Welcome!

Cloud Security Authors: Elizabeth White, Liz McMillan, Pat Romanski, Lisa Calkins, Mamoon Yunus

Related Topics: Cloud Security, Java IoT, Industrial IoT, Microservices Expo, Agile Computing, @CloudExpo

Cloud Security: Article

Remediating SSH Key Mismanagement

The Necessary Steps to Secure Your Network

From its origin in 1995, SSH, the secure shell data-in-transit protocol, has been used the world over as a method to transfer data between machines, as well as a tool to provide remote administrator access. Some variation of the protocol is packaged free in every version of Unix, Mac OS and Linux. Recently, its use has grown exponentially in Windows operating systems as well. While the exact number of worldwide SSH deployments is unknown, it is estimated that nearly half of all of the World Wide Web uses SSH, making it a virtually mandatory service in the world of network security.

After nearly two decades of use, SSH has succeeded in securing billions of business transactions without any faults of the protocol itself, demonstrating its dependability as a security solution. On the other hand, the evolution of cyber-threat ability requires that organizations take a careful look at how they manage their SSH environments.

New Threats Requires New Thinking
Organizations rely on SSH to securely transmit immense amounts of sensitive data - such as banking information, healthcare records, classified intelligence and other personally identifiable material. Therefore, to attackers and malicious insiders, SSH is a barrier protecting vital corporate data.

However, because this barrier is inherently unbreakable, attackers must pursue alternate routes around the secure shell; to do this, they must focus instead on the mismanagement of SSH keys.

Network administrators establish a trust-based relationship between a user's computer and server by implementing a cryptographic key pair. The connection is established and managed within the corporation's networking system. Unfortunately, many of these systems are outdated and often cannot search for or pinpoint the location of trust-based relationships. Therefore, the search for keys must be done manually. Given a network often houses keys numbering in the hundreds of thousands, it is too easy to lose track of these trust relationships.

This leads to a disheartening conclusion: if an attacker inside or outside the company walls can discover a key, they can essentially imitate any authorized user and gain access to any sensitive data freely.

Improper management of SSH keys presents a prominent vulnerability available for exploitation by attackers looking to gain access to sensitive information.

A study performed recently on some of the largest corporations in the world produced shocking results deriving from the lack of judgment and knowledge of the importance of key management:

  • Roughly 10 percent of all SSH user keys offer root access, creating a major compliance and security issue
  • Having key-based access grants be essentially permanent leaves the network vulnerable to attack and is in direct violation of SOX, PCI and FISMA requirements for proper termination of access
  • Enterprises rarely know what each key is used for, presenting not only a security risk, but also a business continuity risk
  • Many SSH keys that grant access to critical servers are no longer usable
  • Man-in-the-middle attacks are made simple when organizations share the same SSH host keys across thousands of computers
  • Some organizations permit administrators to create or delete SSH user keys at will - without approvals or control - essentially granting unfettered, permanent access to systems and people
  • Very few organizations ever rotate SSH user keys, or even remove them when a user leaves or an application is decommissioned

Today, advanced threat vectors are very real and are becoming more commonplace. It is more imperative than ever for organizations without proper SSH key management protocols to restructure their approach to key management, or otherwise face serious consequences.

Organizations must also understand that federal compliance standards such as SOX, NIST, PCI and HIPAA all entail huge fines if they do not exercise the utmost control over access to sensitive network information. With 20,000 servers, a typical number for many large organizations, the cost of manual SSH key management is $40 million over ten years. When the reputation damage caused by a security breach is factored in, organizations have a slew of incentives to repair organizational SSH key management practices.

Key Management Practices Must Change
Fortunately, access control issues in secure shell environments are not a result of any vulnerabilities or flaws in the SSH protocol itself. Rather, the security and compliance risks identified are caused by:

  • A reluctance on the part of auditors to flag issues for which they don't have effective answers
  • Insufficient resources and time to dig into the issue to gain understanding or develop answers
  • Years of lack of clear guidelines or policies relating to SSH key management
  • Unintentionally ignoring of the scope and implications of the problem
  • A lack of guidelines and good tools early on for solving key management issues
  • The focus of the access management field on interactive users without addressing automated access

Why then, has this problem remained in the dark, particularly given the possible consequences? Given its complexity, SSH key management has remained buried in the domain of system administrators. System administrators usually don't control the entire IT environment; instead, they only see the area under their immediate jurisdiction. It must also be taken into account that IT administrators are some of the company's busiest employees, and as such, they may not have had time to recognize and investigate the issue. In addition, because managers and executives are disconnected from the problem, and its underlying consequences, no action is taken and the high risk remains present.

