Today SSH is one of the most widely used security protocols in the world. Over 3,000 global organisations use the data-in-transit solution for moving information, including seven of the Fortune 10. 90% of the world’s SSH and OpenSSH Unix servers use the file transfer function, making SSH the gold-standard security protocol.
Over the years, the runaway success of the SSH protocol has seen millions of digital key pairs created, which has produced an overwhelming IT management task and the problem of knowing exactly who and what has access to a company’s servers worldwide.
The keys (small files), if illegally obtained, could allow for unauthorised connections to an enterprise, opening access to sensitive information such as customer data, invoicing details, credit card numbers or patient records.
The problem has been noted in the recent IBM X-Force 2011 Trend and Risk Report in March 2012, which observed a large spike in automated SSH password guessing during the latter half of 2011.
The challenge for enterprises is the management of this SSH user key overhead, which has always been a time-consuming and error-prone process. If you consider that some of the largest global enterprises have up to a hundred thousand servers running the SSH protocol in their environment, and that these servers in turn run thousands of individual applications, which equates to tens if not hundreds of thousands of automated data transfers between different applications and user accounts, then you begin to appreciate that the key management task is astronomical.
The problem has also been exacerbated by the lack of good tools for creating new keys and trust relationships. Many organisations lack the sophistication, processes, visibility and means to carry out efficient SSH key management. That inability has placed organisations at risk of failing to meet compliance and increased IT management costs.
Most large enterprises never systematically remove trust relationships, i.e. the user keys that enable connections. This is put down to cost and the lack of documentation/database on trust relationships. With that in mind, administrators who leave a firm could still have access to critical SSH servers.
It is fairly straightforward to copy a private key which has been created for an automated file transfer or other password-less login. If an administrator left a company, and their personal account had been disabled or the original private key file had been destroyed, then many organisations would think they are safe. However, depending on the platform, the corresponding public keys may actually remain authorised on a server, so any copy of the private key still grants access.
Keeping unused trust relationships in an SSH environment also increases the risk of rogue administrator access – an ‘active’ key which is no longer in use makes it easier to propagate access to other accounts (trust relationships provided by public key authentication are transitive).
Organisations have also been known to be lax in rotating SSH keys. In practice, renewing key pairs (i.e. changing the keys) has been fairly cumbersome and costly. The result is that many private keys are still in use years later.
Another area of weakness has been key visibility. Most organisations do not have a view over which computers administrators can access once transitive public key authentication is taken into account. Typically, an administrator is given access to a subset of the organisation’s production computers.
However, these computers can have automated file transfers and other application-to-application connections to other computers in the production environment. Effectively, public key authentication escalates the administrator’s access beyond their designated subset to all the accounts accessible using public key authentication (this can, however, be mitigated by controlling and auditing privileged access).
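The stale trust relationships described above (keys of departed administrators or destroyed private keys that remain authorised) and the transitive reach of public key authentication can both be made visible from a key inventory. The following is an added example, not code from the article or from any product it refers to: it parses OpenSSH `authorized_keys` lines, computes OpenSSH-style SHA256 fingerprints, matches them against the private keys found on each account (the `PRIVATE_KEYS_HELD` table stands in for the output of a hypothetical discovery scan), flags entries with no known holder or a departed owner, and walks the resulting trust graph to show every account an administrator can reach by chaining password-less logins. All accounts, key blobs and the `DEPARTED_USERS` list are constructed sample data; the blobs are base64-encoded labels, not usable keys.

```python
import base64
import hashlib
import shlex
from collections import deque

# Public key types accepted in authorized_keys (plain keys; certificates omitted).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fake_blob(label: str) -> str:
    """Constructed stand-in for a public key blob: base64 of a label, not a real key."""
    return base64.b64encode(label.encode()).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 of the key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys_line(line: str):
    """Split one authorized_keys line into options, key type, fingerprint and comment.

    Returns None for blank lines and comments. shlex keeps quoted option values
    such as command="/path with spaces" together as one token.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return {
                "options": tokens[:i],
                "type": tok,
                "fingerprint": fingerprint(tokens[i + 1]),
                "comment": " ".join(tokens[i + 2:]),
            }
    raise ValueError(f"no recognised key type in line: {line!r}")


# Constructed inventory: each account's authorized_keys content.
AUTHORIZED_KEYS = {
    "alice@bastion": [
        f"ssh-ed25519 {fake_blob('alice-laptop')} alice@laptop",
    ],
    "app@batch01": [
        f'command="/usr/local/bin/xfer",no-pty ssh-rsa {fake_blob("xfer-key")} xfer@bastion',
        f"ssh-ed25519 {fake_blob('bob-laptop')} bob@laptop",
    ],
    "db@db01": [
        f"ssh-rsa {fake_blob('xfer-key')} xfer@bastion",
        f"ssh-ed25519 {fake_blob('batch-to-db')} app@batch01",
        f"ssh-rsa {fake_blob('old-backup')} backup@legacy01",  # holder no longer exists
    ],
}

# Constructed inventory: fingerprints of private keys found in each account's ~/.ssh
# (what a hypothetical key-discovery scan would report).
PRIVATE_KEYS_HELD = {
    "alice@laptop": {fingerprint(fake_blob("alice-laptop"))},
    "bob@laptop": {fingerprint(fake_blob("bob-laptop"))},
    "alice@bastion": {fingerprint(fake_blob("xfer-key"))},
    "app@batch01": {fingerprint(fake_blob("batch-to-db"))},
}

DEPARTED_USERS = {"bob"}  # constructed: bob has left the company


def build_trust_graph(authorized, holders):
    """Directed edge holder -> target whenever a held private key is authorised on target."""
    graph = {acct: set() for acct in set(authorized) | set(holders)}
    for target, lines in authorized.items():
        for line in lines:
            entry = parse_authorized_keys_line(line)
            if entry is None:
                continue
            for holder, fps in holders.items():
                if entry["fingerprint"] in fps:
                    graph[holder].add(target)
    return graph


def reachable(graph, start):
    """All accounts reachable from start by chaining trust relationships (breadth-first)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_stale_entries(authorized, holders, departed):
    """Flag authorised keys owned by departed users or with no private key in the inventory."""
    held = set().union(*holders.values())
    findings = []
    for target, lines in authorized.items():
        for line in lines:
            entry = parse_authorized_keys_line(line)
            if entry is None:
                continue
            owner = entry["comment"].split("@")[0]  # comment convention: user@origin
            if owner in departed:
                findings.append((target, entry["fingerprint"], f"departed user {owner}"))
            elif entry["fingerprint"] not in held:
                findings.append((target, entry["fingerprint"], "no private key found in inventory"))
    return findings


if __name__ == "__main__":
    graph = build_trust_graph(AUTHORIZED_KEYS, PRIVATE_KEYS_HELD)
    print("alice@laptop can reach:", sorted(reachable(graph, "alice@laptop")))
    for target, fp, reason in find_stale_entries(AUTHORIZED_KEYS, PRIVATE_KEYS_HELD, DEPARTED_USERS):
        print(f"stale key on {target}: {fp} ({reason})")
```

In the sample data alice is only authorised on the bastion, yet because an automation key left on the bastion is authorised on `app@batch01` and `db@db01`, her effective reach is all three accounts; the same walk from `bob@laptop` shows that a departed user's still-authorised key chains through to the database host. Matching on fingerprints rather than on the comment field matters, since comments are free text and a copied key carries whatever comment it was given.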
Outsourcing has also created its own set of risks. Many enterprises outsource some or all of their IT to external service providers and consultants, thus giving the outsourcing provider access to the enterprise’s production network from the provider’s premises. The administrative access is usually implemented using the SSH protocol.
Again, many enterprises lack the visibility over whether trust relationships for password-less authentication exist between the enterprise’s internal network and the provider. Unauthorised trust relationships to an IT service provider can expose you to rogue personnel and even highly systematic data leaks.
The world’s largest organisations are facing a ticking time-bomb that is well known, but the complexity of the problem has compounded efforts to devise a ‘credible’ fix. Businesses need to regain control over their SSH user key management.