AST Digital Magazine July/August 2016 | Page 48

Are SSH User Keys “The Big Short” of the Security Industry?
Volume 6


The Blind Spot in our IAM Framework and the Dark Side of its Misuse
By Matthew McKenna, Chief Strategy Officer and Vice President of Key Accounts, SSH Communications Security
I recently saw the movie The Big Short. For those of you who have not seen it, it is the story of how an investor named Michael Burry foresees that the subprime home loans market is in danger of default. Despite the disbelief of almost everyone, including his investors, he puts over a billion dollars into credit default swaps and bets against the market. We all know how the story goes from here.
You may think that I am grasping at straws here in trying to draw a parallel to the SSH protocol and SSH user keys, but I will break it down into three parallels. The first is the understanding of the problem, or lack thereof. Second is the challenge related to oversight of the problem. And the third is how significant the impact or consequences are of not addressing the problem in our enterprises.
Lack of Understanding of the Problem or Its Scope
Much like the subprime loan market, the SSH protocol is something that very few understand in sufficient detail, and the same goes for the critical access it provides to our most important infrastructure. In this case, however, ignorance is not bliss.
Over 95 percent of the world’s enterprises rely on SSH to provide administrators and developers an effective means of gaining encrypted access to critical infrastructure: operating systems, applications, payment processing systems, databases, human resource and financial systems, routers, switches, firewalls and other network devices. It is a lifeline of traffic flow within our data centers and our cloud environments, and it is how our third-party vendors and supply chain access our environments. It has done its job quietly and efficiently over the last two decades. Unfortunately, the access that SSH has been providing, in particular the access SSH user keys provide, has gone largely unmanaged – to an epic degree.
What does epic translate to? In a typical financial enterprise with 20,000 Unix/Linux servers, we can expect to find up to 4 million SSH user keys providing interactive and machine-to-machine-based access. In many cases, we will see that 10 to 20 percent of these keys provide root-level access and cannot be associated with an owner within the enterprise. Root-level access is the highest level of privilege at the operating system level. It is not just a compliance and risk issue. It is an issue of resilience that can directly affect the downtime of critical services within our operations.
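As an added illustration, not taken from the article or from SSH Communications Security, here is the kind of inventory pass that surfaces the keys described above: it parses authorized_keys lines, fingerprints each key the way `ssh-keygen -l` reports it, flags keys that unlock root, keys with no identifying comment (no owner to associate them with) and keys without from=/command= restrictions, and shows when one key unlocks several accounts. Host names, account names and key blobs are constructed.

```python
import base64, hashlib, re
from collections import defaultdict

# The key-type token marks where the optional options field ends and the key blob begins.
_KEY_RE = re.compile(r"(?P<opts>.*?)\s*\b(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)"
                     r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")

def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """One authorized_keys line -> dict, or None for blanks, comments and junk."""
    m = _KEY_RE.match(line.strip())
    if not m or m.group("opts").startswith("#"):
        return None
    return {"fingerprint": fingerprint(m.group("blob")),
            "comment": (m.group("comment") or "").strip(),
            "restricted": "from=" in m.group("opts") or "command=" in m.group("opts")}

def audit(authorized_keys: dict) -> list:
    """authorized_keys maps 'host:account' -> the lines of that account's file."""
    holders = defaultdict(set)                  # fingerprint -> every account it unlocks
    findings = []
    for location, lines in authorized_keys.items():
        for entry in filter(None, map(parse_line, lines)):
            holders[entry["fingerprint"]].add(location)
            # Flags: root-level access, nothing tying the key to a person or job,
            # and no from=/command= option limiting what the key can do.
            flags = [name for name, hit in (("root-level", location.endswith(":root")),
                                            ("no-owner", not entry["comment"]),
                                            ("unrestricted", not entry["restricted"])) if hit]
            findings.append({"location": location, "flags": flags, **entry})
    for f in findings:          # one key trusted by several accounts: one identity, many doors
        f["shared_with"] = sorted(holders[f["fingerprint"]] - {f["location"]})
    return findings

def _blob(seed: bytes) -> str:
    # Constructed ed25519-shaped blob (not a real key): type string, then 32 bytes.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + seed * 32).decode()

# Constructed sample: two accounts on one host; key B appears in both.
SAMPLE = {
    "db01:root": ["ssh-ed25519 " + _blob(b"A") + " backup@jobs.example",
                  "ssh-ed25519 " + _blob(b"B"),
                  'command="/usr/local/bin/rsync-only",from="10.0.5.7" ssh-ed25519 '
                  + _blob(b"C") + " rsync@etl.example"],
    "db01:alice": ["# old key, disabled: ssh-ed25519 " + _blob(b"A"), "ssh-ed25519 " + _blob(b"B") + " "],
}
```

Running `audit(SAMPLE)` reports root's second key as root-level, unowned and unrestricted, and shows that the same key also unlocks alice's account.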
Lack of Regulatory Oversight and Governance
So, why has this problem gone unnoticed for so long? Primarily because SSH has long been seen as an encryption protocol rather than a means of access and, as a result, has not been considered a part of our access governance processes and frameworks. In fact, up until October 2015, there were no NIST guidelines related to the best practices associated with SSH user key-based access.
Although many regulatory guidelines such as PCI, SOX, HIPAA and others make mention of access controls, such as least privilege and segregation of duties, none of them specifically address SSH user keys as a form of access that needs to be controlled. Is this because of the lack of understanding of SSH or an unwillingness to open Pandora’s Box?
From the technical side, there are three dimensions to the lack of oversight and governance of SSH user key-based access.
First, SSH user keys are the only form of access a user can provision themselves without oversight