Best Practices for Dealing with SSH Key Mismanagement
The process needed to fix the issue involves several teams within IT operations. The possible liability and compliance risks demand the awareness and buy-in from executive management as well.

Some best practices to get rid of the dangers include:

  • Enforcing proper approvals for all key setups
  • Discovering all existing users, public and private keys, and mapping trust between machines and users
  • Restricting where each key has access and what commands can be executed using the key
  • Rotating keys regularly, so that copied keys cease to work and proper termination of access can be ensured
  • Monitoring the environment to determine which keys are actually used, and removing keys no longer in use
  • Automating key setups and key removals; eliminating manual work and human errors. This step slashes the number of administrators needed for key setups from possibly several hundred to only a few highly trusted administrators

To further reduce risk, proper key management should involve the establishment of internal boundaries within the organization. The organization should strictly control what key-based trust relationships can cross which boundaries, while enforcing iron-clad IP address and "forced command" restrictions for all authorized keys involving trust relationships crossing such boundaries.

Conclusion
While SSH is widely considered the benchmark for data-in-transit security, the current threat landscape requires organizations to rethink how they are managing access to their encrypted networks. The SSH protocol has done a great job in protecting data-in-transit at a tactical level, but an ever-increasing number of threat vectors means effective management of the SSH environment is critical to secure network operations. Best security practices like the ones identified above will position your enterprise to prepare for security threats and new compliance mandates before they occur.

More Stories By Jason Thompson

Jason Thompson is director of global marketing for SSH Communications Security. He brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, he worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA for the University of North Carolina at Wilmington.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, shared examples from a wide range of industries – including en...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Consumers increasingly expect their electronic "things" to be connected to smart phones, tablets and the Internet. When that thing happens to be a medical device, the risks and benefits of connectivity must be carefully weighed. Once the decision is made that connecting the device is beneficial, medical device manufacturers must design their products to maintain patient safety and prevent compromised personal health information in the face of cybersecurity threats. In his session at @ThingsExpo...
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Because IoT devices are deployed in mission-critical environments more than ever before, it’s increasingly imperative they be truly smart. IoT sensors simply stockpiling data isn’t useful. IoT must be artificially and naturally intelligent in order to provide more value In his session at @ThingsExpo, John Crupi, Vice President and Engineering System Architect at Greenwave Systems, will discuss how IoT artificial intelligence (AI) can be carried out via edge analytics and machine learning techn...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
In the enterprise today, connected IoT devices are everywhere – both inside and outside corporate environments. The need to identify, manage, control and secure a quickly growing web of connections and outside devices is making the already challenging task of security even more important, and onerous. In his session at @ThingsExpo, Rich Boyer, CISO and Chief Architect for Security at NTT i3, discussed new ways of thinking and the approaches needed to address the emerging challenges of security i...
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
There is only one world-class Cloud event on earth, and that is Cloud Expo – which returns to Silicon Valley for the 21st Cloud Expo at the Santa Clara Convention Center, October 31 - November 2, 2017. Every Global 2000 enterprise in the world is now integrating cloud computing in some form into its IT development and operations. Midsize and small businesses are also migrating to the cloud in increasing numbers. Companies are each developing their unique mix of cloud technologies and service...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, will introduce two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a...
Recently, IoT seems emerging as a solution vehicle for data analytics on real-world scenarios from setting a room temperature setting to predicting a component failure of an aircraft. Compared with developing an application or deploying a cloud service, is an IoT solution unique? If so, how? How does a typical IoT solution architecture consist? And what are the essential components and how are they relevant to each other? How does the security play out? What are the best practices in formulating...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...