Copyright 2015 SSH Communications Security
SSH Communications Security
SSH Access Management
ENABLE, MONITOR & MANAGE
ENCRYPTED NETWORKS
Sean, [email protected], (408) 568-8779
The Business Challenge
[Diagram: SSH key-based access from Bob to root, spanning external contractors / 3rd parties, business partners / data exchanges, Datacenter 1, Datacenter 2, virtualized/cloud environments, automated application-to-application sessions and interactive sessions; existing controls shown alongside: SIEM, IPS, DLP, IdM, PAM / jump server, internal admins]
• How to go from after-the-fact to preventative controls?
• Can you do all this efficiently and transparently, without affecting user experience or automated processes?
• How to monitor, control and audit interactive and automated encrypted traffic?
• How to control and ensure secure access to your on-premise and cloud systems at all layers?
What We Have Learned
• Averages across customer environments:
  – 80% of SSH usage is machine-to-machine (vs. interactive)
  – 50 SSH user keys identified per host
  – 10% of SSH user keys are unknown AND HAVE ROOT ACCESS
• Customer example:
  – 10,000 servers on the network
  – 1.5 million SSH keys identified
  – 10% (150,000) of user keys unknown, with root access
What We Have Learned
[Figure: "What You Think You Have" vs. "What You Likely Have": business users and developers connecting to production servers and to development & test systems]
SSH Mapped Trust Relationships: 100 Hosts
[Figure: mapped trust relationships across 100 hosts]
SSH Trust Mapping
[Figures: trust maps, three slides]
Business Driver: Risk
• No visibility: who has access to what, from where, and what can they do?
  – Who has privileged / application access to the systems, and from where?
  – Are there direct authorizations from Dev / Test to Production?
• No tools or methods to remove keys
  – Users may have access to systems they should no longer have
  – How to identify and remove revoked, orphaned and unauthorized keys?
• No tools or methods to restrict or rotate the private keys
  – Keys may be over 10 years old and never renewed
  – Keys can be copied and used by another person from a different location
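The trust-mapping slides and the "who has access to what, from where" question above come down to joining two inventories: private keys found under accounts on each host, and public keys found in each account's authorized_keys. The following is an added example, not SSH Communications Security's tooling or data: host names, the dev/prod zone labels and both inventories are constructed, and the ed25519 blobs are stand-ins built from hashes rather than real keys. Matching is done on the OpenSSH SHA256 fingerprint, so the same join works on output from ssh-keygen -lf. It also follows chains of hops, which is how an apparently harmless dev-to-dev key can end at root on a production database.

```python
# Added example (not from the deck): build an SSH trust map from per-host key
# inventories and answer the audit questions on the Risk slide.
import base64
import hashlib
from collections import defaultdict, deque


def ssh_string(b):
    """One SSH wire-format string: uint32 length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def sample_ed25519_blob(seed):
    """Constructed stand-in for an ssh-ed25519 public key blob (not a real key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed.encode()).digest())


def fingerprint(blob):
    """OpenSSH fingerprint format: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


# Constructed inventory. Zone labels are an assumption; real data would come from
# scanning ~/.ssh and every AuthorizedKeysFile location on each host.
ZONES = {"dev01": "dev", "build01": "dev", "app01": "prod", "db01": "prod"}
KEYS = {n: fingerprint(sample_ed25519_blob(n)) for n in ("bob", "deploy", "legacy", "dba")}
IDENTITIES = [            # (host, account, fingerprint): where a private key lives
    ("dev01", "bob", KEYS["bob"]),
    ("build01", "jenkins", KEYS["deploy"]),
    ("app01", "app", KEYS["dba"]),
]
AUTHORIZATIONS = [        # (host, account, fingerprint): which account trusts the key
    ("build01", "jenkins", KEYS["bob"]),
    ("app01", "app", KEYS["deploy"]),
    ("db01", "root", KEYS["legacy"]),   # private half found nowhere: an unknown key
    ("db01", "root", KEYS["dba"]),
]


def build_trust_graph(identities, authorizations):
    """Edge (src_host, src_acct) -> (dst_host, dst_acct) wherever a private key
    matches a public key in some authorized_keys file."""
    by_fp = defaultdict(list)
    for host, acct, fp in identities:
        by_fp[fp].append((host, acct))
    graph = defaultdict(set)
    for host, acct, fp in authorizations:
        for src in by_fp.get(fp, []):
            graph[src].add((host, acct))
    return graph


def reachable(graph, start):
    """Transitive closure: every (host, account) reachable from start by using the
    private keys found on each host you land on."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def dev_to_prod_paths(graph, zones):
    """Direct Dev/Test -> Production authorizations."""
    return sorted((s, d) for s, dsts in graph.items() for d in dsts
                  if zones[s[0]] == "dev" and zones[d[0]] == "prod")


def unknown_root_keys(identities, authorizations):
    """Keys trusted by root whose private half was not found in the inventory."""
    known = {fp for _, _, fp in identities}
    return sorted((h, fp) for h, acct, fp in authorizations if acct == "root" and fp not in known)


if __name__ == "__main__":
    g = build_trust_graph(IDENTITIES, AUTHORIZATIONS)
    print("bob@dev01 can reach:", sorted(reachable(g, ("dev01", "bob"))))
    print("direct dev->prod edges:", dev_to_prod_paths(g, ZONES))
    print("unknown keys trusted by root:", unknown_root_keys(IDENTITIES, AUTHORIZATIONS))
```

In the constructed data Bob's key only reaches the build host, yet the closure shows he can reach root on db01 through the deploy and dba keys sitting on the intermediate hosts; that chain is what the trust map is for, and it is invisible if you only review authorized_keys one host at a time.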
Business Driver: Compliance
• MAS Technology Risk Management Guidelines
  – Separation of duties, key activity monitoring
• IETF
  – Managing SSH Keys for Automated Access – Current Recommended Best Practice
• NISTIR 7966 – Publication
  – Now official
  – Appendix B: Cybersecurity Framework
• PCI DSS 3.0
  – Close cooperation with NIST
• COBIT / SOX framework, HIPAA
NIST IR7966 Best Practices
• Standardize the key configuration across the environment
• The authorized_keys file should not allow end-user write access
• Centralized key provisioning (no more "self-service" provisioning): key provisioning should be centralized and limited to a much smaller number of root-level administrators
• Cipher configuration: allow only strong ciphers and specified key lengths
• Require password protection for private keys
• Ensure the Secure Shell server will not execute if the authorized_keys file and home directory are insecure
• Prevent privilege escalation by process spawning
• Segregate system accounts from person accounts
• Use controls to limit Secure Shell access to specific commands and source addresses
• Rotate keys
• Require logging of Secure Shell activity
• Remove unneeded user keys
• Document key usage
• Regular audits
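Several of the controls above (key length, no end-user write access, limiting keys to specific commands and source addresses, root-owned key files) can be checked directly from the authorized_keys file. The following is an added example written for this page, not NIST's or SSH Communications Security's code: the sample authorized_keys content is constructed, the RSA moduli are fake numbers of the right size rather than real keys, and the 2048-bit floor and the "automation keys need command=" rule are policy assumptions. It shows the one part people usually get wrong, which is that the options field may contain quoted values with spaces and commas, and that the RSA modulus size is recoverable from the public key blob itself.

```python
# Added example (not from the deck): audit authorized_keys entries and file
# permissions against the NISTIR 7966 controls listed above.
import base64
import os
import stat

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048   # policy assumption


def ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def mpint(n):
    """SSH mpint: big-endian, with a leading zero byte when the high bit is set."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def rsa_blob(e, n):
    """Wire-format ssh-rsa blob; used here only to build the constructed samples."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def rsa_bits(blob):
    """Modulus size of an ssh-rsa blob: fields are string type, mpint e, mpint n."""
    off, fields = 0, []
    for _ in range(3):
        ln = int.from_bytes(blob[off:off + 4], "big")
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[2], "big").bit_length()


def parse_authorized_key(line):
    """Return (options, keytype, blob, comment) for one authorized_keys line.
    Options precede the key type and may hold quoted values containing commas
    and spaces, e.g. command="/usr/bin/rsync --server",from="10.0.0.0/8"."""
    line, opts = line.strip(), {}
    if line.split(None, 1)[0] not in KEY_TYPES:
        i, quoted = 0, False               # scan to the first unquoted whitespace
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"' and line[i - 1:i] != "\\":
                quoted = not quoted
            i += 1
        option_str, line = line[:i], line[i:].strip()
        cur, quoted, items = "", False, []  # split on commas outside quotes
        for c in option_str + ",":
            if c == '"':
                quoted = not quoted
            elif c == "," and not quoted:
                items.append(cur)
                cur = ""
            else:
                cur += c
        for item in items:
            name, _, value = item.partition("=")
            opts[name] = value if value else True
    keytype, b64, *rest = line.split(None, 2)
    return opts, keytype, base64.b64decode(b64), (rest[0] if rest else "")


def key_findings(opts, keytype, blob, service_account):
    """Algorithm/size, source restriction, and forced command for automation keys."""
    out = []
    if keytype == "ssh-dss":
        out.append("weak algorithm ssh-dss")
    elif keytype == "ssh-rsa" and rsa_bits(blob) < MIN_RSA_BITS:
        out.append(f"ssh-rsa modulus {rsa_bits(blob)} bits < {MIN_RSA_BITS}")
    if "from" not in opts:
        out.append("no from= source restriction")
    if service_account and "command" not in opts:
        out.append("automation key without command= forced command")
    return out


def perm_findings(mode, uid):
    """File-level checks: sshd StrictModes rejects group/world-writable files, and a
    user-owned file lets the account self-provision keys."""
    out = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append("group/world writable")
    if uid != 0:
        out.append("not root-owned: the account can add its own keys")
    return out


def audit_lines(lines, service_account):
    """Map each key's comment (or line number) to its findings."""
    report = {}
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, keytype, blob, comment = parse_authorized_key(line)
        report[comment or f"line {i + 1}"] = key_findings(opts, keytype, blob, service_account)
    return report


def audit_file(path, service_account):
    """Both checks on a real file at a caller-supplied (hypothetical) path."""
    st = os.stat(path)
    with open(path) as fh:
        lines = fh.read().splitlines()
    return perm_findings(stat.S_IMODE(st.st_mode), st.st_uid), audit_lines(lines, service_account)


# Constructed sample file for a service account; none of these are real keys.
SAMPLE_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    'command="/usr/bin/rsync --server -logDtpr . /data",from="10.0.0.0/8",no-pty ssh-rsa '
    + base64.b64encode(rsa_blob(65537, (1 << 3071) | 1)).decode() + " backup@host1",
    "ssh-rsa " + base64.b64encode(rsa_blob(65537, (1 << 1023) | 1)).decode() + " legacy@host2",
    'from="192.0.2.10" ssh-dss ' + base64.b64encode(ssh_string(b"ssh-dss")).decode() + " old@host3",
])

if __name__ == "__main__":
    for key, findings in audit_lines(SAMPLE_KEYS.splitlines(), service_account=True).items():
        print(key, "->", findings or "ok")
```

For a person account pass service_account=False, since interactive users legitimately have no forced command; the from= check still applies to both, which is the "specific commands and source addresses" control in the list.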
Business Driver: Cost
• Complex manual process for setting up new keys and trust-relationships
• Even more complex and time consuming manual process for rotating and removing the keys
• The more dynamic the environments are, the more key operations are required (cloud / grid computing)
• In large organizations, manual SSH user key operations can easily accumulate to several millions in annual operational costs
Manual key setup workflow: key request → approval process → key pair creation → public key transfer → configuration → testing, repeated for each remote system.

Cost model (example figures from the slide):

Number of SSH systems in environment          20,000
Number of new key setups per year             10,000
Average time per setup                        15 min
Average number of systems per setup           10
Number of key removal operations per server   2
Time required per removal operation           30 min
Number of other key operations per server     4
Time required per other operation             15 min
Average cost per hour of a security admin     $59
Estimated operational cost per year           $3,835,000

The total is 10,000 setups × 10 systems × 15 min (25,000 h) + 20,000 servers × 2 removals × 30 min (20,000 h) + 20,000 servers × 4 other operations × 15 min (20,000 h) = 65,000 h × $59 = $3,835,000.
Remediation Project Requirements
• Policy Generation and Enforcement
• Discover and understand existing SSH trust relationships
• Controlled provisioning, refresh and termination process
• Ensure proper configuration of SSH clients and servers
• Continuous monitoring and audit processes
• Optimize (automate) SSH key provisioning and termination processes
Project Stakeholders
[Diagram: SSH user key and access management at the centre, surrounded by Unix Ops, Security Architects, IAM and technical access management, Audit, Crypto & key management, Application owners, Mainframe, Windows; regulators: MAS, OCC (FFIEC, Federal Financial Institutions Examination Council), RBI]
SSH Remediation: Best Practices
Discover: map trust relationships
• Inventory all SSH keys
• Monitor key activity & lock down hosts
• Start to detect & alert on policy violations
• Identify unused keys
• Identify unauthorized keys
Remediate: centralization & compliance
• Relocate keys to root-owned directories
• Remove unused keys
• Remove unauthorized keys
• Renew old & non-compliant keys
Manage: automation & integration
• Centrally manage and enforce SSH configurations
• CLI (API)
• Integration with existing ticketing systems
• Link to AD/LDAP
• Integration with IdM systems