Skip to main content
banner image
venafi logo

Best Practices for Securing SSH: Defining SSH Policies

Best Practices for Securing SSH: Defining SSH Policies

November 30, 2017 | Paul Turner

In my last two posts, I talked about SSH risks and provided a high-level view of best practices for addressing those risks. Now, we’ll start digging into some of those best practices. The first one I’d like to dig into is establishing SSH policies.

You are probably cringing right now and thinking, “Why on Earth would he suggest creating policies? Every time a new one gets defined, the auditors use it to make us work more hours than we already are!”

I understand. But, the challenge is that management and use of SSH is distributed across many individuals and groups in most organizations. To maintain consistent security across the board, you need some way of making sure everyone who might enable or use SSH understands what they must do to secure SSH. You then must make sure they do it. If they don’t, your organization is left with significant security risk.

Many organizations and security teams shy away from defining SSH policies because they’re concerned about getting more work and scrutiny from auditors. Or, the process of getting policies approved takes so long. In general, you’ve got a few options:

  1. Centralize all SSH management into a single team—though this will, at a minimum, require a policy that says no one can setup and manage SSH on their own.
  2. Define and communicate a set of SSH best practices that include everything that’s required to manage and use SSH securely but don’t have any enforcement.
  3. Define and enforce SSH polices that are enforceable and used by auditors to make sure that they’re being followed.

The common element in these three options is the best practices. For example, if you centralize SSH management, the team that does that is going to need a clearly defined set of best practices to use in their processes. If you keep management decentralized and define policies, your policies need to be guided by a set of best practices.

So, at a minimum, you need to make sure you have good SSH best practices defined and you keep them up to date (as new types of attacks or vulnerabilities may arise). Once you have best practices defined, you can decide whether you codify them as enforceable policies.

To help in creating best practices (and, if you choose, policies), I’ve created a rough SSH best practices checklist.

These best practices are only suggestions based on our experience working with our customers. Make sure you evaluate and modify them as necessary to ensure they’re effective in your organization.

I’ve attempted to write each best practice so that you can use it in defining policies, if you choose. The goal is to help you get sound SSH security practices implemented enterprise-wide as quickly and effectively as possible so your organization can avoid a breach. There are a few places where you’ll have to specify your chosen parameters. For example, I’ve left the Interactive User Authentication method as an “X”. There are a variety of factors to consider in selecting the most appropriate authentication for people. NIST’s Security of Interactive and Automated Access Management Using Secure Shell (SSH) - NISTIR 7966 provides a good overview of the pros and cons of each.

If you see something I’ve missed in the checklist, please post a comment to this blog with your feedback. SSH security is a big topic and I love learning new things that I’ve overlooked or haven’t encountered before.

If you do choose to define enforceable SSH policies but your organization’s policies/standards are split into multiple individual documents that an SSH administrator has to piece together, you may want to publish a companion SSH best practices document that provides a single cohesive guide. That document can point to the various policies.

I hope this helps you in mobilizing your organization to secure SSH and the data/systems it protects.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

NIST TLS Infosec Guidelines

New NIST TLS Management Guidelines for InfoSec [Expert Advice]

NIST Guidelines TLS

What Executives Need to Know about New NIST Guidelines for TLS Management

ssh key management

Best Practices for Securing SSH: Creating a Roadmap for Securing SSH

About the author

Paul Turner
Paul Turner

Paul Turner writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat