Protecting Encrypted Networks: The Secure Shell Solution

By Matthew McKenna
March 24, 2015

Cyber attacks today are increasingly sophisticated and aggressive, leaving organizations fighting to stay at least one step ahead of hackers to protect their critical data assets. Identity and access management (IAM) solutions are part of an overall security strategy that helps organizations control access to their cloud infrastructure, applications, servers, and both structured and unstructured data. These solutions manage the identities assigned to interactive, human users fairly well, but do a poor job of managing the typically larger number of identities assigned to the automated processes that drive much of the computing in large-scale data centers. These non-human identities continue to grow, which means that IAM implementations are not addressing the majority of identities present in an enterprise – the identities performing the bulk of operations.

A secure encrypted channel is needed for machine-to-machine (M2M) data transfers. For this reason, most of the identities that enable M2M processes use Secure Shell (SSH) for authentication and authorization. For example, an automated process that retrieves server log data requires an authenticated and authorized connection to each server, plus a secure channel to move the log data to a centralized processing application. Secure Shell is ideal for these functions because:

  1. The PKI-based authentication process used by Secure Shell provides security for the login credentials. The private Secure Shell user key is never sent over the network.
  2. Public key (PKI)-based authentication supported by Secure Shell enables the process to present its credentials without requiring an interactive user to login via username and password – or via any other interactive authentication process.
  3. Secure Shell provides confidentiality of data in transit. Communications over a Secure Shell channel are encrypted.
  4. Secure Shell enables facilities to define and limit what functions a process may perform under a Secure Shell authorization. This meets “need to know, need to do” criteria of basic IAM governance.

Though these benefits are clear, holes exist in IAM governance of identities that use Secure Shell. Typically, the provisioning of these identities is decentralized. Identities may be assigned by application developers, application owners and process owners. This often leads to a lack of proper control and oversight over creation of identities and their authorizations. Without central management and visibility, enterprises cannot be sure how many Secure Shell identities have been created, what these identities are authorized to perform and what authorizations are in fact no longer needed. The scope and nature of this problem are not theoretical. The typical enterprise server has between eight and 100 Secure Shell authorizations (i.e., public Secure Shell user keys). This adds up. A large enterprise may have over one million keys deployed, which in turn establish an even greater number of unmanaged M2M trust relationships.

Encryption Challenges

M2M communication makes up the majority of all Secure Shell traffic on any given network – in some cases over 90 percent. The vast majority of Secure Shell trust relationships provide access to production servers and carry high-value payloads: credit card information, healthcare records, national secrets, intellectual property and other highly critical data.

It is stunning, then, to realize that appropriate identity and IAM controls for Secure Shell access to M2M encrypted channels are almost universally absent. Secure Shell uses keys to authenticate a non-human user, and this lack of controls creates a huge risk and compliance issue for most enterprises. Any interactive user who has the proper credentials – in the case of Secure Shell, a simple copy of the key file – can hijack these uncontrolled M2M networks. This means that, in many cases, the most valuable information in the enterprise has the least amount of protection from unauthorized access.

Even though these keys grant access to critical systems and servers, many have never been changed. Most large organizations have from 100,000 to well over a million of these keys in their network environments. Even more incredibly, many organizations have no process in place for approving and enforcing who can grant permanent access to servers using these keys. One study at a large bank, with over one million keys in use, found that 10 percent of these keys granted unlimited administrative (“root”) access to production servers – a grave security risk.

The combination of poor to non-existent security controls and the high value nature of the data they are supposed to be protecting makes Secure Shell an irresistible target for hackers. A recent IBM X-Force study found most attacks against Linux/Unix servers utilize stolen or lost Secure Shell keys as a threat vector. Because many keys are deployed in one-to-many relationships, it is possible that a single breach related to a compromised key could have a cascading effect across a large swath of the network environment.

Encryption sometimes ends up being a two-edged sword, blinding parties on both sides of the security equation. All data-in-transit encryption, including Secure Shell, blinds layered security defense systems to malicious activity originating from a hacker, trusted insiders, business partners and outsourced IT. This means that unless the enterprise has deployed encrypted channel monitoring, security operations and forensics teams cannot see what is happening in the encrypted network. Encrypted channel monitoring enables security intelligence and DLP solutions to inspect, store and – if need be – stop traffic to make sure hackers or malicious insiders cannot use Secure Shell encryption to spirit away information in an undetectable and untraceable manner. This way, the network administrator can track what a user is doing inside the encrypted channel, without exposing the data in the clear during transmission.

Secure Shell Becoming the Standard

In an effort to defend against malicious actors and comply with security mandates, many enterprises are strengthening interactive user authentication methods. They include enforcing password strength, requiring periodic password changes and implementing two-factor authentication. These methodologies are designed to confound hacker attempts to access interactive accounts through brute force attacks, lost or stolen passwords, or spoofed credentials. These approaches are now considered best practices and are enshrined in compliance requirements like PCI, HIPAA, FISMA, SOX and others.

Regulatory entities are in the process of changing their language to specifically include other methods of authentication above and beyond user names and passwords – such as certificates and keys. This means that auditors will be required to flag instances where Secure Shell access is not being controlled. This is a natural progression for compliance mandates, arriving at a time when the market is beginning to recognize that strong standards are required to ensure the safety of the enterprise’s most critical business information.

World-Class Key Management

It is in the best interests of organizations that want to provide optimum levels of security and accountability to research, design and deploy an IAM strategy that includes processes designed specifically for M2M communications. A comprehensive, best practices-based IAM program that includes provisions for Secure Shell-based M2M security must address both the provisioning and intelligence aspects of IAM across large, complex and heterogeneous environments.

Secure Shell key management based on best practices creates strong authentication processes, such as:

  • Controlling where each key can be used from and what commands can be executed using the key
  • Discovery and continuous monitoring of trust relationships and unauthorized key deployments and removals
  • Restricting root access to servers so that only the key manager can provision or revoke keys
  • Automated key creation, rotation and removal
  • Enforcing the proper version of Secure Shell, key type and size
  • Encrypted channel monitoring
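The first and fifth items in the list above are enforceable per key in an OpenSSH authorized_keys file through the `from=` and `command=` options and the key type and size. The following audit script is an added example, not code from the article or from SSH Communications Security: it parses authorized_keys entries and reports keys that lack a source restriction or forced command, or that use an obsolete type or a short RSA modulus. The sample entries, the file paths and the 2048-bit threshold are constructed assumptions; the RSA blobs are synthetic wire-format encodings built only to exercise the size check.

```python
import base64
import re
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
KEY_RE = re.compile(r"(?:^|\s)(%s)\s+(\S+)(?:\s+(.*))?$" % "|".join(map(re.escape, KEY_TYPES)))
OPTION_RE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')  # commas inside quotes do not split

def _ssh_string(data):  # SSH wire-format string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def make_rsa_blob(bits):  # synthetic ssh-rsa blob for sample data only, not a real key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
                            + _ssh_string(b"\x00" + n)).decode()

def rsa_modulus_bits(blob_b64):  # modulus length read from the blob fields (type, e, n)
    raw, fields, pos = base64.b64decode(blob_b64), [], 0
    while pos < len(raw):
        (length,) = struct.unpack(">I", raw[pos:pos + 4])
        fields.append(raw[pos + 4:pos + 4 + length])
        pos += 4 + length
    return int.from_bytes(fields[2], "big").bit_length()

def parse_entry(line):  # -> (option names, key type, blob, comment) or None
    line = line.strip()
    m = KEY_RE.search(line)
    if not m or line.startswith("#"):
        return None
    names = {o.split("=", 1)[0] for o in OPTION_RE.findall(line[:m.start()])}
    return names, m.group(1), m.group(2), m.group(3) or ""

def audit_entry(entry, min_rsa_bits=2048):  # findings for one key; empty if it passes
    names, ktype, blob, _ = entry
    checks = [
        ("from" not in names, "no from= source restriction: usable from any host"),
        ("command" not in names, "no forced command: grants an unrestricted shell"),
        (ktype == "ssh-dss", "obsolete ssh-dss key type"),
        (ktype == "ssh-rsa" and rsa_modulus_bits(blob) < min_rsa_bits,
         "RSA modulus shorter than %d bits" % min_rsa_bits),
    ]
    return [msg for failed, msg in checks if failed]

def audit_file(text):  # map each key's comment (or blob prefix) to its findings
    entries = filter(None, map(parse_entry, text.splitlines()))
    return {e[3] or e[2][:16]: audit_entry(e) for e in entries}

# Constructed sample authorized_keys content; the ed25519 blob is a placeholder.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# log collector: pinned to one source host and one command",
    'from="10.0.0.5",command="/usr/local/bin/pull-logs.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER logcollector@batch',
    "ssh-rsa %s legacy-app@unknown" % make_rsa_blob(1024),
    'from="192.0.2.0/24" ssh-rsa %s deploy@ci' % make_rsa_blob(4096),
])
```

Run `audit_file(open("/path/to/authorized_keys").read())` over a real file to list, per key, which of the article's controls are missing; an empty list means the key is pinned to a source, forced to one command and of an acceptable type and size.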

Toward a Secure (Shell) Future

The modern enterprise must accommodate a growing cosmos of connections to the company network. This requires strong Secure Shell access controls in all of those M2M communications. Encryption is tremendously beneficial to network security, but if it is not managed properly, it can actually do harm as well as good. Best practices necessitate getting a handle on Secure Shell access control and governance. Without them, organizations risk fines due to lack of compliance, in addition to the more obvious security issues. Cybersecurity staff can protect against these risks by thoroughly investigating their Secure Shell environments.

Matthew McKenna brings more than 10 years of high technology sales, marketing and management experience to SSH Communications Security and is responsible for all revenue-generating operations. His expertise in strategically delivering technology solutions that anticipate the marketplace has helped the company become a market leader. Prior to joining the company, McKenna served as a member of the executive management team of Automaster Oyj which was successfully acquired by ADP Dealer Services Nordic. Before this, he played professional soccer in Germany and Finland. He holds a BA in German from the University of South Carolina and an MBA from the Helsinki School of Economics and Business Administration.
