SSH inventor proposes best practice guidance in face of poor deployment and management of keys
The new skeleton key: changing the locks in your network environment
Management of secure shell (SSH) keys has become such a problem for businesses, that some spend ten per cent of their working time on remediation of them.
Speaking to SC Magazine, Tatu Ylönen, CEO and founder of SSH Communications Security, said that within some customer cases, he had found up to two million keys unaccounted for where there is 20 times as many keys as passwords, where they are granted as freely as passwords.
He said: “Nobody has worked out a deployment of keys that grant access to servers as they are often distributed to privileged users. If you are adding keys for ten years, then often there is no control and you grant access on a ‘need' basis and terminate on a need basis also, and often don't realise the problem.
“You cannot keep pretending that 80 per cent of your credentials do not exist. Some are more convenient ways of doing things or sometimes the keys are installed by hackers to form a permanent backdoor to a server.”
SSH keys, which Ylönen said are used wherever there is a Linux/Unix deployment, are used in machine-to-machine secure communications, for remote access and for logging into hypervisors remotely.
The problem has led to Ylönen, along with the National Institute of Standards and Technology (NIST), to launch a draft document on deployment and management of SSH keys, to offer best practice and guidelines for this.
Ylönen said: “Companies cannot change or remove keys as they do not know what they are used for, yet one customer spends ten per cent of their time on SSH key management.
“No one has full visibility into this as it is too fragmented. Instead of spending ten per cent of time, a company can better control it and more thoroughly audit it.
“This is a big project that organisations need to go through and there needs to be continuous monitoring to find the backdoors and hackers' keys, to enforce key rotation and if they are not being used, revoke them and deploy new keys.”
Ylönen also said that there needs to be best practice guidelines as none have been delivered in the past, particularly on how the keys should be managed, primarily on who has access to keys and who controls them. This is currently open for comment, with a second draft of guidelines published in the summer and a final publication set for October.
“There is no good guidance on this; we have contacted people we know about this and are helping bring attention to the topic,” he said.
“We have worked with the banks and auditors as there is no public guidance on how to manage it, as there is nothing to say ‘this is the scope of the problem', as there needs to be education to do the project and deal with it.”