high level of control over access or get fined. The average large organization has more than 20,000 servers, which results in a cost of 40 million dollars over ten years for manual Secure Shell key management. Moreover, accounting for the significant reputation damage following a security breach should present any organization with plenty of incentive to rethink their Secure Shell management policies.
Improving Key Management Policies
Luckily for organizations, problems with access control in Secure Shell environments aren’t a result of any flaws in the Secure Shell protocol itself. Instead, the security and compliance risks are brought about by:
- A poor understanding of the scope and consequences of the problem
- Years of substandard guidelines or policies pertaining to SSH key management
- Not enough time and resources to gain understanding of the situation or develop solutions
- The focus of the access management field on interactive users without addressing automated access
- A lack of good tools and guidelines early on for solving key management issues
- A lack of concern from auditors to flag issues for which they don’t have effective solutions
One wonders why this issue has not been brought to light earlier, considering the severity of the potential consequences. The simple answer is that Secure Shell key management is very technical, so it has remained concealed in the realm of system administrators. Since each administrator usually only sees one part of the IT environment, they often don’t have a full picture of what is going on. Furthermore, administrators are typically very busy, especially considering all the staff reductions in recent years, so they may not even recognize that a problem exists. Also, management could be several steps removed from the problem and its ramifications, so the end result is no action being taken.
Yet the threat continues.
Policies to Improve Secure Shell Key Management
Since the vulnerability is typically found in all Unix/Linux and many Windows servers, the process to fix the problem will require multiple IT teams’ diverse skill sets. In order to fix the potential liability and compliance issues, buy-in from executive management will be necessary as well.
Some best practices to remedy the problem include:
- Automating key setups and key removals; eliminating manual work and human errors. This step slashes the number of administrators needed for key setups from possibly several hundred to only a few highly trusted administrators
- Rotating keys regularly, so that copied keys cease to work and proper termination of access can be ensured
- Restricting where each key has access and what commands can be executed using the key
- Discovering all existing users, public and private keys, and mapping trust between machines and users
- Monitoring the environment to determine which keys are actually used, and removing keys no longer in use
- Enforcing proper approvals for all key setups
Proper key management is absolutely necessary for an organization’s well-being. Setting strict controls for what key-based trust relationships can cross which boundaries and enforcing strict IP address and “force command” restrictions for every authorized key will greatly reduce the risks an organization faces.
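The restrictions the article recommends (limiting where a key may connect from and what it may run) live in the options field of each `authorized_keys` line, as OpenSSH's `from="..."` and `command="..."` options. The script below is an added example, not the article's or SSH Communications Security's code: it parses `authorized_keys` lines, including quoted option values that contain commas, spaces and escaped quotes, and reports which keys lack a source restriction, a forced command, or an identifying comment, and which sit in root's file. It also shows what a restricted entry looks like. The file contents, IP address, command path and key blobs are constructed placeholders.

```python
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys (enough for this example).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class AuthorizedKey:
    options: dict   # option name -> quoted value, or True for flag options like no-pty
    key_type: str
    blob: str
    comment: str


def _split_options(opts: str) -> dict:
    """Split the comma-separated options field. Quoted values (from=, command=) may
    contain commas, spaces and backslash-escaped quotes, so a plain split() is not enough."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in ",=":
            j += 1
        name = opts[i:j]
        if j < n and opts[j] == "=":
            if j + 1 >= n or opts[j + 1] != '"':
                raise ValueError(f"unquoted value for option {name!r}")
            k, buf = j + 2, []
            while k < n and opts[k] != '"':
                if opts[k] == "\\" and k + 1 < n:
                    k += 1                      # keep the escaped character
                buf.append(opts[k])
                k += 1
            result[name] = "".join(buf)
            i = k + 1                           # step past the closing quote
        else:
            result[name] = True
            i = j
        if i < n and opts[i] == ",":
            i += 1
    return result


def parse_authorized_key(line: str):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_str, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options field ends at the first space outside double quotes
        # (a command= value may itself contain spaces).
        in_quote, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote:
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c == " " and not in_quote:
                break
            i += 1
        options_str, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return AuthorizedKey(_split_options(options_str), parts[0], parts[1], comment)


def audit(text: str, owner: str) -> list:
    """Return [(label, issues)] per key, listing which recommended restrictions are absent."""
    report = []
    for line in text.splitlines():
        key = parse_authorized_key(line)
        if key is None:
            continue
        issues = []
        if "from" not in key.options:
            issues.append("no from= restriction")
        if "command" not in key.options:
            issues.append("no forced command")
        if owner == "root":
            issues.append("grants root access")
        if not key.comment:
            issues.append("no comment (owner/purpose unknown)")
        report.append((key.comment or key.blob[:12] + "...", issues))
    return report


# Constructed sample of a root account's authorized_keys; blobs are placeholders.
SAMPLE_ROOT_AUTHORIZED_KEYS = r"""
# constructed sample, not a real file
ssh-rsa AAAAconstructedKey1 legacy-backup@oldhost
from="10.20.30.5",command="/usr/local/bin/backup-pull.sh",no-pty,no-port-forwarding ssh-ed25519 AAAAconstructedKey2 backup@jumphost
command="echo \"hello, world\"" ssh-ed25519 AAAAconstructedKey3
ssh-ed25519 AAAAconstructedKey4 deploy@ci
"""

# A restricted entry: source pinned, command forced, and `restrict` (OpenSSH 7.2+)
# disabling pty, port/agent/X11 forwarding in one word. IP and path are constructed.
HARDENED_ENTRY = ('from="10.20.30.5",command="/usr/local/bin/backup-pull.sh",restrict '
                  'ssh-ed25519 AAAAconstructedKey5 backup@jumphost')

if __name__ == "__main__":
    for label, issues in audit(SAMPLE_ROOT_AUTHORIZED_KEYS, owner="root"):
        print(f"{label}: {', '.join(issues) or 'ok'}")
```

Run `audit` over each account's `authorized_keys` (and any files named by `AuthorizedKeysFile` in `sshd_config`) to get the inventory the article calls for: every key, who it belongs to, and whether its `from=` and `command=` restrictions are in place. A `from=` value can list several patterns, including negations such as `"10.20.30.0/24,!10.20.30.99"`, which the quoted-value parsing handles.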
The increasing amount of threat vectors means that organizations must have strict policies regarding Secure Shell key management if they mean to keep their data secure. By following the suggestions above, organizations can prepare for new security threats and compliance mandates before they happen.
About the Author:
Jason Thompson is director of global marketing for SSH Communications Security. Mr. Thompson brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, Mr. Thompson worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA from the University of North Carolina at Wilmington.