Management of SSH keys means maintaining controlled access to resources and credentials by allowing differing levels of access and control, tracking which keys are compromised during attacks, and controlling the provision and the decommission of the key. The process of managing and securely administering cryptographic keys in a crypto ecosystem is commonly referred to as SSH key management. Companies require SSH key management to oversee the creation, generation, storage, exchange, protection, replacement, and crypto-shredding of SSH keys to maintain crypto ecosystem security. SSH key management also includes recording who has access to keys, what context keys are used in, and where these keys are used.
SSH key management is a difficult task, but managing the SSH keys is vital for system and company security. SSH keys provide the same access as user names and passwords and they often grant access to privileged accounts on the operating system level and to resources such as production servers, databases, routers, firewalls, disaster recovery systems, financial data, payment systems, intellectual property, and patient information.
However, in many cases, SSH key hygiene is completely overlooked in identity and access management planning. For that reason, it is important to start with an SSH key audit. Over the last few years most large organizations such as the banking sector, retailers and healthcare organizations, have amassed large numbers of SSH keys in their environment. This has led to violations of corporate access policies and dangerous back-doors.
Information security starts from controlling who is given access to systems and data. If there is no control over access, there is no security, no confidentiality, no integrity, and no guarantees of continued operation. Identity and access management is the foundation of information security as it addresses the basic need of any organization to be able to reliably identify users, and to be able to control which users get access to which resources. These two basic controls, identity and access, lay the foundation of security in the corporate environment. It is the basis of information security.
Poorly managed access exposes organizations to significant risks that could, in the worst case, bring down critical information systems for months. Unmanaged keys risk systemic failure of critical infrastructure because the likelihood of keys being misused, stolen, or used as part of an attack is high.
One single key can be enough to gain undetected root access to critical systems and data. An attacker getting root access means they can do anything on the server, including gaining unauthorized access, “pivoting”, circumventing security controls to inject fraudulent data, subvert encryption software, install persistent malware, or actually destroy the system. Confidentiality, integrity, and continuity of operations are all compromised. This could cause billions of dollars of damage to shareholders.
For the modern society a coordinated attack across critical infrastructure with the intention to destroy and confuse is a real possibility and an actual threat to national security. Poorly managed SSH keys can and will lead to access that is in violation of the compliance regimes such as PCI Security Standards, Sarbanes-Oxley, or NIST 800-53, that require controlling who can access what systems and data, segregation of duties, and enforcing boundaries.
A key management system or KMS can really assist in overcoming the risks of poor SSH key management and can help in protecting keys and metadata for the crypto ecosystem. While key management can be performed manually, this will create a lot of concerns and a hassle of workload. This is because manual management of SSH keys is a time-consuming process which is prone to user errors, let alone it is extremely difficult to compile information during mandatory audits.
A key management system is designed to help manage symmetric and asymmetric encryption keys throughout their lifecycle. A KMS caters to automated distribution and key updates, support for business processes, and easy access to information, making audits and compliance easier. A KMS also helps with the main challenges of SSH key management, including reducing repetitive tasks for personnel, orchestrating key delivery between systems and setting clear key responsibilities to avoid confusion. A good key management system can help businesses save time and money by streamlining the organization and management of SSH keys.
Although SSH can be used with passwords and IDs to log in to the network, it’s more common to use public key authentication because it provides greater security.
SSH key management best practices
In order to address the problem of poor SSH key management, it is advised to map the various best practices to the risks of SSH key management so as to understand which practice addresses each risk. The following table, which can be downloaded as an Excel format here, maps best practices to risks.
On a high level, the best practice recommendations that pave the way to better security and compliance are the following:
1. Implement clearly defined SSH key management policies.
The definition of policies should explicitly assign roles and responsibilities in order to prevent misunderstandings that result in security lapses and to ensure accountability. In addition, we should ensure that organizational policy is comprehensive enough to support SSH. Organizations should perform a periodic review of documented procedures to ensure they are extant and complete, and reflect the environment accurately. Furthermore, they should align policies and procedures to IT controls to support continuous compliance. Finally, organizations should incorporate SSH into risk management processes and should consider conducting a risk assessment of SSH usage throughout the organization.
2. Define SSH hardening configurations.
Organizations should create a hardened configuration that reflects the goals of the organization. The hardened configuration should enable SSH server functionality where required, should keep SSH server and client implementations fully up to date, and enforce least privileged access. In addition, the organizations should periodically review the configuration to ensure that SSH client and server software is configured in line with the defined, hardened configuration.
3. Inventory and remediate.
Organizations should map all trust relationships, and identify and remove any orphaned and duplicate authorized keys.They should ensure passphrase protection, key length and algorithms. Furthermore, they should assign ownership of all access granting keys, and monitor and analyze key-based access usage.
4. Control SSH identities and authorized keys.
These controls should enforce minimum key length and approved algorithms, and should provide for a maximum time a key may be used before replacement. It is essential that identity keys should not be duplicated, and that SSH keys should be changed when a compromise is suspected. Finally, SSH key-based access should be reviewed regularly for appropriateness, and should terminate SSH key-based access for decommissioned processes and terminated or transferred users.
5. Establish continuous monitoring and audit process.
Most organizations have many years’ accumulation of SSH keys in their environments, managing and controlling access to tasks and processes that aren’t always obvious. That’s why it’s critical to monitor existing keys to establish how often they are used, what systems they connect to and how any copies of the keys are used.
6. Automate the process.
Automation is a key factor for proper SSH key management. Organizations should strongly consider using automated tools to technically enforce the desired configuration or to discover and report upon inappropriate configuration (e.g., legacy versions or inappropriate cipher use). The automated tools should include file integrity monitoring tools to validate that administrators are alerted to changes in critical files. In addition these automated tools should be used during the deployment process to ensure security goals such as the creation of a standard configuration to apply to all automated deployments, the enforcement of configuration standard to deployed services, the restriction of certain SSH services, the set up of strong protocol versions, the cipher/algorithm configuration, and the establishment of key restrictions and authorizations.
7. Educate, Educate and Educate the masses.
Although aforementioned practices might seem difficult to implement, the truth is that the initial steps in dealing with these issues are not difficult or costly at all. Initially organizations must find out to what extent their environments are exposed to the risks identified. Skilled personnel with the right tools can accomplish these initial steps within a matter of days. Organizations that acquire and use automated SSH key management products will be able to significantly decrease their risks related to SSH access with a reasonable amount of effort.
Management at all levels should adhere to the best practices listed above to ensure timely and total risk reduction or elimination. This means boards, CEOs, CTOs and CISOs must include SSH key management in their organizations’ risk management strategy as the potential issue is an equivalent risk compared to critical business risks. Organizations should not let the “forgotten credentials” (SSH keys) cause them issues, audit exceptions or, worst of all, a security breach.