Picture this plotline from a cyber thriller: Someone self-provisions access to the deepest levels of your network, including all your critical systems. No one notices, and the access never expires. You have no way of knowing who that access belongs to. As if this wasn’t bad enough, you learn that this someone has been poking around your infrastructure for the past 10 years.
Is your heart racing yet? If not, it might once you understand that this form of access exists in our networks today, and it is called SSH user keys. SSH user keys have largely been forgotten because really, who in your company is responsible for SSH? It is an encryption protocol that has existed for the last 20 years, quietly doing its job efficiently and effectively. However, it is the source of the most critical form of access into our networks.
IT admins use SSH keys to gain remote access to network devices, application databases and operating systems. Our developers use them to access systems and to move code between systems and into our cloud environments. They are used to securely move data between applications, both on premises and in our clouds. They are used by our vendors and outsourced managed service providers to maintain our systems.
But even more pulse-pounding is the fact that SSH keys are used by hackers and malicious insiders as their preferred method to move laterally throughout our networks.
What You Don’t Know Does Hurt You
A major issue in the fight against SSH abuse is the fact that security executives are often insufficiently informed about the power and degree of access the SSH protocol provides. If we think about the likes of Snowden, Sony and Target, in each of these cases there is sufficient evidence pointing to the use of SSH user keys to gain access to critical systems and exfiltrate data.
All breaches are perpetrated by compromising privileged credentials. Shouldn’t we then take particular notice of credentials like SSH user keys, which are the only form of access that can be provisioned without oversight, don’t expire and aren’t linked to an identity? However, because the impact is so pervasive and all-encompassing across our networks, it is something that we are reluctant to take up to the C-suite and say, “Folks, we somehow forgot about this one over the last 10 years.”
All too often, SSH user key-based access has been a topic to avoid for security executives and journalists. The most common response is, “Well, I need a smoking gun to act on this issue.” Here is the point: the smoking guns and evidence are overwhelming. Common sense and our common objective as security professionals to continuously decrease risk should guide us first on this one.
But here’s the irony: enterprises couldn’t and wouldn’t know if SSH user keys were the privileged credential source that caused the data breach if they have no idea who these credentials belong to, don’t have an inventory of them, are not monitoring them and don’t have a governance process regarding their provisioning, de-provisioning and recertification.
So then, these keys represent the largest cybersecurity blind spot today. The SSH protocol provides access to our most critical systems and network infrastructure. Our traditional layered security concepts are blind to what goes on inside the encrypted sessions. It is a gap inside the majority of identity governance administration programs today.
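As an added illustration of the inventory and ownership gap described above (example code added here, not part of the original article or of any SSH Communications Security product), the following Python parses the entries of an authorized_keys file, records each key's SHA256 fingerprint and comment, and flags entries that carry no identifying comment, no from= source restriction and no forced command. The key blobs in the sample are constructed in-code and are not real keys.

```python
import base64
import hashlib
import re
import struct

KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[\w.-]+@openssh\.com)$")
FIELD_RE = re.compile(r'^((?:[^\s"]|"[^"]*")+)\s*(.*)$', re.S)  # first field, double quotes honoured
OPTION_RE = re.compile(r'(?:[^,"]|"[^"]*")+')                    # option tokens, split on unquoted commas

def _blob(key_type, raw):
    # Base64 public-key blob in RFC 4253 string encoding, built here from constructed bytes.
    body = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(body).decode()

# Constructed sample file: structurally valid ssh-ed25519 entries, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys sample",
    f"ssh-ed25519 {_blob('ssh-ed25519', bytes(range(32)))} alice@build-host",
    f'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 {_blob("ssh-ed25519", bytes(32))} backup-job',
    f"ssh-ed25519 {_blob('ssh-ed25519', bytes([7] * 32))}",
])

def parse_line(line):
    # One authorized_keys entry -> inventory record; None for blank and comment lines.
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, first, rest = "", *FIELD_RE.match(line).groups()
    if not KEY_TYPE_RE.match(first):           # a leading non-key field is the options field
        options, (first, rest) = first, FIELD_RE.match(rest).groups()
    b64, _, comment = rest.partition(" ")
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != first:        # embedded type must match the declared type
        raise ValueError(f"key type mismatch: {line[:40]}")
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    opts = [o.split("=", 1)[0] for o in OPTION_RE.findall(options)]
    findings = []
    if not comment.strip():
        findings.append("no-identity")           # nothing ties the key to a person or a job
    if "from" not in opts:
        findings.append("unrestricted-source")   # accepted from any client address
    if "command" not in opts:
        findings.append("unrestricted-command")  # full shell rather than a forced command
    return {"type": first, "fingerprint": fingerprint, "comment": comment.strip(),
            "options": opts, "findings": findings}

def inventory(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```

Run over the real files (each user's ~/.ssh/authorized_keys and any AuthorizedKeysFile paths from sshd_config) across a fleet, the records give the starting inventory that the recertification process needs: one row per key, with a fingerprint to correlate across hosts and a comment that may or may not name an owner.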
Taking Control of Access
Because this issue encompasses all aspects of identity governance today within our environment, it is not enough these days to say that our PKI team controls SSH keys or that our Privileged Access Management team has the lead on this. The fact is that they don’t really have it under control.
All stakeholders, therefore, need to come together to answer these questions:
Access to core systems is nothing to take lightly. Organizations need to take control of this deep-level access and create rules and processes that enable accountability for all credentials that provide access to our systems. It’s time to shine a light on this huge security blind spot.
About the author: Tatu Ylonen is the creator of the SSH protocol and the founder of SSH Communications Security. He is an experienced entrepreneur, manager and engineer. He still keeps up to date with technology and loves the technical side and inventing new technology. He participates in product architecture design and occasionally writes code when he has time or when he thinks that’s where he can bring the most value.