Click here to close now.

Welcome!

Cloud Security Authors: Elizabeth White, Pat Romanski, Liz McMillan, Lori MacVittie, John Wetherill

Related Topics: Cloud Security, JAVA IoT, Industrial IoT, Microservices Expo, Agile Computing, CloudExpo® Blog

Cloud Security: Article

Remediating SSH Key Mismanagement

The Necessary Steps to Secure Your Network

From its origin in 1995, SSH, the secure shell data-in-transit protocol, has been used the world over as a method to transfer data between machines, as well as a tool to provide remote administrator access. Some variation of the protocol is packaged free in every version of Unix, Mac OS and Linux. Recently, its use has grown exponentially in Windows operating systems as well. While the exact number of worldwide SSH deployments is unknown, it is estimated that nearly half of all of the World Wide Web uses SSH, making it a virtually mandatory service in the world of network security.

After nearly two decades of use, SSH has succeeded in securing billions of business transactions without any faults of the protocol itself, demonstrating its dependability as a security solution. On the other hand, the evolution of cyber-threat ability requires that organizations take a careful look at how they manage their SSH environments.

New Threats Requires New Thinking
Organizations rely on SSH to securely transmit immense amounts of sensitive data - such as banking information, healthcare records, classified intelligence and other personally identifiable material. Therefore, to attackers and malicious insiders, SSH is a barrier protecting vital corporate data.

However, because this barrier is inherently unbreakable, attackers must pursue alternate routes around the secure shell; to do this, they must focus instead on the mismanagement of SSH keys.

Network administrators establish a trust-based relationship between a user's computer and server by implementing a cryptographic key pair. The connection is established and managed within the corporation's networking system. Unfortunately, many of these systems are outdated and often cannot search for or pinpoint the location of trust-based relationships. Therefore, the search for keys must be done manually. Given a network often houses keys numbering in the hundreds of thousands, it is too easy to lose track of these trust relationships.

This leads to a disheartening conclusion: if an attacker inside or outside the company walls can discover a key, they can essentially imitate any authorized user and gain access to any sensitive data freely.

Improper management of SSH keys presents a prominent vulnerability available for exploitation by attackers looking to gain access to sensitive information.

A study performed recently on some of the largest corporations in the world produced shocking results deriving from the lack of judgment and knowledge of the importance of key management:

  • Roughly 10 percent of all SSH user keys offer root access, creating a major compliance and security issue
  • Having key-based access grants be essentially permanent leaves the network vulnerable to attack and is in direct violation of SOX, PCI and FISMA requirements for proper termination of access
  • Enterprises rarely know what each key is used for, presenting not only a security risk, but also a business continuity risk
  • Many SSH keys that grant access to critical servers are no longer usable
  • Man-in-the-middle attacks are made simple when organizations share the same SSH host keys across thousands of computers
  • Some organizations permit administrators to create or delete SSH user keys at will - without approvals or control - essentially granting unfettered, permanent access to systems and people
  • Very few organizations ever rotate SSH user keys, or even remove them when a user leaves or an application is decommissioned

Today, advanced threat vectors are very real and are becoming more commonplace. It is more imperative than ever for organizations without proper SSH key management protocols to restructure their approach to key management, or otherwise face serious consequences.

Organizations must also understand that federal compliance standards such as SOX, NIST, PCI and HIPAA all entail huge fines if they do not exercise the utmost control over access to sensitive network information. With 20,000 servers, a typical number for many large organizations, the cost of manual SSH key management is $40 million over ten years. When the reputation damage caused by a security breach is factored in, organizations have a slew of incentives to repair organizational SSH key management practices.

Key Management Practices Must Change
Fortunately, access control issues in secure shell environments are not a result of any vulnerabilities or flaws in the SSH protocol itself. Rather, the security and compliance risks identified are caused by:

  • A reluctance on the part of auditors to flag issues for which they don't have effective answers
  • Insufficient resources and time to dig into the issue to gain understanding or develop answers
  • Years of lack of clear guidelines or policies relating to SSH key management
  • Unintentionally ignoring of the scope and implications of the problem
  • A lack of guidelines and good tools early on for solving key management issues
  • The focus of the access management field on interactive users without addressing automated access

Why then, has this problem remained in the dark, particularly given the possible consequences? Given its complexity, SSH key management has remained buried in the domain of system administrators. System administrators usually don't control the entire IT environment; instead, they only see the area under their immediate jurisdiction. It must also be taken into account that IT administrators are some of the company's busiest employees, and as such, they may not have had time to recognize and investigate the issue. In addition, because managers and executives are disconnected from the problem, and its underlying consequences, no action is taken and the high risk remains present.

Best Practices for Dealing with SSH Key Mismanagement
The process needed to fix the issue involves several teams within IT operations. The possible liability and compliance risks demand the awareness and buy-in from executive management as well.

