Protecting Encrypted Networks: The Secure Shell Solution
Cyber attacks today are increasingly sophisticated and aggressive, leaving organizations fighting to stay at least one step ahead of hackers to protect their critical data assets. Identity and access management (IAM) solutions are part of an overall security strategy that helps organizations control access to their cloud infrastructure, applications, servers, and both structured and unstructured data. These solutions manage the identities assigned to interactive, human users fairly well, but do a poor job of managing the typically larger number of identities assigned to the automated processes that drive much of the computing in large-scale data centers. These non-human identities continue to grow, which means that IAM implementations are not addressing the majority of identities present in an enterprise – the identities performing the bulk of operations.
A secure encrypted channel is needed for machine-to-machine (M2M) data transfers. For this reason, most of the identities that enable M2M processes use Secure Shell (SSH) for authentication and authorization. For example, an automated process that retrieves server log data requires an authenticated and authorized connection to each server, plus a secure channel to move the log data to a centralized processing application. Secure Shell is ideal for these functions because:
- The PKI-based authentication process used by Secure Shell provides security for the login credentials. The private Secure Shell user key is never sent over the network.
- Public key (PKI)-based authentication supported by Secure Shell enables the process to present its credentials without requiring an interactive user to login via username and password – or via any other interactive authentication process.
- Secure Shell provides confidentiality of data in transit. Communications over a Secure Shell channel are encrypted.
- Secure Shell enables facilities to define and limit what functions a process may perform under a Secure Shell authorization. This meets “need to know, need to do” criteria of basic IAM governance.
Though these benefits are clear, holes exist in IAM governance of identities that use Secure Shell. Typically, the provisioning of these identities is decentralized. Identities may be assigned by application developers, application owners and process owners. This often leads to a lack of proper control and oversight over creation of identities and their authorizations. Without central management and visibility, enterprises cannot be sure how many Secure Shell identities have been created, what these identities are authorized to perform and what authorizations are in fact no longer needed. The scope and nature of this problem are not theoretical. The typical enterprise server has between eight and 100 Secure Shell authorizations (i.e., public Secure Shell user keys). This adds up. A large enterprise may have over one million keys deployed, which in turn establish an even greater number of unmanaged M2M trust relationships.
M2M communication makes up the majority – in some cases over 90 percent of all Secure Shell traffic – on any given network. The vast majority of Secure Shell trust relationships provide access to production servers and carry high-value payloads: credit card information, healthcare records, national secrets, intellectual property and other highly critical data.
It is stunning, then, to realize that appropriate identity and IAM controls for Secure Shell access to M2M encrypted channels are almost universally absent. Secure Shell uses keys to authenticate a non-human user, and this lack of controls creates a huge risk and compliance issue for most enterprises. Any interactive user who has the proper credentials – in the case of Secure Shell, a simple copy of the key file – can hijack these uncontrolled M2M networks. This means that, in many cases, the most valuable information in the enterprise has the least amount of protection from unauthorized access.
Even though these keys grant access to critical systems and servers, many have never been changed. Most large organizations have between 100,000 to well over a million of these keys in their network environments. Even more incredibly, many organizations have no process in place for approving and enforcing who can grant permanent access to servers using these keys. One study at a large bank, with over one million keys in use, found that 10 percent of these keys granted unlimited administrative (“root”) access to production servers – a grave security risk.
The combination of poor to non-existent security controls and the high value nature of the data they are supposed to be protecting makes Secure Shell an irresistible target for hackers. A recent IBM X-Force study found most attacks against Linux/Unix servers utilize stolen or lost Secure Shell keys as a threat vector. Because many keys are deployed in one-to-many relationships, it is possible that a single breach related to a compromised key could have a cascading effect across a large swath of the network environment.
Encryption sometimes ends up being a two-edged sword, blinding parties on both sides of the security equation. All data-in-transit encryption, including Secure Shell, blinds layered security defense systems to malicious activity originating from a hacker, trusted insiders, business partners and outsourced IT. This means that unless the enterprise has deployed encrypted channel monitoring, security operations and forensics teams cannot see what is happening in the encrypted network. Encrypted channel monitoring enables security intelligence and DLP solutions to inspect, store and – if need be – stop traffic to make sure hackers or malicious insiders cannot use Secure Shell encryption to spirit away information in an undetectable and untraceable manner. This way, the network administrator can track what a user is doing inside the encrypted channel, without exposing the data in the clear during transmission.
Secure Shell Becoming the Standard
In an effort to defend against malicious actors and comply with security mandates,
many enterprises are strengthening interactive user authentication methods. They include enforcing password strength, requiring periodic password changes and implementing two-factor authentication. These methodologies are designed to confound hacker attempts to access interactive accounts through brute force attacks, lost or stolen passwords, or spoofed credentials. These approaches are now considered best practices and are enshrined in compliance requirements like PCI, HIPAA, FISMA, SOX and others.
Regulatory entities are in the process of changing their language to specifically include other methods of authentication above and beyond user names and passwords – such as certificates and keys. This means that auditors will be required to flag instances where access is not being controlled via Secure Shell. This is a natural progression for compliance mandates, arriving at a time when the market is beginning to recognize that strong standards are required to ensure the safety of the enterprise’s most critical business information.
World-Class Key Management
It is in the best interests of organizations that want to provide optimum levels of security and accountability to research, design and deploy an IAM strategy that includes processes designed specifically for M2M communications. A comprehensive, best practices-based IAM program that includes provisions for Secure Shell-based M2M security must address both the provisioning and intelligence aspects of IAM across large, complex and heterogeneous environments.
Secure Shell key management based on best practices creates strong authentication processes, such as:
- Controllingwhere each key can be used from and what commands can be executed using the key
- Discovery and continuous monitoring of trust relationshipsand unauthorized key deployments and removals
- Restricting root access to serversso that only the key manager can provision or revoke keys
- Automated key creation, rotation and removal
- Enforcing the proper versionof Secure Shell,key type and size
- Encrypted channel monitoring
Toward a Secure (Shell) Future
The modern enterprise must accommodate a growing cosmos of connections to the company network. This requires strong Secure Shell access controls in all of those M2M communications. Encryption is tremendously beneficial to network security, but if it is not managed properly, it can actually do harm as well as good. Best practices necessitate getting a handle on Secure Shell access control and governance. Without them, organizations risk fines due to lack of compliance, in addition to the more obvious security issues. Cybersecurity staff can protect against these risks by thoroughly investigating their Secure Shell environments.