Since its invention, the secure shell (SSH) data-in-transit protocol has been used by public and private organizations alike to provide remote access to administrators working offsite and to encrypt sensitive information moving throughout the network environment. Half of all of the world’s websites use a version of secure shell, making it a ubiquitous tool in the data center security world.
Secure shell has secured billions of data transactions without being compromised. But although the protocol itself is highly secure, today’s rapidly evolving threatscape is forcing companies to reconsider how to manage their secure shell environments.
New Threats Hit Home
Data center administrators use secure shell most often to transfer sensitive information in the network environment, including personally identifiable information, health-care records and payment data. Ironically, because secure shell protects sensitive data, it presents a tempting target for hackers. Since the protocol itself remains secure, however, malicious insiders and hackers must seek other entry points to steal the data that secure shell protects.
It turns out that mismanagement of secure shell keys is the perfect backdoor.
As background, a primer on how secure shell works is beneficial to the discussion. Secure shell establishes a “trust relationship” between a computer and the server using a pair of cryptographic keys. These relationships are created and managed internally, often on systems dating back nearly 20 years. As such, very few network administrators have the ability to search for the locations of their secure shell key trust relationships. Therefore, tracking these relationships is done manually.
When a network has potentially hundreds of thousands of keys, trust relationships are inevitably lost. If a malicious insider gains access to one of these keys, that person can then mimic an authorized user with impunity. Improper management of secure shell keys, therefore, opens the door to hackers looking to gain access to sensitive information.
A study on the management operations of some of the largest organizations in the world revealed a disturbing trend:
- Many secure shell keys that grant access to critical servers are orphaned and no longer in use.
- Around 10 percent of all secure shell user keys provide root access, creating a major security and compliance issue.
- Network administrators rarely know what each key is used for. This situation presents not only a security risk, but also a continuity risk.
- Key-based access grants are essentially permanent. This is in direct violation of SOX, PCI and HIPAA requirements for proper termination of access, and it leaves the network vulnerable to attack.
- Very few organizations ever rotate secure shell user keys. They even fail to remove old keys when a user leaves or an application is decommissioned.
- Servers often share the same secure shell host keys across thousands of computers, leaving the network vulnerable to man-in-the-middle attacks.
- Permitting administrators to create or delete secure shell user keys at will—without approvals or control—essentially grants unfettered, permanent access to systems and people.
Owing to the increase in advanced threat vectors, it is more crucial than ever that organizations implement proper secure shell key-management protocols. The more companies deviate from a best-practices approach to secure shell key management, the higher the risk to their data and end users.
Organizations must track not only the security implications of secure shell key mismanagement, but also federal compliance standards—such as SOX, PCI, HIPAA and NIST. These standards require organizations to sustain control over access to sensitive network information, or risk costly fines.
Key Management: Change in Practice
Fortunately, issues with access control in secure shell environments are not a consequence of any vulnerabilities or flaws in the secure shell protocol itself. Regardless, organizations must improve their secure shell key-management practices to reduce risk and meet compliance requirements. Common problems that demand immediate attention include the following:
- Insufficient time and resources to dig into the issue in order to gain understanding or develop solutions.
- Focus of the access-management field on interactive users without addressing automated access.
- Lack of clear guidelines or policies relating to secure shell key management.
- Misunderstanding the scope and implications of the problem.
- Mismanagement of tools and guidelines early in the process of solving key problems.
- A reluctance on the part of auditors to flag issues for which they don’t have effective solutions.
Why has this problem remained hidden for so long, especially given the severity of the consequences? Secure shell key management is so technical that it has remained obscure in the domain of system administrators. Even for technical staff, the full scope of the problem is difficult to see. Each system administrator typically only works on one specific part of the IT environment and therefore lacks the perspective needed to view the scope of the problem. This is where the danger lies.
Secure Shell Key-Management Remediation: Best Practices
The process of fixing the issue involves several teams in IT operations. The possible liability and compliance risks demand the awareness and buy-in from executive management as well.
Some best practices to remedy the problem include the following:
- Automating key setups and key removals to eliminate manual work and human errors. This step slashes the number of administrators needed for key setups from possibly several hundred to only a few highly trusted administrators.
- Discovering all existing users as well as public and private keys, and mapping trust between machines and users.
- Enforcing proper approvals for all key setups.
- Monitoring the environment to determine which keys are actually used, and removing keys that are no longer in use.
- Restricting where each key has access and what commands can be executed using the key.
- Rotating keys regularly so that copied keys cease to work and proper termination of access can be ensured.
To further reduce risk, proper key management should include the development of internal boundaries in the network environment. Network administrators should strictly control which key-based trust relationships can cross which boundaries. They should also enforce ironclad IP-address and “forced command” restrictions for all authorized keys involving trust relationships crossing such boundaries.
Although secure shell is the benchmark for data-in-transit security, the current threat landscape requires organizations to rethink how they are managing access to their encrypted networks. The secure shell protocol has been highly secure in protecting data-in-transit at a tactical level, but an ever increasing number of threat vectors means efficient management of the secure shell environment is critical to secure network operations. Best security practices like the ones identified above will position companies to deal with security threats and new compliance mandates before they become problems.
About the Author
Jason Thompson is director of global marketing for SSH Communications Security. He brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Before joining SSH, Thompson worked at Q1 Labs, where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Thompson holds a BA from Colorado State University and an MA for the University of North Carolina at Wilmington.
Image courtesy of Chris2d