Some best practices to get rid of the dangers include:

  • Enforcing proper approvals for all key setups
  • Discovering all existing users, public and private keys, and mapping trust between machines and users
  • Restricting where each key has access and what commands can be executed using the key
  • Rotating keys regularly, so that copied keys cease to work and proper termination of access can be ensured
  • Monitoring the environment to determine which keys are actually used, and removing keys no longer in use
  • Automating key setups and key removals; eliminating manual work and human errors. This step slashes the number of administrators needed for key setups from possibly several hundred to only a few highly trusted administrators

To further reduce risk, proper key management should involve the establishment of internal boundaries within the organization. The organization should strictly control what key-based trust relationships can cross which boundaries, while enforcing iron-clad IP address and "forced command" restrictions for all authorized keys involving trust relationships crossing such boundaries.

Conclusion
While SSH is widely considered the benchmark for data-in-transit security, the current threat landscape requires organizations to rethink how they are managing access to their encrypted networks. The SSH protocol has done a great job in protecting data-in-transit at a tactical level, but an ever-increasing number of threat vectors means effective management of the SSH environment is critical to secure network operations. Best security practices like the ones identified above will position your enterprise to prepare for security threats and new compliance mandates before they occur.

More Stories By Jason Thompson

Jason Thompson is director of global marketing for SSH Communications Security. He brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, he worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA for the University of North Carolina at Wilmington.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that BMC will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. BMC delivers software solutions that help IT transform digital enterprises for the ultimate competitive business advantage. BMC has worked with thousands of leading companies to create and deliver powerful IT management services. From mainframe to cloud to mobile, BMC pairs high-speed digital innovation with robust IT industrialization – allowing customers to provide amazing user experiences with optimized IT per...
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover how hardware commoditization, the ubiquitous nature of connectivity, and the emergence of Big Data a...
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
The world is at a tipping point where the technology, the device and global adoption are converging to such a point that we will see an explosion of a world where smartphone devices not only allow us to talk to each other, but allow for communication between everything – serving as a central hub from which we control our world – MediaTek is at the heart of both driving this and allowing the markets to drive this reality forward themselves. The next wave of consumer gadgets is here – smart, connected, and small. If your ambitions are big, so are ours. In his session at @ThingsExpo, Jack Hu, D...
SYS-CON Events announced today that DragonGlass, an enterprise search platform, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. After eleven years of designing and building custom applications, OpenCrowd has launched DragonGlass, a cloud-based platform that enables the development of search-based applications. These are a new breed of applications that utilize a search index as their backbone for data retrieval. They can easily adapt to new data sets and provide access to both structured and unstruc...
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
We’re entering a new era of computing technology that many are calling the Internet of Things (IoT). Machine to machine, machine to infrastructure, machine to environment, the Internet of Everything, the Internet of Intelligent Things, intelligent systems – call it what you want, but it’s happening, and its potential is huge. IoT is comprised of smart machines interacting and communicating with other machines, objects, environments and infrastructures. As a result, huge volumes of data are being generated, and that data is being processed into useful actions that can “command and control” thi...
As the Internet of Things unfolds, mobile and wearable devices are blurring the line between physical and digital, integrating ever more closely with our interests, our routines, our daily lives. Contextual computing and smart, sensor-equipped spaces bring the potential to walk through a world that recognizes us and responds accordingly. We become continuous transmitters and receivers of data. In his session at @ThingsExpo, Andrew Bolwell, Director of Innovation for HP's Printing and Personal Systems Group, discussed how key attributes of mobile technology – touch input, sensors, social, and ...
All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades. With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo, June 9-11, 2015, at the Javits Center in New York City. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will addresses this very serious issue of profound change in the industry.
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fil...
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial Cloud.
Building low-cost wearable devices can enhance the quality of our lives. In his session at Internet of @ThingsExpo, Sai Yamanoor, Embedded Software Engineer at Altschool, provided an example of putting together a small keychain within a $50 budget that educates the user about the air quality in their surroundings. He also provided examples such as building a wearable device that provides transit or recreational information. He then reviewed the resources available to build wearable devices at home including open source hardware, the raw materials required and the options available to power s...
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it's a mix of architectural styles ...
We certainly live in interesting technological times. And no more interesting than the current competing IoT standards for connectivity. Various standards bodies, approaches, and ecosystems are vying for mindshare and positioning for a competitive edge. It is clear that when the dust settles, we will have new protocols, evolved protocols, that will change the way we interact with devices and infrastructure. We will also have evolved web protocols, like HTTP/2, that will be changing the very core of our infrastructures. At the same time, we have old approaches made new again like micro-services...
Connected devices and the Internet of Things are getting significant momentum in 2014. In his session at Internet of @ThingsExpo, Jim Hunter, Chief Scientist & Technology Evangelist at Greenwave Systems, examined three key elements that together will drive mass adoption of the IoT before the end of 2015. The first element is the recent advent of robust open source protocols (like AllJoyn and WebRTC) that facilitate M2M communication. The second is broad availability of flexible, cost-effective storage designed to handle the massive surge in back-end data in a world where timely analytics is e...
Collecting data in the field and configuring multitudes of unique devices is a time-consuming, labor-intensive process that can stretch IT resources. Horan & Bird [H&B], Australia’s fifth-largest Solar Panel Installer, wanted to automate sensor data collection and monitoring from its solar panels and integrate the data with its business and marketing systems. After data was collected and structured, two major areas needed to be addressed: improving developer workflows and extending access to a business application to multiple users (multi-tenancy). Docker, a container technology, was used to ...