Click here to close now.

Welcome!

Security Authors: Elizabeth White, Pat Romanski, Liz McMillan, Brian Vandegrift, Ian Khan

Related Topics: Security, Java, Wireless, MICROSERVICES, Web 2.0, SDN Journal

Security: Article

User Accounts Are Only the Tip of the Iceberg

How to secure M2M connections and protect encrypted networks

Identity and access management solutions provide governance and visibility capabilities that enable organizations to provision and control access to their applications, cloud infrastructure, servers and both structured and unstructured data. Enterprise IAM deployments are generally effective in managing the identities assigned to interactive, human users. However, within a typical enterprise there often are a greater number of identities assigned to the automated processes that drive much of the computing in large- scale data centers. As enterprises adopt more and more process automation, the number of non-human identities continues to grow while the number of identities assigned to human users remains relatively flat or even declines. The net result is enterprise IAM deployments are ignoring the much larger set of identities that actually perform most of the enterprise computing functions.

The vast majority of the identities enabling machine to machine (M2M) processes use Secure Shell for authentication, authorization and to provide a secure encrypted channel for M2M data transfers. For example, an automated process that retrieves server log data requires an authenticated and authorized connection to each server, plus a secure channel to move the log data to a centralized processing application. Secure Shell is ideal for these functions because:

  • Public key (PKI) based authentication supported by Secure Shell enables the process to present its credentials without requiring an interactive user to login via username and password - or via any other interactive authentication process.
  • The PKI based authentication process used by Secure Shell provides security for the login credentials. The private Secure Shell user key is never sent over the network.
  • Secure Shell provides facilities to define and limit what functions a process may perform under a Secure Shell authorization. This meets "need to know, need to do" criteria of basic IAM governance.
  • Finally, Secure Shell provides for confidentiality of data in transit. Communications over a Secure Shell channel are encrypted.

In spite of these advantages, there are significant gaps in IAM governance of identities that use Secure Shell. Typically, the provisioning of these identities is decentralized. Identities may be assigned by application developers, application owners and process owners. This often leads to a lack of proper control and oversight over creation of identities and their authorizations. Without central management and visibility, enterprises cannot be sure how many Secure Shell identities have been created, what these identities are authorized to perform and what authorizations are in fact no longer needed. The scope and nature of this problem are not theoretical. The typical enterprise server has between 8 and 100 Secure Shell authorizations (i.e., public Secure Shell user keys). This adds up. A large enterprise may have over one million keys, which in turn establish an even greater number of unmanaged machine-to-machine (M2M) trust relationships.

The Challenge of Ubiquitous Encryption
While many in IT security use Secure Shell to securely access remote servers, most are surprised to discover that M2M communication makes up the majority - in some cases over 90% of all Secure Shell traffic - on their network. The vast majority of Secure Shell trust relationships provide access to production servers and carry high-value payloads; including credit card information, healthcare records, national secrets, intellectual property and other highly critical information.

Shockingly, access to M2M encrypted channels via Secure Shell, which uses keys to authenticate a non-human user, almost always lacks proper identity and IAM controls, creating a huge risk and compliance issue for most enterprises. Any interactive user who has the proper credentials - in the case of Secure Shell, a simple copy of the key file - can hijack these uncontrolled M2M networks. This means that, in many cases, the most valuable information in the enterprise has the least amount of protection from unauthorized access.

Most large organizations have between 100,000 to well over a million of these keys in their network environments. Even though these keys grant access to critical systems and servers, many have never been changed. Even more incredibly, many organizations have no process for approving and enforcing who can grant permanent access to servers using these keys. One study at a large bank, with over one million keys in use, found that 10 percent of these keys granted unlimited administrative ("root") access to production servers; a grave security risk.

The lack of security controls - coupled with the high value of data it protects - has made Secure Shell a target for hackers. A recent IBM X-Force study found most attacks against Linux/Unix servers utilize stolen or lost Secure Shell keys as a threat vector. Because many keys are deployed in one-to-many relationships, it is possible that a single breach related to a compromised key could have a cascading effect across a large swath of the network environment.

