SSH keys: The elephant in the compliance room
- By Fouad Khalil
- Oct 24, 2017
Now more than ever, government agencies need effective risk management, control and governance processes. Security, audit, risk and compliance professionals are finding it harder to maintain control and oversight of their entire digital environment due to the increasing daily demands of a complex and expanding network. As the environment acquires more layers, the compliance challenges grow.
One of these challenges, though, is not new at all. It comes from a tool that has been residing within the environment for more than 20 years, and it creates a huge access gap. This tool, known as the Secure Shell protocol, grants privileged access across production environments. Poor SSH key management can open agencies to threats and compliance audit failures.
Poor SSH key management is exacerbated by a lack of awareness at the management level. The network, system and database administrators are aware of the SSH key access because it grants them access to do their jobs. Unfortunately, this elevated access cannot be managed and governed, because it has no management visibility. Agencies that attest to compliance and indicate they have effective access controls may be totally missing the boat in terms of attesting to SSH key access.
Government IT teams often grant privileged access going into production to vendors and administrators without controlling access by logging, auditing or review. The point of privileged access is to obtain approval to elevate access to do a certain function, to audit and check development work and then sever the session and review it after the fact. Unfortunately, those steps and the control of privileged access fail when agencies have no true governance over SSH keys.
Though this problem has gone largely unnoticed, professionals are raising awareness through practitioner guidance, industry events and, unfortunately, from the publicity surrounding large security breaches (such as the Sony breach) that stemmed from poorly managed SSH key environments.
The results of inaction
Agencies are beginning to understand the enormous risk involved with elevated, direct access to a production environment that is not audited, logged, controlled or governed. Auditors must take action to assess the risk, govern it, minimize it and take control over SSH keys. Failure to act is likely to have several negative consequences.
One of the main consequences would be the massive failure of an audit. Not having control over 30 percent of production access could be construed as material weakness to an environment from a controls perspective. For publicly traded financial institutions that fall under the Sarbanes-Oxley umbrella, this is a huge problem. From a SOX perspective, when CFOs or CEOs sign off on attestations, they are saying they have complete visibility and control over access. However, the reality is that they may have no visibility or control over their production environment due to poor or non-existent SSH key management.
Another result of inaction is that it paves the way for unseen threats. For instance, a malicious insider could be leveraging uncontrolled, unaudited privileged access, and IT managers wouldn’t be able to tell. By the same token, if agencies are breached by an attacker who takes advantage of back doors or exploits in this environment, the same thing would happen. IT managers would have no visibility into the data that is being compromised or potentially compromised. By law they must notify and report accordingly, but what would their reported evidence look like?
What ISACA recommends
To make sure SSH access is authorized and that the access falls within governance guidelines, agencies must adopt best practices, leverage automation, establish ongoing monitoring and auditing and govern all access equally.
To help navigate this path to good SSH key management, the IT governance association ISACA recently released a new guidance document, SSH: Practitioner Considerations. In collaboration with industry experts, practitioners and ISACA subject matter experts, the white paper provides an excellent overview of SSH, assurance considerations, practitioner impacts and suggested controls.
ISACA recommends the following best practices for managing SSH keys and mitigating risk:
- Deployment: Consider using automated tools, standardize configurations and restrict SSH services.
- Provisioning: Implement an inventory of keys and usage tracking as part of the overall provisioning of users and accounts.
- Usage procedures: Document and disseminate security policies and standards, implement periodic access reviews and deploy required IT controls.
- Configuration management: Create and implement a hardened configuration and periodically review the configuration. Consider automated tools to manage the configuration and apply integrity control checks and monitoring over critical files.
- Accountability and ownership: Clearly define roles and responsibilities so that everyone knows who owns SSH key management in the agency.
What’s at stake
Poor SSH key management has been lurking behind the scenes for a long time. To protect themselves, government agencies must commit to a consistent process using the right tools and best practices to create a secure, audit-proof network landscape. If not, ISACA warns that audit failures and security breaches loom on the horizon. Compliance attestations are quite likely to be incomplete when poorly managed SSH key environments are present.
Fouad Khalil is vice president of compliance with SSH Communications Security.