About 20 years ago, a Finnish man named Tatu Ylonen saw a need for stronger security in the nascent online world and created a powerful access protocol called Secure Shell (SSH). It provides trusted access and encrypts communication in transit to prevent man-in-the-middle attacks. In effect, SSH creates an encrypted tunnel to enable secure communication between two points. Understandably, it became popular quickly and is now de rigueur, pre-installed in every Unix, Linux, mainframe and Mac computer, as well as most network devices.
It’s About Access
In a way, cybersecurity has become a victim of SSH’s success. Because SSH comes pre-installed, most organizations have no group or individual responsible for monitoring SSH activities. In fact, most businesses make the leap that SSH equals encryption and encryption equals security. And who doesn’t want more encryption and security? The premise that encryption alone negates the need for vigilance and oversight of SSH use is dangerously flawed.
That’s because, although SSH does encrypt communication, a more accurate understanding is that it’s about access. SSH access comes in two variants: interactive (human to machine) and noninteractive (machine to machine). Furthermore, access to critical resources and data must be managed, monitored and controlled. Thus, closing the SSH responsibility gap should be a Tier One priority for an enterprise.
Starting to address all risks early is crucial. Organizations must have complete accountability of their protected data: Who has access to our data? Where is our data? What laws and regulations must we adhere to? Governance for your trusted access to protected data is of utmost importance.
Maintaining authorized access to protected data has become a challenge to all IT-security professionals. SSH user key-based access, called as the dark side of compliance, continues to bubble up on the high-risk radar as uncontrolled and unmanaged elevated access to production. Organizations must consider SSH access when assessing credentials because these credentials provide the highest level of access yet are rarely, if ever, monitored.
The Risks of SSH
SSH creates key pairs comprising a private key and a public key. To understand their function, it’s best to use an analogy: A public key is similar to a lock on a door, whereas a private key is similar to a physical key you keep in your pocket. Presenting a matching private key to a public key grants an encrypted connection.
Owing to a variety of features, SSH has inherent risks:
- Root-level access—SSH can provide root-level (command-level) access to systems and data.
- Keys are self-provisioned—All employees and consultants can grant themselves access to critical applications.
- Security bypass—Your expensive security-tool investment is worthless in the face of SSH encrypted traffic, effectively creating a security blind spot.
- SSH tunneling—SSH enables traffic to traverse routers and avoid being blocked.
- People share keys—Employees and contractors often copy and share SSH keys, preventing you from knowing who did what, when.
- No expiration date—Even a key pair created two decades ago still works today.
Therefore, SSH keys that fall into malicious hands can become a security nightmare for any business, giving bad actors the ability to do all sorts of nefarious things beyond detection in this security blind spot that SSH creates.
Follow Good Procedures
Effective, consistent SSH key management and risk prevention is possible if your organization implements industry best practices. First, assess the security risks facing your organization. Let your first line of defense be your business owners and users, and define effective security controls that satisfy multiple regulations. In the age of GDPR, assess your compliance gaps before an auditor does.
Next, create usage procedures that include periodic access reviews, documenting and disseminating security policies and standards, and implementation of required IT controls. Then, create and deploy hardening configuration and review it from time to time. Consider automated tools to manage the configuration and apply integrity-control checks and monitoring over critical files. Make sure to define roles and responsibilities as well so that SSH key management doesn’t fall through the cracks again.
Automation is also vital to the success of SSH key deployments, so make sure use it. Standardization is required, and access restrictions are critical. Finally, inventory of keys and usage tracking is necessary as part of the overall provisioning of users and accounts. These security best practices will enhance your security program, support positive audit outcomes and, most of all, help eliminate the risk of data loss.
You can’t take SSH for granted. It’s not a “set it and forget it” technology, but one that must be watched like a hawk because it grants pervasive, root-level access to the network. Organizations must do everything in their power to secure it and make sure it stays that way. Like many tools, SSH has tremendous advantages and some significant vulnerabilities. Follow the best practices outlined above and remain vigilant to keep your data safe.
About the Author
Thomas MacIsaac is a cybersecurity strategist and currently serves as VP Eastern US, Canada and Federal Markets for SSH. Thomas has spent over 22 years in the high-tech industry representing many of the foundational and cutting-edge technologies of our time. He regularly consults with Fortune 500 businesses and government agencies in the area of security on topics of data at rest and in transit, identity and access management, APIs, and SIEMS, and he’s a sought-after speaker for audit, compliance and security events.