In an ironic twist, the very function that blinds prying eyes from spying on sensitive data in-transit also prevents systems administrators from seeing whether information is being accessed improperly using a stolen Secure Shell key. All data-in-transit encryption, including Secure Shell, blinds layered security defense systems to malicious activity originating from a hacker, trusted insiders, business partners and outsourced IT. This means that unless the enterprise has deployed an encrypted channel monitoring, security operations and forensics teams cannot see what is happening in the encrypted network. Encrypted channel monitoring enables security intelligence and DLP solutions to inspect, store and - if need be - stop traffic to make sure hackers or malicious insiders cannot use Secure Shell encryption to spirit away information in an undetectable and untraceable manner. This way, the network administrator can track what a user is doing inside the encrypted channel, without exposing the data in the clear during transmission.

Evolving Standards to Include Other Authentication Methods
Moving to protect themselves against both hacker attacks and security compliance mandates, many enterprises are bolstering interactive user authentication methods; including enforcing password strength, requiring periodic password changes and implementing two-factor authentication. These methodologies are designed to confound hacker attempts to access interactive accounts through brute force attacks, lost or stolen passwords, or spoofed credentials. These approaches are now considered best practices and are enshrined in compliance requirements like PCI, HIPAA, FISMA, SOX and others.

Currently, compliance bodies are updating their regulations to specifically include other methods of authentication above and beyond user names and passwords - such as certificates and keys - in their regulatory language. This means that auditors will be required to flag instances where access is not being controlled via Secure Shell. This is a natural progression for compliance mandates, arriving at a time when the market is beginning to recognize that strong standards are required to ensure the safety of the enterprise's most critical business information.

Best Practices
To provide the highest levels of security and accountability, it is in the organization's best interest to research, design and deploy an IAM strategy that includes processes designed specifically for M2M communications. A comprehensive, best practices-based IAM program that includes provisions for Secure Shell-based M2M security must address both the provisioning and intelligence aspects of IAM across large, complex and heterogeneous environments.

Best practices based Secure Shell key management enables strong authentication practices, including:

  • Restricting root access to servers so that only the key manager can provision or revoke keys
  • Automated key creation, rotation and removal
  • Discovery and continuous monitoring of trust relationships and unauthorized key deployments and removals
  • Enforcing proper key type, size and version of Secure Shell
  • Controlling where each key can be used from and what commands can be executed using the key
  • Monitoring traffic in encrypted channels

Looking Ahead
In an environment where ever-increasing numbers of users, devices and machines are connected to the Internet and the company network, ensuring that the enterprise's IAM strategy includes strong Secure Shell access controls in M2M communications is mission-critical. While ubiquitous encryption offers clear network security benefits, left unmanaged it can present a significant threat to the business. IT security, compliance and audit professionals must begin the process of addressing Secure Shell access control and governance issues. The absence of such controls creates security vulnerabilities and can cause an organization to run afoul of compliance mandates, resulting in the risk of fines and other liabilities. By critically examining the organization's Secure Shell environment, IT teams can reveal and address the M2M access control issues that lie beneath the tip of the iceberg.

