This page contains a Flash digital edition of a book.
Data Security


Securing the keys to your data house


Image: Jeanne Roué-Taylor


Jason Thompson looks at how organisations are making their data more secure in the face of rising cyber crime and threats


W


ith the data boom in full effect, more organisations are making securing their data a priority. A


recent study by IDC noted a spike in interest and adoption of federated identity and authentication technologies in 2011, and due to the increasing trends in cybercrime and threats it is estimated that identity access management could reach $6.6 billion in revenue by 2016. The threat of a malicious actor is propelling organisations to pay closer attention to how data is being transmitted and the protocols put in place to secure highly sensitive information.


For nearly two decades, the Secure


Shell protocol has established itself as one of the leading security solutions. Even though the protocol has handled more than one billion business transactions, no security breach has ever been brought on by the process itself. Regardless of the protocol’s track record, organisations must be careful of their own Secure Shell management to stay ahead of the constantly changing threat environment. The Secure Shell data-in-transit


protocol has been used by a myriad of organisations to securely transmit data from machine to machine while providing administrator access. Currently,


34 November 2013


every machine running Linux, Unix and Mac OS all come prepackaged with some with some version of the Secure Shell protocol. Additionally, Windows devices are beginning to see


implementation as well. About half of all websites across the globe also use some type of Secure Shell protocol, making the protocol universally accepted.


Future threats Typically, the Secure Shell protocol is used to transfer private information within the network environment such as credit card numbers, healthcare records and personally identifiable information. For this reason, from the attacker’s point of view, the Secure Shell protocol is a lock waiting to be picked. However, if the Secure Shell protocol itself is secure how can criminals gain entry to the network in the first place? In this instance, the keys are key. The Secure Shell protocol establishes a


trust relationship between a computer and the server through an encryption key pair. These trust relationships are created and managed internally, usually on systems dating back to the mid ‘90’s. Significantly, none of these systems can identify where the trust relationships exist within the network. Consequently, administrators must track each


Components in Electronics


relationship manually. In a network with thousands of keys, trust relationships inevitable are lost. If a malicious user gets hold of one of these keys, they could pretend to be an authorised user quite easily. Poor control of Secure Shell keys makes it far too easy for attackers to gain entry to the systems where important data is stored. A study was conducted on the management operations of some of the largest organisations in the world, and the results were troubling:


• Most organisations do not remove keys after a user leaves or an application is decommissioned


• Organisations typically use the same


Secure Shell host keys on thousands of machines, which makes networks open to man-in-the-middle attacks • Key-based access grants are essentially permanent, in direct violation of SOX, PCI and FISMA requirements for proper termination of access, leaving the network vulnerable to attack • Roughly 10 percent of all Secure Shell user keys provide root access, thus creating a major security and compliance issue


• Many Secure Shell keys that grant access to critical servers are orphaned and no longer in use


• Some administrators have the ability


to create or terminate Secure Shell user keys at their discretion with approval, granting full, permanent access to systems and people • Enterprises often don’t know what each key is used for, presenting not only a security risk, but a business continuity risk as well


Considering how many threat vectors


are appearing, organisations need to evaluate how they manage their Secure Shell keys to keep data secure. The more an organisation varies from best practices for Secure Shell management, the greater the risk of a breach. Security breaches are only one of the


problems created by Secure Shell key mismanagement. Organisations are under the purview of a number of government and industry compliance standards, which mandate an organisation keep strict control over access to important network data or risk being fined. In addition to risks on non- compliance, an organisation could face harsh economic ramifications as a result of poor key management as well. The average major organisation usually has over 20,000 servers, so they should be closely examining their key management practices.


Fixing key management Luckily, troubles with access control in Secure Shell environments are not the result of the protocol itself. In reality, these security and compliance risk are caused by:


• An lack of sufficient tools and guidelines early on for solving key management issues


• A shortage of time and resources to dedicate towards identifying the source, scope and consequences of the problem • The focus of the access


management field on interactive users without addressing automated access • A lack urgency by auditors to flag issues for which they don’t have effective solutions


• Years without clear guidelines, or policies, relating to Secure Shell key management It’s a wonder why greater attention


hasn’t been focused on this problem considering the consequences of a security breach. The answer lies in the fact that key management is quite technical and has remained concealed in the world of IT system administrators. Because each administrator often only sees a small part of the IT environment, it is nearly impossible to gain a full picture of how profound the issue truly is. Likewise, administrators are usually very busy and may not even recognise a problem to begin with. Furthermore, management may be several steps removed from the problem and its consequences and so as a result nothing happens to fix the problem.


Improving key management The potential liability and risk of non- compliance calls for awareness and buy- in from executive management as well. Due to the technical skills needed to solve these issues it will require multiple IT teams for full remediation. Some best practices to remedy the


problem include: • Monitoring the environment to determine which keys are actually used, and removing keys no longer in use • Discovering all existing users, public and private keys and mapping trust relationships between machines and users


• Restricting where each key has access and what commands can be executed using the key • Enforcing proper approvals for all key setups


• Rotating keys regularly, so that copied keys cease to work and proper termination of access can be ensured • Automating key setups and key


removals – eliminating manual work and human errors. This step slashes the number of administrators needed for key setups to only a few highly trusted administrators


Even though the problem of Secure Shell key mismanagement is severe and far-reaching, solving it is not impossible. Proper key management involving the establishment of internal boundaries within the organisation is necessary to reduce further risk. Strict control of Secure Shell access should be mandatory in every organisation. Moreover, the organisation should enforce strict IP address and “forced command” restrictions for all authorised keys involving trust relationships. Even though the Secure Shell protocol is considered an industry standard for data-in-transit security, the evolution of threats necessitates that organisations alter their management processes to ensure complete control. By sticking to the best practices above, organisations will be prepared to handle new security threats and adhere to compliance mandates before a serious problem becomes apparent.


SSH Communications Security | www.ssh.com


Jason Thompson is director of global marketing for SSH Communications Security


www.cieonline.co.uk


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49