infoTECH Feature

July 26, 2017

SSH Keys: Cybersecurity's Largest Blind Spot

By Special Guest
Tatu Ylonen, cybersecurity architect and founder of SSH Communications Security

Picture this plotline from a cyber thriller: Someone self-provisions access to the deepest levels of your network, including all your critical systems. No one notices, and the access never expires. You have no way of knowing who that access belongs to. As if this wasn’t bad enough, you learn that this someone has been poking around your infrastructure for the past 10 years.

Is your heart racing yet? If not, it might once you understand that this form of access exists in our networks today, and it is called SSH user keys. SSH user keys have largely been forgotten because really, who in your company is responsible for SSH? It is an encryption protocol that has existed for the last 20 years, quietly doing its job efficiently and effectively. However, it is the source of the most critical form of access into our networks.

IT admins use SSH keys to gain remote access to network devices, application databases and operating systems. SSH is used by our developers to access systems and move code between various systems and into our cloud environments. It is used to securely move data between applications, both on premises and to our clouds. It is used by our vendors and outsourced managed service providers to maintain our systems.

But even more pulse-pounding is the fact that SSH keys are used by hackers and malicious insiders as their preferred method to move laterally throughout our networks.

What You Don’t Know Does Hurt You

A major issue in the fight against SSH abuse is the fact that security executives are often insufficiently informed about the power and degree of access the SSH protocol provides. If we think about the likes of Snowden, Sony and Target, in each of these cases there is sufficient evidence pointing to the use of SSH user keys to gain access to critical systems and exfiltrate data.

All breaches are perpetrated by compromising privileged credentials. Shouldn’t we then take particular notice of credentials like SSH user keys, which are the only form of access that can be provisioned without oversight, don’t expire and aren’t linked to an identity? However, because the impact is so pervasive and all-encompassing across our networks, it is something that we are reluctant to take up to the C-suite and say, “Folks, we somehow forgot about this one over the last 10 years.”

All too often, SSH user key-based access has been a topic to avoid for security executives and journalists. The most common response is, “Well, I need a smoking gun to act on this issue.” Here is the point: the smoking guns and evidence are overwhelming. Common sense and our common objective as security professionals to continuously decrease risk should guide us first on this one.

But here’s the irony: enterprises couldn’t and wouldn’t know if SSH user keys were the privileged credential source that caused the data breach if they have no idea who these credentials belong to, don’t have an inventory of them, are not monitoring them and don’t have a governance process regarding their provisioning, de-provisioning and recertification.

So then, these keys represent the largest cybersecurity blind spot today. The SSH protocol provides access to our most critical systems and network infrastructure. Our traditional layered security concepts are blind to what goes on inside the encrypted sessions. It is a gap inside the majority of identity governance administration programs today.

Taking Control of Access

Because this issue encompasses all aspects of identity governance today within our environment, it is not enough these days to say that our PKI team controls SSH keys or that our Privileged Access Management team has the lead on this. The fact is that they don’t really have it under control.

All stakeholders, therefore, need to come together to answer these questions:

  • Are SSH user key-based connections being monitored?
  • For both human use and application-to-application connections, how is SSH user key-based access provided, de-provisioned and recertified?
  • Do we have visibility and accountability of ownership for all SSH user key-based trusts in our environment on premises, in our cloud and to our network devices?
  • Do we know about cross-platform connections between Windows, Unix and mainframe where SSH user keys are being used?
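One concrete way to start answering the visibility and ownership questions above is to inventory the trusts that authorized_keys files grant. The script below is an added example, not part of the original article or of any SSH Communications Security product: it parses authorized_keys content (a constructed sample is embedded), records each key's type, fingerprint and owner comment, and flags keys that have no owner comment or no from= / command= restriction.

```python
"""Inventory SSH user-key trusts from authorized_keys content (added example).
Each key line yields its type, OpenSSH-style SHA256 fingerprint, ownership hint
(the comment field) and whether from= or command= restricts the trust."""
import base64
import hashlib
import re

KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)
# Constructed sample content; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# deploy pipeline, restricted to the CI subnet and a single command
command="/usr/local/bin/deploy.sh",from="10.0.5.0/24",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0x deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRz alice@laptop
"""

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def inventory(text):
    """One record per key line; comments and blank lines are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # malformed line: skipped here, but worth a manual look
        options = line[: m.start()].strip()  # everything before the key type
        records.append({
            "line": lineno, "type": m.group(1), "fingerprint": fingerprint(m.group(2)),
            "owner": m.group(3) or None,  # the comment is the only ownership hint
            "restricted": "from=" in options or "command=" in options,
        })
    return records

def findings(records):
    """Trusts nobody is accountable for: no owner comment, or no restriction."""
    out = []
    for r in records:
        tag = f"line {r['line']}: {r['type']} {r['fingerprint']}"
        if r["owner"] is None:
            out.append(tag + " has no owner comment")
        if not r["restricted"]:
            out.append(tag + " has no from= or command= restriction")
    return out
```

Run `findings(inventory(open(path).read()))` over each user's authorized_keys file to get a first list of trusts to assign owners to; an owner comment is only a hint, so the real answer still has to come from a provisioning record.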

Access to core systems is nothing to take lightly. Organizations need to take control of this deep-level access and create rules and processes that enable accountability for all credentials that provide access to our systems. It’s time to shine a light on this huge security blind spot.

About the author: Tatu Ylonen is the creator of the SSH protocol and the founder of SSH Communications Security. He is an experienced entrepreneur, manager and engineer. He still keeps up to date with technology and loves the technical side and inventing new technology. He participates in product architecture design and occasionally writes code when he has time or when he thinks that’s where he can bring the most value.

Edited by Maurice Nagle