More Stories By Jonathan Lewis

Jonathan Lewis is director of product marketing for SSH Communications Security, where he is responsible for communicating the value and importance of effective Secure Shell access governance. Jonathan has diverse experience in the network and security industry including technical and business management roles at companies ranging from start-ups to global enterprises. His technology expertise includes VPN, Firewall, SSL, SSH and DDoS mitigation. Jonathan holds BS and MS degrees from McGill University and an MBA from Bentley College.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
SYS-CON Events announced today that Litmus Automation will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Litmus Automation’s vision is to provide a solution for companies that are in a rush to embrace the disruptive Internet of Things technology and leverage it for real business challenges. Litmus Automation simplifies the complexity of connected devices applications with Loop, a secure and scalable cloud platform.
While not quite mainstream yet, WebRTC is starting to gain ground with Carriers, Enterprises and Independent Software Vendors (ISV’s) alike. WebRTC makes it easy for developers to add audio and video communications into their applications by using Web browsers as their platform. But like any market, every customer engagement has unique requirements, as well as constraints. And of course, one size does not fit all. In her session at WebRTC Summit, Dr. Natasha Tamaskar, Vice President, Head of Cloud and Mobile Strategy at GENBAND, will explore what is needed to take a real time communications ...
As Marc Andreessen says software is eating the world. Everything is rapidly moving toward being software-defined – from our phones and cars through our washing machines to the datacenter. However, there are larger challenges when implementing software defined on a larger scale - when building software defined infrastructure. In his session at 16th Cloud Expo, Boyan Ivanov, CEO of StorPool, will provide some practical insights on what, how and why when implementing "software-defined" in the datacenter.
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional Social, Mobile and Cloud user experiences, our solutions help large and medium-sized organizations dr...
Internet of Things (IoT) will be a hybrid ecosystem of diverse devices and sensors collaborating with operational and enterprise systems to create the next big application. In their session at @ThingsExpo, Bramh Gupta, founder and CEO of robomq.io, and Fred Yatzeck, principal architect leading product development at robomq.io, will discuss how choosing the right middleware and integration strategy from the get-go will enable IoT solution developers to adapt and grow with the industry, while at the same time reduce Time to Market (TTM) by using plug and play capabilities offered by a robust I...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
After making a doctor’s appointment via your mobile device, you receive a calendar invite. The day of your appointment, you get a reminder with the doctor’s location and contact information. As you enter the doctor’s exam room, the medical team is equipped with the latest tablet containing your medical history – he or she makes real time updates to your medical file. At the end of your visit, you receive an electronic prescription to your preferred pharmacy and can schedule your next appointment.
Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Raspberry Pi, BeagleBone, Spark and Intel Edison. You will also get an overview of cloud technologies s...
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
The WebRTC Summit 2015 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
SOA Software has changed its name to Akana. With roots in Web Services and SOA Governance, Akana has established itself as a leader in API Management and is expanding into cloud integration as an alternative to the traditional heavyweight enterprise service bus (ESB). The company recently announced that it achieved more than 90% year-over-year growth. As Akana, the company now addresses the evolution and diversification of SOA, unifying security, management, and DevOps across SOA, APIs, microservices, and more.
The list of ‘new paradigm’ technologies that now surrounds us appears to be at an all time high. From cloud computing and Big Data analytics to Bring Your Own Device (BYOD) and the Internet of Things (IoT), today we have to deal with what the industry likes to call ‘paradigm shifts’ at every level of IT. This is disruption; of course, we understand that – change is almost always disruptive.
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud.
GENBAND has announced that SageNet is leveraging the Nuvia platform to deliver Unified Communications as a Service (UCaaS) to its large base of retail and enterprise customers. Nuvia’s cloud-based solution provides SageNet’s customers with a full suite of business communications and collaboration tools. Two large national SageNet retail customers have recently signed up to deploy the Nuvia platform and the company will continue to sell the service to new and existing customers. Nuvia’s capabilities include HD voice, video, multimedia messaging, mobility, conferencing, Web collaboration, deskt...
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborate. Cisco and our partners are building the platform for the Internet of Everything by connecting the...
Temasys has announced senior management additions to its team. Joining are David Holloway as Vice President of Commercial and Nadine Yap as Vice President of Product. Over the past 12 months Temasys has doubled in size as it adds new customers and expands the development of its Skylink platform. Skylink leads the charge to move WebRTC, traditionally seen as a desktop, browser based technology, to become a ubiquitous web communications technology on web and mobile, as well as Internet of Things compatible devices.