Secure Shell (SSH) is fundamental in establishing secure communications between two hosts. The hosts might be a server and a systems administrator on a remote device, or they might be two servers. SSH allows for elevated privileges, bypassing authentication mechanisms on hosts.
By using a stolen SSH private key, an adversary can gain rogue root access to an enterprise network, bypassing all the security controls put in place. Despite this potential danger, according to Ponemon Institute, less than 30% of organizations have a clear understanding of their SSH inventory. As a result, malware that exploits or steals encryption keys (including SSH keys) and digital certificates has increased sharply in recent years. Ponemon Institute’s 2013 Cost of Cyber Crime Study: United States reports that once an attack is detected, organizations take at least 32 days to respond. Mandiant found that the median number of days to detect a compromise is 243 days. Compromised SSH keys need to be detected early and remediated quickly.
Venafi TrustForce part of Venafi Trust Protection Platform, works in unison with TrustAuthority. TrustAuthority helps identify any anomalous SSH key usage, while TrustForce enforces policies and automatically remediates any security incident resulting from detected SSH anomalies. With TrustAuthority and TrustForce, enterprises can reduce the unquantified and unmanaged risks that result in data breaches, reduce the time it takes them to respond to attacks on SSH, and avoid failed security audits.
- Reduce the time to respond to a compromise
- Reduce overall risk exposure to SSH exploits
- Automate responses to SSH-related security incidents
What It Does
TrustForce enforces policies related to SSH keys, the hosts using them, and trusted key lists. It also automatically generates and rotates SSH keys for new or current users via configurable workflows. Working in unison with TrustAuthority, which provides real-time monitoring, TrustForce detects any anomalous SSH key behavior and immediately and automatically resolves it. TrustForce can enforce access control and command execution policies. Organizations achieve faster responses to SSH security incidents and tighter organizational control over SSH key usage.
Policy Configuration Enforcement
TrustForce provides policy enforcement at the host, or group level. In addition to controlling SSH key attributes like key length, hash algorithms, and many more, an administrator can enforce access control policies, which restrict which IP addresses or hostnames can access specific hosts. Administrators can also set policies to control which commands users can execute on specific hosts.
Key Generation and Deletion
TrustForce handles provisioning for new users. It generates a new SSH key pair for the user, deploys the private key to the user’s devices, and deploys the public key to hosts to which the user requires access—along with policies for establishing the correct trust and rights. When a user leaves the organization, TrustForce removes the SSH key pairs from any hosts to which the user had access.
Incident Response and Remediation
If TrustAuthority finds a rogue or orphaned SSH key, TrustForce automatically removes the offending key. Similarly, if TrustAuthority discovers a change in the authorized key configuration, TrustForce reverts the configuration to the settings defined in the template.
Whitelisting and Blacklisting
TrustForce whitelists or blacklists, depending on configurable policies, orphaned SSH keys detected by TrustAuthority. TrustForce allows devices to use a whitelisted key to access to the host, but it collects more information on how the key is used for further analysis. TrustForce blocks blacklisted keys, preventing the host from accepting them and marking them for deletion.
Support for an Extensive Ecosystem
As part of Venafi Trust Protection Platform, TrustForce is able to enforce policies for a wide array of SSH keys, including RSA1, RSA, and DSA SSH keys used with Attachmate, OpenSSH, and SSH Communications clients and servers. TrustForce’s RESTful API increases its extensibility and integration with other systems, further enhancing an organization’s security posture.
Why It’s Important
TrustForce helps organizations reduce their response time to network breaches that take advantage of SSH keys. By automating the enforcement of policies related to SSH keys, hosts, and trusted key lists, TrustForce helps organizations rapidly respond to SSH security incidents and vulnerabilities. Organizations reduce their risk exposure as well as the overall business impact of being compromised via this new attack vector—keys and certificates.
Reduced Organizational Risk
By enforcing SSH key policies that control key lengths, protocol versions, and other attributes, administrators can reduce the organization’s attack surface and mitigate ever-increasing targeted attacks.
- Enforce robust policies and ensure strong SSH key pair configuration
- Enforce rotation of SSH keys
- Enforce access control
Immediate Incident Remediation
The longer it takes for an organization to respond to a breach that uses compromised or rogue SSH keys, the more data the organization loses. The organization suffers untold costs through the loss of intellectual property and brand damage. According to the Ponemon Institute, it takes organizations an average of 32 days to respond to a breach. Leveraging real-time monitoring by TrustAuthority, TrustForce seamlessly remediates any SSH key or configuration file anomalies on numerous systems in minutes, reducing the overall impact of a targeted attack. Organizations see a drastic reduction in their response time to an SSH key compromise and network breach.
- Respond to policy violations in real time
- Enforce authorized settings for configuration files
Compliance and Audit Success
SSH keys grant remote access to privileged administrative and application accounts, which are governed by regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), and Basel II. Many regulatory standards mandate the periodic rotation of keys. TrustForce provides fully automated key generation and rotation on hosts.
- Automatically rotate keys as often as required
- Log events and prove compliance
How It Works
TrustForce works in unison with TrustAuthority. TrustAuthority identifies all SSH keys, performs trust mapping, and notifies administrators of any policy violations. TrustForce takes action based on events from TrustAuthority, automatically generating SSH keys, and provisioning hosts with the appropriate keys and policies. TrustForce also enforces any policy applied to SSH keys, hosts, or authorized key lists.
Real-time Monitoring and Enforcement
Using a lightweight agent installed on each host, in the event that TrustAuthority detects anomalous SSH key usages, TrustForce automatically remediates the security incident. It might remove an SSH public key, replace the authorized key configuration, completely rotate a key pair, or restrict the commands a user is allowed to execute on the host.